Creepy cookies that track all your online activity are (slowly) being eradicated. In recent years major web browsers, including Safari and Firefox, have restricted the practice. Even Chrome has realized that cookies present a privacy nightmare. But stopping them ends only one kind of online tracking—others are arguably worse.
Fingerprinting, which involves gathering detailed information about your browser’s or your phone’s settings, falls into this category. The tracking method is largely hidden, there’s not much you can do to stop it, and regulators have done little to limit how companies use it to follow you around the internet.
What Is Fingerprinting?
The exact configuration of lines and swirls that make up your fingerprints are thought to be unique to you. Similarly, your browser fingerprint is a set of information that’s collected from your phone or laptop each time you use it that advertisers can eventually link back to you.
“It takes information about your browser, your network, your device and combines it together to create a set of characteristics that is mostly unique to you,” says Tanvi Vyas, a principal engineer at Firefox. The data that makes up your fingerprint can include the language you use, keyboard layout, your timezone, whether you have cookies turned on, the version of the operating system your device runs, and much more.
By combining all this information into a fingerprint, it’s possible for advertisers to recognize you as you move from one website to the next. Multiple studies looking at fingerprinting have found that around 80 to 90 percent of browser fingerprints are unique. Fingerprinting is often done by advertising technology companies that insert their code onto websites. Fingerprinting code—which comes in the form of a variety of scripts, such as the FingerprintJS library—is deployed by dozens of ad tech firms to collect data about your online activity. Sometimes websites that have fingerprinting scripts on them don’t even know about it. And the companies are often opaque and unclear in the ways they track you.
Once established, someone’s fingerprint can potentially be combined with other personal information—such as linking it with existing profiles or information murky data brokers hold about you. “There are so many data sets available today, and there are so many other means to connect your fingerprint with other identifying information,” says Nataliia Bielova, a research scientist at France’s National Institute for Research in Digital Science and Technology, who is currently working at the French data regulator, CNIL.
Fingerprinting evolved alongside the development of web browsers and is intertwined with the web’s history. As browsers have matured they have communicated more with servers—through APIs and HTTP headers—about people’s device settings, says Bielova, who has studied the development of fingerprinting. The Electronic Frontier Foundation (EFF) first identified fingerprinting back in 2010. Since then fingerprinting has become increasingly common as advertisers have tried to get around cookie blocks and limits put on ad tracking by Google and Apple.
So How Bad Is It?
While there’s little transparency around the companies that run fingerprinting scripts, the practice is verifiably widespread across the web. Many of the websites you visit will fingerprint your device; research from 2020 found a quarter of the world’s top 10,000 websites running fingerprinting scripts.
New ways of fingerprinting are being created too. “The existing fingerprinting algorithms are not the upper boundary in terms of trackability,” says Gaston Pugliese, a research fellow at Friedrich-Alexander-Universität in Germany, who has studied the long-term impact of fingerprinting. For instance, earlier this year researchers proved they could create fingerprints of GPUs to identify people. Tracking people across different browsers is also possible.
But not all fingerprinting is bad. David Emm, a principal security researcher at Kaspersky, says the technique can often be used as a way to spot potential fraud, such as banks using it to identify suspicious behavior.