Device Fingerprinting: Discover How Exposed You Are

2022-12-02
Mirsad

Definition

Device fingerprinting is the process of analyzing a device’s unique attributes to identify it. This approach intends to track individuals reliably and collect individualized identification information.

Cookies are the most common method of tracking users. While they’re practical and users likely have some familiarity with them, they raise concerns for privacy-conscious users who disable or delete the cookies from their devices.

Although device-level fingerprinting aims to be more reliable than earlier data tracking forms, such as cookies, it isn’t an exact science. There’s still some guesswork involved as it consolidates different data points from a user’s device to calculate a unique value. Device-level fingerprinting assumes the data it collects from a device will be the same at other times, which isn’t necessarily the case.

Overview

Let’s explore how device-level fingerprinting works.

When a user visits a web-based application, a small piece of JavaScript code queries APIs for the device’s information. This data includes the browser version, operating system, and user settings details.

The device fingerprinting provider applies a fingerprinting algorithm to the collected data, creating a unique, identifying value. They then use that value to partially or entirely identify a device.

Since system configurations keep changing, collecting device information at various times increases the accuracy of identifying it using a device fingerprint.

Examples of Fingerprint Information

Device fingerprinting uses several kinds of information when creating a device profile, such as:

  • IP address
  • Browser type
  • Operating system
  • Screen configuration - size, resolution, and color depth
  • Installed applications
  • Device memory
  • System fonts
  • Language
  • Time zone

Unlike other data collection methods, like HTTP cookies, the user’s browser doesn’t store device fingerprints. Instead, the visited application keeps these fingerprints on its server. Therefore, users can’t delete the collected data or disable device fingerprinting, making it impossible to stop the device fingerprinting process.

Test your device against fingerprinting on browserleaks.com

BrowserLeaks is all about browsing privacy and web browser fingerprinting. Here you will find a gallery of web technologies security testing tools that will show you what kind of personal identity data can be leaked, and how to protect yourself from this.

How Accurate is Device-Level Fingerprinting?

The accuracy of device-level fingerprinting is varied and somewhat inconsistent. Research analyzing over 500,000 browser fingerprints shows that desktops are easier to track than mobile phones. The fingerprints uniquely identified 74% of desktop versus 45% of mobile users. Furthermore, 10% of devices the researchers observed multiple times changed their fingerprints between observations.

This data demonstrates that using device fingerprinting to identify a device doesn’t guarantee accurate results. However, fingerprinting is still helpful when perfect accuracy isn’t necessary. Ad tracking and fraud detection are two examples.

What is Device-Level Fingerprinting Used For?

Let’s explore several use cases for device fingerprinting.

Tracking and Analytics

Device fingerprinting enables us to track and identify users as they browse the internet. Advertising companies use the method to analyze and understand user behavior and improve how they target users with personalized ads. For example, digital marketers can track a website’s new and returning visitors to gain insights into the impact of their marketing strategies.

Fraud Detection

We can detect fraud by flagging suspicious devices via device fingerprinting. When a user logs in to an application, the application compares the device fingerprint stored on the server to the current device’s fingerprint. If it detects a notable inconsistency, the app marks the device as suspicious.
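
The hashing step from the Overview and the login comparison described above, as an added example that is not code from this article or from any fingerprinting provider. The attribute names, weights, threshold and sample devices are assumptions, and FNV-1a stands in for whatever hash a real provider applies.

```javascript
// Added illustration. Attribute names, weights and threshold are assumptions.
// FNV-1a (32-bit) is a stand-in for whatever hash a real provider applies.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Canonical form with sorted keys, so attribute order never changes the hash.
function fingerprint(attrs) {
  const canon = Object.keys(attrs).sort().map(k => `${k}=${attrs[k]}`).join("|");
  return fnv1a(canon);
}

// Hypothetical weights: traits that rarely change count more than values
// that move with routine updates (browser version) or travel (IP address).
const WEIGHTS = { os: 3, screen: 2, fonts: 2, timezone: 2, language: 1, browser: 1, ip: 1 };

// Weighted share of attributes that differ between stored and current values.
function driftScore(stored, current) {
  let total = 0, changed = 0;
  for (const [key, w] of Object.entries(WEIGHTS)) {
    total += w;
    if (stored[key] !== current[key]) changed += w;
  }
  return changed / total;
}

// An exact hash match is too strict on its own; the drift score decides.
function assessLogin(stored, current, threshold = 0.4) {
  const score = driftScore(stored, current);
  const exactMatch = fingerprint(stored) === fingerprint(current);
  return { exactMatch, score, suspicious: score >= threshold };
}

// Constructed sample data.
const enrolled = { os: "Windows 11", screen: "1920x1080x24", fonts: "set-A",
  timezone: "Europe/Berlin", language: "de-DE", browser: "Firefox 107", ip: "203.0.113.10" };
const afterUpdate = { ...enrolled, browser: "Firefox 108" };
const otherDevice = { ...enrolled, os: "Linux", screen: "1366x768x24",
  fonts: "set-B", timezone: "Asia/Tokyo" };

console.log(assessLogin(enrolled, afterUpdate)); // hash differs, low drift, not flagged
console.log(assessLogin(enrolled, otherDevice)); // high drift, flagged as suspicious
```

A routine browser update already breaks the exact hash, which is why the comparison scores individual attributes rather than relying on hash equality alone.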

Cookie Alternative

In the past, trackers relied on cookies to identify users. However, users can block or delete cookies, making them unreliable. Device fingerprinting is an alternative to these lost cookies since users can’t disable it.

Device-Level Fingerprinting Pros and Cons

One of the main advantages of using device-level fingerprinting to track users is its reliability and consistency. We don’t have to worry about losing the user’s data when they exit their browser or clear their cookies since we store the data on our server.

However, users may be concerned about the lack of control over how websites use their data. They may take actions to actively block the fingerprinting, making it more challenging to identify each user.

How to Prevent Data Fingerprinting

Device fingerprinting is a powerful tracking technique and is difficult to block. Yet, there are some ways users can minimize their chances of being identified.

Using Popular Browsers

Since device fingerprinting relies on a system’s configurations for identification, using a browser that many people use reduces the chances of being identified. If someone is on a browser with fewer users, their device becomes easier to identify since there are fewer potential devices.

Keeping the browser up to date also decreases the chances of being identified. The browser’s latest features may aim to reduce online tracking.
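
Why a widely used configuration is harder to single out can be measured as the size of the crowd sharing it. This is an added example, not code or data from the article; the visitor population, counts and the `NicheBrowser` name are constructed.

```javascript
// Added illustration. The population below is constructed, not measured data.
const population = [
  { browser: "Chrome", os: "Windows", count: 4096 },
  { browser: "Firefox", os: "Windows", count: 2048 },
  { browser: "Safari", os: "macOS", count: 1024 },
  { browser: "Chrome", os: "macOS", count: 1016 },
  { browser: "NicheBrowser", os: "Linux", count: 8 },
];

// Number of observed visitors that share every listed attribute with `device`.
function anonymitySet(pop, device, attrs) {
  return pop
    .filter(row => attrs.every(a => row[a] === device[a]))
    .reduce((sum, row) => sum + row.count, 0);
}

// Surprisal in bits: how far the attribute combination narrows the crowd.
// Returns null when nobody in the population matches (configuration unseen).
function identifyingBits(pop, device, attrs) {
  const total = pop.reduce((sum, row) => sum + row.count, 0);
  const size = anonymitySet(pop, device, attrs);
  return size === 0 ? null : Math.log2(total / size);
}

function report(pop, device, attrs) {
  return {
    anonymitySet: anonymitySet(pop, device, attrs),
    bits: identifyingBits(pop, device, attrs),
  };
}

// Constructed devices: one common configuration, one rare one.
const commonDevice = { browser: "Chrome", os: "Windows" };
const rareDevice = { browser: "NicheBrowser", os: "Linux" };

console.log(report(population, commonDevice, ["browser", "os"])); // large crowd, few bits
console.log(report(population, rareDevice, ["browser", "os"]));   // small crowd, many bits
```

Each additional attribute a script collects can only shrink the anonymity set, so the same calculation over more attributes shows how quickly a device becomes unique.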

Using Incognito Mode

Incognito mode reduces the amount of data that users broadcast to the internet. Since the shared data is usually the same across several users, generating a unique device fingerprint becomes more challenging.

Using VPNs

A virtual private network (VPN) masks a user’s actual location by rerouting their internet traffic through a remote server in another area. This approach makes it seem like their traffic originates from a different IP address and physical location. The device fingerprint provider calculates the fingerprint using the fake address.

Users are harder to identify when using a popular VPN because many servers connect to the service.

Disabling JavaScript

Most device fingerprinting scripts run on JavaScript. So, disabling JavaScript prevents websites from collecting data from the device.

The downside of using this method is that most browsers rely on JavaScript to function correctly. Disabling JavaScript negatively affects the browsing experience, causing some users to avoid this approach.

Disable WebRTC if you are using Chrome, Firefox or Opera. Unfortunately, it has been revealed that it’s possible to get hold of the IP address of users running WebRTC even if they are connected to a VPN or proxy service.

Key Takeaways

Device fingerprinting is a technique to identify a device by gathering its data. Unlike cookies, the device fingerprint is stored on a server, making it difficult to delete or prevent the data collection process. So, tracking users is more consistent.

However, users can avoid being easily identified by device fingerprinting by using popular browsers, VPNs, and incognito mode. Users could also disable JavaScript, though it would disrupt their browsing experience.

Device-level fingerprinting helps detect security threats while minimizing false positives.
