Whether it be an online store, a news site, or even this very page – the browser you use to access websites contains more information about you than you might realize. Astonishingly, this data stored in browsers can be used to uniquely identify site visitors and to track their online activity. This technique, also known as Browser Fingerprinting, is frequently used to reduce fraud and suspicious website traffic.
Although fingerprinting is a remarkably accurate method of identifying unique browsers, it has attracted some criticism regarding its seemingly invasive nature. This prominent divide on the topic might leave some people wondering if browser fingerprinting is indeed a cause for concern. This article aims to put this debate to rest by analyzing the unique purpose, functionality, and legality of fingerprinting and how its use could benefit the public.
1. What is Browser Fingerprinting?
Although they have the same name, "fingerprint" has a slightly different meaning in an online setting than in the real world: Whereas both meanings allude to an effective medium used to identify a person, a digital fingerprint accomplishes so by analyzing respective browser signals. While solely relying on browser information to identify users might sound vague at first, realistically, the chance for another user to have completely matching configurations is near impossible: Thus, they can effectively serve as user IDs.
Due to their high accuracy as user identifiers, browser fingerprinting technologies have become a pillar for developer-led fraud protection that cuts through spoofing efforts. Their use significantly facilitates the efforts of developers in triaging suspicious traffic and restricting access to users attempting to hack into accounts to spam or make fraudulent purchases. Additionally, the accuracy of browser fingerprinting can be further increased when it is combined with usage history, fuzzy matching, and probability engines.
2. How Browser Fingerprinting works
Whether online or in real life, the key to identifying a suspect is to gather the needed information that leads to their recognition: While in an analogous setting, detectives would collect clues such as analogous fingerprints, cameras, and testimonials, in the case of browser fingerprinting, the evidence is written all over the suspicious visitor’s browser configuration.
But how exactly can some browser parameters lead to exposing a criminal’s real-life identity? To answer this lingering question, it is essential to clarify what signals the services generally capture.
Which parameters are captured?
The creation of a browser fingerprint relies typically on the following parameters:
- Hardware details (screen resolution, battery usage, device memory)
- User-agent details
- IP Adresses and TSL Sessions
- WebGL parameters
- Browser plugins and extensions used
- The browser and OS settings (f.e. language)
- Keyboard Layout
- Whether cookies are enabled
As a rule, the digital fingerprinting function automatically gathers these details when a visitor first lands on a webpage. The captured information is saved in a database that is left untouched unless the data is required to identify a returning visitor who was observed behaving suspiciously or engaging in fraudulent activities.
How accurate is fingerprint-based identification?
When the public is looking for a wanted criminal, the chances of identifying them gradually increase with every single additional information about the person. Thus, the more details that can be added to the criminal sketch, the clearer the portrait of the perpetrator will be.
The same principle applies to virtual attackers. Due to the large number of specific attributes provided by browser fingerprinting, the culprit can be reliably located in a sea of online users - In fact, a study carried out by Electronic Frontier Foundation found that 83.6% of tested browsers were unique.
This accuracy of fingerprinting is even higher in the case of device fingerprinting - a technique that enhances browser fingerprinting with the additional feature of identifying users of a native mobile app. By relying on a visitor ID, device fingerprinting can recognize a returning user 99.5% of the time.
However, it is worth noting that real-life criminals and digital ones alike generally go out of their way to conceal as many of their identifiers as possible: Akin to how a robber might hide behind a face mask and dark clothing, a hacker usually uses incognito mode, browses via a VPN/Proxy and keeps their cookies disabled. Fortunately, fingerprinting can associate suspicious visitors without needing discreet identifiers like cookies or IP addresses; thus, identity-concealing techniques do not pose an obstacle. With a little extra help from bot mitigation mechanics, even sophisticated threats that go undetected by traditional means of detection can be effectively prevented.
3. Is Browser Fingerprinting legal?
Due to the many unique identifiers browser fingerprinting can capture on a whim, it is only natural to second-guess the morality and legality of this technique. To quickly answer the latter concern:
Yes, browser fingerprinting is entirely legal, since it only captures data deemed to be publicly available and no personal information is being collected. That said, each fraud solution that captures data must adhere to all applicable laws, such as local laws and GDPR.
Regardless of the practice's legality, the seemingly invasive nature of fingerprinting might raise some valid concerns regarding user privacy. While the feeling of being “watched” is an apprehension many of us have, it is worth considering that such security measures are often the key to identifying suspicious individuals and preventing attacks. Such protection tools are not exclusive to the digital world either: Nowadays, most stores and institutions handling valuable goods (f.e. banks) are equipped with a security camera. Whereas these cameras come with the expense of surveilling all activity in the building, they simultaneously capture the most solid evidence in case of an intrusion. Of course, no such surveillance would be necessary in an ideal world. Yet, as long as the risk of an attack persists, we must make the inevitable choice to observe every, including innocent, activity - or none at all.
4. Browser Fingerprinting vs. Cookies
You may have noticed that many websites prompt visitors with a window asking permission to enable 3rd party cookies. This annoying nature of a "reading exercise" in the way of the desired content frequently inclines individuals to apathetically click "accept" to get past the barrier, much like it is commonly done with the terms of service before downloading a program. While this reaction is understandable, it is still helpful to know that by consenting to cookies, you prompt a unique identifier to be placed on your web browser. Though they operate similarly, cookies and browser fingerprinting are not to be used interchangeably.
Privacy and Security - The core difference
Since cookies' core functionality might sound eerily similar to the concept of browser fingerprinting, you might wonder why only the former must specifically ask for the user’s consent. Astonishingly, while the two techniques serve the same purpose, their methods of acquiring data could not be any more different. Permission is needed for cookies because, unlike fingerprinting, they track personal data that nearly everyone can access. Thus, cookies could grant third-parties access to private information about a user, such as their name, address, and credit card number.
Although they collect unique personal information, cookies still need to catch up in successfully identifying suspicious site visitors. This is mainly due to the fact that, unlike browser fingerprints, they can easily be concealed with the help of some widely accessible techniques, such as using an adblocker. Alternatively, the user can delete them within their browser’s settings.
In conclusion, while cookies provide numerous advantages, such as enhancing user experience, the alternative of browser fingerprinting also guarantees these benefits while protecting user privacy and personal data.
5. How Browser Fingerprinting can benefit a Website
Now that we have discussed what browser fingerprinting is and how it works, there is still one crucial question that needs to be answered: What exactly are the benefits of implementing this technique? To answer this query, the following paragraphs provide an overview of the many uses of browser fingerprinting.
Account Fraud Prevention
One of the most notable benefits of browser fingerprinting is its ability to prevent account fraud. In combination with bot detection, this technique not only detects advanced bots attempting to generate fake profiles but also mitigates account takeover attempts by halting them at the source: By uniquely identifying visitors to your website, you are given a chance to immediately recognize brute force attacks and lone actors testing acquired credentials.
Browser Fingerprinting is especially valuable for e-commerce websites. With its help, you can seamlessly identify the users behind every transaction. In addition to recognizing attempts of card cracking (testing combinations of card details), you can eliminate coupon abuse and credit card fraud on your website. Thus, you can ensure that every purchase made on your website is legitimate.
More effective Monetization
As the internet is gradually replacing other media sources for content consumption, more and more websites are relying on content paywalls as a significant source of income. The mandate for a subscription to read the articles on The Wall Street Journal's website is an example of how this monetization strategy effectively attaches a price tag to particular pieces of information. Unfortunately, paywalls are not indestructible: Some experienced hackers have found a way to sneak past the barrier and read the protected material without paying. With the help of reliable visitor identification, browser fingerprinting assists content providers in more successfully monetizing their platform.
6. Fingerprinting in practice
High-accuracy device identification with Fingerprint
If you are intrigued by Browser and Device Fingerprinting, we strongly recommend you check out Fingerprint. On both the web and mobile, this best-in-class identifier software can reliably prevent fraud, spam, and account takeover with 99.5% accuracy.