Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

What is a Digital Fingerprint?

Another way to track you, sort of.

Digital fingerprints are another way that websites might track you, should they want to. What can you do? Should you be worried?
Digital Fingerprint (Concept)
(Image: canva.com)
Question: What are digital fingerprints and do you have any advice on what I can do against them?

At a technical level, digital fingerprints are fascinating.

At the practical level, digital fingerprints can cause some concern. Much like the worry over cookies, though, that concern is often overblown.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

Digital fingerprints

Digital fingerprints are nothing more than normal data sent by your web browser as part of requesting and displaying the webpages you visit. The information includes characteristics of your machine and browser. This information is effectively unique to your web browser, which can allow it to be used for some amount of tracking.

What is a digital fingerprint?

A digital fingerprint is a collection of information sent by your web browser to the various websites you visit.

Websites use this information to understand the characteristics of your browser and device, which allows them to customize the experience they provide. A good example is a product download page that presents a download for the specific platform (Windows, Mac, etc.) you are using rather than a list of versions from which you have to choose. The webpage could determine the platform because it’s included in the information sent by your web browser when you visit the download page.

It’s important to understand that this information is sent not to track or fingerprint you. It’s just information potentially useful to the website.

What makes it a fingerprint is:

  • There’s a lot of information included.
  • Your specific combination of information is highly likely to be unique to your browser and computer.

By keeping track of the unique(ish) combination of information coming from only your computer and browser, you can kind of sort of be tracked. In some cases, you can be identified.

What’s in a fingerprint

There’s potentially a lot of information. Let’s start with just a few items.

Here are three pieces of information my web server already knows about you simply because you’re visiting this page:

  • Your IP address: 17.241.75.84. This identifies the device acting as your point of connection to the internet — usually your router.
  • The “reverse DNS” on that IP address: 17-241-75-84.applebot.apple.com. This is a human-readable name assigned to your IP address, just as “askleo.com” is assigned to my server’s address.
  • Your “user agent” string: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15 (Applebot/0.1; +http://www.apple.com/go/applebot) X-Middleton/1. This is information supplied by your web browser identifying which browser you’re using along with several other things allowing websites to customize what they display.

That combination alone might be enough to track you to some degree, but in reality, much more information is available.

Visit AmIUnique and it will calculate your browser fingerprint. Scroll down and you’ll see all the different factors that went into the calculation.1

That’s a digital fingerprint.

It’s unique-ish

Given the number of pieces of information included in a digital fingerprint, the chances of two users having the exact same fingerprint are low.

Put another way, the chances of your digital fingerprint being unique to you are high.

Very few machines and browsers are configured identically. Combined, the differences make your digital fingerprint uniquely yours.

Mostly.

Yes, there’s a possibility that you and someone else could share the same digital fingerprint. But chances are low enough that it doesn’t really matter. At worst, you might start seeing ads targeted based on the other person’s browsing habits, but again, it’s extremely rare.

It doesn’t identify you, exactly

Note that everything that comprises a digital fingerprint is about your machine. There’s nothing there that’s about you personally.

This means a digital fingerprint can say, “This specific web-browser went to this site, then to this site, then to this site.” Change browsers and you have a different digital fingerprint. Change machines and your digital fingerprint changes again.

It’s not about you, specifically.

But it could be.

It could be you, if you log in

Let’s say you visit a website that collects all of the information making up a digital fingerprint. So far, all they know is this specific browser on this specific machine at this specific IP address has just come to visit.

As soon as you log in, though, they can associate your account with that fingerprint. Now they know the fingerprint belongs to you.

In theory, sites could share fingerprints and user IDs among themselves. For example, families of ecommerce sites might, and the result might be seeing consistent advertisements across them all, based on your browsing activity, or perhaps offers made specifically to your account on one site based on the activity on another.

Avoiding digital fingerprinting

Pragmatically, it’s impossible to avoid digital fingerprinting. The information combined to fingerprint you is the same information required to make the internet work, or work well. There’s really no practical way to avoid it.

You can use blockers, VPNs, and TOR to obfuscate or hide as much of the information as you can, but the results will either still be unique(ish) to you or the process will be so cumbersome — for example, TOR can be painfully slow — as to make it something you quickly abandon.

Or a website you visit won’t work because it doesn’t have the information it needs.

You can certainly change your digital fingerprint. Changing browsers, using different machines, and so on are all things that could change the fingerprint your browser produces and shares. Once again, though, there’s only so much we can do.

And, of course there are plenty of alternatives web designers can use. Cookies are the most basic. My article Supercookies and Evercookies and No Cookies at All: Resistance Is Futile goes into more detail about some of the additional techniques available.

Why I don’t care

Of course sites track me. Digital fingerprinting is just one way they choose to do so. It’s not even clear how many sites bother to use this technology, since there are so many other tracking methods to choose from.

But no matter what I do, I’m being tracked at some level. I’m OK with that because I know it’s not about me. As a specific individual, I’m just not that interesting.

What is most important to the websites tracking me is the ability to show ads I’m more likely to act on. That’s the most common use for all this tracking by far.

This is why I don’t care about cookies either: because even if I did, doing something about cookies doesn’t remove the ability to track. It just changes which technologies are used.

Do this

Understand that your activity can be tracked in a variety of ways, and that digital fingerprinting is just one way that’s difficult to avoid. Then, to the extent you can, understand you’re just not that interesting as an individual.

The EFF (Electronic Frontier Foundation) also has a fingerprinting test site at coveryourtracks.eff.org. Like AmIUnique, it will calculate a fingerprint and then show you what went into it. On the results page will be a few guidelines for minimizing your fingerprint, including:

Knowing how easily identifiable you are, or whether you are currently blocking trackers, can help you know what to do next to protect your privacy. While most trackers can be derailed by browser add-ons or built-in protection mechanisms, the sneakiest trackers have ways around even the strongest security. We recommend you use a tracker blocker like Privacy Badger or use a browser that has fingerprinting protection built in.

Perhaps most important is to realize how prevalent tracking is and, if you care, adjust your behavior accordingly based on how concerned you are and how sensitive whatever you’re doing is.

Looking for more practical guidance? Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

Podcast audio

Play

Footnotes & References

1: Note that a fingerprint isn’t really “a” number. It’s the unique combination of the information collected and sent by your browser. Sites that use it can store it in a variety of ways.

15 comments on “What is a Digital Fingerprint?”

  1. It’s interesting that you echoed the actual data that the web servers get. I found the User Agent string —

    Mozilla/5.0 (Linux; Android 9; KFTRPWI) AppleWebKit/537.36 (KHTML, like Gecko) Silk/104.2.16 like Chrome/104.0.5112.114 Safari/537.36 X-Middleton/1

    — to be of particular interest to me; I’d been curious as to what it was for a long time. Thank you! Two items of particular note here are the KFTRPWI, signifying my Amazon Fire HD10+, and Silk/104.2.16, which is the name and version of my web browser.

    Some misguided souls attempt to thwart fingerprinting by using special apps to alter or conceal their User Agent string.

    Poor schlubs! “User Agent” obfuscation doesn’t solve the fingerprinting issue at all, and in fact actually makes it much worse. If you change your User Agent string to say, for example, “User Agent Hidden,” you only succeed in identifying yourself uniquely — if anything — much better than a regular old User Agent string! :o

    Reply
    • There’s at least one legitimate reason to fake the UA string: websites that deny certain UA’s. For example, if a website says “we don’t support Silk”, changing the UA to be a mimic of Chrome could get you through. There may be side effects (they might not support Silk for a reason), but it often gets people through.

      Of most recent concern as websites that insist on Internet Explorer which no one should be using any more. Fake the UA string and you can often get through.

      Reply
    • ADDITIONAL THOUGHTS: I’ve been thinking on this matter, turning it over in my mind, and have some additional thoughts.

      For clarity, let’s call the person doing the tracking the Tracker, and the person he’s tracking his Target.

      Traditionally, the usual method of tracking people on the Web has been cookies. Fingerprinting is newer. It’s not as convenient, and would seem to be at least somewhat self-limiting.

      The idea with cookies is that the Tracker places a small identification file on the Target’s computer; when the Target returns, the Tracker’s site finds that same file and knows “this person’s been here before.” The cookie itself might contain additional information such as the Target’s name, or the date he last visited, etc.
      There are three immense advantages to cookies: (1) they are transparent, meaning tge Target need not know anything about them; (2) The Target does not need to log in (indeed, a cookie can actually be a form of login); and (3) Importantly, the Tracker does not need to store any of this information on his own system.

      The latter is not true of browser fingerprinting. Becsuse — unlike with cookies — the Tracker does not create the information he “sniffs,” the only way he can recognize anyone with it is via a database… and a huge one. If everyone’s User Agent is as long as mine, for example, just think of the size databse required to track tens of thousands of (just) User Agents! Thus it seems to me that digital fingerprinting must be self-limiting. Even when digital storage is cheap and plentiful, it’s not infinite. There’s a limit to how many “fingerprints” he can store.

      Now, all of that said, I find that I do have to reconsider my stance on my User Agent. To quote a query from World War II, “Is this trip REALLY necessary?” Instead of —

      nbsp;    Mozilla/5.0 (Linux; Android 9; KFTRPWI) AppleWebKit/537.36 (KHTML, like Gecko) Silk/104.2.16 like Chrome/104.0.5112.114 Safari/537.36 X-Middleton/1

      Why wouldn’t something like —

           Android 9; Linux; Silk/104.2.16 (like Chrome)

      — suffice just as well…??? Shresh!!!

      Reply
      • With cookies, the tracker usually has the information on the target on their servers. The cookie is most commonly a binary number which refers to the information stored on the server.

        The database containing the targets’ information would be tiny by today’s storage standards. Let’s say each target has 10 KB of information. 10 million users would use 10 GB. A small USB flash drive could hold it.

        Reply
  2. I understand that tracking is unavoidable and gave up trying. What I do find really annoying though, is when I’m shopping for a gift for a family member and ads for that exact thing show up in that persons Facebook feed or some such. What’s the best way to avoid that?

    Reply
  3. So can we obfuscate a little by using more than one browser, going to certain sites on one browser and other sites on the other?

    Reply
  4. My question above was inarticulate.

    My wife and I use the same laptop, would we benefit by using different browsers to each other, for say Amazon, to keep our searches more private? We do have our own Amazon accounts. I would not like my searches to pop up on her page.

    Reply
  5. Wow!!! I went to that Am I Unique site that you linked and I was *BLOWN AWAY* by all the different data-points they were able to collect. No wonder they can make a unique fingerprint for each of us — the odds of each and every one of those dozens of data-points being *exactly* the same is just about impossible!

    Reply
  6. For Jonathan, I would shop incognito (private browsing). You’ll still be able to log in to your Amazon account, but it would likely stop the ad from popping up elsewhere.

    Interestingly, CBC (Canadian TV channel) Marketplace TV program did a test and found that not using private browsing, the shoppers on average paid more than those who shopped using private browsing. When those ad trackers get saved, some of them apparently can help others using the same advertising network know the types of things your interested in … which is why they server more relevant ads. But a website can also use that information to know that you like looking at boats for sale and assume you have more money to spend and charge you a higher price on whatever item you happen to be shopping for, even if it’s not a boat. In private browsing, they don’t know you from a hole in the ground and offer you the usual or average selling price.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.