Privacy versus Security versus Usability. Who will win?
When talking about browser fingerprinting, you have to talk about cookies first. Which is exactly what we're going to do.
If you've been on the internet for any length of time — and, if you're reading this, it's safe to assume that you've been "on the net" for a while — you've probably been made aware of cookies. They're not the type your grandma used to make. They're used to track your activity around the internet and make your visits to certain websites easier. Cookies have been around since 1991, and the term was coined by browser programmer Lou Montulli as a shortened version of "magic cookie" — which itself was a codeword of sort for a package of data that a browser receives and then sends back out.
Cookies have been necessary because HTTPS (the protocol used for browsers to connect to websites) is a lot like a goldfish in that it doesn't remember the connections it has made previously. So, we need something else to remember our preferences and other information regarding the website we are visiting. Enter: cookies. Cookies are assigned to your browser by the website you're visiting. In the case of third party cookies, they are placed on websites usually by an advertising company. These cookies are then checked by the next website you visit to remind it of who you are and where have you been. While this provides a better user experience, it does so at the cost of some of your privacy.
For this very reason, third party cookies are disappearing from the internet. Google even announced they were starting to phase out third party cookie support back in 2020. Since advertisers rely so heavily on cookies to generate better ROI (return on investment) for their customers, they have felt the need to do something to keep third party cookies around as long as possible. They have some tricks up their sleeve to get you to keep using cookies, and ... unfortunately for the rest of us... advertisers aren’t the only ones using these same tricks.
So, if cookies are on their way out, what else can people use to identify users on the internet? Another piece of data that websites can glean from their users besides cookies is their IP address. An IP address is necessary to create a connection between any device and a website. It provides (paraphrasing hugely here) the "address" of your computer or device so that it can communicate over a network. Your IP address, combined with some additional information, means that you can be identified on the internet even without cookies. This brings us to IP loggers and how they are used both maliciously and legitimately.
An IP logger does exactly what the name implies: it collects a log of IP addresses that have made a connection with it. It can also pair an IP address with additional information from your GPU model and name to your approximate location; this is called browser fingerprinting. This is usually done by executing Javascript on the user's browser, as the browser sends the website all the information it asks about the system and the browser itself. Below is a partial list of information it can collect besides the IP address.
... and much more!
Just like cookies, this information can make you unique and identifiable across the internet. You can even check if your connection and device is actually unique from an IP loggers perspective by visiting amiunique.org. What makes this so effective are the numerous possibilities of different configuration combinations. Unlike cookies, you can’t easily remove this information from your device. Now that we know what an IP logger is, let's see how and where it is used.
Even though almost every website you visit could be classified as an IP logger, it doesn’t mean that just logging an IP address is malicious in intent. For a normal website IP logging can be done for security and compliance reasons. Sometimes even browser fingerprinting is done for simple security reasons. Ultimately, it is all about how this information is used, and who has this information.
Your IP and other data mentioned above can be logged in several ways, but we will focus on two of the most prevalent methods that allow for effective browser fingerprinting from the perspective of an email user. The terms IP logger and browser fingerprinting will be used unambiguously, because IP loggers can do both and they are commonly paired together.
Although not too dangerous in itself, you can get fingerprinted in the blink of an eye when clicking on a link in your inbox. An attacker can craft a unique link to you which has a unique ID based on your email address. This way, the attacker knows which users have clicked on the links they have sent. In addition, your fingerprint could be taken when the link you clicked redirects you to the intended site — fingerprinting you along the way. This method can be combined with either another redirecting link or a link shortener. This way it becomes near impossible to figure out the links' legitimacy by just hovering over the link. These are used both legitimately and maliciously.
Legitimate use cases are for statistical and analysis purposes, such as affiliate marketing, which is a huge part of modern e-commerce. However, one malicious way to use redirecting IP loggers is to send them as a link in a phishing email. It is more likely to be sent as a part of an attack rather than by itself. Your valuable fingerprint, combined with other information you might give as a part of an attack, is a powerful dataset to use against you... if the attacker wishes to.
Not all bad links lead to a website made by the attacker. But even if a legitimate website is used as the landing page in a phishing attack, your IP and browser fingerprint can be collected along the way. In this case the link may lead to a news article, but you were redirected there through an IP logger. In a worst-case-scenario using fingerprinting, the redirect service could detect a vulnerability on your browser and exploit it. This is yet another reason to avoid clicking on links even if you’re smart enough to never enter your credentials or open downloaded files.
Like we've mentioned already, almost any website that you connect to has not only your IP address but also a plethora of other information if they choose to collect and store it. There is no easy and surefire way to know if you have been fingerprinted maliciously unless you know how to interpret the Javascript code used on the site. Even then, it might be obfuscated to make it almost unreadable and understanding the code becomes a backbreaking task.
Alternatively, a link could lead you to a legit website and it doesn't fingerprint you. Sounds alright, right? Well (heavy sigh), this time it is the hosting company you have to worry about. It might be a data hungry company collecting everything they can on their visitors. Or it could just be regular IP logging and nothing else. Sometimes internet providing services are mandated to give their You need to consider what the meaning of privacy is for you and what is acceptable to share. Be it for companies or attackers.
Great, now an attacker has our IP and our browser fingerprint. So what might be the consequences of this?
Hate to be the bearer of bad news, but: there is currently no easy-peasy way to reduce your fingerprint on the internet.
If you install a bunch of privacy extensions, spoof your user agent, and even disable javascript to avoid browser fingerprinting, you’ll paradoxically become even more unique on the internet. Take the 'disabling javascript' option, for example. The majority of people have javascript enabled because it makes websites much more user friendly and sometimes they don’t even work without it. If you’re the one person in 15,000 who has it disabled... it makes you that much easier to identify.
But... hey! Don't give up hope yet. There are still some things you can do to protect your privacy. One should remember that these techniques can fend off websites from fingerprinting you, but none of these solutions are a magic cure-all. It is advisable to use multiple techniques instead of just one.
At the end of the day privacy, security, and usability are like the dads on Full House. They all stand for different things... but they have a lot to do with each other. You need to think how changing one of them affects the others, and which of them is a priority to you. It’s not the most convenient to have all possible security and privacy measures in place because you have to jump through a few extra hoops compared to a “normal” user experience, but having all user experience enhancing features on will most likely harm your privacy or even your overall security.
Having your IP logged or browser fingerprinted by companies isn’t the end of the world and chances are that it has been done to you multiple times a month and will be done again in the future even without you noticing it. But do you really want companies to have all that data? After all, the online advertising market is worth hundreds of billions of dollars. Browser fingerprinting is extremely popular as a quarter of the top 10 000 websites in the world do it to their users and thus it is highly unlikely that it is going anywhere anytime soon. Even as cookies seem to slowly die off, it is one possibility that browser fingerprinting completely takes over.
