askvity

How does FingerprintJS work?

Published in Web Tracking

FingerprintJS works by collecting various attributes from a user's web browser and computing a hash from this information to create a unique identifier, or "fingerprint," that can be used to track a user even after cookies are cleared or while they are using incognito mode.

Here's a breakdown of the process:

Information Gathering

FingerprintJS gathers a wide range of data points from the user's browser environment. These data points include:

  • Browser characteristics: User agent string, browser name and version, supported MIME types, and installed plugins.
  • Operating system: OS information derived from the user agent.
  • Hardware: CPU class, screen resolution, available fonts, and device memory.
  • Browser settings: Language, time zone, whether Do Not Track is enabled.
  • Canvas fingerprinting: This technique leverages slight differences in how different browsers render images using the HTML5 canvas element. A script draws a hidden image, and the unique characteristics of the rendered image are extracted and used as part of the fingerprint. This is often considered one of the most reliable identifiers.
  • WebGL fingerprinting: Similar to canvas fingerprinting, WebGL fingerprinting exploits differences in how WebGL (a JavaScript API for rendering 2D and 3D graphics) is implemented in various browsers and graphics drivers.
  • Audio fingerprinting: Exploits subtle variations in audio processing capabilities across different devices and browsers.

Hashing

Once all the relevant data is collected, FingerprintJS combines these data points into a single string. This string is then passed through a hashing algorithm (often MurmurHash3 or similar) to generate a fixed-length hash value that serves as the identifier.

  • Hash Function: A hash function takes an arbitrary amount of data and produces a fixed-size output. The same input always produces the same output. Good hash functions are designed to minimize collisions (where different inputs produce the same output).

Creating the Fingerprint

The resulting hash value becomes the user's fingerprint. This fingerprint is then used to identify the user on subsequent visits to the website, even if they clear their cookies or use private browsing.

Why FingerprintJS is Persistent

Unlike cookies or local storage, which can be easily deleted by the user, FingerprintJS relies on characteristics of the browser and hardware that are less likely to change frequently. This makes it a more persistent tracking method.

Implications

  • Privacy Concerns: FingerprintJS raises privacy concerns because it allows websites to track users without their explicit consent, and even when they try to avoid tracking.
  • Circumvention Difficulty: Fingerprinting is harder to avoid compared to cookie-based tracking, because it relies on intrinsic characteristics of the browser and device.
  • Accuracy: While fingerprinting is generally accurate, it's not foolproof. Users with very similar browser configurations may generate the same fingerprint, leading to false positives. Conversely, small changes in the browser environment can cause a fingerprint to change.
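The hashing step and the accuracy caveat above can be seen together in this added example, which is not FingerprintJS's own code. It assumes the 32-bit MurmurHash3 variant, a hypothetical `fingerprint()` helper, and constructed attribute values in place of real browser APIs.

```javascript
// Added example. The attribute sets are constructed, not read from a real browser.
// MurmurHash3 (x86, 32-bit variant) over the UTF-8 bytes of a string.
function murmur3_32(str, seed = 0) {
  const d = new TextEncoder().encode(str);
  const mix = (k) => {
    k = Math.imul(k, 0xcc9e2d51);
    k = (k << 15) | (k >>> 17);
    return Math.imul(k, 0x1b873593);
  };
  let h = seed | 0;
  const tail = d.length & ~3; // index where the last partial block starts
  for (let i = 0; i < tail; i += 4) {
    h ^= mix(d[i] | (d[i + 1] << 8) | (d[i + 2] << 16) | (d[i + 3] << 24));
    h = (h << 13) | (h >>> 19);
    h = (Math.imul(h, 5) + 0xe6546b64) | 0;
  }
  let k = 0;
  for (let i = d.length - 1; i >= tail; i--) k = (k << 8) | d[i];
  if (d.length & 3) h ^= mix(k);
  h ^= d.length;
  h ^= h >>> 16; h = Math.imul(h, 0x85ebca6b);
  h ^= h >>> 13; h = Math.imul(h, 0xc2b2ae35);
  h ^= h >>> 16;
  return h >>> 0;
}

// Hypothetical helper: serialize attributes in sorted key order so collection
// order cannot change the result, then hash the single combined string.
function fingerprint(attrs) {
  const combined = Object.keys(attrs).sort()
    .map((key) => `${key}=${JSON.stringify(attrs[key])}`).join("|");
  return murmur3_32(combined).toString(16).padStart(8, "0");
}

const visitor = {
  userAgent: "ExampleBrowser/1.0 (ExampleOS 10)", language: "en-US",
  timeZone: "Europe/Berlin", screen: [1920, 1080], deviceMemory: 8,
  fonts: ["Arial", "Courier New", "Verdana"], doNotTrack: false,
};
// Same attribute values seen again (cookies cleared, or a second user with an
// identical configuration): the values match, only the key order differs.
const returning = { doNotTrack: false, fonts: visitor.fonts, deviceMemory: 8,
  screen: [1920, 1080], timeZone: "Europe/Berlin", language: "en-US",
  userAgent: visitor.userAgent };
// Same device after a single setting changes.
const changed = { ...visitor, timeZone: "America/New_York" };

console.log(fingerprint(visitor), fingerprint(returning), fingerprint(changed));
```

The first two values printed are identical and the third differs, which is why identical configurations are indistinguishable and why one changed attribute breaks the link to earlier visits.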

Mitigation

Users can attempt to mitigate fingerprinting by:

  • Using privacy-focused browsers: Browsers like Brave or Tor are designed to resist fingerprinting.
  • Installing browser extensions: Extensions like Privacy Badger or NoScript can block fingerprinting scripts.
  • Disabling JavaScript: While not practical for most websites, disabling JavaScript will prevent fingerprinting scripts from running.
  • Randomizing browser settings: Some tools and techniques aim to introduce subtle variations in browser configurations to make fingerprinting less accurate.

In summary, FingerprintJS applies a powerful technique that combines browser attributes and hashing to create a persistent identifier for users, raising both technological and ethical considerations regarding online tracking and privacy.
