(Cross-)Browser Fingerprinting via OS and Hardware Level Features

I read this very interesting paper (2017 study) which can be downloaded at:

What’s really interesting is the use of techniques for fingerprinting using stateless features exposed by the OS or the hardware. Since 70% of people use two or more different browsers on the same machine (maybe hoping thereby to defeat tracking, fingerprinting and correlation), this study shows an accuracy of 99.24% at identifying uniqueness on the same machine.
Really worth reading (but very technical).
Abstract:

In this paper, we propose a browser fingerprinting technique that can track users not only within a single browser but also across different browsers on the same machine. Specifically, our approach utilizes many novel OS and hardware level features, such as those from graphics cards, CPU, and installed writing scripts. We extract these features by asking browsers to perform tasks that rely on corresponding OS and hardware functionalities.

Our evaluation shows that our approach can successfully identify 99.24% of users as opposed to 90.84% for state of the art on single-browser fingerprinting against the same dataset. Further, our approach can achieve higher uniqueness rate than the only cross-browser approach in the literature with similar stability.

4 Likes

privacy.resistFingerprinting

3 Likes

I’m afraid this is not so simple: Can websites track me across different qubes? - General Discussion - Qubes OS Forum

2 Likes

Noting also that there are two completely opposite approaches to countering fingerprinting.

  1. Standardised settings with suppression of uniqueness. So that there are a great many users with the same fingerprint. Tor Browser tends in this direction.
  2. Randomised settings by the addition of noise. So that you are always highly unique but you do not match earlier or later selves, and you do not match yourself in other browsers and in other environments even when conditions are largely the same. “Rate my uniqueness” doesn’t really work here unless the site exposes the fingerprint so that you can see that your multiple fingerprints are relatively uncorrelated.

The two approaches can be combined, e.g. suppress uniqueness where it is practical to do so and add noise to ‘measurements’ where it is not practical to suppress.

In my config … WebGL is disabled (yes, I understand that some web sites won’t work but for me it is in practice an insignificant downside) and access to the canvas is disabled (or should be - it may ask the first time and you have to say “no”). Those settings, with resistFingerprinting, should counter most of the techniques discussed in the paper.

In my config … Number of CPUs would likely still be exposed although in the computer that I mostly use for browsing the number is so utterly unremarkable that it wouldn’t stand out. If you had a computer with a much larger and potentially more unique number of CPUs then you would likely want the browser to be limited to using (for JavaScript) and reporting 2 or 4 CPUs.

In my config … the audio fingerprinting is likely something that I need to investigate, i.e. a potentially novel privacy exploit.

One thing that annoys me is that even though my UserAgent is forged in order to deny that I am running Linux, privacy exploits still manage to detect that I am running Linux. I don’t know why that is. Insights welcome.

2 Likes
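
The two approaches from the post above (standardising versus adding noise), as an added example that is not part of the original thread: a small simulation over a constructed population, showing why a "uniqueness" score alone cannot judge the randomised approach. The device values, the strategy names and the exact-match tracker are assumptions made for illustration.

```python
import random
from collections import Counter

def make_devices(n):
    # Constructed population: stable hardware traits per device (hypothetical values).
    return [{"cores": (2, 4, 8, 16)[i % 4], "gpu": f"gpu-{i % 7}", "canvas": 1000 + i}
            for i in range(n)]

def fingerprint(dev, strategy, rng):
    """What a site observes on one visit under a given countermeasure."""
    cores, gpu, canvas = dev["cores"], dev["gpu"], dev["canvas"]
    if strategy in ("standardise", "combined"):
        cores, gpu = min(cores, 4), "blocked"   # cap reported CPUs, WebGL disabled
    if strategy == "standardise":
        canvas = "blocked"                      # canvas readback denied
    if strategy in ("randomise", "combined"):
        canvas ^= rng.getrandbits(32)           # fresh noise on every visit
    return (cores, gpu, canvas)

def evaluate(strategy, n=200, seed=1):
    rng = random.Random(seed)
    devices = make_devices(n)
    visit1 = [fingerprint(d, strategy, rng) for d in devices]
    visit2 = [fingerprint(d, strategy, rng) for d in devices]
    counts = Counter(visit1)
    # "Rate my uniqueness": share of users whose first-visit fingerprint is one of a kind.
    unique = sum(1 for fp in visit1 if counts[fp] == 1) / n
    # Assumed tracker: relinks a user only when the second visit exactly matches
    # that user's own, unique, first-visit fingerprint.
    relinked = sum(1 for a, b in zip(visit1, visit2)
                   if a == b and counts[a] == 1) / n
    return {"unique": unique, "relinked": relinked}

if __name__ == "__main__":
    for s in ("none", "standardise", "randomise", "combined"):
        print(f"{s:12s} {evaluate(s)}")
```

With no countermeasure and with noise alone the uniqueness score is the same, yet only the former lets the two visits be linked; standardising scores low on both because many users share each fingerprint.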

Detecting supported system fonts from your web browser can be used as an operating system fingerprinting metric to infer whether you are using Linux or not.

1 Like