Browser fingerprinting

Image: panthermedia.net / Tyler Olson
Image: panthermedia.net / Tyler Olson

FAU computer scientist investigates methods of protection against online espionage through browser fingerprinting

July 20, 2015

There are several ways of protecting one’s data online. However, many people are not aware that the information which is revealed via their browser alone makes it possible to create an almost unique digital fingerprint which can be used to identify individual users later on. Is there any kind of protection against this browser fingerprinting? Tim Grocki, a student at FAU’s Chair of Computer Science 1 (IT Infrastructures), investigated several ways of protecting oneself against such online espionage in his Master’s thesis.

The combination of data makes the fingerprint unique

Website operators can read out information about the browsers used by the individuals visiting their pages. The amount of information that is revealed about a user via their browser is huge and the combination of data is unique, making it possible to recognise it again. The fonts installed, browser software, operating systems, screen resolution, colours and plug-ins ‑ all of this information and more is accessible to website operators via the browser used, making it possible to identify a user later on. Browser fingerprinting is mainly used for promotional purposes.

Protection strategies have limitations and disadvantages

There are several ways of protecting oneself against browser fingerprinting, such as deactivating JavaScript, using standard settings or imitating commonly used fingerprints, i.e. browser configurations which are frequently used. ‘These protection strategies have their limitations and disadvantages. Comprehensive testing and analysis of all methods is vital for IT security and data protection,’ says Prof. Dr. Felix Freiling, Chair of Computer Science 1, in his assessment of the Master’s thesis. ‘Tim Grocki analysed how efficient the various methods of protection against browser fingerprinting are and found that individual methods cannot provide comprehensive protection,’ says Dr. Zinaida Benenson, Mr Grocki’s supervisor.

Disappearing in the crowd is not possible

Website operators can read out information about users with the help of JavaScript. When users deactivate JavaScript they are noticeable because most users have JavaScript activated, which means that they can be recognised as having deactivated it. The means of deactivation, such as NoScript, can also be used to distinguish a user from others. What is more, even when JavaScript is deactivated, users still reveal information that, when analysed skilfully, is still sufficient to create a fingerprint.

Changing one’s own settings to correspond to a common fingerprint is another method of protection – the user can simply disappear in the crowd. However, even common fingerprints are very rare and there is only limited information on common fingerprint models available.

As browser fingerprinting is based on the idea of identifying browsers by their browser configuration, standardising browser settings would be a possible way of protecting against online espionage. If all users had the same settings, it would be impossible to distinguish them from one another. However, different users have different requirements for their browsers and in order to make standardisation of settings an efficient method of protection, a sufficient number of users would have to participate. Another disadvantage of this method is that the amount of information that would have to be standardised is huge, which would make the whole process very difficult.

The recommended strategy: combine as many methods of protection as possible

As the individual strategies commonly used against browser fingerprinting do not provide sufficient protection, Grocki recommends a combination of all of these measures. However, it is impossible to achieve absolute protection. The problem of browser fingerprinting remains unsolved and there will probably not be any simple means of protection against this form of web tracking in the near future. ‘In addition to further research, politicians, website operators and normal users could take action against browser fingerprinting that does not involve technology. Browser fingerprinting could be boycotted or banned,’ says Grocki.

Further information:

Dr. Zinaida Benenson
Phone: +49 9131 8569908
zinaida.benenson@cs.fau.de