A quarter of the Alexa Top 10K websites are using browser fingerprinting scripts

Academics also discover many new previously unreported JavaScript APIs that are currently being used to fingerprint users.
Written by Catalin Cimpanu, Contributor

A browser fingerprinting script is a piece of JavaScript code that runs inside a web page and works by testing for the presence of certain browser features.

Today, browser fingerprinting is commonly used by online advertisers as a next-gen user tracking mechanism. Advertisers run different types of fingerprinting operations, create one or more "fingerprints" for each user, and then use them to track the user as he/she accesses other sites on the internet.

Because of the privacy-intrusive way that online advertisers are currently using browser fingerprinting, several browser makers like Firefox, Chrome, Opera, Brave, and the Tor Browser, have deployed features to detect and block these types of malicious code.

10% of the Top 100,000 Alexa sites use fingerprinting scripts

In an academic paper published earlier this month, a team of academics from the University of Iowa, Mozilla, and the University of California, Davis, has analyzed how popular browser fingerprinting scripts are used today by website operators.

Using a machine learning toolkit they developed themselves and named FP-Inspector, the research team scanned and analyzed the top 100,000 most popular websites on the internet, according to the Alexa web traffic ranking.

"We find that browser fingerprinting is now present on more than 10% of the top-100K websites and over a quarter of the top-10K websites," the research team said.

Image: Iqbal et al.

However, the research team also points out that despite the large number of websites that are currently using browser fingerprinting, not all scripts are used for tracking. Some fingerprinting scripts are also used for fraud detection since automated bots tend to have the same or similar fingerprints, and fingerprinting scripts are a reliable method of detecting automated behavior.

Image: Iqbal et al.

Academics discover new fingerprinting techniques

But the research team also analyzed which browser or JavaScript API features the scripts were trying to fingerprint.

"Our key insight is that browser fingerprinting scripts typically do not use a technique (e.g., canvas fingerprinting) in isolation but rather combine several techniques together," researchers said.

Researchers said they identified clusters with recurring fingerprinting techniques but also clusters that contained new techniques, which were previously unreported as potential fingerprinting avenues, suggesting that companies are actively investing in discovering new ways to track users based on their browser's footprint.

Below is a summary of some of the new fingerprinting techniques researchers discovered:

  • Permissions fingerprinting- Researchers said some websites probed the browser Permissions API to determine whether a permission was granted or denied by the user. Academics said they found specific cases were fingerprinting scripts had probed if the user had granted a website NotificationGeolocation, and Camera access, and were using this information to track the user.
  • Peripheral fingerprinting - Researchers said they also found scripts probing if websites had received access to connect to gamepads and virtual reality devices, and were using this info to track users. In other cases, some websites were fingerprinting users via their keyboard layout, typically exposed via the browser's getLayoutMap function.
  • API fingerprinting - Researchers said that some websites probed if the user's browser had specific APIs enabled. For example, some fingerprinting scripts checked for the AudioWorklet API (specific to Chromium browsers only), while others checked if certain JavaScript functions like setTimeout or mozRTCSessionDescription were overridden by extensions.
  • Timing fingerprinting - Researchers said they also found that some fingerprinting scripts measured the time that took for certain functions to execute. For example, some websites used the Performance API to track when events like domainLookupStartdomainLookupEnddomInteractive, and msFirstPaint were taking place during a predefined operation.
  • Animation fingerprinting - This category is one of the most common fingerprinting methods today, but researchers said they found new ways that websites were abusing the AudioContext API.
  • Sensors fingerprinting - Just like web animation-related functions, sensors have been heavily abused in fingerprinting scripts, but the research team said they found websites that probed for the little-known userproximity sensor.

Additional details about the team's research can be found in a paper named "Fingerprinting the Fingerprinters: Learning to Detect Browser Fingerprinting Behaviors," set to be presented at the IEEE Symposium on Security and Privacy, next year, in May 2021.

The research team also said it reported the list of domains that hosted fingerprinting scripts discovered via FP-Inspector to Easylsit/EasyPrivacy and Disconnect, two projects that manage so-called "blocklists," which are list of domains that can be loaded inside ad blockers.

Users who consider this research paper concerning can block fingerprinting scripts by enabling anti-fingerprinting protections in their respective browser settings or by installing an ad blocker extension.

Awesome Google Chrome extensions (May 2019 edition)

Editorial standards