Browser fingerprints are left every time you look at a web page, in the same way that you leave a trace of yourself when you pick up a glass with no gloves on.
So what do you leave? What can servers see? Is this information valuable?
This article examines the specific technical hows and whats of the services and how they can be used.
It also provides obfuscations and technical workarounds for those who don’t want to leave technical fingerprints.
There are three main areas:
- IP Addressing
- Your User Agent string
- Cookies and JavaScript
Is this marketing or security?
Marketing is often a considerable expense for a business. According to VTL Design, in 2018, Salesforce spent US$10.8 billion on marketing.
The biggest question is WHERE is that money going?
For this, metrics provide a concrete explanation of where the money has gone.
If you know where it was spent, the ideal goal is that you can measure how much revenue it generated. Technology provides the tools to do very specific measuring.
What is available to be measured?
Security can also use fingerprint information to spot “out of place” interactions.
This idea of exception reporting in security helps to identify people and transactions which do not belong.
A simple example: the CEO always logs in from one particular country and then suddenly logs in from abroad. Holidays or a nefarious actor?
So the answer is that browser fingerprints can provide marketing and security information at the same time.
Browser Fingerprints – IP Addressing
The first and the simplest is IP addressing. Even for a traditional piece of post, you need a return address. To return a phone call, you need the sender's phone number.
For a server to send back a web page to you, it needs your IP address.
Yes, there are two varieties of IP address widely used as of 2020, IPv4 and IPv6. IPv4 is still the most widely used.
MaxMind provide a public and a private, commercially licensed, list of IP addresses and which country they come from, even which city.
Every Tuesday a new version comes out, which you can download and use to convert visiting IP addresses into the country they’re from.
Whilst this is far from precise, you can get a very good idea of where your web visitors are coming from.
Using this information, you can then start identifying if your spend is working in that country.
For security, this part of a user's browser fingerprint lets your team sense-check where connections are coming from.
A browser's User Agent string
Raw Data Browser Fingerprints
Browser Fingerprints are part of every browser. When a browser requests a web page, it presents some information about itself.
This is called the User Agent string. This string of letters, numbers and punctuation allows the receiving server to deal with the request in different ways.
- Mozilla/5.0 (compatible; AhrefsBot/6.1; +http://ahrefs.com/robot/)
- Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
- Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
- Mozilla/5.0 (Linux; Android 9; SM-G950F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36
- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 OPR/60.0.3255.170
- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 OPR/60.0.3255.95
- Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
- Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
- Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 AVG/73.0.762.88
- Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
- Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
- Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Firstly, you can probably make out that Windows NT 10.0 is Windows 10. This is browser fingerprints helping to tweak your experience.
Furthermore, you might spot the iPhone in line 2 and an Android in line 4. Also, lines 7 and 8 show two different versions of Firefox.
There is also the word Bot in lines 1 and 3.
Bots are the world's search engines visiting to pick up information, so that the page is available to the search engine for users searching for words.
Reading User Agent Browser Fingerprints
Now that we have that line of text, what can we discern from it?
Well, as we can tell which operating system and browser, it becomes relatively easy to tell…
- Firstly, is this a tablet device?
- No, ok then is it a mobile device?
- Finally, so it must be a desktop device.
This simple check even has code already written for it. Mobiledetect.net provides a library that gives an answer.
So are people at their desks reading your website, or on a mobile phone?
For marketing, this is really influential on where money is spent. Also, presentation on a mobile device requires different image sizes and layouts than for users on a desktop. Browser fingerprints provide metrics as to how and where people are coming from.
Security will consider that if the CFO always uses his mobile and then suddenly swaps to a desktop, something might be up.
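The exception reporting described for the CEO and the CFO can be sketched as a per-user baseline of country and device class. This is an added example, not code from the original article; it assumes each login event already carries a country (from a GeoIP lookup) and a device class (from the User Agent), and the field names, thresholds and sample data are constructed.

```javascript
// Added example: exception reporting over login fingerprints.
// Assumes every event already carries a country (GeoIP lookup on the IP address)
// and a device class (from the User Agent); the field names are hypothetical.
function buildBaseline(events) {
  const baseline = new Map(); // user -> { total, country: Map, device: Map }
  for (const e of events) {
    if (!baseline.has(e.user)) {
      baseline.set(e.user, { total: 0, country: new Map(), device: new Map() });
    }
    const b = baseline.get(e.user);
    b.total += 1;
    for (const field of ["country", "device"]) {
      b[field].set(e[field], (b[field].get(e[field]) || 0) + 1);
    }
  }
  return baseline;
}

// Lists why a login is "out of place"; an empty list means it fits the baseline.
function exceptionsFor(event, baseline, minHistory = 5, rareShare = 0.1) {
  const b = baseline.get(event.user);
  // Too little history to judge: report that instead of guessing either way.
  if (!b || b.total < minHistory) return ["insufficient history"];
  const reasons = [];
  for (const field of ["country", "device"]) {
    const seen = b[field].get(event[field]) || 0;
    if (seen === 0) reasons.push(`new ${field}: ${event[field]}`);
    else if (seen / b.total < rareShare) reasons.push(`rare ${field}: ${event[field]}`);
  }
  return reasons;
}

// Constructed sample data: the CEO always logs in from GB, the CFO always on mobile.
const repeat = (n, e) => Array.from({ length: n }, () => ({ ...e }));
const pastLogins = [
  ...repeat(20, { user: "ceo", country: "GB", device: "desktop" }),
  ...repeat(19, { user: "cfo", country: "GB", device: "mobile" }),
  ...repeat(1, { user: "cfo", country: "FR", device: "mobile" }),
  ...repeat(2, { user: "newhire", country: "GB", device: "desktop" }),
];
const baseline = buildBaseline(pastLogins);

console.log(exceptionsFor({ user: "ceo", country: "TH", device: "desktop" }, baseline));
console.log(exceptionsFor({ user: "cfo", country: "FR", device: "desktop" }, baseline));
```

A flagged login is a prompt for a follow-up check, not proof of compromise: the CEO may simply be on holiday.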
MetaData
The Oxford dictionary defines Metadata as “a set of data that describes and gives information about other data.”
Firstly, for this a database / list file called browscap is available. It is also handily updated regularly to include new browser versions.
It adds metadata to make that User Agent a little more “digestible”. As a result it breaks things up so they are easier to categorise.
What operating system? Next, what browser? Also what version?
Not all browsers are made the same, some have more capabilities than others.
If you want a very flash HTML 5, CSS 3, 3D presentation of your products which works fine on Chrome, but doesn’t work at all in Internet Explorer, you need to know what percentage of users you are excluding by this approach.
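The tablet / mobile / desktop check and the operating system, browser and version breakdown can both be read out of the User Agent strings listed earlier. The following is an added example, not the Mobile-Detect or browscap code; its patterns are heuristics that only cover the strings shown in this article, and the function name is hypothetical.

```javascript
// Added example: heuristic User Agent classifier. This is not the Mobile-Detect
// or browscap code; the patterns only cover the strings listed in this article.
function classifyUserAgent(ua) {
  const isBot = /bot\b|crawler|spider/i.test(ua);

  // The cascade from the article: tablet first, then mobile, otherwise desktop.
  // Android tablets usually omit the "Mobile" token that Android phones send.
  let device = "desktop";
  if (/iPad|Tablet|Android(?!.*Mobile)/.test(ua)) device = "tablet";
  else if (/iPhone|iPod|Mobile/.test(ua)) device = "mobile";

  let os = "unknown";
  let m;
  if ((m = ua.match(/Windows NT (\d+\.\d+)/))) {
    const names = { "10.0": "Windows 10", "6.3": "Windows 8.1", "6.1": "Windows 7" };
    os = names[m[1]] || `Windows NT ${m[1]}`;
  } else if ((m = ua.match(/iPhone OS (\d+(?:_\d+)*)/))) {
    os = `iOS ${m[1].replace(/_/g, ".")}`;
  } else if ((m = ua.match(/Android (\d+(?:\.\d+)*)/))) {
    os = `Android ${m[1]}`;
  }

  // Most specific token first: Opera and AVG also say "Chrome", and Chrome also
  // says "Safari", so the first pattern that matches wins.
  const browsers = [
    ["Opera", /OPR\/([\d.]+)/],
    ["AVG", /AVG\/([\d.]+)/],
    ["Firefox", /Firefox\/([\d.]+)/],
    ["Internet Explorer", /Trident\/.*rv:([\d.]+)/],
    ["Chrome", /Chrome\/([\d.]+)/],
    ["Safari", /Version\/([\d.]+).*Safari\//],
  ];
  let browser = "unknown";
  let version = "";
  for (const [name, re] of browsers) {
    if ((m = ua.match(re))) { browser = name; version = m[1]; break; }
  }
  return { isBot, device, os, browser, version };
}

// Two of the strings listed above.
console.log(classifyUserAgent("Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"));
console.log(classifyUserAgent("Mozilla/5.0 (compatible; AhrefsBot/6.1; +http://ahrefs.com/robot/)"));
```

Because the string is entirely client-supplied, treat the result as a hint for metrics and sense checks, not as proof of what the device is.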
Putting the pieces together
At this point we now have quite a bit of information from our Browser Fingerprints. All this data is gathered in less than a millisecond about this visitor to our online service.
- Firstly we know where they have come from (IP Address)
- We have an idea of what type of device they’re on (User Agent)
- Also the operating system they’re using (User Agent)
- The browser and its version and subsequently the capabilities of that browser (User Agent)
Not a bad start, but we want more!! Time for a bit of JavaScript.
JavaScript
So as the web server receives the request, it creates a unique id for the request.
This unique id is sent back to the browser as part of the webpage sitting quietly in the background code of the page.
A function within the code kicks off when the page opens.
- Firstly, how wide is the screen?
- Secondly, how tall is the screen?
- Also if on a mobile are we portrait or landscape?
- Furthermore, being cheeky, we can ask for the specific latitude and longitude of the device, if the user doesn’t mind agreeing.
- We can also track how long the user is on the page and what they click.
As a result, by sending this information back with the unique id, we have a mountain of information gathered about the user.
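To make concrete what a page script can read without asking, here is the client-side half of that exchange as an added example (not code from the original article). The `/collect` endpoint, the payload field names and the `createTracker` function are hypothetical; the browser objects are passed in as `win`.

```javascript
// Added example: the client-side half of the exchange described above.
// `requestId` is the id the server embedded in the page; the "/collect"
// endpoint and the payload field names are hypothetical.
function createTracker(win, requestId, now = () => Date.now()) {
  const openedAt = now();
  const clicks = [];

  // Record which element was clicked and when, relative to page open.
  win.document.addEventListener("click", (ev) => {
    clicks.push({ tag: ev.target.tagName, atMs: now() - openedAt });
  });

  function snapshot() {
    return {
      requestId,
      screenWidth: win.screen.width,
      screenHeight: win.screen.height,
      // Same rule CSS uses: portrait when the viewport is at least as tall as wide.
      orientation: win.innerHeight >= win.innerWidth ? "portrait" : "landscape",
      msOnPage: now() - openedAt,
      clicks: clicks.slice(),
    };
  }

  // Send everything back once, when the page is hidden or closed.
  win.addEventListener("pagehide", () => {
    win.navigator.sendBeacon("/collect", JSON.stringify(snapshot()));
  });

  // Latitude/longitude is deliberately absent: navigator.geolocation makes the
  // browser show a permission prompt, unlike everything read above.
  return { snapshot };
}

// In a browser: createTracker(window, "id-from-server");
```

Everything in the payload except the request id is available to any script on the page with no prompt, which is exactly what disabling JavaScript withholds.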
There are a host of other JavaScript capabilities, including heat maps, timing and event types (Keyboard / Mouse / Touch) etc., to explore.
If a service can link your request to your account and personal information then it becomes even more “rich” in terms of categorisation.
Google uses this form of JavaScript tracking for their ad management and calls it GCLID, or Google Click Identifier.
When is enough enough?
In IT terms it's often better to have the data and be able to delete it than to be in the position of needing it and then realising you don’t have it.
Think of a video camera in a store. Most of the time the video is a waste of time until it comes to an incident. Compare this with not installing the camera in the first place.
So it’s a good thing to collect data such as browser fingerprints and then wipe it down / summarise it regularly as it’s no longer needed.
General Electric (GE) aviation estimates that each of its aircraft engines produces around one terabyte of data per flight.
What do you know about how people interact with your website and online services?
I don’t feel like sharing
As a user, you do not have to share your information. You can smudge your browser fingerprints. There are some very simple steps you can take.
For your IP address, use a VPN service. Like the game “Chinese whispers”, you ask the VPN, who then goes on and asks for you. The receiving server sees the VPN details, not yours.
Using a VPN as an intermediary also hides your User Agent string.
The User Agent string can be modified by you to anything you want. So you can pretend to be another browser or really mess with the server owners' heads. 🙂
You can elect to disable JavaScript in your browser. By disabling it you will disable other functions on the page, but it means you’re going to stop any information being sent back without permission.
Conclusion
The data isn’t 100% precise but it does provide a good broad picture.
Your personal browser fingerprint is often one amongst many. More often than not, people don’t mess / tinker with the default settings. So this allows service providers to get a good broad sense of the details of those visiting.
If you do modify your settings, you often stand out more. Think of the person with the baseball cap in the shop avoiding cameras, who can often draw more attention.
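The "stand out more" effect can be measured by counting how many visitors share each fingerprint. This is an added example, not from the original article: the visitor records, the made-up User Agent value and the field names are constructed, and the fingerprint is reduced to User Agent, screen size and country.

```javascript
// Added example: how much a fingerprint singles a visitor out.
// The visitor records are constructed; the field names are hypothetical.
function fingerprintKey(v) {
  return [v.userAgent, v.screen, v.country].join("|");
}

// For each visitor: how many visitors share the fingerprint, and the
// "surprisal" in bits, log2(total / sharedWith). 0 bits = identical to everyone.
function distinctiveness(visitors) {
  const counts = new Map();
  for (const v of visitors) {
    const key = fingerprintKey(v);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return visitors.map((v) => {
    const sharedWith = counts.get(fingerprintKey(v));
    return { id: v.id, sharedWith, bits: Math.log2(visitors.length / sharedWith) };
  });
}

const CHROME = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36";
const FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0";

// Constructed sample: five default Chrome users, two default Firefox users,
// and one visitor who replaced the User Agent string with a made-up value.
const visitors = [
  ...[1, 2, 3, 4, 5].map((id) => ({ id, userAgent: CHROME, screen: "1920x1080", country: "GB" })),
  ...[6, 7].map((id) => ({ id, userAgent: FIREFOX, screen: "1920x1080", country: "GB" })),
  { id: 8, userAgent: "TotallyNotABrowser/1.0", screen: "1920x1080", country: "GB" },
];

console.log(distinctiveness(visitors));
```

The visitor with the invented User Agent is the only one in a group of one, so the change intended to hide them is what identifies them.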
Having the data and not analysing it is far better than waking up one morning and having no data at all to examine.