Fingerprinting is a user tracking technique used to uniquely identify and track end devices, and thus their users. It has been or is used on various devices, such as typewriters, quartz clocks in computers, digital cameras, mobile phones and PCs. The method does not require physical access to the device. The data generated by web browsers in particular is used for fingerprinting; this is known as browser fingerprinting. This method was used by 20% of the 10,000 websites with the highest reach in 2020.
Devices can be identified on the basis of different data, depending on the area of application of fingerprinting. In most cases, parameters are read out that the device sends over the Internet. The data collected differs from device to device, depending on the device's software and hardware components. Because of these discrepancies in the data, individual devices can often be clearly distinguished. This also makes it possible to track the person using the device.
According to the World Wide Web Consortium, browser fingerprinting is used to identify users, to establish a correlation between their search activities, even over several sessions, and to track users in a non-transparent and uncontrolled manner.
---
While cookies store an identifier on the device to be read out later, browser fingerprinting reads the software and hardware characteristics of devices in order to distinguish different devices from each other. The more parameters are recorded, the more clearly devices can be distinguished. The amount of actionable data is measured in bits of entropy.
In this way, browser fingerprinting creates a digital fingerprint of a device, which is stored in a hash or list. When the user visits a website again, the specific fingerprint of the device is read again and compared with the hash, so that the user can be recognized, since their fingerprint generally does not change. The more unusual a system’s software and hardware components are, the more unique the associated fingerprint is and the easier it is to track the user. The attributes that can be used for browser fingerprinting are extremely diverse and are subject to constant change because new attributes are added and old ones are omitted. In the following, some important techniques are presented as examples from which the data for fingerprinting is derived. Although the combination of many attributes yields a more accurate result, individual attributes are sometimes sufficient to identify users with a high degree of probability.
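The entropy measure described above can be computed for a population of observed devices to see how identifying each attribute is on its own and in combination. The following is an added example, not code from the original page; the device list and attribute names (`ua`, `screen`, `lang`) are constructed for illustration.

```javascript
// Constructed sample population of 8 devices (illustrative values, not real data).
const DEVICES = [
  { ua: "Chrome/Windows",  screen: "1920x1080", lang: "en-US" },
  { ua: "Chrome/Windows",  screen: "1920x1080", lang: "en-US" },
  { ua: "Chrome/Windows",  screen: "1366x768",  lang: "en-US" },
  { ua: "Chrome/Windows",  screen: "1366x768",  lang: "de-DE" },
  { ua: "Firefox/Windows", screen: "1920x1080", lang: "en-US" },
  { ua: "Firefox/Windows", screen: "1366x768",  lang: "de-DE" },
  { ua: "Safari/macOS",    screen: "1920x1080", lang: "en-US" },
  { ua: "Firefox/Linux",   screen: "1366x768",  lang: "de-DE" },
];

// Join the chosen attributes into one comparable fingerprint string.
const fingerprint = (device, attrs) => attrs.map(a => device[a]).join("|");

// Count how many devices share each fingerprint.
function countFingerprints(devices, attrs) {
  const counts = new Map();
  for (const d of devices) {
    const fp = fingerprint(d, attrs);
    counts.set(fp, (counts.get(fp) || 0) + 1);
  }
  return counts;
}

// Shannon entropy (bits) of the fingerprint distribution over the population.
function entropyBits(devices, attrs) {
  let h = 0;
  for (const n of countFingerprints(devices, attrs).values()) {
    const p = n / devices.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Anonymity set: number of devices that cannot be told apart from `device`.
function anonymitySet(devices, attrs, device) {
  return countFingerprints(devices, attrs).get(fingerprint(device, attrs)) || 0;
}

// Identifying information (bits) revealed by this one device's values.
function surprisalBits(devices, attrs, device) {
  return -Math.log2(anonymitySet(devices, attrs, device) / devices.length);
}

// Share of the population whose fingerprint is unique.
function uniqueShare(devices, attrs) {
  const counts = countFingerprints(devices, attrs);
  return devices.filter(d => counts.get(fingerprint(d, attrs)) === 1).length / devices.length;
}
```

In this sample the rare `Firefox/Linux` value alone already isolates its device, while the common `Chrome/Windows` devices only become distinguishable once further attributes are combined.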
JavaScript Attributes
HTTP header field
When responding to an HTTP request, information about the hardware, operating system, browser and its version, as well as the languages set, is included. All this data serves as a fingerprinting vector.
Window and screen properties
Here, properties such as the screen size, the size of the browser window, the color depth and the dpi (dots per inch) are recorded.
WebGL
WebGL is a graphics API that can be used to display interactive 3D graphics in browsers without the need for additional plugins. Because different systems and browsers render the graphics slightly differently, this data is suitable for fingerprinting. There are differences in the representation of light and shadow, the surface of an object and the camera perspective.
Canvas
Canvas fingerprinting takes advantage of the fact that the appearance of canvas elements varies depending on the operating system, browser version, graphics card and installed fonts. [15] In order to create a specific fingerprint for the site visitor at the time the page is accessed, a hidden text is passed to the browser for display. All that is needed is a few lines of JavaScript.
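Because the technique renders text and then reads the pixels back, that sequence can be observed from the defender's side. The following is an added example, not code from the original page: it wraps the canvas methods and reports a read-back only on canvases that had text drawn on them. The function names and the stand-in prototypes are assumptions made so the sketch runs outside a browser; in a page, `HTMLCanvasElement.prototype` and `CanvasRenderingContext2D.prototype` would be passed instead.

```javascript
// Report pixel read-backs that follow text rendering on the same canvas.
function watchCanvasReadback(canvasProto, ctxProto, report) {
  const textDrawn = new WeakSet();            // canvases that had text rendered
  for (const name of ["fillText", "strokeText"]) {
    const original = ctxProto[name];
    ctxProto[name] = function (...args) {
      textDrawn.add(this.canvas);             // a 2D context exposes its canvas
      return original.apply(this, args);
    };
  }
  const origToDataURL = canvasProto.toDataURL;
  canvasProto.toDataURL = function (...args) {
    if (textDrawn.has(this)) report({ api: "toDataURL", width: this.width });
    return origToDataURL.apply(this, args);   // behaviour for the page is unchanged
  };
  const origGetImageData = ctxProto.getImageData;
  ctxProto.getImageData = function (...args) {
    if (textDrawn.has(this.canvas)) report({ api: "getImageData", width: this.canvas.width });
    return origGetImageData.apply(this, args);
  };
}

// Constructed stand-ins for the browser prototypes (hypothetical, for offline runs).
function makeFakeCanvasApi() {
  const canvasProto = { toDataURL() { return "data:image/png;base64,"; } };
  const ctxProto = {
    fillText() {}, strokeText() {}, fillRect() {},
    getImageData() { return { data: [] }; },
  };
  const newCanvas = () => {
    const canvas = Object.create(canvasProto);
    const ctx = Object.create(ctxProto);
    canvas.width = 300;
    ctx.canvas = canvas;
    canvas.getContext = () => ctx;
    return canvas;
  };
  return { canvasProto, ctxProto, newCanvas };
}

// A chart that only draws shapes is not reported; text followed by read-back is.
function demo() {
  const api = makeFakeCanvasApi();
  const events = [];
  watchCanvasReadback(api.canvasProto, api.ctxProto, e => events.push(e));
  const chart = api.newCanvas();
  chart.getContext("2d").fillRect(0, 0, 10, 10);
  chart.toDataURL();
  const probe = api.newCanvas();
  probe.getContext("2d").fillText("sample text", 2, 2);
  probe.toDataURL();
  return events;
}
```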
Benchmarking
This involves requesting a series of tasks via JavaScript and then measuring the time it takes to complete them. This makes it possible to determine performance differences between computers, CPU and GPU. Interpreting the data is difficult because it is hard to determine whether these are actually two different devices, or whether a background process affected the performance during one of the measurements.
AudioContext
The Web Audio API provides an interface to process audio. Inaudible audio snippets are passed to the browser and manipulated, for example in compression or filtering. The results are then read out and used for fingerprinting.
CSS Fingerprinting
A list of installed fonts, the color system, the browser or browser family, and the screen size estimated via media queries can be determined. This type of fingerprinting does not require a JavaScript programming interface.
Browser add-ons
The number and type of add-ons installed can serve as a vector. The add-ons cannot be read directly, but various indications can be used to infer the presence of a certain program. For example, requests can be sent to existing and incorrect extensions, and then the time differences of the response can be measured. Furthermore, it can be detected when add-ons call very specific URLs to provide resources, such as a logo.