I’m worried about fingerprinting on my devices

• What is fingerprinting, and how does it work?
• Why is fingerprinting a danger?
• How can I protect myself against fingerprinting?

There are probably as many myths about cybersecurity threats as there are legitimate concerns. Some people are still convinced that smart speakers are recording their conversations 24/7, for instance, which would be impractical if it were true. Collecting audio from millions of users would overwhelm datacenters, and provide mostly useless noise, all for the chance of figuring out whether to push an ad for engagement rings, e-bikes, or edamame.

The reality is actually a little darker, in some ways. Hackers, corporations, and governments don’t need to wiretap your home to learn more about you — often there are subtler ways of going about it that don’t directly breach your privacy. One of the most common tools these days is fingerprinting, which I’ll provide a brief explanation of, with some measures you can take to to block it — if you feel it’s a serious problem, which it may not be depending on your circumstances.

What is fingerprinting, and how does it work?

A way around tougher barriers

Over the years, internet security has tightened up in many ways. Any reputable site directs you to encrypted HTTPS when sensitive data is involved, and you’ve no doubt encountered those cookie permission pop-ups, something required as a result of regulations. You might find them annoying, but they are a quick way of blocking unwanted tracking. There are also browsers and plug-ins that can further lock down cookies, such as the EFF’s Privacy Badger.

These sorts of things can create a headache for advertisers and data brokers, since their business is dependent on targeting specific demographics. There’s not much point aiming farm equipment ads at a tech journalist, or PSAs for New York City trash pickup at someone living in Tokyo. Meanwhile, hackers have fewer ways to intercept your data than they once did.

Fingerprinting is a workaround. There are two main forms: active and passive fingerprinting. The first involves pinging your device with data packets, then gauging how it responds. The second involves monitoring network traffic or browser data, in essence, waiting for you to come to the tracker.

Fingerprinting maps a variety of signatures that don’t mean much on their own, but together narrow down your identity.

Either way, fingerprinting doesn’t directly collect your personal info, which is often encrypted or anonymized anyway. Instead it relies on mapping a variety of signatures that don’t mean much on their own, but together narrow down your identity in a way that can be followed if those signatures reappear somewhere else.

Let’s say you’re visiting a website on your phone. To communicate properly, that site needs to know your IP address, which can be used to get a rough sense of your geographical location. It also needs to know what device, browser, and operating system you’re using to render the site properly. Once you combine that with other details like language, resolution, and font settings, it becomes increasingly clear that a specific person is visiting, even if you don’t know their name and home address.

Active fingerprinting can potentially collect even more data, such as open network ports, but that’s not necessarily desirable, because it can be detected by security software. Hackers may use this sort of probing to identify weak points for attack.

Why is fingerprinting a danger?

Exploring the greater and lesser risks

To be clear, there are genuinely beneficial uses of fingerprinting. It can be a way for sites to filter out bot traffic, and it’s one method organizations use to protect you against bank fraud and other forms of identity theft. If you normally shop in Austin, but transactions suddenly start happening in Hong Kong without a flight in between, that’s a red flag.

For most people, I imagine, the general objection to fingerprinting is that it feels like a violation of privacy. Some people resent the idea of being followed and targeted for ads despite taking other measures to safeguard their identity, such as blocking cookies. Your objections might be even stronger towards the idea of parties like data brokers selling your data without explicit consent.

Usually, unless you have a specific reason to be concerned, the only people interested in targeting you are advertisers and data brokers.

As I mentioned, fingerprinting can also be used for more insidious purposes, such as learning everything necessary to launch a device hack. Worse than that is the prospect of surveillance. Criminals and governments alike may be able to follow you around the internet, gaining an even more detailed picture of your life over time. If this data can be correlated with real-world names and addresses, it can be used for purposes like stalking and robberies in the case of criminals, or arrest and intimidation in the case of governments. Under an authoritarian regime, it’s not out of the question that fingerprinting could get someone tortured or killed.

Don’t panic. Usually, unless you have a specific reason to be concerned, the only people interested in targeting you are advertisers and data brokers. Random attacks aren’t impossible, but you’re already lucrative as a consumer.

How can I protect myself against fingerprinting?

Some simple and not-so-simple steps

The first consideration is limiting your online presence. The fewer apps and websites you use, the less likely you are to be fingerprinted, and the smaller your overall history will be. Delete any apps and accounts you’re no longer using. When you do sign in to something, pay attention to any chance to opt out of a service collecting or sharing your data. That’s hardly bulletproof protection against fingerprinting, but it’s a step.

The next step involves software. Some browsers and plug-ins make anti-fingerprinting technology a selling point. Apart from Privacy Badger, another example is Brave, a browser with versions for Android, iPhone, iPad, Windows, Mac, and Linux. One of the most extreme browsers is Tor, which I’d actually recommend against using for casual purposes, since its relay network slows down traffic, and it scrubs all cookies and browser history whenever you’re finished — even entries that simply remember your site preferences.

Some browsers and plug-ins make anti-fingerprinting technology a selling point, a few examples being Brave, Tor, and the EFF’s Privacy Badger add-on.

If Tor sounds like too much, you might consider trying a more conventional VPN (virtual private network). Any VPN will automatically bounce your traffic through a remote server, whether in a different city or a different country. You’ll still have to combine this with anti-fingerprinting software, however, because a VPN mostly just encrypts your traffic and hides your IP address. In fact, if there’s a discrepancy between your device clock and the server you’re connecting from, that may actually make your presence easier to spot.

You should also take the time to explore unique app, device, and browser settings that can further limit what’s shared. Disabling JavaScript will block some fingerprinting scripts, for example, and removing unnecessary extensions will make your browser look more generic.

That last tip points to what you’re trying to achieve overall: blending in with the crowd. In a big city, there’s probably thousands of people using Chrome or Safari on their device at any given time. If you stick to well-known sites, only use a privacy blocker extension, and connect with a fake IP address, there’s only so much that can be gleaned about you.