SAN FRANCISCO -- Your web browser is leaking far more information about you than you may realize, two researchers said at the RSA Conference here last week.
Websites can use that data to "fingerprint" your browser and track you online, they explained, but there are still ways to protect your privacy.
- Best encrypted messaging apps: Keep your conversations secure
- How a VPN can boost your security and privacy
- Plus: Thousands of Netgear routers can be hacked: What to do now
Microsoft Edge, Mozilla Firefox, Google Chrome and Apple Safari tell every website you visit which operating system you run, what kind of video card you have, your audio settings, your screen resolution, how many CPU cores your machine has, your time zone, your language, your general location, the fonts you have installed and, if you permit it, your specific location.
On smartphones and tablets, the browsers add data from a device's accelerometers, gyroscopes and magnetometers, plus the amount of ambient light and the device geolocation.
Taken together, all of these parameters can be aggregated and compared with those of other browsers. The result is that you can be picked out of a crowd of tens of thousands of other web users.
No tracking cookies are needed, because your browser already tells the websites who you are. Using browser fingerprinting, advertisers and marketers can follow your movements around the web even if you have tracking blockers enabled.
On the bright side, banks and other financial institutions use browser fingerprinting to detect fraudulent attempts to access accounts. If you live in Nebraska and normally use Firefox, but suddenly it looks like you're trying to log in from Indonesia using Chrome, the bank will flag that as suspicious and may block the attempt.
Just how unique are you?
To see how pervasive this is, you can go to a website called BrowserLeaks.com to see exactly what your browser is giving away.
For example, BrowserLeaks says that my Chromebook connected to the internet at San Francisco International Airport, using the American Airlines Wi-Fi network in Terminal 2, has a "uniqueness" of 99.998%, meaning that "13 of 528,769 user agents have the same signature."
In other words, my Chromebook's Chrome browser might stand out as completely unique in a crowd of 40,000 other web users.
That fingerprint was generated by using only the Canvas element of modern browsers, a graphic component of the HTML5 standard. BrowserLeaks considers its Canvas test "rude and nominal" as it doesn't consider time zone, language, geographic location or dozens of other parameters that would narrow down your identity even further.
Various browsers on different operating systems give different Canvas uniqueness results.
Microsoft Edge on a Windows 10 laptop connected to Time Warner Cable in Brooklyn, New York was somewhat commonplace, with a uniqueness of only 99.41%, or one out of every 169 users.
But Safari on a Mac was 99.99% unique, and Firefox on Android 99.998% unique, matching only one in every 58,700 users.
Good and bad
"Like any other tool, browser fingerprinting can be used for good or bad," said Daniel Ayoub, a product-management executive with LexisNexis who presented the findings at the RSA Conference along with his colleague Dean Weinert.
Ayoub asked the crowd of hackers and security experts if they thought it was acceptable for advertisers and marketers to use browser fingerprints to present web users with tailored advertising. A clear majority of the people in the audience raised their hands in agreement.
"This is used every day in the background by ecommerce solutions, and most users are unaware," he said. "But most people in this room are OK with that."
Likewise, the crowd thought it was fine for banks and other financial institutions to use browser fingerprinting to detect fraud.
But few in the audience felt comfortable with websites using browser fingerprinting to collect user behavior and sell that data to third parties.
How to not stand out
If you're uncomfortable with browser fingerprinting, then there are a few things you can do, but they're not what you might think.
Blocking tracking cookies, blocking ads, using incognito or private modes, or even using privacy-oriented browsers or protocols like Tor or Brave won't really help you hide, Ayoub said. They might even make you stand out more.
"Imagine you're in a busy airport terminal and this guy comes walking through wearing a fedora and a trench coat with bandages wrapped around his face," Ayoub said. "Who is he? The Invisible Man, of course. But he's not invisible -- you can pick him out from a mile away."
You don't want to be the Invisible Man, Ayoub said. Instead, you want to look ordinary.
"Try to blend in with the crowd," he said. "Use common browsers and common operating systems with common settings. Don't obfuscate or hide your browser attributes -- that just makes you stand out."
Nonetheless, after we enabled a JavaScript-blocking extension in Chrome on Windows, BrowserLeaks couldn't return information about exactly where we were or information about our system's hardware.
Nor did the Canvas fingerprinting test work. It could only reveal that we were using Time Warner Cable in Brooklyn. The server on the other end might still be getting a lot of that information, but we couldn't tell.
Bad guys
You might not be the only type of person hiding in the crowd. Criminals often are too, and they have specific tools to spoof browser identities.
"If every single device on the internet looks exactly the same," Ayoub said, "that protects the sheep but also the wolves."
If, for example, a known user of a bank uses Mozilla Firefox on a Mac with a 1920 x 1080 resolution running macOS Mojave 10.14.1, and is located in the Bay Area with a specific IP address, the bank knows that and won't make the user jump through extra hoops when they log onto their online account.
A criminal can capture that specific user's browser information, perhaps by luring the user to an otherwise benign website, and then replay all those unique browser attributes to make his own run at the online bank account. If the browsers match up, the bank might not notice the fraud.
Some of these browser-replay tools cost $100 a month to license from cybercrime-software developers, plus sometimes an additional one-time fee of a few thousand dollars. To professional crooks, that's well worth it.
"To have one of the best fingerprint-bypass tools is like printing your own money," Weinert said. "There are pirated or cracked versions of these tools, but they're riddled with malware."
A PDF of Ayoub and Weinert's presentation is on the RSA 2020 website.
