This is Your Digital Fingerprint

Mozilla invited Chicago-based teacher and activist Nick Briz to explain how people are tracked, surveilled and monetized on the web. In the fall, Nick will be leading a speaker series in Chicago on how date rules everything around us  (the D.R.E.A.M series).

This piece was originally published in The Disconnect.

Today, anonymity is no longer the default of the web. While still free, the internet that was once predicated on privacy is now dominated by the information economy. For the sake of capital, tech firms and advertisers track, identify, and monetize our every move across the digital landscape, touting this exploitation as a method for a more personalized and convenient digital experience.

Even so, there is an overwhelming understanding of the importance of privacy. In 2015, at least 90% of Americans reported that privacy is “very important” to them, according to a survey by the Pew Research Center. For this reason, savvy internet users install ad-blockers to ward off malicious cookies, while savvier users will use VPN software to mask their true IP addresses. Even casual internet users clear their cookie cache now and again or use private browsing functions.

However, even as awareness grows, many users regard online surveillance as the nature of the modern web, complacently agreeing to the terms and conditions and accepting constant monitoring as a necessary trade-off for a taste of convenience and personalization. This view is a risk to the fundamental values of liberty that define privacy as a right.

This brings us to your digital fingerprint, which is made up of tiny bits of your personal data. This  distinct, data-driven identifier is currently in the possession of countless corporate entities. The artwork above is a visual representation of your unique fingerprint, and it uses the same data as those corporations. (Curious how we did this? See the addendum.) It was created to serve as a reminder that we’re never truly anonymous online and, just as you have a right to privacy, you have a right to know when and how that privacy is being violated.

Understanding how specific tracking methods work should not be the exclusive domain of those who seek to capitalize on your web activity. In this case, we will be shedding light on a widely used yet rarely discussed tracking technique: browser fingerprinting.

What is Browser Fingerprinting?

Initially developed for security purposes, browser fingerprinting (also known as device fingerprinting) is a tracking technique capable of identifying individual users based on their browser and device settings. In order for websites to display correctly, your browser makes certain information available about your device, including your screen resolution, operating system, location, and language settings. These details essentially make up the ridges of your digital fingerprint.

Much like detectives piecing together clues from a crime scene, trackers can assemble this data into a recognizable “fingerprint” and then use this identifier to trace your activity across the web. It might seem impractical to derive a unique fingerprint from a pool of innocuous settings and data, but considering the number of browsers and configurations available to a given user, there are a lot of possible combinations. In fact, the fingerprint of the laptop we wrote this piece on was completely unique among the 1.7 million fingerprints collected by Electronic Frontier Foundation’s Panopticlick tool.

In addition, once it has been assembled, your digital fingerprint is persistently accurate. With recent developments in cross-browser fingerprinting, this technique is capable of successfully identifying users 99% of the time. That means even if you were to employ multiple recommended privacy precautions (masking your IP address through a VPN and deleting or blocking cookies) trackers can still use your digital fingerprint to re-identify and re-cookie your device when you visit a website.

Do I need a VPN?
A VPN can protect your identity. Find the right one for you in this Internet Citizen blog.

Why is It Used and Who Uses It?

Increased public concern for internet privacy has made precautionary methods more accessible and easier for users to implement, making traditional cookie-based tracking relatively untenable. This decline in cookie efficacy has led trackers to seek out more advanced ways of monitoring their users. Many of the companies that pioneered browser fingerprinting saw this as a commercial opportunity and quickly expanded their services into the world of online tracking.

Browser fingerprinting is just one of many other tracking techniques used by companies known as “data brokers.” These third-party companies use your digital fingerprint to discreetly trace your activity across the web, collecting little bits of data about you along the way.

While trackers won’t necessarily match your activity with a face or a name, the data they derive from websites you visit, social platforms you use, searches you perform, and content you consume, can be considered personally identifiable. With this data, brokers build a general profile of who you are (age range, location, language, interests, etc.) and sell this insight to advertisers and marketers who use it to relentlessly serve you personalized ads and content recommendations across the web.

While they are overwhelmingly used to violate user privacy, fingerprinting and other online tracking techniques are not all bad. For one, browser fingerprinting technologies are still used for the security and authentication purposes they were initially developed for: to prevent software piracy, identity theft, and credit card fraud among other security risks. For example, software security firms such as Sift Science offer enterprise solutions that employ fingerprinting technologies to help websites track, identify, and block “the bad guys.”

On a larger scale, these tracking techniques, and the intrusive ads they facilitate, make the modern internet possible. The large players that arguably shape the course of the web sustain their businesses on the profits made through targeted online advertising. In 2017, both Alphabet (Google’s parent company) and Facebook made an overwhelming majority of their total profits through digital advertising—88% and 97%, respectively. Online advertising also plays a crucial role in supporting free journalism and keeping media outlets afloat. Without ads, we’d have very limited options for staying informed.

Privacy is clearly a difficult challenge to tackle in an increasingly digitized world. On one hand, companies consistently violate our privacy and exploit our data, while on the other, they make the web as we know it a sustainable hub for information and social connection. Some accept this condition as the nature of the web—just something that we have to deal with to ensure two-day shipping. However, you shouldn’t have to decide between privacy or convenience every time you open your laptop or pick up your phone. We should have equal access to privacy and convenience. Is it possible for us users to have our cake and eat it too?

Mozilla podcast, IRL, discussed helpful ways to breakout of social media bubbles. Platforms use our digital fingerprint to serve us content that sometimes cuts off from others who don’t share our point of view.  

What Can We Do?

The most obvious approach to this dilemma is to protect yourself by any means necessary. That entails employing all the appropriate measures to ensure your privacy. However, due to its nature, browser fingerprinting is not easy to circumvent. While it’s technically possible to thwart this technique by exclusively using the privacy-focused Tor Browser or by blocking all JavaScript with a browser add-on like NoScript, to say these options are impractical is an understatement. (NoScript renders most websites you visit, including The Disconnect, virtually unusable.) It’s also worth noting that some measures, while intended to improve your privacy, can actually make a browser more distinct and therefore easier to fingerprint and identify.

A simpler (and arguably more effective) approach to this dilemma is education. As stated earlier, it is important to understand how your privacy is being violated—not to make you feel scared or apathetic, but to make you aware, which is our exact purpose for writing this piece. Improving our current digital circumstances starts with education. A true calibrated response to our current fingerprinting situation should include advocacy and innovation, but for either to be effective, a bit of digital literacy is a prerequisite.

Education reinforces consumer advocacy. Though policy has been relatively slow to react to our privacy concerns, consumers saw a major win earlier this year with the General Data Protection Regulation (GDPR), which is a new set of European Union rules aimed at giving users more control over their personal data online (and the reason for all those “privacy update” emails that flooded your inbox). It has only recently gone into effect, so we’ve yet to see how this might affect browser fingerprinting; however, the GDPR is a testament to the positive results that can come from consumer advocacy.

In addition, spreading knowledge of how our privacy is currently handled creates a larger demand for privacy-focused developers and entrepreneurs. Armed with an understanding of our current circumstances, these individuals will be able to effectively question the ways in which the internet works for us and against us, allowing them to develop new, creative, and practical ideas that protect the future of online privacy as well as allow companies to prosper and profit on the web. In an industry defined by innovation, we can’t be completely out of ideas, right?

In order to truly reform online tracking practices, we must understand the issue in its entirety. This means that, in addition to understanding the conditions and technologies we’re up against, we must also understand the importance and value of privacy.

Firefox keeps your data safe. Never sold.

Download Firefox

Why is Privacy Important?

Privacy is often seen merely as a safeguard against prying eyes and exploitative corporate entities. However, to summarize the ideas of Georgetown University law professor Julie E. Cohen, privacy is more than an instrument to advance liberty or check control. It is a buffer for self-development free from the influence of society and culture. It enables all the factors we need to develop distinct identities: autonomy, free thought, creativity, experimentation, and exploration. And through this same buffer, we are afforded the resources to discover the type of society we want to be a part of and the steps we need to take to get there. These are decisions we need to make while we still have the agency to do so.

By regarding the internet as unregulable, we are giving companies the green-light to continue building technologies (like browser fingerprinting) that have the potential to manipulate the way in which people think and behave, setting society on a path mirroring a dystopian sci-fi. Surveillance creates an environment that breeds conformity, obedience, and submission; the very ingredients that define the totalitarian societies feared by the likes of Orwell, Bradbury, and Huxley. And as things stand now, it feels as if we are moving in this direction.

Because data is the lifeblood for developing the systems of the future, companies are continuously working to ensure they can harvest data from every aspect of our lives. As you read this, companies are actively developing new code and technologies that seek to exploit our data at the physical level. Good examples of this include the quantified self movement (or “lifelogging”) and the Internet of Things. These initiatives expand data collection beyond our web activity and into our physical lives by creating a network of connected appliances and devices, which, if current circumstances persist, probably have their own trackable fingerprints. From these initiatives, Ben Tarnoff of Logic Magazine concludes that “because any moment may be valuable, every moment must be made into data. This is the logical conclusion of our current trajectory: the total enclosure of reality by capital.” More data, more profit, more exploitation, less privacy.

In a recent interview with O’Reily Media, author and digital rights activist Cory Doctorow paraphrases Harvard Law School professor Lawrence Lessig’s four modalities of regulation: “…the world is influenced by four forces: 1) code, what’s technologically possible, 2) law, what’s legally available, 3) norms, what’s socially acceptable, and 4) markets, what’s profitable.” Together, these forces are what regulate the internet. Lessig’s modalities suggest that if privacy is not a priority and there are no incentives for it, then the technologies built under these circumstances will not provide it. By this reasoning, the key to preventing device fingerprinting and similar privacy-killers from developing any further boils down to normative intervention. Norms dictate what is profitable; therefore,we get to choose how these forces should regulate. The choice is not whether the web should be regulated or not, rather it is whether we, the users, should be present in choosing the code that will ultimately choose our values as a society.

While markets may drive the development of device fingerprinting techniques, we need to look to what Lessig describes as “technologically possible” in order to truly regain agency in this space. Through proper education, relentless advocacy, and creative innovation, we can evolve social norms to prioritize online privacy. And even though we may have already seen new regulations drafted to reflect this shift in social norms, there is still quite a bit of work to be done. In the cat and mouse game for online privacy, device fingerprinting currently gives trackers the advantage. If that makes you feel powerless, it shouldn’t. Remember that control over our data and agency online is a never-ending negotiation. Digital rights, like all human rights, must continually be defended

(For more information on the various data points used in creating your unique device fingerprint, see the addendum.)

Addendum: How We Get Your Fingerprint

The strings of text that make up the ridges of the algorithmically-generated fingerprint in the piece above are unique to you and are made up of the same data points used by commercial device fingerprinting. Typically, this array of attributes is compressed into a shorter ID number using a cryptographic “hash” function. It’s worth noting at this point that The Disconnect is not tracking its readers’ fingerprints and thus isn’t hashing these attributes to send that unique ID back to The Disconnect’s server. Instead, the code used to render the piece is only ever executed locally and never leaves your device.

So what are these attributes and how do websites get access to them? JavaScript, the de facto programming language of the internet, is regularly used to convert simple websites into interactive applications like Google Maps. In order for these web applications to work properly, the web developer often uses JavaScript to detect information about your particular device. If you are on a desktop or laptop browser, you can actually do this yourself using your browser’s JavaScript Console:

  • Firefox: Control+Shift+K (or Command+Shift+K on Mac)
  • Chrome: Control+Shift+J (or Command+Shift+J on Mac).
  • Safari: Command+Option+C
  • Edge: F12

Once open, type navigator.userAgent and hit enter. You should see your device’s “user-agent” print to that console. The “user-agent” is used to identify what browser and platform you are using.

The “user-agent” is the first bit of data you’ll see on the cover. This is followed by other information specific to your browser like the current language it’s set to (navigator.language), whether or not you have “do-no-track” set (navigator.doNotTrack) and a list of any plugins (navigator.plugins) you may have installed. This is followed by information about your device including your screen’s resolution (screen.width and screen.height) and color-depth (screen.colorDepth), what time zone your clock is set to (Intl.DateTimeFormat().resolvedOptions().timeZone) the platform underlining your operating system (navigator.platform), how many CPU-cores your computer has (navigator.hardwareConcurrency), what GPU (or graphics processor) vendor and renderer is and whether or not you’re on a touch device. After this you’ll see a list of storage types and whether or not your browser supports them. Printing the GPU and touch information to the console requires a bit more code than the previous attributes, but you can view a fully annotated version of the source code behind the cover art here if you’re curious to learn more.

The last two data points you’ll see animating on the cover are the “font-list” and a “canvas-hash.” The former is the list of fonts you have installed on your computer. Browsers need access to your fonts in order to render the texts on your screen, but because users often add to the list of fonts that come default on their devices, this can become a particularly effective way to identify you online. The “canvas-hash” is perhaps the most unique characteristic. The HTML5 canvas is used by developers to draw 2D and 3D graphics in the browser using JavaScript. Though the same canvas code executed on different devices will render images that appear the same to our eyes, because of a list of differences among devices, the images will not be 100% identical at the pixel level. For this reason, when the pixel data of a rendered canvas image is sent through a cryptographic “hash” function, the resulting ID will be unique to that device and thus ideal for fingerprinting.


Want More?

If you’re interested in learning more about the attention economy, check out Mozilla’s original podcast IRL: Online Life is Real Life. In IRL’s Paid Attention episode, explore all the ways your attention has become monetized on social media.

Tune In: IRL

Share on Twitter