A Practical Guide to Minimise Browser Fingerprinting

Ever heard about browser fingerprinting? If Yes, you might be a privacy freak. If Not, do you care about your privacy in the World Wide Web? Well, if you belong to either, this article will help you to cover up or fill up what you have already interested in or known.

Browser fingerprinting is one of the latest trending user tracking methods and is widely used in major tracking companies (Like Google and Facebook). Whatever you type, post or browse through, over 70% of the data is obviously being tracked by the above-mentioned companies. They are using cookies and session data to track you throughout the websites no matter how many browser tabs you have opened. Even when you leave a website, the cookie will be retained to track you later. However, as the security and privacy needs arise, the privacy conscious people are more magnetified towards keeping their data and session state safe from the major tracking companies. They use ad-blockers, private browsing tabs. And Firefox has recently added the tracking cookie blocking feature by default. Which minimises the uniquely identifiable information from exposing to the tracking companies. It alone is not enough. The website owners can still track the user by the HTTPS Headers. Which exposes identifiable information such as Browser vendor, version, OS, screen resolution, time zone, installed fonts, default language, use of AdBlock etc. By adding all of these data at once, a unique fingerprint can be created. This is called the ‘Browser Fingerprinting’. As an example, even if we use a widely using OS, Browser version, Default language, it can still identify you by the screen resolution, and the time-zone (Specially for Sri Lanka). Which is inflexible to change on our own. The most dangerous thing is they can track you even if you browse through the incognito tabs offered by browsers. Just think that you have just logged in to the Gmail and you have opened a new incognito window and do anonymous online shopping without logging in, they can still identify you and may display ads based on that. Which will not limit by that, also they will sell your data to third parties where they could provide you with free services. You were always the product. That is the cost of free services.

You might think why we should keep our data safe as long as there are no hackers present and we are communicating through HTTPS. Well, hackers are the first prioritised threat and more than 60% of the internet browsing people often know how to prevent themselves from hackers. And most of them are even assuming that the data will be safe on HTTPS. It is false. Why? HTTPS is for security and our data can still be accessed by the website owner. What if the website which has HTTPS needs to track you? It is pretty damn easy for them. They have full control over everything no matter what security options they provide. As an example, Google provides security options such as two factor authentication and website traffic through HTTPS. But as they own the service that you are using, they have full control over it. The GDPR covers the most for the European territory. However, still there are loopholes present. As per GDPR, if a website is using cookies, it should be declared and get the consent of the user before it stores the cookies in the web browser (GDPR Rec 40 and Art. 5(1)(a)). It is enforcing nowadays. But for browser fingerprinting, there is no such direct explanation. However, it limits the user data collection for identifying a particular user individually by any means, but if the website owner gets the consent from the user, it can also be acceptable by the GDPR as long as it has a legitimate reason. As we all know, Aforementioned companies changing their privacy policy regularly and we have already accepted and accepting the policy as we have already addicted to their services. Could we change it. Yes, we could. Here are some of the things you could do to prevent or minimise the browser fingerprint.

 

Most effective and one-shot ways

• Use Tor browser. Which is open source and it uses virtual tunnels where the connection goes through many tunnels and then lands on the website we are requesting. And the website could not identify us as a unique person and even if they identified, it will not be effective for them to keep our state as every Tor user uses the connection and thus, the fingerprint gets blurred. This is the best and easiest way. But the performance is slow. And using the widely known Google search is much harder as it asks to fill up a captcha to verify we are not bots. Alternatively, we could use the DuckDuckGo search engine which respects privacy. And it has an onion site too.
• Disable JavaScript. Which insanely reduces the data you share with the internet. But it is harder to browse websites as most of the websites are prominent with JavaScript.

 

General, most practical and flexible methods

• Use Firefox 🦊 as the default web browser. It is open source and built for privacy from the ground-up. Google Chrome is not open source, which means only the Google knows what happen inside the browser backend. Which is tricky. Some of you could still argue about the fact that the Chrome is widely used and Thus having a common fingerprint. No. Even if it is true, the browser is made by a well-known tracking company. Would you trust them? Someone who does not reveal the browser source code!!
• In Firefox, there is a specific property to be changed to have a minimised fingerprint. It is not enabled by default as it is harder for the browser and the websites to debug the issues arise in a global point of view. To enable that, type ‘about:config’ in the browser address bar in Firefox. And then click on ‘I accept the risk’. Inside the browser window, search for ‘privacy.resistFingerprinting’ and make it to ‘true’ by clicking on it twice. Close and Open the browser and you might feel that your browser window size is changed. Yes, it is changed to provide a commonly used screen resolution value to the tracking party. And the advanced tracking features such as canvas fingerprinting is also minimised in this mode. Some of the websites might not work as expected. However, more than 90% of the websites I have browsed with this configuration is working fine without any issues.

Update: Firefox 67 has an option to prevent websites from fingerprinting.

 

Update 2: Firefox 72 (Released on 7th Jan 2020) blocks fingerprinting scripts by default.

• On top of the above methods, use Private browsing mode 👓 . It will also minimise the tracking caused by cookies.

 

That is all for now. I will come up with some privacy focused articles in upcoming days. Happy surfing 🌈😀.