Some quick background on how tracking originated and still works on many sites is required. Stateful tracking is the classic version of third-party tracking. Cookies are small bits of text that websites can put onto your disk in order to maintain state, such as for authentication. When you sign in to a website, that website can check if you already have a cookie that they’ve issued, which tells them that you’re already authenticated. Websites are only allowed to access the cookies that they’ve set in your “Cookie Jar”; otherwise, any website could steal all your sessions. For tracking purposes, a third-party advertiser can set a cookie on your browser, and if you access another website that they are also loading content on, they can access that cookie again. Through this, they can see that you’ve visited a website and looked at shoes, so on the next website you go to there’s a chance the ad exchange will serve you ads for shoes.
Preventing third-party cookie tracking is fairly straightforward. There are many extensions out there that will either block requests coming from known advertising domains (e.g., DoubleClick), or will load their content but prevent them from setting a cookie on your browser. Privacy Badger is a personal favorite, as it’s from the EFF and open source. It also doesn’t rely on a list of known domains, and instead looks for third-party cookies that have appeared on multiple websites you’ve visited.
- All installed plugins and specific versions
- Screen size
- Installed fonts
- Time zone
- How the browser renders a specific image containing the whole alphabet and an emoji. There are differences in the results based on unique hardware quirks.
- Turns out the competing emoji ecosystem allows trackers to tell if you’re on iOS, certain Android versions, a Samsung device, or any other device with a varying standard for emoji Unicode
Some of these things may not seem like they would reveal a lot of information about your browser versus other browsers, but when we put all that information together it forms a VERY unique profile about your machine. After running my browser through amiunique.org, they stated that out of 62,109 browsers observed in their dataset (in the last 30 days), mine was entirely unique. In fact, it was unique for their all-time dataset of 1,276,470 browsers. Panopticlick reported that only 1 in 45,244 browsers observed (in the last 45 days) had the same fingerprint as mine. Both of these tools test your browser using the same methods as trackers do and will show you how you compare to other users’ fingerprints. AmIUnique will also break down how unique you are in each test performed. If you’re curious about why uniqueness is such an issue, the EFF has a great primer on how this applies to privacy (https://www.eff.org/deeplinks/2010/01/primer-information-theory-and-privacy).
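To show why attributes that are individually common still combine into a unique profile, here is an added example (not from the original post, and not AmIUnique's or Panopticlick's code) that measures a browser against a small constructed dataset. The attribute names, values, and function names are assumptions made for illustration.

```javascript
// Constructed sample of 8 observed browsers (not real data). Attribute names
// and values are illustrative assumptions.
const observed = [
  { timezone: "UTC-5", screen: "1920x1080", fonts: "A", emoji: "apple" },
  { timezone: "UTC-5", screen: "1920x1080", fonts: "B", emoji: "google" },
  { timezone: "UTC-5", screen: "1366x768",  fonts: "B", emoji: "google" },
  { timezone: "UTC-5", screen: "1366x768",  fonts: "B", emoji: "samsung" },
  { timezone: "UTC+1", screen: "1920x1080", fonts: "A", emoji: "google" },
  { timezone: "UTC+1", screen: "1920x1080", fonts: "B", emoji: "apple" },
  { timezone: "UTC+1", screen: "1366x768",  fonts: "B", emoji: "google" },
  { timezone: "UTC+1", screen: "1366x768",  fonts: "B", emoji: "samsung" },
];

// Bits of identifying information revealed by one attribute value:
// -log2(share of observed browsers that have the same value).
function surprisalBits(dataset, attr, value) {
  const matches = dataset.filter((b) => b[attr] === value).length;
  return matches === 0 ? Infinity : -Math.log2(matches / dataset.length);
}

// Anonymity set: every observed browser that matches on all listed attributes.
function anonymitySet(dataset, browser, attrs) {
  return dataset.filter((b) => attrs.every((a) => b[a] === browser[a]));
}

// Per-attribute breakdown plus the combined result for one browser.
function report(dataset, browser) {
  const attrs = Object.keys(browser);
  const perAttribute = Object.fromEntries(
    attrs.map((a) => [a, surprisalBits(dataset, a, browser[a])])
  );
  const setSize = anonymitySet(dataset, browser, attrs).length;
  return {
    perAttribute,                                  // bits leaked by each test
    setSize,                                       // browsers sharing the full fingerprint
    combinedBits: -Math.log2(setSize / dataset.length),
    unique: setSize === 1,
  };
}

// The first browser shares every single attribute value with at least one
// other browser, yet no other browser matches on all four at once.
console.log(report(observed, observed[0]));
```

The combined figure can never exceed log2 of the dataset size, which is why a larger dataset is needed before a "unique" result says much about the wider population.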
AmIUnique offers a great list of tools that you can use to implement these measures. But if you don’t feel like browsing to another website, I’ll briefly summarize a few:
The Tor Browser aims to make all of its users’ traffic as identical as possible, in order to create a large anonymity set. However, the nature of onion routing means that Tor traffic is not as fast as some users would like. The Tor Browser is security-focused and has tools like NoScript installed.
TAILS is The Amnesiac Incognito Live System, a live operating system that doesn’t touch the disk and aims to make every user identical. Since it is live, all memory is wiped each time it boots. It also may land you on an NSA watchlist, ironically due to NSA fingerprinting efforts. (https://www.digitaltrends.com/computing/nsa-labels-linux-tails-users-extremists/)
Privacy Badger, as mentioned earlier, helps prevent stateful tracking by blocking third-party trackers that it sees appearing on multiple websites.
The subject of internet tracking is incredibly complex and this post is fairly surface level, so I would recommend checking out any of the fantastic research papers that take a deeper dive into the technology and methodology behind it. Hopefully this helped shine a little more light on what’s going on behind the curtain while you’re browsing online.
Pierre Laperdrix, Walter Rudametkin, Benoit Baudry. Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints. 37th IEEE Symposium on Security and Privacy (S&P 2016), May 2016, San Jose, United States. hal-01285470v2