To give people a chance to experience this, a security researcher has created a website that analyzes the installed Google Chrome extensions to generate a fingerprint, which he claims can be used to track them online. “Anytime there is something semi-unique in a computer, it can be used to derive a fingerprint,” Erich Kron, security awareness advocate with KnowBe4, told Lifewire over email. “How unique that fingerprint is could depend on what is being measured or tested.”
Browser Fingerprinting
The researcher, who uses the pseudonym z0ccc, explained that browser fingerprinting is a powerful method many websites use to collect all kinds of details about the visitors, including their browser type and version, their operating system, active plugins, time zone, language, screen resolution, and various other active settings. He argued that while these data points may not be of much use by themselves, when combined, they could help uniquely identify one specific person, since there’s a very small chance of multiple people having the same set of data points. “Websites use the information that browsers provide to identify unique users and track their online behavior,” z0ccc explained. “This process is therefore called ‘browser fingerprinting.’” Based on the combination of installed extensions, the website generates a tracking hash that can be used to track that particular browser across the web. The researcher explained that his Extensions Fingerprint test relies on certain browser extension properties, which he said are present in over 1100 extensions, including popular ones such as AdBlock, uBlocker, LastPass, Adobe Acrobat, Google Docs Offline, Grammarly, and more. He admitted that some extensions take steps to prevent detection. However, he found a trick to use their behavior to determine if any of these protected extensions were installed. In an interview, z0ccc affirmed that although he isn’t collecting any data regarding the installed extensions from people who use his website, his tests have shown that having 3+ extensions will create a unique fingerprint. In essence, people with no installed extensions will have the same fingerprint, making them less unique and difficult to track. Conversely, those with many extensions will have a less common fingerprint, making them more prone to tracking.
Gloves Are Off
In an email discussion with Lifewire, Harman Singh, Director at cybersecurity service provider Cyphere, said browser fingerprinting is a well-known technique used by online advertising and marketing websites worldwide. Data collection is an integral part of the online advertising ecosystem, explained Singh, and this type of browser fingerprinting is just another mechanism to help them serve targeted advertisements. Furthermore, he added that even financial institutions like banks use these browser fingerprinting methods as part of their fraud detection mechanisms to detect whether their visitor is a genuine user or a malicious anomaly like a bot. Browser fingerprinting isn’t illegal since it doesn’t identify a user. However, the collection of the data is governed by privacy laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), added Singh. Talking specifically about z0ccc’s Extension Fingerprints test, Kron explained that while it’s interesting from an academic perspective, it seems limited in its usefulness in its current form. “In addition, in my limited testing, this did not pick up common extensions in the Edge browser, returning the same hash for Chrome in Incognito mode, as it did [in] Edge with the LastPass extension installed,” said Kron. “There have been other fingerprinting methods that use hardware, calculations made by the installed graphics card, for example, that could be a little tougher to work around.” To help us suggest ways for people to help circumvent such browser fingerprinting, Singh said a good place to start is the Panopticlick tool, which gives insight into how much and what kind of information your web browser is revealing to websites. On the other hand, Kron believes it’s always a good practice to remove or disable unused browser extensions. “For Internet users, it’s not possible to have complete protection against such tracking techniques unless dictated by law,” opined Singh. “Our privacy regulations have got a lot to catch up with.”