Too little too late: can we control browser fingerprinting?

DOI: https://doi.org/10.1108/JIC-04-2019-0067
Pages: 165-180
Published date: 24 January 2020
Author: Nasser Mohammed Al-Fannah, Chris Mitchell
Subject Matter: Behavioural accounting, Accounting & Finance, Organizational structure/dynamics, Accounting/accountancy
Nasser Mohammed Al-Fannah and Chris Mitchell
Information Security Group, Royal Holloway University of London, Egham, UK
Abstract
Purpose: Browser fingerprinting is increasingly being used for online tracking of users, and, unlike the use of
cookies, is almost impossible for users to control. This has a major negative impact on online privacy. Despite
the availability of a range of fingerprinting countermeasures as well as some limited attempts by browser
vendors to curb its effectiveness, it remains largely uncontrolled. The paper aims to discuss this issue.
Design/methodology/approach: This paper provides the first comprehensive and structured discussion of
measures to limit or control browser fingerprinting, covering both user-based and browser-based techniques.
Findings: This study discusses the limitations of counter browser fingerprinting measures and the need for
browser vendor support in controlling fingerprinting. Further, a somewhat counterintuitive possible new
browser identifier is proposed which could make cookies and fingerprint-based tracking redundant; the need
for, and possible effect of, this feature is discussed.
Originality/value: This study provides the first comprehensive and structured discussion of measures to
limit or control browser fingerprinting. Also, it proposes a new browser identifier that could make cookies and
fingerprint-based tracking redundant.
Keywords: Browser fingerprinting, Online tracking
Paper type: Research paper
1. Introduction
Browser fingerprinting appears to have become a somewhat commonly used technique for
online tracking (Al-Fannah et al., 2018), i.e. linking multiple visits by a single browser to the
same website, and/or linking individual visits by a browser to multiple sites. For many
years, both types of tracking have been made possible through the use of cookies, where
third-party tracking sites can link multiple site visits through inclusion of their content on
cooperating sites. However, fingerprinting is far more persistent than cookie-based tracking,
virtually uncontrollable by users and non-trivial to detect. Moreover, fingerprinting can be
used to create supercookies, where if a tracking cookie is deleted from a user platform, it can
be regenerated if the same browser is detected via fingerprinting (Eckersley, 2010).
The fact that tracking can so readily be performed using browser fingerprinting is
potentially a major threat to the privacy of web users, and as noted above it is one over
which users currently have no control. Whilst there are uses of browser fingerprinting not
directly relating to tracking, the lack of user control combined with the serious privacy
threat suggests that means of limiting its effectiveness, i.e. what we refer to here as
fingerprinting countermeasures, are of potentially huge importance, motivating this paper.
Fingerprinting countermeasures can be divided into two categories, depending on
whether they are directly implementable by the user regardless of the browser or whether
they require support from the browser vendor. In the remainder of this paper, we provide a
comprehensive and systematic review of possible fingerprinting countermeasures. This is
significant for a number of reasons. First, some of these techniques, whilst apparently
known, have not previously been described in the academic literature. Second, this review
enables us to compare their effectiveness (and their limitations) and also consider how best
such countermeasures could be implemented, from the perspectives of both the user
and the browser vendor. Third, it enables us to identify areas where further research is
urgently needed.
Received 4 April 2019
Revised 18 October 2019
Accepted 25 November 2019
The current issue and full text archive of this journal is available on Emerald Insight at:
https://www.emerald.com/insight/1469-1930.htm
The authors would like to thank the anonymous referees for their helpful comments and suggestions.
Journal of Intellectual Capital, Vol. 21 No. 2, 2020, pp. 165-180, © Emerald Publishing Limited, 1469-1930, DOI 10.1108/JIC-04-2019-0067
Finally, given that fingerprint-based tracking is so privacy intrusive (and uncontrollable),
we also consider a way in which the major fingerprinters might be encouraged to abandon the
practice. We, possibly controversially, propose that browsers should support a new type of
website-accessible identifier, referred to as a Unique Browser Identifier (UBI), which would
enable a level of user-controllable tracking without involving the collection of other user and
browser data. This could make browser vendors willing to change behaviour to make
fingerprinting difficult, leading to its use becoming redundant and (potentially) prevented.
The possible operation of this identifier, and its advantages and disadvantages, are discussed.
The remainder of the paper is organized as follows. Section 2 provides a brief
introduction to browser fingerprinting. In Section 3, a general overview of approaches to
limiting fingerprinting is provided. Sections 4 and 5 provide detailed descriptions of all
known user-based and browser-based anti-fingerprinting measures, respectively. In Section
6, we discuss a browser identifier-based proposal that aims at making browser
fingerprinting redundant. Building on the previous sections, in Section 7 we review the
degree to which browser fingerprinting can be controlled using current technology and
consider ways in which greater control can be exercised in the future.
2. Browser fingerprinting
Browser fingerprinting, as first described by Eckersley (2010), is a technique that allows web
servers to uniquely identify user devices by examining information retrievable from a
browser, where this collection of information is unique for most instances. There are various
possible uses for fingerprinting, but one of the most widely discussed (and controversial) is
online tracking (i.e. enabling web servers to link multiple interactions with the same platform).
Since Eckersley first described it, the range and richness of information retrievable from a
browser that is usable for fingerprinting has substantially increased, as has real-world
deployment of fingerprinting by websites (Al-Fannah et al., 2018; Laperdrix et al., 2016).
Browser fingerprinting can be performed by active or passive means (Doty, 2015).
Passive fingerprinting depends entirely on information retrievable through regular HTTP
requests such as the HTTP header field user agent[1], whereas active fingerprinting
involves the use of scripts to retrieve further information about the browser and its
configuration, such as the set of installed fonts.
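As an added illustration (not code from the paper), the sketch below measures how much passive attributes alone narrow down a browser: it groups a constructed sample of requests by header values and reports each browser's anonymity set as surprisal in bits. The header values, the sample and all function names are assumptions made for this example.

```python
import math
from collections import Counter

# Constructed sample: one request per browser, carrying only the passive
# attributes a server sees in ordinary HTTP headers (illustrative values).
FX = "Mozilla/5.0 (X11; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0"
CH = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/78.0.3904.97"
SF = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1.15"
ROWS = [
    (FX, "en-US,en;q=0.5", "gzip, deflate, br"),
    (FX, "en-US,en;q=0.5", "gzip, deflate, br"),
    (FX, "en-GB,en;q=0.5", "gzip, deflate, br"),
    (FX, "de-DE,de;q=0.8", "gzip, deflate, br"),
    (CH, "en-US,en;q=0.9", "gzip, deflate, br"),
    (CH, "en-US,en;q=0.9", "gzip, deflate, br"),
    (CH, "fr-FR,fr;q=0.9", "gzip, deflate"),
    (SF, "en-US", "gzip, deflate, br"),
]
PASSIVE_FIELDS = ("User-Agent", "Accept-Language", "Accept-Encoding")
REQUESTS = [dict(zip(PASSIVE_FIELDS, row)) for row in ROWS]

def signature(request, fields=PASSIVE_FIELDS):
    """Tuple of the chosen header values; a missing header is itself a signal."""
    return tuple(request.get(f, "<absent>") for f in fields)

def anonymity_sets(requests, fields=PASSIVE_FIELDS):
    """Map each signature to the number of browsers in the sample sharing it."""
    return Counter(signature(r, fields) for r in requests)

def surprisal_bits(request, requests, fields=PASSIVE_FIELDS):
    """Self-information -log2(p) of this browser's signature within the sample."""
    sets = anonymity_sets(requests, fields)
    return -math.log2(sets[signature(request, fields)] / len(requests))

def unique_fraction(requests, fields=PASSIVE_FIELDS):
    """Share of browsers whose signature nobody else in the sample has."""
    sets = anonymity_sets(requests, fields)
    alone = sum(1 for r in requests if sets[signature(r, fields)] == 1)
    return alone / len(requests)

if __name__ == "__main__":
    for fields in (("User-Agent",), PASSIVE_FIELDS):
        print(fields, "unique:", unique_fraction(REQUESTS, fields))
    print("bits for browser 3:", surprisal_bits(REQUESTS[2], REQUESTS))
```

Each additional attribute can only split the existing groups further, so the unique share never falls as fields are added.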
As has been widely discussed, for example by Eckersley (2010), Narayanan and Reisman
(2017), and Perry (2012), there are a number of reasons why browser fingerprinting
represents a more significant threat to user privacy than cookies:
- Typically, there is no simple way to determine for certain whether a website is
  deploying any of the various browser fingerprinting techniques.
- A user can limit the tracking power of cookies in a number of ways, e.g. by regularly
  deleting cookies or blocking them altogether (as supported by most browsers), but
  there are no comparable, easily configured, means of limiting fingerprinting.
- Unlike cookies, browser fingerprinting is not dependent on a single explicit feature
  of HTTP. Fingerprinting rather relies on many techniques to collect various
  information about the properties and configuration of the browser and its host
  platform. Any of this information has the potential to be used for fingerprinting.
3. Limiting browser fingerprinting
3.1 General approaches
Most techniques aimed at limiting the effectiveness of fingerprinting either involve
user-enabled options such as installing extensions, or operate via browsers that incorporate