What you need to know about your browser’s digital fingerprints

Facebook and others want to track you. Apple is blocking them.
colored fingerprints

Your browser has a fingerprint. It’s not as obvious as the real ones on your fingertips, but it exists nonetheless. And advertising networks can use it to track your browsing.

Apple announced yesterday that they are fighting that strategy. Among the software updates they highlighted during the keynote address at the company’s Worldwide Developers Conference were interesting details about the next version of Safari, the internet browser made by Apple.

Craig Federighi, the company’s software engineering lead, mentioned two developments that people interested in staying private online may like: They’re going to fight the ways that advertising networks can use your browser’s digital fingerprint to track you, and battle another tracking method—how buttons such as those Facebook “like” elements can follow your browsing behavior, too.

First, fingerprinting: That’s when a tracker tries to identify your machine based on the details it can glean about it, using seemingly innocuous details like the system fonts you have installed. It sounds evil, but the technique actually has two sides to it—security experts can use it to try to identify the computers used in an attack, for example, and that’s a good thing.

But a typical internet user who values their privacy wouldn’t want their machine, and behavior, tracked and identified with this technique. “Fingerprinting is just little bits of data that lead up to something specific,” says Jarrod Overson, the director of engineering at Shape Security, a cybersecurity company. “And it gets to be problematic when those data bits end up leading to individual people.”

Yesterday at the Apple keynote, Federighi explained how the next version of Safari will fight this tracking strategy. “We’re presenting web pages with only a simplified system configuration,” he said. “As a result, your Mac will look more like everyone else’s Mac, and it will be dramatically more difficult for data companies to uniquely identify your device and track you.”

If you’re interested in seeing what elements of your browser are trackable, head over to a Electronic Frontier Foundation’s page called Panopticlick; click “test me,” and then check out the results. Click “Show full results for fingerprinting” to see what kind of details the test noticed about your browser. In testing it on Chrome, Safari, and Firefox, I noticed that none of them performed well when it comes to fingerprinting protection.

And while you might hope that Safari’s Private browsing mode or Chrome’s Incognito Mode keep you anonymous online, remember that those features are more about shielding your internet history from others who might have physical access to your machine, as opposed to data trackers online. Shape Security’s Overson compared the situation to an “arms race.” “Incognito mode limits the ability for people to collect and store a variety of data on your browser and device,” he says. “But it’s not going to limit the creativity of people who are explicitly out to track you.”

Fingerprinting wasn’t the only tracking technique that Apple discussed. The Facebook, Twitter, and other social buttons you see at the bottom of an article, even the comment areas—companies can use those elements to track your web behavior, too. Apple’s Federighi said that in the forthcoming version of Safari they are blocking that approach.

Here’s how that kind of tracking works. Say you visit one website, then another, and they both have a Facebook button on them, explains Shuman Ghosemajumder, also of Shape Security, and the former head of product at Google for click fraud. “The way that ‘like’ button ends getting served, is actually from the Facebook domain,” Ghosemajumder says. “What that means is that when you visited both of those sites—neither of which are Facebook—there was a call that was actually made by your browser to Facebook servers. Now Facebook has the ability to correlate those two calls, and it’s aware of the fact that you’ve visited both of those websites.” The same is true of the other buttons you see. And that is not great news, from a privacy perspective.

During Apple’s event, Federighi said that the way they’d fight the use of those social buttons is by presenting a dialogue box that asks you if you want to allow a company like Facebook to track your activity.

If you want to take a step now to make your online browsing a little less trackable, consider installing a tool called Privacy Badger, also made by the Electronic Frontier Foundation. With Privacy Badger installed on Chrome, I ran a Panopticlick test. The results were good—except for the fact that it said my browser still has “a unique fingerprint.” In other words, the grubby fingers of my browser may still be visible to those who want to track me.