Can you Prevent Browser Fingerprinting?

August 26, 2021
Preventing Browser Fingerprinting

Browser fingerprinting is a method of identifying and tracking website visitors that doesn’t rely on cookies or login sessions. Instead, visitors are identified by collecting a series of browser parameters, from browser version to screen dimensions and installed fonts. Each parameter is of limited utility on its own, but when combined with others can be used to create a unique identifier for each website visitor.

Here are some data points that browser fingerprinting uses to create unique IDs:

  • Browser type and version
  • Language
  • Time zone
  • Graphics card type (via HTML canvas drawing)
  • Device make and model
  • Installed plugins
  • Screen dimensions
  • Hardware type

Privacy-conscious website visitors have their reasons for wanting to prevent browser fingerprinting. Companies can use browser fingerprinting data to build unique user profiles without cookies or user sign-ins, which can be used for advertising and marketing.

On the other hand, developers have valid reasons for fingerprinting a visitor’s browser. Fingerprinting and other anonymous user identification methods are useful for identifying patterns of fraudulent activity, as the lion's share of fraud is committed by a small number of returning visitors. Fingerprinting also makes it possible to save browsing preferences and deliver better recommendations without requiring a returning visitor to log in.

In this article, we’ll look at some of the ways a website visitor can prevent fingerprinting scripts from accurately identifying their browser. Next, we will analyze FingerprintJS Pro to see how it creates accurate visitorIDs for each browser instance that visits a page, even when methods to prevent fingerprinting are being used.

What Doesn't Work to Prevent Browser Fingerprinting

Preventing browser fingerprinting is difficult for web users who don't have a good understanding of the technology and how it works. Some of the standard techniques the average visitor may use to protect their identity, such as clearing cookies, browsing in incognito mode or using a VPN, are not effective against fingerprinting:

  • Cookies: Browser fingerprinting does not inherently rely on cookies to generate a unique identifier. So while turning them off can offer some degree of user privacy, it doesn’t impact fingerprinting capabilities.
  • Incognito mode: This method is equally ineffective for preventing browser fingerprinting, as many browser signals besides browsing history can be used for identifying visitors.
  • VPN: VPNs are effective for hiding a visitor’s browsing history from the ISP, or hiding a visitor's real IP address and geolocation from a site. They are not very effective for preventing fingerprinting, however, because many browser fingerprinting scripts (FingerprintJS included) don't use the IP address as a core signal, as it is too unstable. If the IP address is included, the fingerprinter can use fuzzy matching so that a change in IP address while all other signals remain constant does not result in a new fingerprint.

What Works (Sometimes) to Prevent Browser Fingerprinting

There are a few ways to mitigate browser fingerprinting techniques, but even these are not foolproof. Some browsers offer fingerprinting mitigation as a built-in feature; for example, Firefox gives users the option to block third-party requests to sites known to use fingerprinting. This provides added protection, but it does not catch first-party scripts.

Another possible way to reduce the available signals is to turn off capabilities that are commonly used for browser fingerprinting, such as HTML canvas or audio content, altogether. However, many sites won’t load correctly without these technologies, and the online experience can suffer.

Finally, some browsers like Brave use a spoofing method called 'farbling'. Farbling introduces randomness into signal outputs, so a visitor's fingerprint is generated from constantly changing inputs. Even this research-backed method has drawbacks against particularly sophisticated fingerprinting methods: the farbling can be reverted, and with fuzzy matching, fingerprints can be correctly associated despite small differences.
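Why changing a single signal rarely helps, as an added example (not code from FingerprintJS or from the original article): an exact hash of the signals changes when the IP address (the VPN case above) or a farbled canvas value changes, while a weighted fuzzy comparison still links the observations. The signal values, weights, threshold and function names are assumptions made up for illustration.

```javascript
// Constructed sample observation; all values are illustrative, not real visitor data.
const baseline = {
  userAgent: 'Chrome/92 macOS', language: 'en-US', timeZone: 'Europe/Berlin',
  screen: '1440x900', plugins: 'pdf-viewer',
  canvas: 'c1a5',          // stand-in for a digest of a canvas rendering
  ip: '198.51.100.7',      // documentation-range address
};

// Hypothetical weights: stable signals count for more, the unstable IP for little.
const WEIGHTS = { userAgent: 3, language: 1, timeZone: 1, screen: 2,
                  plugins: 2, canvas: 3, ip: 0.5 };

// Exact-match identifier: FNV-1a hash over the sorted key=value pairs.
function exactId(signals) {
  const text = Object.keys(signals).sort().map(k => `${k}=${signals[k]}`).join('|');
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Fuzzy comparison: weighted share of signals that agree (0 to 1).
function similarity(a, b) {
  let agree = 0, total = 0;
  for (const [key, weight] of Object.entries(WEIGHTS)) {
    total += weight;
    if (a[key] === b[key]) agree += weight;
  }
  return agree / total;
}

// Hypothetical threshold; a real system would tune it against false matches.
function sameVisitor(a, b, threshold = 0.7) {
  return similarity(a, b) >= threshold;
}

const viaVpn = { ...baseline, ip: '203.0.113.50' };            // only the IP changed
const farbled = { ...baseline, canvas: 'c1a7' };               // randomized canvas output
const otherBrowser = { ...baseline, userAgent: 'Firefox/91 macOS',
                       plugins: '', canvas: '9e02' };          // different browser, same device

for (const [name, obs] of Object.entries({ viaVpn, farbled, otherBrowser })) {
  console.log(name, exactId(obs) === exactId(baseline), similarity(baseline, obs).toFixed(2),
              sameVisitor(baseline, obs));
}
```

For anyone evaluating a privacy defense, the takeaway is that it has to move enough high-weight signals at once to fall below the matcher's threshold; the third case does so only because it is a different browser.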

Creating a Fingerprint

We’ve seen the different ways a browser can be fingerprinted, as well as the various methods to prevent accurate fingerprinting. If your site relies on fingerprinting to help prevent fraud or deliver optimized content to users, it can be difficult to plan for every scenario.

FingerprintJS Pro offers a superior method of anonymous visitor identification that uses browser fingerprinting in conjunction with cookies, visit history, and geolocation data to create a unique and highly stable visitorID. Built by a dedicated browser fingerprinting research team, the library is easy to install, highly accurate, and effective in stopping fraud and spam.

The following tutorial uses the CDN option for installation, but the library can also be installed by running npm install @fingerprintjs/fingerprintjs-pro and importing it with import FingerprintJS from '@fingerprintjs/fingerprintjs-pro'.

To get started, create an index.html file with the following code between the head tags:

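  // Call this once the FingerprintJS Pro script from the CDN has loaded.
  function initFingerprintJS() {
    // Initialize the agent with your browser token.
    const fpPromise = FingerprintJS.load({ token: 'your-browser-token' });

    // Get the visitor identifier and print it to the console.
    fpPromise
      .then(fp => fp.get())
      .then(result => console.log(result.visitorId));
  }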

This will print the visitorID to the console, but it won’t work until we give it a proper token. You can sign up for a free account of FingerprintJS Pro to get a unique token for your website.

Click the tokens tab on the left and copy the token marked browser. Replace your-browser-token in the index.html file with the token copied from FingerprintJS. Now you are ready to test. Start up a server and visit your new site. This demo uses http-server because it installs quickly and is easy to use.

First visit the site in a normal Chrome browser instance with cookies enabled. If you open up the Chrome developer console, you should see your unique visitorID printed out.

Back on the FingerprintJS dashboard, you should see a count of unique visitorIDs over the current billing period. The example screenshot below has logged two unique visitors so far, but if you are testing with one computer and browser only, you should see one unique visitor logged.

FingerprintJS Dashboard showing 2 unique visitors

Try visiting the locally-hosted site again in incognito mode. Open the console and check for the printed visitorID. You should see that FingerprintJS has detected that this is still the same browser instance and has logged the same visitorID in the console.

Repeating this process with Firefox will yield different results. Because a different browser was used, FingerprintJS will generate a different visitorID than the one it created in the original Chrome browser instance. However, the Firefox visitorID should remain the same when you revisit the page with privacy and strict security mode enabled.

You can also verify that FingerprintJS works over a VPN connection. Using a cloud platform that provides app infrastructure for developers such as Heroku (or any hosting provider), deploy the local test app and visit the site over a VPN connection. Be sure to test both Firefox and Chrome in regular and incognito modes. You should observe that the visitorID is the same as when tested locally without VPN.

It is worth restating that FingerprintJS generates an accurate visitorID for each browser-device combination, not for each device. Because FingerprintJS visitorIDs are derived from many browser attributes (some universal, others vendor-specific), a website visitor using both Chrome and Firefox will most likely be assigned a separate, unique visitorID for each browser type. This means that a user could escape being associated with a previous visit by using a different browser, though this trick would only work as long as they had new browsers to use.

Browser fingerprinting can be an invaluable resource for developers looking to mitigate fraud, spam, and account takeovers, as it can accurately identify users even when they attempt to conceal themselves. As demonstrated in the example above, FingerprintJS provides this capability with maximum accuracy and minimal fuss. Website operators looking to reduce fraud can test drive browser fingerprinting immediately with a free account.
