The technique most commonly known for tracking users online is “cookies.” Almost all websites ask users to agree to accept cookies. But there’s another tracking method out there — browser fingerprinting. But what is browser fingerprinting?

If you’ve heard of fingerprinting, you know a bit about what’s happening in the background as you browse online.

If you haven’t heard of browser fingerprinting, you’re not alone. I’m going to explain what browser fingerprinting is and how it has and will affect the Internet and paid advertising.

Why and How Users Are Tracked Online

Website owners benefit from tracking and identifying online users — both as part of a group and as individuals. Knowing a user’s behavior informs website owners, developers, and marketers about how a website is used, the paths visitors take to engage with the site and make purchases or complete other events, and more.

Tracking on a website owner’s site is done with first-party cookies. Tracking can also be done by engaging an external service. Services typically track users with third-party cookies.

A third-party cookie is simply a string of text placed on a user’s computer. It’s a unique ID based on the user’s web browser and is placed by a website domain different from the website that the user is on. Third-party cookies are either restricted or are being eliminated due to privacy concerns.

Browser fingerprinting is another way to track users online.

Browser Fingerprinting – Just What Is It?

Browser fingerprinting isn’t new. It’s existed for 10 years. It uses scripts to collect information about a user’s device — from the hardware to the operating system to the browser and its configuration.

The scripts used by browser fingerprinting were originally used so a website would know how to display the site to the user. The script told the site what browser, OS, resolution, etc. was being used, so the site could be shown to the visitor as the developer intended.

It didn’t take long for someone to realize that there’s added value and uses for the information that’s exchanged.

Some of the information collected by browser fingerprinting comes from HTTP headers, including the browser user agent, and content language. Other information, such as screen resolution, canvas, time zone, fonts, and browser plugins, is collected using JavaScript, which is a programming language used by every modern web browser.

There are actually different fingerprinting techniques — some are used alone, others in combination. Some force the browser to draw an image in order to capture information. Others gather information about a device’s media or audio output.

a screen capture of the HTTP header attributes of a simple browser fingerprint

The HTTP header attributes of a simple browser fingerprint.

The data collected by the browser scripts is saved in a database when a website loads. A single piece of the information isn’t worth much. But multiple pieces of information create a unique browser fingerprint that could potentially identify a single user. The site doesn’t know the user’s name but knows enough to recognize an individual user or some users’ group.

Am I Unique shows users their browser fingerprints.

An Evolving Technique

Browser fingerprinting is constantly evolving with new techniques coming into use. In early 2021, scientists from the University of Illinois at Chicago described a modern variation of fingerprinting that uses favicons storage and caching.

How Is Browser Fingerprinting Used?

Website owners can access the information collected by their own scripts on their own sites or from a third-party provider. Owners can use the information for advertising and other purposes much like they use cookies.

Is Browser Fingerprinting a Bad Thing?

Online fingerprinting, like third-party cookies, is a concern for online privacy. Browser fingerprints include detailed information about a user’s habits and can track users’ behavior and information for months — even if the user clears cache.

As more companies are banning third-party cookies, fingerprinting is becoming more popular. Data brokers increasingly use fingerprinting to gather information to sell to advertisers, marketers, and others.

Fingerprinting can benefit users. For example, banks and sites that need high security, such as health insurance portals, use fingerprinting to detect fraud. When someone is trying to log in to our bank account from a device, web browser, or time zone, different from the user’s typical ones, the bank can block the login and alert the user.

Used ethically, a fingerprint can also be used to make a user’s interaction with a website better and more personalized.

Can Users Avoid Being Fingerprinted?

A 2020 study by the University of Iowa, Mozilla, and the University of California, Davis, found that 10% of the top 100,000 websites and more than 25% of the top 10,000 websites use fingerprinting.

Can You avoid being fingerprinted? Yes and no.

Unlike cookies, clearing cache or using incognito mode doesn’t prevent fingerprinting or eliminate an existing fingerprint. Ad blockers don’t prevent fingerprinting either.

Because fingerprinting happens in the background, the user can’t modify the data sent to the fingerprinting website. Actually, the user can, but this requires technical knowledge and can also leave a unique trail of information that can be used to identify the user.

There are anti-fingerprinting plug-ins and other ways to try and prevent or modify fingerprints. Some companies do support anti-fingerprinting practices. Mozilla Firefox already blocks fingerprinting as well as third-party cookies. Safari blocks fingerprinting by default. Chrome stated it will work to restrict fingerprinting in 2019, but has been quiet since. A few third-party anti-fingerprint extensions are available for Chrome users.

To prevent fingerprinting, users can use third-party extensions and/or make device modifications. Still, not having any scripts running or using blocking apps leaves a trail of collectible information, especially with newer fingerprinting methods or even behavioral biometrics, that can distinguish a user by monitoring how the keyboard is used.

So yes, users can take measures or choose certain browsers to try and prevent fingerprinting. But there’s no guarantee fingerprinting won’t still take place.

What Does Fingerprinting Mean for Paid Advertising?

The paid advertising industry could use browser fingerprints for all the same purposes as it uses third-party cookies. Whether advertisers are doing so or not today is unknown.

Some believe though, that as third-party cookies disappear, the use of fingerprinting or a newer variation will become more common for paid advertisers.

In my opinion, the upcoming years will be very interesting for the paid advertising industry. Companies, unable to adapt to a world without cookies may not survive. But the widespread distaste for invasive tracking, including from Google, may curtail significant adoption for fingerprinting or even lead to regulations.

It remains to be seen whether Google’s federated learning of cohorts (FLoC) or other future solutions from its Privacy Sandbox will suffice for the industry’s needs. So how much more common browser fingerprinting becomes or if it falls further out of favor is yet to be determined.