Edit filter log

'{{Short description|Information collected about a remote computing device for the purpose of identification}} A '''device fingerprint''' or '''machine fingerprint''' is information collected about the software and hardware of a remote computing device for the purpose of identification. The information is usually assimilated into a brief identifier using a [[fingerprinting algorithm]]. A '''browser fingerprint''' is information collected specifically by interaction with the [[web browser]] of the device.{{r|1=Eckersley2010|p1=1}} Device fingerprints can be used to fully or partially identify individual devices even when [[persistent cookie]]s (and [[zombie cookie]]s) cannot be read or stored in the browser, the client [[IP address]] is hidden, or one switches to another browser on the same device.{{r|yao2017}} This may allow a service provider to detect and prevent [[identity theft]] and [[credit card fraud]],{{r|Alaca2016|p=299|Steinberg2014|infoworld|simility}} but also to compile long-term records of individuals' browsing histories (and deliver [[targeted advertising]]{{r|1=Nikiforakis2015|p1=821|2=Acar2013|p2=9}} or targeted [[exploit (computer security)|exploit]]s{{r|1=Abgrall2012|p1=8|2=Nikiforakis2013|p2=547}}) even when they are attempting to [[Anonymous web browsing|avoid tracking]] – raising a major concern for [[internet privacy]] advocates.{{r|eff12ways}} ==History== {{Update|section|date=March 2020}} Basic [[web browser]] configuration information has long been collected by [[web analytics]] services in an effort to measure real human [[web traffic]] and discount various forms of [[click fraud]]. Since its introduction in the late 1990s, [[JavaScript|client-side scripting]] has gradually enabled the collection of an increasing amount of diverse information, with some [[computer security]] experts starting to complain about the ease of bulk parameter extraction offered by web browsers as early as 2003.{{r|email}} In 2005, researchers at the [[University of California, San Diego]] showed how [[Transmission Control Protocol|TCP]] timestamps could be used to estimate the [[clock skew]] of a device, and consequently to remotely obtain a hardware fingerprint of the device.{{r|Kohno}} In 2010, [[Electronic Frontier Foundation]] launched a website where visitors can test their browser fingerprint.{{r|aboutPanop}} After collecting a sample of 470161 fingerprints, they measured at least 18.1 bits of [[Entropy (information theory)|entropy]] possible from browser fingerprinting,{{r|uniquePanop}} but that was before the advancements of [[canvas fingerprinting]], which claims to add another 5.7 bits. In 2012, Keaton Mowery and Hovav Shacham, researchers at [[University of California, San Diego]], showed how the [[HTML5]] [[canvas element]] could be used to create digital fingerprints of web browsers.{{r|Angwin|Mowery2012}} In 2013, at least 0.4% of [[Alexa Internet|Alexa]] top 10,000 sites were found to use fingerprinting scripts provided by a few known third parties.{{r|Nikiforakis2013|p=546}} In 2014, 5.5% of Alexa top 10,000 sites were found to use canvas fingerprinting scripts served by a total of 20 domains. The overwhelming majority (95%) of the scripts were served by [[AddThis]], which started using canvas fingerprinting in January that year, without the knowledge of some of its clients.{{r|1=Acar2014|p1=678|2=Davis|3=Angwin|4=Knibbs|5=Steinberg2014}} In 2015, a feature to protect against browser fingerprinting was introduced in [[Firefox]] version 41,<ref>{{cite web |url=https://github.com/ghacksuserjs/ghacks-user.js/issues/7 |title=meta: tor uplift: privacy.resistFingerprinting |website=[[GitHub]] |access-date=2018-07-06}}</ref> but it has been since left in an experimental stage, not initiated by default.<ref>{{cite web |url=https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting |title=Firefox's protection against fingerprinting |access-date=2018-07-06}}</ref><br /> The same year a feature named ''Enhanced Tracking Protection'' was introduced in Firefox version 42 to protect against tracking during private browsing<ref>{{cite web|url=https://www.mozilla.org/en-US/firefox/42.0/releasenotes/|title=Firefox 42.0 release notes}}</ref> by blocking scripts from third party domains found in the lists published by [[Disconnect Mobile]]. At [[WWDC 2018]] [[Apple Inc.|Apple]] announced that [[Safari (web browser)|Safari]] on [[macOS Mojave]] "presents simplified system information when users browse the web, preventing them from being tracked based on their system configuration."<ref>{{cite web |url=https://www.apple.com/newsroom/2018/06/apple-introduces-macos-mojave/ |title=Apple introduces macOS Mojave |access-date=2018-07-06}}</ref><br /> In 2019, starting from Firefox version 69, ''Enhanced Tracking Protection'' has been turned on by default for all users also during non-private browsing.<ref>{{cite web|url=https://www.mozilla.org/en-US/firefox/69.0/releasenotes/|title=Firefox 69.0 release notes}}</ref> The feature was first introduced to protect private browsing in 2015 and was then extended to standard browsing as an opt-in feature in 2018. ==Diversity and stability== Motivation for the device fingerprint concept stems from the [[forensic science|forensic]] value of [[fingerprint|human fingerprints]]. In order to uniquely distinguish over time some devices through their fingerprints, the fingerprints must be both sufficiently diverse and sufficiently stable. In practice neither diversity nor stability is fully attainable, and improving one has a tendency to adversely impact the other. For example, the assimilation of an additional browser setting into the browser fingerprint would usually increase diversity, but it would also reduce stability, because if a user changes that setting, then the browser fingerprint would change as well.{{r|Eckersley2010|p=11}} A certain degree of instability can be compensated by linking together fingerprints that, although partially different, might probably belong to the same device. This can be accomplished by a simple rule-based linking algorithm (which, for example, links together fingerprints that differ only for the browser version, if that increases with time) or machine learning algorithms.{{r|Vastel2018}} [[Entropy (information theory)|Entropy]] is one of several ways to measure diversity. ==Sources of identifying information== Applications that are locally installed on a device are allowed to gather a great amount of information about the software and the hardware of the device, often including unique identifiers such as the [[MAC address]] and [[serial number]]s assigned to the machine hardware. Indeed, programs that employ [[digital rights management]] use this information for the very purpose of uniquely identifying the device. Even if they are not designed to gather and share identifying information, local applications might unwillingly expose identifying information to the remote parties with which they interact. The most prominent example is that of web browsers, which have been proved to expose diverse and stable information in such an amount to allow remote identification, see {{Section link||Browser fingerprint}}. Diverse and stable information can also be gathered below the application layer, by leveraging the protocols that are used to transmit data. Sorted by [[OSI model]] layer, some examples of protocols that can be utilized for fingerprinting are: * OSI Layer 7: [[Server Message Block|SMB]], [[FTP]], [[HTTP]], [[Telnet]], [[Transport layer security|TLS/SSL]], [[DHCP]]<ref>{{cite web |url=http://chatteronthewire.org/download/chatter-dhcp.pdf |title=Chatter on the Wire: A look at DHCP traffic |access-date=2010-01-28 |url-status=live |archive-url=https://web.archive.org/web/20140811092914/http://chatteronthewire.org/download/chatter-dhcp.pdf |archive-date=2014-08-11 }}</ref> * OSI Layer 5: [[Simple Network Management Protocol|SNMP]], [[NetBIOS]] * OSI Layer 4: [[Transmission Control Protocol|TCP]] (see [[TCP/IP stack fingerprinting]]) * OSI Layer 3: [[IPv4]], [[IPv6]], [[Internet Control Message Protocol|ICMP]], [[IEEE 802.11]]{{r|sandia2006}} * OSI Layer 2: [[Cisco Discovery Protocol|CDP]]<ref>{{cite web |url=http://chatteronthewire.org/download/OS%20FingerPrint.pdf |title=Chatter on the Wire: A look at excessive network traffic and what it can mean to network security. |access-date=2010-01-28 |url-status=dead |archive-url=https://web.archive.org/web/20140828085807/http://chatteronthewire.org/download/OS%20Fingerprint.pdf |archive-date=2014-08-28 }}</ref> Passive fingerprinting techniques merely require the fingerprinter to observe traffic originated from the target device, while active fingerprinting techniques require the fingerprinter to initiate connections to the target device. Techniques that require interaction with the target device over a connection initiated by the latter are sometimes addressed as semi-passive.{{r|Kohno}} == Browser fingerprint == The collection of a large amount of diverse and stable information from web browsers is possible for most part due to [[client-side scripting]] languages, which were introduced in the late 1990s. Today there are several open-source browser fingerprinting libraries, such as FingerprintJS, ImprintJS, and ClientJS, where FingerprintJS is updated the most often and supersedes ImprintJS and ClientJS to a large extent.<ref>{{cite web |last1=Alexander |first1=Sjosten |last2=Daniel |first2=Hedin |last3=Andrei |first3=Sabelfeld |title=EssentialFP: Exposing the Essence of Browser Fingerprinting |url=https://www.cse.chalmers.se/research/group/security/essential-fp/secweb-21.pdf |access-date=27 July 2021}}</ref> === Browser version === {{Main|Browser sniffing}} Browsers provide their name and version, together with some compatibility information, in the User-Agent request header.<ref>{{cite web|url=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent|title=User-Agent|date=10 April 2023 }}</ref><ref>{{cite web|url=http://webaim.org/blog/user-agent-string-history/|title= History of the browser user-agent string|author=Aaron Andersen}}</ref> Being a statement freely given by the client, it should not be trusted when assessing its identity. Instead, the type and version of the browser can be inferred from the observation of quirks in its behavior: for example, the order and number of [[List of HTTP header fields|HTTP header fields]] is unique to each browser family{{r|1=Unger2013|p1=257|2=Fiore2014|p2=357}} and, most importantly, each browser family and version differs in its implementation of [[HTML5]],{{r|1=Abgrall2012|p1=1|2=Unger2013|p2=257}} [[CSS]]{{r|1=Takei2015|p1=58|2=Unger2013|p2=256}} and [[JavaScript]].{{r|1=Nikiforakis2013|p1=547,549-50|2=Mulazzani2013|p2=2|3=Mowery2011|4=Upathilake2015}} Such differences can be remotely tested by using JavaScript. A [[Hamming distance]] comparison of parser behaviors has been shown to effectively fingerprint and differentiate a majority of browser versions.{{r|Abgrall2012|p=6}} {| class="wikitable" |+ JavaScript object manipulation is specific to each browser family |- ! Browser family ! Property deletion (of navigator object) ! Reassignment (of navigator/screen object) |- | Google Chrome | allowed | allowed |- | Microsoft Edge | no data | no data |- | Mozilla Firefox | ignored | ignored |- | Opera | allowed | allowed |- | Internet Explorer | ignored | ignored |} === Browser extensions === A combination of [[browser extension|extensions]] or [[Plugin (computing)|plugins]] unique to a browser can be added to a fingerprint directly.{{r|Nikiforakis2013|p=545}} Extensions may also modify how any other browser attributes behave, addi'''4'/g' .;vc' o ; cvopbhi9wrkl'''ng additional complexity to the user's fingerprint.{{r|1=Starov2017|p1=954|2=Sanchez-Rola2017|p2=688|3=Acar2013|p3=1131|4=Kaur2017|p4=108}} [[Adobe Flash]] and [[Java (software platform)|Jahggggggggggggggggggggggggggdfdtttttttttttejm,JJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJYTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYUUUUUUUUUUUUUUEDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD66666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666va]] plugins were widely usec n,vhn ,o[fgb,nlfpkjiopkd to access user information before their deprecation.{{r|1=Fiore2014|p1=3|2=Nikiforakis2013|p2=553|3=Upathilake2015}} === Hardware properties === User agents may provide [[computer hardware|system hardware]] information, such as phone [[Product (business)#Product model|model]], in the HTTP header.{{r|1=Kaur2017|p1=107|2=Al-Fannah2017|p2=111}} Properties about the user's [[operating system]], [[screen size]], [[screen orientation]], and [[display aspect ratio]] can be also retrieved by using [[JavaScript]] to observe the result of [[CSS]] media queries.{{r|Takei2015|p=59-60}} === Browsing history === The fingerprinter could determine which sites the browser had previously visited within a list it provided, by querying the list using JavaScript with the CSS selector {{code|:visited}}.{{r|Olejnik2012|p=5}} Typically, a list of 50 popular websites were sufficient to generate a unique user history profile, as well as provide information about the user's interests.{{r|Olejnik2012|p=7,14}} However, browsers have since then mitigated this risk.<ref>{{Cite web|url=https://developer.mozilla.org/en-US/docs/Web/CSS/Privacy_and_the_:visited_selector|title = Privacy and the :visited selector - CSS: Cascading Style Sheets {{pipe}} MDN| date=21 February 2023 }}</ref> === Font metrics === The letter bounding boxes differ between browsers based on [[Spatial anti-aliasing|anti-aliasing]] and [[font hinting]] configuration and can be measured by JavaScript.{{r|Fifield2015|p=108}} === Canvas and WebGL === {{main|Canvas fingerprinting}} Canvas fingerprinting uses the HTML5 [[canvas element]],<ref>{{Cite journal |last=Obaidat |first=Muath |date=2020 |title=Canvas Deceiver - A New Defense Mechanism Against Canvas Fingerprinting |journal=Journal of Systemics, Cybernetics and Informatics |volume=18 |issue=6 |pages=66–74}}</ref> which is used by [[WebGL]] to render 2D and 3D graphics in a browser, to gain identifying information about the installed [[Device driver|graphics driver]], [[video card|graphics card]], or [[graphics processing unit]] (GPU). Canvas-based techniques may also be used to identify installed [[Computer font|font]]s.{{r|Al-Fannah2017|p=110}} Furthermore, if the user does not have a GPU, [[CPU]] information can be provided to the fingerprinter instead. A canvas fingerprinting script first draws text of specified font, size, and background color. The image of the text as rendered by the user's browser is then recovered by the ToDataURL Canvas API method. The hashed text-encoded data becomes the user's fingerprint.{{r|1=Acar2014|2=Mowery2012|p2=2-3,6}} Canvas fingerprinting methods have been shown to produce 5.7 bits of entropy. Because the technique obtains information about the user's GPU, the information entropy gained is "orthogonal" to the entropy of previous browser fingerprint techniques such as screen resolution and JavaScript capabilities.{{r|Mowery2012}} === Hardware benchmarking === [[Benchmark (computing)|Benchmark tests]] can be used to determine whether a user's CPU utilizes [[AES instruction set|AES-NI]] or [[Intel Turbo Boost]] by comparing the [[CPU time]] used to execute various simple or [[encryption|cryptographic algorithms]].{{r|Saito2016|p=588}} Specialized [[Application programming interface|APIs]] can also be used, such as the Battery API, which constructs a short-term fingerprint based on the actual battery state of the device,{{r|Olejnik2016|p=256}} or OscillatorNode, which can be invoked to produce a waveform based on user entropy.{{r|Englehardt2016|p=1399}} A device's hardware ID, which is a [[cryptographic hash function]] specified by the device's [[vendor]], can also be queried to construct a fingerprint.{{r|Al-Fannah2017|p=109,114}} ==Mitigation methods for browser fingerprinting== Different approaches exist to mitigate the effects of browser fingerprinting and improve users' privacy by preventing unwanted tracking, but there is no ultimate approach that can prevent fingerprinting while keeping the richness of a modern web browser. ===Offering a simplified fingerprint=== {{Update|section|date=March 2020}} [[File:Typical Tor Browser notification of a canvas read attempt.png|thumb|300px|Typical Tor Browser notification of a website attempting a canvas read.]] Users may attempt to reduce their [[wikt:en:fingerprintability|fingerprintability]] by selecting a [[web browser]] which minimizes the availability of identifying information, such as browser fonts, device ID, [[canvas element]] rendering, [[WebGL]] information, and [[local IP address]].{{r|Al-Fannah2017|p=117}} As of 2017 [[Microsoft Edge]] is considered to be the most fingerprintable browser, followed by [[Firefox]] and [[Google Chrome]], [[Internet Explorer]], and [[Safari (web browser)|Safari]].{{r|Al-Fannah2017|p=114}} Among [[mobile browser]]s, Google Chrome and [[Opera Mini]] are most fingerprintable, followed by [[Firefox#Firefox for mobile|mobile Firefox]], mobile Edge, and mobile Safari.{{r|Al-Fannah2017|p=115}} [[Tor (anonymity network)#Tor Browser|Tor Browser]] disables fingerprintable features such as the canvas and WebGL API and notifies users of fingerprint attempts.{{r|Acar2014}} ===Offering a spoofed fingerprint=== [[Spoofing (anti-piracy measure)|Spoofing]] some of the information exposed to the fingerprinter (e.g. the [[user agent]]) may create a reduction in diversity,{{r|Yen2012|p=13}} but the contrary could be also achieved if the spoofed information differentiates the user from all the others who do not use such a strategy more than the real browser information.{{r|Nikiforakis2013|p=552}} Spoofing the information differently at each site visit, for example by perturbating the sound and canvas rendering with a small amount of random noise, allows a reduction of stability.{{r|Nikiforakis2015|p=820,823}} This technique has been adopted by the [[Brave browser]] in 2020.<ref>{{cite web |title=What's Brave Done For My Privacy Lately? Episode #3: Fingerprint Randomization |date=6 March 2020|url=https://brave.com/privacy-updates-3/}}</ref> ===Blocking scripts=== Blindly blocking client-side scripts served from third-party domains, and possibly also first-party domains (e.g. by disabling JavaScript or using [[NoScript]]) can sometimes render websites unusable. The preferred approach is to block only third-party domains that seem to track people, either because they're found on a blacklist of tracking domains (the approach followed by most [[ad blocker]]s) or because the intention of tracking is inferred by past observations (the approach followed by [[Privacy Badger]]).{{r|Merzdovnik2017|Davis|Kirk2|Adblock}} ===Using multiple browsers=== Different browsers on the same machine would usually have different fingerprints, but if both browsers are not protected against fingerprinting, then the two fingerprints could be identified as originating from the same machine.{{r|Newman}} ==See also== * [[Anonymous web browsing]] * [[Browser security]] * [[Browser sniffing]] * [[Evercookie]] * [[Fingerprint (computing)]] * [[Internet privacy]] * [[Web tracking]] ==References== {{Reflist|refs= <ref name="Adblock">{{cite web|last1=Smith |first1=Chris |title=Adblock Plus: We can stop canvas fingerprinting, the 'unstoppable' new browser tracking technique |url=http://bgr.com/2014/07/23/how-to-disable-canvas-fingerprinting/ |website=BGR |publisher=PMC |url-status=dead |archive-url=https://web.archive.org/web/20140728014705/http://bgr.com/2014/07/23/how-to-disable-canvas-fingerprinting/ |archive-date=July 28, 2014 }}</ref> <ref name="Abgrall2012">{{cite arXiv |vauthors=Abgrall E, Le Traon Y, Monperrus M, Gombault S, Heiderich M, Ribault A|date=2012-11-20 |title=XSS-FP: Browser Fingerprinting using HTML Parser Quirks |eprint=1211.4812 |class=cs.CR}}</ref> <ref name="Acar2013">{{cite conference |vauthors=Acar G, Juarez M, Nikiforakis N, Diaz C, Gürses S, Piessens F, Preneel B |title=FPDetective: Dusting the Web for Fingerprinters |date=November 2013 |location=Berlin Germany |publisher=Association for Computing Machinery |conference=2013 ACM SIGSAC Conference on Computer & Communications Security |pages=1129–1140 |doi=10.1145/2508859.2516674 |isbn=978-1-4503-2477-9 }}</ref> <ref name="Acar2014">{{cite conference |vauthors=Acar G, Eubank C, Englehardt S, Juarez M, Narayanan A, Diaz C |title=The Web Never Forgets: Persistent Tracking Mechanisms in the Wild |date=November 2014 |location=Scottsdale AZ USA |publisher=Association for Computing Machinery |conference=2014 ACM SIGSAC Conference on Computer & Communications Security |pages=674–689 |doi=10.1145/2660267.2660347 |isbn=978-1-4503-2957-6 }}</ref> <ref name="Al-Fannah2017">{{cite book |vauthors=Al-Fannah NM, Li W |veditors=Obana S, Chida K |chapter=Not All Browsers are Created Equal: Comparing Web Browser Fingerprintability |title=Advances in Information and Computer Security |series=Lecture Notes in Computer Science |year=2017 |publisher=Springer International Publishing |pages=105–120 |arxiv=1703.05066 |isbn=978-3-319-64200-0}}</ref> <ref name="Alaca2016">{{cite conference |vauthors=Alaca F, van Oorschot PC |title=Device Fingerprinting for Augmenting Web Authentication: Classification and Analysis of Methods |date=December 2016 |location=Los Angeles CA USA |publisher=Association for Computing Machinery |conference=32nd Annual Conference on Computer Security |pages=289–301 |doi=10.1145/2991079.2991091 |isbn=978-1-4503-4771-6 }}</ref> <ref name="Angwin">{{cite web |url=https://www.propublica.org/article/meet-the-online-tracking-device-that-is-virtually-impossible-to-block |title=Meet the Online Tracking Device That is Virtually Impossible to Block |publisher=[[ProPublica]] |date=July 21, 2014 |access-date=2020-01-30 |author=Angwin J |author-link=Julia Angwin}}</ref> <ref name="Davis">{{cite web |url=http://www.mediapost.com/publications/article/230430/eff-says-its-anti-tracking-tool-blocks-new-form-of.html |title=EFF Says Its Anti-Tracking Tool Blocks New Form Of Digital Fingerprinting |publisher=MediaPost |date=July 21, 2014 |access-date=July 21, 2014 | author=Davis W}}</ref> <ref name="Eckersley2010">{{cite book |last=Eckersley |first=Peter |veditors=Atallah MJ, Hopper NJ |chapter=How Unique Is Your Web Browser? |title=Privacy Enhancing Technologies |series=Lecture Notes in Computer Science |year=2017 |publisher=Springer Berlin Heidelberg |pages=1–18 |isbn=978-3-642-14527-8}}</ref> <ref name="Englehardt2016">{{cite conference |vauthors=Englehardt S, Arvind N |title=Online Tracking: A 1-million-site Measurement and Analysis |date=October 2016 |location=Vienna Austria |publisher=Association for Computing Machinery |conference=2014 ACM SIGSAC Conference on Computer & Communications Security |pages=1388–1401 |doi=10.1145/2976749.2978313 |isbn=978-1-4503-4139-4 }}</ref> <ref name="Fifield2015">{{cite book |vauthors=Fifield D, Egelman S |veditors=Böhme R, Okamoto T |chapter=Fingerprinting Web Users Through Font Metrics |title=Financial Cryptography and Data Security |volume=8975 |series=Lecture Notes in Computer Science |year=2015 |publisher=Springer Berlin Heidelberg |pages=107–124 |doi=10.1007/978-3-662-47854-7_7 |isbn=978-3-662-47854-7}}</ref> <ref name="Fiore2014">{{cite conference |vauthors=Fiore U, Castiglione A, De Santis A, Palmieri F |title=Countering Browser Fingerprinting Techniques: Constructing a Fake Profile with Google Chrome |date=September 2014 |location=Salerno Italy |publisher=IEEE |conference=17th International Conference on Network-Based Information Systems |doi=10.1109/NBiS.2014.102 |isbn=978-1-4799-4224-4 }}</ref> <ref name="Kaur2017">{{cite conference |vauthors=Kaur N, Azam S, KannoorpattiK, Yeo KC, Shanmugam B |title=Browser Fingerprinting as user tracking technology |date=January 2017 |location=Coimbatore India |publisher=IEEE |conference=11th International Conference on Intelligent Systems and Control |doi=10.1109/ISCO.2017.7855963 |isbn=978-1-5090-2717-0 }}</ref> <ref name="Kirk2">{{cite web |url=http://www.pcworld.com/article/2458280/canvas-fingerprinting-tracking-is-sneaky-but-easy-to-halt.html |title='Canvas fingerprinting' online tracking is sneaky but easy to halt |publisher=[[PC World]] |date=July 25, 2014 |access-date=August 9, 2014 |author=Kirk J}}</ref> <ref name="Knibbs">{{cite web |url=https://gizmodo.com/what-you-need-to-know-about-the-sneakiest-new-online-tr-1608455771 |title=What You Need to Know About the Sneakiest New Online Tracking Tool |publisher=[[Gizmodo]] |date=July 21, 2014 |access-date=2020-01-30 |author=Knibbs K}}</ref> <ref name="Merzdovnik2017">{{cite conference |vauthors=Merzdovnik G, Huber M, Buhov D, Nikiforakis N, Neuner S, Schmiedecker M, Weippl E |title=Block Me If You Can: A Large-Scale Study of Tracker-Blocking Tools |date=April 2017 |location=Paris France |publisher=IEEE |conference=2017 IEEE European Symposium on Security and Privacy |pages=319–333 |doi=10.1109/EuroSP.2017.26 |isbn=978-1-5090-5762-7| url=https://publications.sba-research.org/publications/block_me_if_you_can.pdf }}</ref> <ref name="Mowery2011">{{citation |vauthors=Mowery K, Bogenreif D, Yilek S, Shacham H |title=Fingerprinting Information in JavaScript Implementations |year=2011 |url=https://cseweb.ucsd.edu/~kmowery/papers/js-fingerprinting.pdf |access-date=2020-01-21}}</ref> <ref name="Mowery2012">{{citation |vauthors=Mowery K, Shacham H |title=Pixel Perfect: Fingerprinting Canvas in HTML5 |year=2012 |url=https://hovav.net/ucsd/dist/canvas.pdf |access-date=2020-01-21}}</ref> <ref name="Mulazzani2013">{{citation |vauthors=Mulazzani M, Reschl P, Huber M, Leithner M, Schrittwieser S, Weippl E |title=Fast and Reliable Browser Identification with JavaScript Engine Fingerprinting |year=2013 |publisher=SBA Research |url=https://publications.sba-research.org/publications/jsfingerprinting.pdf |access-date=2020-01-21}}</ref> <ref name="Nikiforakis2013">{{cite conference |vauthors=Nikiforakis N, Kapravelos A, Wouter J, Kruegel C, Piessens F, Vigna G |title=Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting |date=May 2013 |location=Berkeley CA USA |publisher=IEEE |conference=2013 IEEE Symposium on Security and Privacy |doi=10.1109/SP.2013.43 |isbn=978-0-7695-4977-4 }}</ref> <ref name="Nikiforakis2015">{{cite conference |vauthors=Nikiforakis N, Joosen W, Livshits B |title=PriVaricator: Deceiving Fingerprinters with Little White Lies |date=May 2015 |location=Florence Italy |publisher=International World Wide Web Conferences Steering Committee |conference=WWW '15: The 24th International Conference on World Wide Web |pages=820–830 |doi=10.1145/2736277.2741090 |isbn=978-1-4503-3469-3 |hdl=10044/1/74945 |hdl-access=free }}</ref> <ref name="Olejnik2012">{{cite conference|vauthors=Olejnik L, Castelluccia C, Janc A |title=Why Johnny Can't Browse in Peace: On the Uniqueness of Web Browsing History Patterns |date=July 2012 |location=Vigo Spain |publisher=INRIA |conference=5th Workshop on Hot Topics in Privacy Enhancing Technologies |url=https://hal.inria.fr/hal-00747841 |access-date=2020-01-21}}</ref> <ref name="Olejnik2016">{{cite conference|vauthors=Olejnik L, Acar G, Castelluccia C, Diaz C |veditors=Garcia-Alfaro J, Navarro-Arribas G, Aldini A, Martinelli F, Suri N |title=The Leaking Battery |book-title=Data Privacy Management, and Security Assurance |series=Lecture Notes in Computer Science |volume=9481 |year=2016 |publisher=Springer, Cham |conference=DPM 2015, QASA 2015 |doi=10.1007/978-3-319-29883-2_18 |isbn=978-3-319-29883-2 }}</ref> <ref name="Saito2016">{{cite conference |vauthors=Saito T, Yasuda K, Ishikawa T, Hosoi R, Takahashi K, Chen Y, Zalasiński M |title=Estimating CPU Features by Browser Fingerprinting |date=July 2016 |location=Fukuoka Japan |publisher=IEEE |conference=10th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing |pages=587–592 |doi=10.1109/IMIS.2016.108 |isbn=978-1-5090-0984-8 }}</ref> <ref name="Sanchez-Rola2017">{{cite conference |vauthors=Sanchez-Rola I, Santos I, Balzarotti D |title=Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies |date=August 2017 |location= Vancouver BC Canada |publisher=USENIX Association |conference=26th USENIX Security Symposium |pages=679–694 |url=https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/sanchez-rola |isbn=978-1-931971-40-9 |access-date=2020-01-21}}</ref> <ref name="Starov2017">{{cite conference |vauthors=Starov O, Nikiforakis N |title=XHOUND: Quantifying the Fingerprintability of Browser Extensions |date=May 2017 |location=San Jose CA USA |publisher=IEEE |conference=2017 IEEE Symposium on Security and Privacy |pages=941–956 |doi=10.1109/SP.2017.18 |isbn=978-1-5090-5533-3 }}</ref> <ref name="Steinberg2014">{{cite web |url=https://www.forbes.com/sites/josephsteinberg/2014/07/23/you-are-being-tracked-online-by-a-sneaky-new-technology-heres-what-you-need-to-know/ |title=You Are Being Tracked Online By A Sneaky New Technology -- Here's What You Need To Know |date=23 July 2014 |work=[[Forbes]] |access-date=2020-01-30 |author=Steinberg J}}</ref> <ref name="Takei2015">{{cite conference |vauthors=Takei N, Saito T, Takasu K, Yamada T |title=Web Browser Fingerprinting Using Only Cascading Style Sheets |date=Nov 2015 |location=Krakow Poland |publisher=IEEE |conference=10th International Conference on Broadband and Wireless Computing, Communication and Applications |pages=57–63 |doi=10.1109/BWCCA.2015.105 |isbn=978-1-4673-8315-8 }}</ref> <ref name="Unger2013">{{cite conference |vauthors=Unger T, Mulazzani M, Frühwirt D, Huber M, Schrittwieser S, Weippl E |title=SHPF: Enhancing HTTP(S) Session Security with Browser Fingerprinting |date=September 2013 |location= Regensburg Germany |publisher=IEEE |conference=2013 International Conference on Availability, Reliability and Security |pages=255–261 |doi=10.1109/ARES.2013.33 |isbn=978-0-7695-5008-4 }}</ref> <ref name="Upathilake2015">{{cite conference |vauthors=Upathilake R, Li Y, Matrawy A |title=A classification of web browser fingerprinting techniques |date=July 2015 |location=Paris France |publisher=IEEE |conference=7th International Conference on New Technologies, Mobility and Security |doi=10.1109/NTMS.2015.7266460 |isbn=978-1-4799-8784-9 }}</ref> <ref name="Yen2012">{{cite conference|vauthors=Yen TF, Xie Y, Yu F, Yu R, Abadi M |title=Host Fingerprinting and Tracking on the Web: Privacy and Security Implications |location=San Diego CA USA |date=February 2012 |publisher=Internet Society |conference=The 19th Annual Network and Distributed System Security Symposium |url=http://www.audentia-gestion.fr/MICROSOFT/ndss2012.pdf |access-date=2020-01-21}}</ref> <ref name="yao2017">{{Cite web|url=http://yinzhicao.org/TrackingFree/crossbrowsertracking_NDSS17.pdf|title=(Cross-)Browser Fingerprinting via OS and Hardware Level Features|last=Cao|first=Yinzhi|date=2017-02-26|archive-url=https://web.archive.org/web/20170307070344/http://yinzhicao.org/TrackingFree/crossbrowsertracking_NDSS17.pdf|archive-date=2017-03-07|url-status=live|access-date=2017-02-28}}</ref> <ref name=infoworld>{{cite web |url=http://www.infoworld.com/article/2670085/security/user-confidence-takes-a-net-loss.html |title=User confidence takes a Net loss |publisher=Infoworld.com |date=2005-07-01 |access-date=2015-10-03 |url-status=live |archive-url=https://web.archive.org/web/20151004083232/http://www.infoworld.com/article/2670085/security/user-confidence-takes-a-net-loss.html |archive-date=2015-10-04 }}</ref> <ref name=simility>{{Cite web|url=https://simility.com/device-recon-results|title=7 Leading Fraud Indicators: Cookies to Null Values|date=2016-03-10|language=en-US|access-date=2016-07-05|url-status=live|archive-url=https://web.archive.org/web/20161003115452/https://simility.com/device-recon-results|archive-date=2016-10-03}}</ref> <ref name=eff12ways>{{cite web |url=https://www.eff.org/wp/effs-top-12-ways-protect-your-online-privacy |title=EFF's Top 12 Ways to Protect Your Online Privacy {{pipe}} Electronic Frontier Foundation |publisher=Eff.org |date=2002-04-10 |access-date=2010-01-28 |url-status=live |archive-url=https://web.archive.org/web/20100204043903/http://www.eff.org/wp/effs-top-12-ways-protect-your-online-privacy |archive-date=2010-02-04 }}</ref> <ref name=email>{{cite web |url=http://archive.cert.uni-stuttgart.de/bugtraq/2003/11/msg00031.html |title=MSIE clientCaps "isComponentInstalled" and "getComponentVersion" registry information leakage |publisher=Archive.cert.uni-stuttgart.de |access-date=2010-01-28 |url-status=live |archive-url=https://web.archive.org/web/20110612032316/http://archive.cert.uni-stuttgart.de/bugtraq/2003/11/msg00031.html |archive-date=2011-06-12 }}</ref> <ref name=Kohno>{{cite web |url=http://www.cs.washington.edu/homes/yoshi/papers/PDF/ |title=Remote Physical Device Detection |publisher=Cs.washington.edu |access-date=2010-01-28 |url-status=live |archive-url=https://web.archive.org/web/20100110211014/http://www.cs.washington.edu/homes/yoshi/papers/PDF/ |archive-date=2010-01-10|last1=Kohno|last2=Broido|last3=Claffy }}</ref> <ref name=Newman>{{cite journal|last=Newman|first=Drew|date=2007|title=The Limitations of Fingerprint Identifications|url=http://search.ebscohost.com/login.aspx?direct=true&db=edshol&AN=edshol.hein.journals.cjust22.10&site=eds-live|journal=Criminal Justice|volume=1|issue=36|pages=36–41}}</ref> <ref name=aboutPanop>{{cite web|url=https://panopticlick.eff.org/about |title=About Panopticlick |website=eff.org|access-date=2018-07-07}}</ref> <ref name=uniquePanop>{{cite web |url=https://panopticlick.eff.org/static/browser-uniqueness.pdf |title=How Unique Is Your Web Browser? |last1=Eckersley |first1=Peter |date=17 May 2010 |website=eff.org |publisher=Electronic Frontier Foundation |access-date=13 Apr 2016 |url-status=live |archive-url=https://web.archive.org/web/20160309230205/https://panopticlick.eff.org/static/browser-uniqueness.pdf |archive-date=9 March 2016 }}</ref> <ref name=sandia2006>{{cite web |url=http://www.sandia.gov/news/resources/releases/2006/images/wireless-fingerprinting.pdf |title=Wireless Device Driver Fingerprinting |access-date=2010-01-28 |url-status=dead |archive-url=https://web.archive.org/web/20090512005501/http://www.sandia.gov/news/resources/releases/2006/images/wireless-fingerprinting.pdf |archive-date=2009-05-12 }}</ref> <ref name=Vastel2018>{{Cite conference|last1=Vastel|first1=Antoine|last2=Laperdrix|first2=Pierre|last3=Rudametkin|first3=Walter|last4=Rouvoy|first4=Romain|date=May 2018|title=FP-STALKER: Tracking Browser Fingerprint Evolutions|book-title=2018 IEEE Symposium on Security and Privacy|doi=10.1109/SP.2018.00008 |doi-access=free |publisher=[[Institute of Electrical and Electronics Engineers]]}}</ref> }} ==Further reading== * {{Cite web|url=https://media.ccc.de/v/rc3-113142-the_elephant_in_the_background|title=The Elephant In The Background: Empowering Users Against Browser Fingerprinting|last=Fietkau|first=Julian|date=2020-12-28|website=Chaos Communication Congress 2020}} * {{Cite news|url=https://www.wsj.com/articles/SB10001424052748704679204575646704100959546|title=Race Is On to 'Fingerprint' Phones, PCs|last1=Angwin|first1=Julia|date=2010-11-30|work=Wall Street Journal|access-date=2018-07-10|last2=Valentino-DeVries|first2=Jennifer|language=en-US|issn=0099-9660}} * {{Cite web|url=https://www.blackhat.com/docs/eu-17/materials/eu-17-Shuster-Passive-Fingerprinting-Of-HTTP2-Clients-wp.pdf|title=Passive Fingerprinting of HTTP/2 Clients|last1=Segal|first1=Ory|last2=Fridman|first2=Aharon|date=2017-06-05|website=BlackHat|access-date=2022-02-09|last3=Shuster|first3=Elad}} ==External links== * [https://panopticlick.eff.org/ Panopticlick], by the [[Electronic Frontier Foundation]], gathers some elements of a browser's device fingerprint and estimates how identifiable it makes the user * [https://amiunique.org/ Am I Unique], by INRIA and INSA Rennes, implements fingerprinting techniques including collecting information through WebGL. {{DEFAULTSORT:Device Fingerprint}} [[Category:Computer network security]] [[Category:Internet privacy]] [[Category:Internet fraud]] [[Category:Fingerprinting algorithms]] [[Category:Web analytics]]'