Imagery Majestic - Fotolia

Get started Bring yourself up to speed with our introductory content.

Browser and device fingerprinting: Undeletable cookies of the future?

Browser and device fingerprinting create cookies that users cannot prevent nor delete. Expert Michael Cobb explains how to address the threat.

I read that browser or device fingerprinting are the "undeletable" cookies of the future. How do these fingerprinting methods work, and what kind of risks do they present to enterprises?

The use of cookies to track and profile people's browsing habits has always been contentious due to concerns over privacy, but users have always been able to block or delete traditional HTTP cookies -- small text files primarily used to provide state information for Web servers, though advertisers use them to deliver targeted ads based on a user's previous online activity. For companies trying to profile and target relevant ads to people as they browse the Internet, relying on something that users can block or delete is a problem -- and one which they are always trying to solve. Mobile carriers such as Verizon Wireless have experimented with undeletable, persistent cookies that are added as traffic passes through their networks after it has left their users' phones, while researchers and those with a commercial incentive are trying to perfect browser and device fingerprinting to uniquely identify users.

The Electronic Frontier Foundation's (EFF) Panopticlick tool, which I touched on when discussing Google's proposal to replace third-party cookies, shows how easy it is to anonymously identify a Web browser with accuracy up to 94% by using the information a browser reveals about a user and their device. There is also an open source browser fingerprinting library written in JavaScript available on GitHub, while media Web-tracking technology companies such as AddThis have been testing or using anonymous personalization and audience technology. Values such as installed fonts, HTTP headers, screen size, time zone, language and installed plug-ins are passed through a hashing function to produce a fingerprint. Adding additional data measurements -- such as HTML5 canvas image data -- could make the fingerprint unique enough to work as a cookie replacement and leave users no way of preventing themselves being tracked.

Cookies provide an acceptable method of identifying people and are now reasonably well understood by users. Most importantly, cookies put users in control of their privacy as they can be deleted at any time. However, fingerprints and other undeletable tracking methods change that as they are solely for the benefit of those wanting to covertly track users across the Internet. Existing countermeasures are of limited use; private browsing and incognito mode have no effect, and perversely, browser plug-ins that manage cookies and other tracking mechanisms are likely to make a user's fingerprint more distinct. Privacy plug-ins like Ghostery, though, should be able to control fingerprinting code served from known, third-party domains used for advertising or tracking.

A risk assessment will dictate an enterprise's security policy with regard to configuring how browsers handle different types of cookies, but trying to make a browser's fingerprint less distinct is difficult; although turning off Flash, Java, WebGL and Javascript will make a fingerprint more generic, a lot of the Web would be unusable. According to the EFF, the browser most resistant to fingerprinting is the TOR browser because of its bland user-agent string and aggressive approach to blocking JavaScript. Tor also prompts a user before giving websites access to HTML5 canvas image data. The same functionality is available in the CanvasFingerprintBlock Chrome browser extension and browser plug-ins like DoNotTrackMe and PrivacyBadger.

Internet privacy laws have mainly proved ineffective at protecting users from aggressive tracking technologies, but a European Union privacy watchdog has confirmed that consent rules in the EU's Privacy and Electronic Communications (e-Privacy) Directive are applicable to device fingerprinting and other cookie-alternative technologies. Fingerprints can constitute personal data; therefore the processing of that information is subject to data protection laws. Website administrators need to provide clear and comprehensive information about how any data collected is used and obtain users' consent for the purposes of using the information for targeted advertising, though it will be a lot harder to determine whether website admins honor the obligatory opt-out policy. Fingerprint data can be used without consent, of course, if it's used only for adapting the user interface to the device, for the provision of a service explicitly requested by the user, or as a security control to prevent unauthorized access to services. However, using fingerprinting as part of a broader mechanism for verifying the identity used to provide them with access to services would require the user's consent.

Ask the Expert:
Perplexed about application security? Send Michael Cobb your questions today. (All questions are anonymous.)

Next Steps

For U.S. companies, EU cookie compliance calls for website changes

This was last published in June 2015

Dig Deeper on Web browser security