The term fingerprinting is borrowed from forensics: the ridge patterns on a human finger are hard to alter and stay the same over a person's lifetime, which makes them reliable markers of identity. In much the same way, the computers and multimedia devices we use can be identified and tracked by the websites we visit on them.
Before we delve into how device fingerprinting works, let us revisit a few basics of how the web is put together. The internet would never have become a global phenomenon without standardisation: a website that rendered perfectly on one computer could have looked like a random mess of images and text on another. To avoid that, a standards body develops the specifications that keep content universal. That body is the World Wide Web Consortium (W3C), and the latest iteration of the markup language it recommends for structuring and presenting web content is HTML5. The HTML5 APIs are a set of routines, protocols and tools for building applications, in our case websites, and because they are exposed to the JavaScript of any page you visit, they also supply much of the raw material used for fingerprinting.
Many factors are exploited to fingerprint a user's device. Some are obvious, but many are things the average user does not realise can be used to identify and track their device. Here is a list of the major ones:
- IP address
- Time zone
- HTTP headers (User agent, referrer, etc.)
- HTML5 APIs (WebRTC, Battery API, etc.)
- HTML5 and CSS3 features detection
- CSS media queries
- Browser plug-ins (Flash, Silverlight, Java, etc.)
- Browser add-ons
- Browser options (Do-Not-Track etc.)
- Browser storage
- System fonts
- TLS/SSL Session IDs
- Hardware detection (Camera, Mic, Touch screen, etc.)
- Screen (resolution, color depth, pixel density, etc.)
- Audio and video codecs
- Accessibility features
Now that we have named the main culprits, let us look at how some of these factors are used to fingerprint our devices and what precautions we can take against it.
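To make the idea concrete, here is an added example (not code from the original article) of how a tracker turns a handful of the signals listed above into a single identifier: the signals are serialised in a fixed order and hashed, so the same device yields the same value on every visit while a change in any one signal produces a different one. In a browser, collectSignals() reads the real values from navigator and screen; anywhere else it falls back to a constructed sample so the code runs offline. The hash function, the sample values and the choice of signals are all assumptions for illustration.

```javascript
// Added example: build a simple device fingerprint from browser signals.
// Not from the original article; the sample values below are constructed.

// 32-bit FNV-1a hash, returned as 8 hex characters. Enough to show the idea;
// a real tracker would use SHA-256 or similar.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Stable serialisation: keys are sorted so two visits produce the same string.
function serializeSignals(signals) {
  return Object.keys(signals).sort()
    .map(k => `${k}=${Array.isArray(signals[k]) ? signals[k].join(',') : String(signals[k])}`)
    .join('|');
}

// The fingerprint is just the hash of the serialised signals.
function fingerprint(signals) {
  return fnv1a32(serializeSignals(signals));
}

// Constructed sample (not captured from a real device).
const SAMPLE_SIGNALS = {
  userAgent: 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0',
  language: 'en-US',
  timezoneOffset: -120,            // minutes from UTC, as Date reports it
  screen: '1920x1080x24',          // width x height x colour depth
  devicePixelRatio: 1,
  touchPoints: 0,
  doNotTrack: '1',                 // the DNT preference itself is a signal
  plugins: ['Shockwave Flash', 'Java Deployment Toolkit'],
};

// In a browser, read the live values; elsewhere return the constructed sample.
function collectSignals() {
  if (typeof navigator === 'undefined' || typeof screen === 'undefined') {
    return SAMPLE_SIGNALS;
  }
  return {
    userAgent: navigator.userAgent,
    language: navigator.language,
    timezoneOffset: new Date().getTimezoneOffset(),
    screen: `${screen.width}x${screen.height}x${screen.colorDepth}`,
    devicePixelRatio: window.devicePixelRatio,
    touchPoints: navigator.maxTouchPoints || 0,
    doNotTrack: navigator.doNotTrack,
    plugins: Array.from(navigator.plugins || [], p => p.name),
  };
}

console.log('fingerprint:', fingerprint(collectSignals()));
```

Note that none of these reads triggers a permission prompt, and that changing a single signal (the time zone, say) changes the whole hash, which is why trackers prefer many slowly changing signals over a few volatile ones.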
Battery Status API
According to published research, the Battery Status API lets a page read the device's current battery level, the time until it is fully charged and the time until it is fully discharged. Taken together these values form a quasi-identifier: the readings are precise enough that two devices rarely share them at the same moment, and they change slowly enough that a page can recognise the same device across page loads within a short window, potentially allowing its web activity to be tracked. No permission prompt is involved. Firefox removed the API from web content in version 52; Chrome still exposes it.
WebRTC
WebRTC stands for Web Real-Time Communications. The API was developed to support browser-to-browser voice calling, video chat and peer-to-peer file sharing without plug-ins. Because it is built around direct connections between peers, it has to discover the device's network addresses, and that is where the privacy problem lies: during ICE candidate gathering a page's JavaScript can learn the device's local (LAN) IP address and the public IP address seen by a STUN server, with no permission prompt and even when ordinary browser traffic is routed through a VPN. Recent browsers replace local addresses with mDNS names, but the public address is still exposed. The camera and microphone, by contrast, are only reachable after the user grants permission. To avoid WebRTC leaks, use the Privacy Settings extension in Firefox (or set media.peerconnection.enabled to false in about:config); on Chrome, install the WebRTC Leak Prevent add-on.
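The leak described above, as an added example that is not part of the original article: a page opens a peer connection purely to trigger ICE gathering, then reads the addresses out of the candidate strings. parseIceCandidate() and summarizeLeak() work on candidate lines and run offline against a constructed sample; gatherIceAddresses() is the browser-only part and returns an empty list where RTCPeerConnection does not exist. The STUN server URL is an assumption.

```javascript
// Added example (not from the article): what WebRTC ICE candidates reveal.
// Sample candidate lines are constructed, not captured traffic.

// Parse address and candidate type out of one candidate line
// (RFC 5245 / RFC 8445 syntax). Returns null for lines that are not candidates.
function parseIceCandidate(line) {
  // candidate:<foundation> <component> <transport> <priority> <ip> <port> typ <type> ...
  const m = /candidate:\S+ \d+ (udp|tcp) \d+ (\S+) \d+ typ (host|srflx|prflx|relay)/i.exec(line);
  if (!m) return null;
  const address = m[2];
  return {
    transport: m[1].toLowerCase(),
    address,
    type: m[3].toLowerCase(),
    // Modern browsers send an mDNS name (*.local) instead of the raw LAN
    // address for host candidates; those do not leak the local IP.
    obfuscated: address.endsWith('.local'),
  };
}

function isPrivateIPv4(ip) {
  const m = /^(\d+)\.(\d+)\.\d+\.\d+$/.exec(ip);
  if (!m) return false;
  const a = +m[1], b = +m[2];
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Classify what a set of candidates gives away: LAN addresses (host) and the
// public address the STUN server saw (srflx), which is the real egress IP
// even when ordinary HTTP traffic goes through a VPN.
function summarizeLeak(candidateLines) {
  const out = { lan: [], public: [], relay: [] };
  for (const line of candidateLines) {
    const c = parseIceCandidate(line);
    if (!c || c.obfuscated) continue;
    if (c.type === 'host' && isPrivateIPv4(c.address)) out.lan.push(c.address);
    else if (c.type === 'srflx') out.public.push(c.address);
    else if (c.type === 'relay') out.relay.push(c.address);
  }
  return out;
}

// Constructed sample candidates (not real traffic).
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host generation 0',
  'candidate:2 1 udp 2122260223 a1b2c3d4-0000-4000-8000-000000000000.local 51235 typ host generation 0',
  'candidate:3 1 udp 1686052607 203.0.113.7 51234 typ srflx raddr 192.168.1.23 rport 51234 generation 0',
  'a=ice-ufrag:abcd',
];

// Browser-only: open a throwaway data channel to force ICE gathering and
// collect the candidate strings. Resolves to [] outside a browser.
function gatherIceAddresses(stunUrl = 'stun:stun.example.com:3478') { // assumed STUN URL
  if (typeof RTCPeerConnection === 'undefined') return Promise.resolve([]);
  return new Promise(resolve => {
    const lines = [];
    const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
    pc.createDataChannel('probe');               // no media, no permission prompt
    pc.onicecandidate = e => {
      if (e.candidate) lines.push(e.candidate.candidate);
      else { pc.close(); resolve(lines); }       // null candidate = gathering done
    };
    pc.createOffer().then(o => pc.setLocalDescription(o));
  });
}

gatherIceAddresses().then(lines => {
  console.log(summarizeLeak(lines.length ? lines : SAMPLE_CANDIDATES));
});
```

With media.peerconnection.enabled set to false in Firefox, the RTCPeerConnection constructor throws and no candidates are ever gathered, which is the whole point of the mitigation.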
Resource Timing API
The Resource Timing interfaces are a set of APIs for retrieving and analysing the network timing of every resource a page loads (DNS lookup, connection set-up, TLS handshake, time to first byte, download), so that site operators can measure the latency their users experience. The same data hands a page a detailed, high-resolution profile of the device's network path for every resource on the page, and that profile differs from device to device and network to network.
If you use Firefox you can disable this API by installing Privacy Settings add-on and setting the values of
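As an added example (not from the article), the following breaks a Resource Timing entry into the phases a page can observe and flags entries that look like browser-cache hits. It runs offline on constructed entries; in a browser you would feed it the output of performance.getEntriesByType('resource'). The sample entries and the 10 ms cache threshold are assumptions.

```javascript
// Added example (not from the article): per-resource timing breakdown.
// Entry fields follow the Resource Timing spec; sample values are constructed.

function resourceTimingProfile(entry) {
  const dns = entry.domainLookupEnd - entry.domainLookupStart;
  const connect = entry.connectEnd - entry.connectStart;
  // secureConnectionStart is 0 when no TLS handshake happened.
  const tls = entry.secureConnectionStart > 0 ? entry.connectEnd - entry.secureConnectionStart : 0;
  const ttfb = entry.responseStart - entry.requestStart;
  const download = entry.responseEnd - entry.responseStart;
  const total = entry.responseEnd - entry.startTime;
  // Per the spec, transferSize is 0 when the resource came from the local
  // cache. Cross-origin resources without a Timing-Allow-Origin header also
  // report 0 and zeroed phases, so treat this as a hint, not proof.
  const fromCache = entry.transferSize === 0 && total < 10;
  return { name: entry.name, dns, connect, tls, ttfb, download, total, fromCache };
}

function profileAll(entries) {
  return entries.map(resourceTimingProfile);
}

// Constructed sample entries, all times in milliseconds (not real measurements).
const SAMPLE_ENTRIES = [
  { name: 'https://cdn.example.test/app.js', startTime: 100, domainLookupStart: 100,
    domainLookupEnd: 118, connectStart: 118, secureConnectionStart: 130, connectEnd: 165,
    requestStart: 165, responseStart: 240, responseEnd: 290, transferSize: 48211 },
  { name: 'https://cdn.example.test/logo.png', startTime: 300, domainLookupStart: 300,
    domainLookupEnd: 300, connectStart: 300, secureConnectionStart: 0, connectEnd: 300,
    requestStart: 300, responseStart: 302, responseEnd: 303, transferSize: 0 },
];

// In a browser, use the live entries; elsewhere, the constructed sample.
const entries = typeof performance !== 'undefined' && typeof performance.getEntriesByType === 'function'
  && performance.getEntriesByType('resource').length
  ? performance.getEntriesByType('resource')
  : SAMPLE_ENTRIES;
console.table(profileAll(entries));
```

The DNS and TLS figures in particular depend on the resolver, the network path and the device's crypto performance, which is what makes the profile useful to a tracker and why the add-on mentioned above turns the API off.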
Geolocation API
The Geolocation API can reveal your physical location and compromise your privacy. Modern browsers do, however, always ask for permission before revealing your location to a website or app that requests it.
On Firefox, to disable geolocation access permanently, install the Privacy Settings add-on; in its panel, look for the geo.enabled value and set it to false (disabled). The same preference can also be set directly in about:config. On Chrome, go to “Settings”, then “Show advanced settings”, find the “Privacy” block and click on “Content settings”; in that window look for “Location” and select the option “Do not allow any site to track your physical location”.