Fingerprinting
Browser fingerprinting is the act of using technical measures, typically delivered through JavaScript code, to attempt to assign a unique identifier to a particular web browser. This identifier is based on various properties of the computer system or device that is running the browser. When the browser fingerprint can be tied to a particular user, it provides a way to track users across the Internet without first obtaining their explicit consent.
Overview
Advertisers and other entities can utilize various techniques to try to identify and track a web browser, even if the user disables cookies and blocks web beacons. One widely used technique is called browser fingerprinting, and it is a non-consensual way for a website to assign a unique identifier to a browser. This technique is non-consensual since the user is normally not notified of the fingerprinting, and any browser settings to avoid the assignment of a unique identifier (in particular, disabling or rejecting cookies) are ignored. Marketing companies have been quietly deploying these capabilities against unsuspecting users,1 while the purveyors of fingerprinting technology try to spin the approach as a tool for fighting fraud and improving security.2
Installed Fonts
As part of the standard Document Object Model (DOM), browsers expose JavaScript methods for loading fonts into a web page.3 By loading a font and then measuring the size of the resulting text, JavaScript functions can determine whether or not the browser used the requested font. If a font isn’t available on the user’s system, then the browser will substitute a different font, which has different measurements.4 If a website tries a sufficiently large number of candidate fonts, it can systematically determine which fonts are installed on the user’s system.
Since fonts tend to accumulate somewhat randomly as software is installed and removed over the service life of a computer, it is likely that two computers owned by two different people will have different fonts. While there will be some users with the same font selection across the Internet (particularly those who have not installed anything beyond the default software that came with the computer), this piece of information generally contributes at least a few bits of entropy to the overall fingerprint of a browser.
Canvas Fingerprinting
The HTML5 canvas element is designed to allow web applications to draw graphics on a page.5 Web pages can draw arbitrary lines, shapes, colors, and text on a canvas using JavaScript to interact with the browser Document Object Model (DOM). One of the methods available to JavaScript code is toDataURL(), which creates a base64-encoded image file with a snapshot of the current state of the canvas.6 This method may be supplemented with other DOM methods to determine more properties of the canvas and browser, many of which will vary from system to system due to variations in computer and software configuration.7
One way to implement canvas fingerprinting is to combine it with font fingerprinting and render various fonts onto the canvas. The fingerprinting script then calls the toDataURL() method of the DOM object associated with the canvas. A hash, or short fingerprint, of the resulting canvas data is then computed. This hash can provide at least 10 bits of entropy toward a fingerprint.8
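The draw-text-then-read-back pattern described above can be observed from the defender's side by wrapping the canvas methods involved. The following is an added example, not code from the original page: installCanvasMonitor, the fake canvas classes and the "text was drawn before toDataURL()" heuristic are all assumptions made for illustration.

```javascript
// Heuristic (an assumption of this example): text drawn on a canvas that is
// later read back with toDataURL() marks it as a fingerprinting candidate.
function installCanvasMonitor(canvasProto, contextProto, report) {
  const drawnText = new WeakMap(); // canvas -> fonts used for text drawn on it
  for (const method of ["fillText", "strokeText"]) {
    const original = contextProto[method];
    contextProto[method] = function (...args) {
      const fonts = drawnText.get(this.canvas) || [];
      fonts.push(this.font);
      drawnText.set(this.canvas, fonts);
      return original.apply(this, args);
    };
  }
  const originalToDataURL = canvasProto.toDataURL;
  canvasProto.toDataURL = function (...args) {
    const fonts = drawnText.get(this) || [];
    report({
      suspicious: fonts.length > 0,
      textCalls: fonts.length,
      distinctFonts: new Set(fonts).size,
    });
    return originalToDataURL.apply(this, args); // page behaviour is unchanged
  };
}

// Constructed stand-ins for the browser's canvas classes so this runs offline.
class FakeContext {
  constructor(canvas) { this.canvas = canvas; this.font = "10px sans-serif"; }
  fillText() {}
  strokeText() {}
}
class FakeCanvas {
  getContext() { return (this.ctx = this.ctx || new FakeContext(this)); }
  toDataURL() { return "data:image/png;base64,"; }
}

function runDemo() {
  const reports = [];
  installCanvasMonitor(FakeCanvas.prototype, FakeContext.prototype, (r) => reports.push(r));
  const probe = new FakeCanvas(); // constructed: mimics the pattern in the text
  const ctx = probe.getContext("2d");
  for (const font of ["16px Arial", "16px Courier New", "16px Georgia"]) {
    ctx.font = font;
    ctx.fillText("sample text", 2, 20);
  }
  probe.toDataURL();
  new FakeCanvas().toDataURL(); // plain export with no text drawn
  return reports;
}
```

In a browser, the same function can be given HTMLCanvasElement.prototype and CanvasRenderingContext2D.prototype before any page script runs, with the report callback writing to the console or a log.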
WebGL
WebGL is an open standard for creating low-level 3D graphics using a combination of JavaScript and the HTML5 canvas element.9 The JavaScript DOM API for WebGL implements an interface that is close to the OpenGL ES 2.0 specification.10 Since this API (application programming interface) works at a fairly low level, underlying details about the graphics card and driver stack on the computer may be read or guessed by JavaScript code.
It is fairly straightforward for a fingerprinter that already uses the canvas element to add support for WebGL fingerprinting. This abuse of WebGL presents both a privacy and a security concern. On the privacy side, the WebGL fingerprint adds over 5 bits of entropy to the standard 2D canvas fingerprinting techniques.11 In terms of security, there are possible vulnerabilities in WebGL that could allow malicious code to execute on the system’s graphics processing unit (GPU).12
Web Audio API
Another API exposed to JavaScript by the browser DOM is the Web Audio API.13 This API provides websites with the ability to generate and manipulate sound, which can be used for improving the user experience. However, it also provides mechanisms by which the generated sound can be sampled and analyzed, which permits fingerprinting.
Since different computers have different sound hardware, and different browsers and sound systems perform different transformations on audio streams, unique features of individual systems can be detected from JavaScript code. Published workarounds even exist to compute relatively stable fingerprints for privacy-focused browsers.14
Other Data Exposed by JavaScript
Various other pieces of data can be obtained via JavaScript methods, including the number of CPU cores available on the system15 and the user agent provided by the browser.16 This information can be used as a way to increase the entropy of the browser fingerprint, even if only slightly. However, each little piece of fingerprint information, even if it only adds 1 or 2 bits of entropy, contributes toward identifying the user of a browser.
The Irony of “Do Not Track”
Finally, newer browsers (as of 2022) typically implement a feature called “Do Not Track,” which causes the browser to send a “DNT” header with each request it makes. Unfortunately, the use of this header was never mandated by law for website operators, so most sites did not respect the user’s request not to track them.17 Since most users never enabled Do Not Track, the presence of the DNT header adds a bit of entropy to the browser fingerprint, completely defeating its purpose. For this reason, Apple removed the feature altogether from the Safari browser.18
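The entropy argument in this section and the previous one can be made concrete. The following is an added example, not part of the original page: it computes how many identifying bits a single attribute value reveals, and shows why a rarely enabled setting such as Do Not Track costs the users who enable it far more than the attribute's average. The population shares are constructed for illustration and the attributes are assumed to be independent.

```javascript
// Surprisal: bits revealed by a value that a fraction p of browsers share.
const surprisalBits = (p) => -Math.log2(p);

// Shannon entropy: average bits an attribute reveals across the population.
function entropyBits(shares) {
  return Object.values(shares).reduce(
    (h, p) => (p > 0 ? h + p * surprisalBits(p) : h), 0);
}

// Constructed shares for illustration only; not measurements from the page.
const POPULATION = {
  dnt: { "1": 0.125, unset: 0.875 },
  cores: { "2": 0.25, "4": 0.5, "8": 0.25 },
};

// Sum per-attribute surprisal for one browser. Assumes the attributes are
// independent; correlated attributes reveal less than the sum.
function identifyingBits(browser, population) {
  const perAttribute = {};
  let total = 0;
  for (const [attr, value] of Object.entries(browser)) {
    perAttribute[attr] = surprisalBits(population[attr][value]);
    total += perAttribute[attr];
  }
  return { perAttribute, total };
}

// Expected number of browsers sharing a fingerprint of the given size.
const expectedMatches = (bits, populationSize) => populationSize / 2 ** bits;

const optedOut = identifyingBits({ dnt: "1", cores: "8" }, POPULATION);
const defaulted = identifyingBits({ dnt: "unset", cores: "8" }, POPULATION);
console.log("DNT on :", optedOut.total, "bits,", expectedMatches(optedOut.total, 1e6), "matches per million");
console.log("DNT off:", defaulted.total, "bits,", expectedMatches(defaulted.total, 1e6), "matches per million");
console.log("average bits from the DNT attribute:", entropyBits(POPULATION.dnt));
```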
A newer standard is Global Privacy Control (GPC), which is intended to notify website operators that users do not want their data to be sold.19 The California Attorney General has instructed businesses that are subject to the California Consumer Privacy Act to respect the GPC header as an expression of the user’s instructions not to sell their personal data.20
References and Further Reading
- Bill Budington. Panopticlick: Fingerprinting Your Web Browser. USENIX Association: Enigma Conference, San Francisco, CA, January 26, 2016. Presentation
- MDN Web Docs. FontFaceSet.
- “Detecting Installed Fonts.” BitBook. November 13, 2016.
- W3Schools. HTML Canvas Graphics.
- MDN Web Docs. HTMLCanvasElement.
- BrowserLeaks. Canvas Fingerprinting.
- Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, and Claudia Diaz. “The Web Never Forgets: Persistent Tracking Mechanisms in the Wild.” Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS ’14), Scottsdale AZ, November 3-7, 2014. Available from the author’s website.
- MDN Web Docs. WebGL: 2D and 3D graphics for the web.
- Keaton Mowery and Hovav Shacham. “Pixel Perfect: Fingerprinting Canvas in HTML5.” Proceedings of the Web 2.0 Security and Privacy Workshop (W2SP) 2012, San Francisco, CA, May 24-25, 2012. Available from IEEE Computer Society’s Technical Committee on Security and Privacy
- Ibid.
- MDN Web Docs. Web Audio API.
- Savannah Copland. How the Web Audio API is used for audio fingerprinting. March 18, 2021.
- MDN Web Docs. Navigator.hardwareConcurrency.
- MDN Web Docs. Navigator.userAgent.
- Kashmir Hill. “‘Do Not Track,’ the Privacy Tool Used by Millions of People, Doesn’t Do Anything.” Gizmodo. October 15, 2018.
- Michael Simon. “Apple is removing the Do Not Track toggle from Safari, but for a good reason.” Macworld. February 6, 2019.
- Dennis Fisher. “Global Privacy Control Protocol Aims to Pick Up Where Do Not Track Left Off.” Decipher. October 7, 2020.
- Ben Brook. CCPA update: Businesses must immediately support the Global Privacy Control (GPC) signal. Transcend, Inc. July 21, 2021.
- Nick Nikiforakis and Gunes Acar. “Browser Fingerprinting and the Online-Tracking Arms Race.” IEEE Spectrum. July 25, 2014.
- Electronic Frontier Foundation. Cover Your Tracks.