Another way to track you, sort of.
At a technical level, digital fingerprints are fascinating.
At the practical level, digital fingerprints can cause some concern. Much like the worry over cookies, though, that concern is often overblown.
Become a Patron of Ask Leo! and go ad-free!
Digital fingerprints are nothing more than normal data sent by your web browser as part of requesting and displaying the webpages you visit. The information includes characteristics of your machine and browser. This information is effectively unique to your web browser, which can allow it to be used for some amount of tracking.
What is a digital fingerprint?
A digital fingerprint is a collection of information sent by your web browser to the various websites you visit.
Websites use this information to understand the characteristics of your browser and device, which allows them to customize the experience they provide. A good example is a product download page that presents a download for the specific platform (Windows, Mac, etc.) you are using rather than a list of versions from which you have to choose. The webpage could determine the platform because it’s included in the information sent by your web browser when you visit the download page.
It’s important to understand that this information is sent not to track or fingerprint you. It’s just information potentially useful to the website.
What makes it a fingerprint is:
- There’s a lot of information included.
- Your specific combination of information is highly likely to be unique to your browser and computer.
By keeping track of the unique(ish) combination of information coming from only your computer and browser, you can kind of sort of be tracked. In some cases, you can be identified.
What’s in a fingerprint
There’s potentially a lot of information. Let’s start with just a few items.
Here are three pieces of information my web server already knows about you simply because you’re visiting this page:
- Your IP address: 188.8.131.52. This identifies the device acting as your point of connection to the internet — usually your router.
- The “reverse DNS” on that IP address: 097-068-165-234.biz.spectrum.com. This is a human-readable name assigned to your IP address, just as “askleo.com” is assigned to my server’s address.
- Your “user agent” string: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/184.108.40.206 Safari/537.36 X-Middleton/1. This is information supplied by your web browser identifying which browser you’re using along with several other things allowing websites to customize what they display.
That combination alone might be enough to track you to some degree, but in reality, much more information is available.
That’s a digital fingerprint.
Given the number of pieces of information included in a digital fingerprint, the chances of two users having the exact same fingerprint are low.
Put another way, the chances of your digital fingerprint being unique to you are high.
Very few machines and browsers are configured identically. Combined, the differences make your digital fingerprint uniquely yours.
Yes, there’s a possibility that you and someone else could share the same digital fingerprint. But chances are low enough that it doesn’t really matter. At worst, you might start seeing ads targeted based on the other person’s browsing habits, but again, it’s extremely rare.
It doesn’t identify you, exactly
Note that everything that comprises a digital fingerprint is about your machine. There’s nothing there that’s about you personally.
This means a digital fingerprint can say, “This specific web-browser went to this site, then to this site, then to this site.” Change browsers and you have a different digital fingerprint. Change machines and your digital fingerprint changes again.
It’s not about you, specifically.
But it could be.
It could be you, if you log in
Let’s say you visit a website that collects all of the information making up a digital fingerprint. So far, all they know is this specific browser on this specific machine at this specific IP address has just come to visit.
As soon as you log in, though, they can associate your account with that fingerprint. Now they know the fingerprint belongs to you.
In theory, sites could share fingerprints and user IDs among themselves. For example, families of ecommerce sites might, and the result might be seeing consistent advertisements across them all, based on your browsing activity, or perhaps offers made specifically to your account on one site based on the activity on another.
Avoiding digital fingerprinting
Pragmatically, it’s impossible to avoid digital fingerprinting. The information combined to fingerprint you is the same information required to make the internet work, or work well. There’s really no practical way to avoid it.
You can use blockers, VPNs, and TOR to obfuscate or hide as much of the information as you can, but the results will either still be unique(ish) to you or the process will be so cumbersome — for example, TOR can be painfully slow — as to make it something you quickly abandon.
Or a website you visit won’t work because it doesn’t have the information it needs.
You can certainly change your digital fingerprint. Changing browsers, using different machines, and so on are all things that could change the fingerprint your browser produces and shares. Once again, though, there’s only so much we can do.
And, of course there are plenty of alternatives web designers can use. Cookies are the most basic. My article Supercookies and Evercookies and No Cookies at All: Resistance Is Futile goes into more detail about some of the additional techniques available.
Why I don’t care
Of course sites track me. Digital fingerprinting is just one way they choose to do so. It’s not even clear how many sites bother to use this technology, since there are so many other tracking methods to choose from.
But no matter what I do, I’m being tracked at some level. I’m OK with that because I know it’s not about me. As a specific individual, I’m just not that interesting.
What is most important to the websites tracking me is the ability to show ads I’m more likely to act on. That’s the most common use for all this tracking by far.
This is why I don’t care about cookies either: because even if I did, doing something about cookies doesn’t remove the ability to track. It just changes which technologies are used.
Understand that your activity can be tracked in a variety of ways, and that digital fingerprinting is just one way that’s difficult to avoid. Then, to the extent you can, understand you’re just not that interesting as an individual.
The EFF (Electronic Frontier Foundation) also has a fingerprinting test site at coveryourtracks.eff.org. Like AmIUnique, it will calculate a fingerprint and then show you what went into it. On the results page will be a few guidelines for minimizing your fingerprint, including:
Knowing how easily identifiable you are, or whether you are currently blocking trackers, can help you know what to do next to protect your privacy. While most trackers can be derailed by browser add-ons or built-in protection mechanisms, the sneakiest trackers have ways around even the strongest security. We recommend you use a tracker blocker like Privacy Badger or use a browser that has fingerprinting protection built in.
Perhaps most important is to realize how prevalent tracking is and, if you care, adjust your behavior accordingly based on how concerned you are and how sensitive whatever you’re doing is.
Looking for more practical guidance? Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Footnotes & References
1: Note that a fingerprint isn’t really “a” number. It’s the unique combination of the information collected and sent by your browser. Sites that use it can store it in a variety of ways.