What Is Device Fingerprinting?
Basics
Browser or device fingerprinting is a technique used in computer science to generate distinct identifiers for various forms of digital data. It involves collecting information about smartphones, computers, and other devices. This can be done even if the user changes browsers or their IP address is hidden.
Web analytics services have collected browser and device data for years to measure legitimate web traffic and prevent fraud. However, recent technological advances allow for gathering more specific parameters.
In the past, fingerprinting was mainly used to identify computers. Now, advanced methods can recognize almost any device, and the mobile environment has become an increasingly important area of interest.
How Does Device Fingerprinting Work?
The device fingerprinting process involves gathering sets of data, which are combined and passed through a hash function. The resulting hash value can serve as a unique identifier for each device or user. The information is typically stored in a database rather than on the device itself. Although any single data point may be generic, the combination of multiple data points can be unique.
Both passive and active methods can be employed in device fingerprinting to gather a device's information. The goal of both approaches is to collect as much information as possible about the device: even if thousands of computers have the same operating system, each will likely have a distinct combination of software, hardware, browser, plugins, language, time zone, and general settings.
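The combine-and-hash step described above, as an added example that is not code from the original page. The attribute names, the three sample devices, the choice of SHA-256 and the `KNOWN` store are constructed assumptions; the last check shows how a single changed setting breaks the match.

```python
import hashlib
import json
from collections import Counter

def fingerprint(attrs: dict) -> str:
    """Hash a canonical encoding of the collected attributes."""
    # Sorted keys and fixed separators: the same attributes always give the same bytes.
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

# Constructed sample data: three devices that share most individual values.
DEVICES = {
    "laptop-a": {"os": "Windows 10", "language": "en-US", "timezone": "UTC+1",
                 "screen": "1920x1080", "fonts": ["Arial", "Calibri"]},
    "laptop-b": {"os": "Windows 10", "language": "en-US", "timezone": "UTC+1",
                 "screen": "1920x1080", "fonts": ["Arial", "Calibri", "Fira Code"]},
    "laptop-c": {"os": "Windows 10", "language": "de-DE", "timezone": "UTC+1",
                 "screen": "1920x1080", "fonts": ["Arial", "Calibri"]},
}

def value_counts(devices: dict, key: str) -> Counter:
    """Count how many devices share each value of one attribute (a single data point)."""
    return Counter(json.dumps(d[key]) for d in devices.values())

# Server-side store (assumed): the hash is kept in a database, not on the device.
KNOWN = {"alice": {fingerprint(DEVICES["laptop-a"])}}

def is_known_device(account: str, attrs: dict) -> bool:
    """Fraud-check style lookup: has this account been seen on this device before?"""
    return fingerprint(attrs) in KNOWN.get(account, set())

if __name__ == "__main__":
    # The operating system alone does not distinguish the three devices.
    print(value_counts(DEVICES, "os"))
    # The combined attribute set gives each device its own identifier.
    for name, attrs in DEVICES.items():
        print(name, fingerprint(attrs)[:16])
    print(is_known_device("alice", DEVICES["laptop-a"]))
    # A changed setting yields a different hash, so the device is not recognized.
    changed = dict(DEVICES["laptop-a"], timezone="UTC-5")
    print(is_known_device("alice", changed))
```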
Passive Fingerprinting
Passive fingerprinting refers to subtly collecting data without directly querying the user or remote system. As a result, this approach often yields less specific information, such as the operating system.
For example, it is possible to use a passive fingerprinting technique to gather information about wireless drivers on networking devices like modems. This can be achieved by examining the various types of drivers and how they scan for possible connections, without requiring any interaction from the devices. By identifying the differences in how multiple devices scan for access points, an attacker can accurately determine which driver is being used on each targeted device.
Active Fingerprinting
Active fingerprinting involves network communication, which can be more easily detected on the client side. Websites may use JavaScript code to gather information about the user's devices and browsers, including window size, fonts, plugins, language settings, time zone, and hardware details.
One example of an active fingerprinting technique is canvas fingerprinting, which is utilized on both computers and mobile devices. This approach often involves a script that interacts with the canvas of an HTML5 web page. The script instructs the canvas to create a hidden image on the screen, which records information such as screen resolution, fonts, and background colors.
What Is Device Fingerprinting Used For?
Device fingerprinting is commonly used by advertisers to track user behavior on multiple browsers. Banks also utilize these methods to ensure that a request is coming from a trusted device and not from a system involved in fraudulent activities.
Device fingerprinting is also helpful for websites to avoid multiple account registrations and for search engines to flag suspicious behavior of a device. Additionally, these techniques can help detect and prevent identity theft and credit card fraud.
However, device fingerprinting poses a threat to user privacy, and depending on the implementation, data collection may be undetectable, especially with passive fingerprinting techniques.
Limitations
Limitations of device fingerprinting exist in both active and passive methods. Active fingerprinting relies on the availability of scripting languages such as JavaScript, which may not be present on mobile devices or devices that run privacy software or plugins. However, privacy-focused users with particular settings or using unpopular software can be easily identified.
Passive fingerprinting collects data based on what is sent out by each device but tends to provide less specific information. Inaccuracies may occur when users constantly change their settings or use multiple virtual operating systems. Additionally, using different browsers may cause inconsistencies, but cross-browser fingerprinting techniques can help avoid such limitations.
Conclusion
Device fingerprinting can be implemented in various ways, and the effectiveness of each method can differ significantly in terms of gathering data and identifying a single source. Whether used alone or in combination with other methods, device fingerprinting is a powerful tool for tracking user behavior and identification. It can be utilized for both legitimate and illegitimate purposes, making it essential to understand its basic mechanisms.