SAN FRANCISCO -- Your web browser is leaking far more information about you than you realize, two researchers said at the RSA Conference here last week.
Websites can use that data to "fingerprint" your browser and track you online, they explained, but there are still ways to protect your privacy.
Microsoft Edge, Mozilla Firefox, Google Chrome and Apple Safari tell every website you visit which operating system you run, what kind of video card you have, your audio settings, your screen resolution, how many CPU cores your machine has, your time zone, your language, your general location, the fonts you have installed and, if you permit it, your specific location.
On smartphones and tablets, the browsers add data from a device's accelerometers, gyroscopes and magnetometers, plus the amount of ambient light and the device geolocation.
Taken together, all of these parameters and many others can be aggregated and compared with those of other browsers so that you can be picked out of a crowd of tens of thousands of other web users. No tracking cookies are needed -- your browser already tells the websites who you are.
Just how unique are you?
To see how pervasive this is, you can go to a website called BrowserLeaks.com to see exactly what your browser is giving away.
For example, BrowserLeaks says that a Chromebook connected to the internet at San Francisco International Airport, using the American Airlines Wi-Fi network in Terminal 2, has a "uniqueness" of 99.998%, meaning that "13 of 528,769 user agents have the same signature".
In other words, the Chromebook's Chrome browser would stand out as completely unique in a crowd of 40,000 other web users.
That's just using the Canvas element of modern browsers, a graphic component of the HTML5 standard. BrowserLeaks considers its Canvas test "rude and nominal" as it doesn't even involve time zone, language, location or dozens of other parameters that would narrow down your identity further.
Various browsers on different operating systems give different Canvas uniqueness results.
Microsoft Edge on a Windows 10 laptop connected to Time Warner Cable in Brooklyn, New York was somewhat commonplace, with a uniqueness of only 99.41%, or one out of every 169 users.
But Safari on a Mac was 99.99% unique, and Firefox on Android 99.998% unique, matching only one in every 58,700 users.
Good and bad
"Like any other tool, browser fingerprinting can be used for good or bad," said Daniel Ayoub, a product-management executive with LexisNexis who presented the findings along with his colleague Dean Weinert.
Ayoub asked the crowd of hackers and security experts if they thought it was acceptable for advertisers and marketers to use browser fingerprints to present users with tailored advertising. A clear majority of the people in the audience raised their hands in agreement.
"This is used every day in the background by ecommerce solutions, and most users are unaware," he said. "But most people in this room are OK with that."
Likewise, the crowd thought it was fine for banks and other financial institutions to use browser fingerprinting to detect fraud.
But few in the audience felt comfortable with websites using browser fingerprinting to collect user behavior and sell that data to third parties.
How to not stand out
If you're also uncomfortable with that, then there are a few things you can do, but they're not what you might think. Blocking tracking cookies, blocking ads, using incognito or private modes, or even using privacy-oriented browsers or protocols like Tor or Brave won't really help you hide, Ayoub said. They might make you stand out more.
"Imagine you're in a busy airport terminal and this guy comes walking through wearing a fedora and a trench coat with bandages wrapped around his face," Ayoub said. "Who is he? The Invisible Man, of course. But he's not invisible -- you can pick him out from a mile away."
You don't want to be invisible, Ayoub said. You want to be ordinary.
"Try to blend in with the crowd," he said. "Use common browsers and common operating systems with common settings. Don't obfuscate or hide your browser attributes -- that just makes you stand out."
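The aggregation the researchers describe (each attribute on its own is common, the combination is not) and the "blend in" advice above, shown as an added JavaScript example that is not from the article or from the RSA talk. It runs under Node and uses a constructed population of 100 profiles; the attribute names, the profile counts, and the choice of the Do Not Track flag as the "rare privacy setting" are assumptions of this example, not measurements from BrowserLeaks. The FNV-1a hash only gives each attribute combination a stable key for counting and is not a cryptographic hash.

```javascript
// Added example (not the article's or the talk's code): how combining browser
// attributes shrinks the anonymity set, and why one unusual setting makes a
// browser easier to single out, not harder. Population data is constructed.

// Attributes in the order a tracker might combine them (assumed names).
const ATTRIBUTE_KEYS = ["os", "browser", "screen", "tz", "lang", "dnt"];

// Constructed population of 100 "other users"; counts are illustrative only.
function repeat(n, profile) {
  return Array.from({ length: n }, () => ({ ...profile }));
}
const POPULATION = [
  ...repeat(40, { os: "Windows", browser: "Chrome",  screen: "1920x1080", tz: "America/New_York",    lang: "en-US", dnt: "unset" }),
  ...repeat(25, { os: "Windows", browser: "Chrome",  screen: "1366x768",  tz: "America/New_York",    lang: "en-US", dnt: "unset" }),
  ...repeat(15, { os: "macOS",   browser: "Safari",  screen: "2560x1600", tz: "America/Los_Angeles", lang: "en-US", dnt: "unset" }),
  ...repeat(10, { os: "macOS",   browser: "Chrome",  screen: "1920x1080", tz: "America/Los_Angeles", lang: "en-US", dnt: "unset" }),
  ...repeat(6,  { os: "Android", browser: "Chrome",  screen: "412x915",   tz: "Europe/Berlin",       lang: "de-DE", dnt: "unset" }),
  ...repeat(3,  { os: "Linux",   browser: "Firefox", screen: "1920x1080", tz: "Europe/Berlin",       lang: "en-US", dnt: "1" }),
  ...repeat(1,  { os: "Linux",   browser: "Firefox", screen: "1920x1080", tz: "UTC",                 lang: "en-US", dnt: "1" }),
];

// Non-cryptographic FNV-1a (32-bit) hash: just a stable key per combination.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Fingerprint = hash of a canonical "key=value|key=value" string over the
// selected attributes. Missing attributes hash as empty so order is stable.
function fingerprint(profile, keys = ATTRIBUTE_KEYS) {
  const material = keys
    .map((k) => `${k}=${profile[k] === undefined ? "" : profile[k]}`)
    .join("|");
  return fnv1a32(material);
}

// Number of population members indistinguishable from `profile` when only
// `keys` are observed: the anonymity set, not counting you.
function identicalPeers(population, profile, keys = ATTRIBUTE_KEYS) {
  const target = fingerprint(profile, keys);
  return population.filter((p) => fingerprint(p, keys) === target).length;
}

// The "uniqueness" figure the article quotes: share of the population that
// does NOT share your signature, as a percentage.
function uniquenessPercent(matching, total) {
  return 100 * (1 - matching / total);
}

// Bits of information one attribute value reveals: -log2(p). A value nobody
// else in the population has identifies you outright (Infinity).
function surprisalBits(population, key, value) {
  const n = population.filter((p) => p[key] === value).length;
  return n === 0 ? Infinity : -Math.log2(n / population.length);
}

// Narrow the anonymity set one attribute at a time, like the talk's
// "dozens of other parameters that narrow down your identity further".
function narrowDown(population, profile, keys = ATTRIBUTE_KEYS) {
  return keys.map((key, i) => ({
    attribute: key,
    peers: identicalPeers(population, profile, keys.slice(0, i + 1)),
  }));
}

// A common configuration blends in; the same machine with one rare flag set
// is the Invisible Man in the airport terminal.
const ordinary = { os: "Windows", browser: "Chrome", screen: "1920x1080", tz: "America/New_York", lang: "en-US", dnt: "unset" };
const invisibleMan = { ...ordinary, dnt: "1" };

for (const step of narrowDown(POPULATION, ordinary)) {
  console.log(`after ${step.attribute.padEnd(8)} peers left: ${step.peers}`);
}
console.log("peers sharing the ordinary profile:", identicalPeers(POPULATION, ordinary));
console.log("peers sharing the 'hidden' profile:", identicalPeers(POPULATION, invisibleMan));
console.log("bits revealed by dnt=1:", surprisalBits(POPULATION, "dnt", "1").toFixed(2));
console.log("uniqueness for 13 of 528,769:", uniquenessPercent(13, 528769).toFixed(4) + "%");
```

Reading the output top to bottom shows the narrowing the talk describes: the operating system alone leaves 65 look-alikes, adding the screen resolution drops that to 40, and the profile still has 40 peers with all six attributes observed. Flipping a single setting that only four people in the population use leaves zero peers, which is the sense in which an anti-tracking tweak can make you easier, not harder, to pick out.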
Nor did the Canvas fingerprinting test work. It could only reveal that we were using Time Warner Cable in Brooklyn. The server on the other end might still be getting a lot of that information, but we couldn't tell.
You might not be the only type of person hiding in the crowd. Criminals often are too, and they have specific tools to spoof browser identities.
"If every single device on the internet looks exactly the same," Ayoub said, "that protects the sheep but also the wolves."
If, for example, a known user of a bank uses Mozilla Firefox on a Mac with a 1920 x 1080 resolution running macOS Mojave 10.14.1, and is located in the Bay Area with a specific IP address, the bank knows that and won't make the user jump through extra hoops when they log onto their online account.
A criminal can capture that user's browser information, perhaps by luring the user to an otherwise benign website, and then spoof all those unique browser attributes to make his own run at the online bank account. If the browsers match up, the bank might not notice the fraud.
Some of these tools cost $100 a month to license from cybercrime-software developers, plus sometimes an additional one-time fee of a few thousand dollars. To professional crooks, that's well worth it.
"To have one of the best fingerprint-bypass tools is like printing your own money," Weinert said. "There are pirated or cracked versions of these tools, but they're riddled with malware."
A PDF of Ayoub and Weinert's presentation is on the RSA 2020 website.