So, you’ve disabled cookies and are using a VPN to hide your location. You’ve also got an ad blocker and an anti-tracker. Clearly you’re safe, and nobody can track your browsing activity. Unfortunately, that is not completely accurate. There is one thing you are not being protected against: browser fingerprinting.
A browser fingerprint is complex to understand, so let's first think about human fingerprints. As you know, a print from the index finger is the best way to identify a person due to its uniqueness. In fact, it's so unique that there’s no need to have a complete print to identify a person. For example, forensics officers can identify who was at a crime scene from a partial fingerprint. Here’s a more familiar example: your mobile phone will probably unlock even with a sloppy, partial finger press. Why is that? Well, the lines on our index fingers are so distinctive that it's possible to combine some of them and still reduce other possibilities to a minimum.
The same thing happens with browser fingerprints. Even if you try your best to be completely private, websites still can correlate the information they obtain to pinpoint the user accessing it.
The same canvas image can be rendered differently depending on the browser and the operating system you use. Since browsers use different image processing engines, image export options, compression levels, and other parameters, it's easy to guess which browser you use, as well as its version. On the other hand, operating systems have different fonts and use unique algorithms and settings for rendering and anti-aliasing, which is enough information for the tracker to figure out which operating system you’re using. By combining the two, trackers can start to identify you and follow your browsing activity.
You may be thinking that millions of people use the same browser and operating system as you, and you’d be right. However, when we start to add settings like screen resolution, time zone, plugins installed, and language, the number of possible options begins to plummet and it becomes easier to zoom in on your browsing habits. When using privacy measures while browsing – such as a VPN – this information is not enough to know who you are or where you live, but it's enough for marketing companies to know which ads they should feed you.
How to Protect Against Fingerprinting
Protecting yourself from browser fingerprinting is harder than protecting yourself from third-party trackers. However, some browsers have taken a step forward and now come with built-in anti-fingerprinting.
One of those browsers is Brave – a service that cares about your privacy and wants to change the ways of online advertising. By default, Brave enables fingerprinting protection for all third-party content, but it's possible to prevent any website from getting information by choosing to block device recognition attempts under the settings.
Tor is another browser that puts users' privacy above all else. In Tor's case, the browser is configured by default to have the same fingerprint as every other Tor browser. In other words, it doesn’t block the scripts, but trackers get the same information for everyone using Tor.
Firefox has also addressed this issue, releasing a beta of its fingerprinting protection in April 2019. Firefox decided to compile a list of domains that serve fingerprinting scripts and added the option to block these as part of its Content Blocking protection suite.
For macOS users, Safari has also come forward and implemented a function on the browser that confuses the information by sharing only a simplified system profile.
If you still don't feel secure while using any of these browsers and prefer a robust external solution, there are extensions that can be used, such as Canvas Defender and WebCL Fingerprint Defender, among others.