The end result is the ability to track users even if they are deleting all their cookies and hiding their IP addresses with tools. While fingerprints are not identifying in the same way as an IP address, they do enable user recognition whenever revisiting a website. Even when deleting cookies, the browser fingerprint allows organizations to re-identify and re-cookie your system, essentially rejecting your efforts to remain private.
A joint research project conducted by the Princeton University in the US and University of Leuven in Belgium analyzing the tracking techniques of 100,000 websites, showed that over 5% utilize the canvas fingerprinting process to identify visitors.
In a University of California report presented at the 2013 IEEE Symposium on Security and Privacy, Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting, the authors found that fingerprinting is already part of some of the most popular sites of the Internet, meaning hundreds of thousands of their visitors are fingerprinted on a daily basis.
According to UC Study, Skype.com surfaces as the most popular website utilizing fingerprinting, while the most popular categories of websites were pornography and dating sites. Specifically, for pornographic sites, the authors see a reasonable explanation being that fingerprinting is used to detect shared or stolen credentials of paying members, whereas for dating sites it ensures that attackers do not create multiple profiles for social-engineering purposes.
Circumventing the Fingerprint
Since the fingerprint is derived from a host of system-based characteristics, circumvention is far more complex than the historical process of deleting cookies. While its possible to make system changes by hand, doing so after each browsing session could prove laborious and annoying at best.
Specifically, the manual process of protecting against the fingerprint involves changing monitors or screen resolutions; installing or uninstalling fonts, extensions and plugins; as well as switching between different browsers and browser versions.
However, even after exerting all the effort to make changes, it's hard to know if you have done enough or have done it right without a detailed analysis.
A better approach is to make your browser fingerprint as common and generic as possible. You can do that by running the browser inside a clean and un-customized virtual machine. It's only in this kind of environment that it's feasible to revert to the clean state at the end of every use, preventing the accumulation of identifying changes. This approach gives the browser a truly generic identifier, while eliminating all other kinds of tracking techniques.
The virtual machine solution works because an out of the box installation is very standard. There will be many people with brand new computers who would have very similar or identical configurations. The more people who do this, the less identifying it becomes. It also ensures complete elimination of any other tracking tools like cookies other than user's IP address, which still requires a VPN for protection.
Sign up for CIO Asia eNewsletters.