Your web browsing habits may be less private than you think

For years, companies followed people around the web with cookies — bits of data passed between a web server and your browser that let them know when you return to a site. But today, cookies are easily blocked, erased, or disabled by most modern web browsers. As a result, an indirect, even craftier form of online tracking known as browser fingerprinting has started to take their place.

The concept is simple. Just as the ridges on a fingerprint are unique to an individual, so are the nuggets of information stored in your web browser. To make the web easier to navigate, your browser knows what device you’re using, its settings, and hundreds of other details. Analyzed together, these scraps of data can reveal your identity to third parties, allowing them to build a profile and track your movements from site to site.

All it takes is a bit of JavaScript inserted into a webpage, often without anyone knowing. Each time the website makes an API call on your browser, it collects morsels of information that can be combined to "fingerprint” your device. Browsers like Brave, Firefox, Safari, and Tor, among others, have devised ways to block or disguise the browser’s identity by returning false values (a technique known as spoofing). But tracking methods evolve, and sometimes it’s security researchers themselves who uncover new threats.

This month at the IEEE Symposium on Security and Privacy, IBM researchers outlined a new fingerprinting technique that uses style features — things like the fonts stored on your browser — to infer a user’s identity. The work was led by a former IBM intern, Xu Lin, as a PhD student at the University of Illinois, Chicago, in collaboration with IBM researchers Fred Araujo, Teryl Taylor, and Jiyong Jang, as well as Illinois’s Jason Polakis.

Cookie-based tracking has been its way out with the tightening of privacy regulations, and browser companies making it easier to opt out. Browser fingerprinting has quickly stepped in to fill the void. Less than 1% of the 10,000 most visited websites in 2013 used browser fingerprinting, according to a study co-authored by Mozilla. By 2021, a quarter of sites did.

Inferring someone’s identity through their browser may sound less invasive than directly tracking them with cookies. But fingerprinting can be just as effective at identifying individuals, even if they’re using more privacy-focused browsers. (You can check how identifiable you are on the internet at AmIUnique.org, a website created by security researchers).

“Our work shows that more robust detection systems and countermeasures are needed,” said Lin, who starts at Washington State University this fall as an assistant professor.

To be sure, fingerprinting has applications beyond sending targeted ads. Banks use it for fraud detection, to determine if an account is being accessed by an unfamiliar device. Two-factor authenticators use it to flag users that may be impersonating someone else to get past security. One application for the current work, in fact, is to provide another tool for validating someone’s identity.

To test its effectiveness, the researchers enlisted their colleagues at IBM Research in a pilot study through an internal IBM website. With the help of research applications manager Michael Sava, they enabled stylistic fingerprinting on the portal’s web pages and found that their technique was as good at identifying unique devices as the standard JavaScript fingerprinting technique. They were surprised to find that their technique was best at cracking privacy-focused browsers and that it performed well in an enterprise setting with many similar devices.

There are two main ways to defend against this new form of fingerprinting. You can install an extension like Auto iFrames Remover to the web browser, or you can also input fake values for key features of your computer setup, like screen resolution and zoom factor. Both strategies can interfere with how web pages render in your browser, but one workaround is to spoof features less critical to rendering.

“This won't completely fix the problem — but it could help,” said Taylor.

The researchers chose not to make their code public, lest the technique fall into the wrong hands. But they did notify the major browser companies of the vulnerability. Two companies requested access to their code, and one, Brave, wrote Lin a bug-bounty check and reportedly updated their browser.