A browser fingerprinting script is a piece of JavaScript code that runs inside a web page and works by testing for the presence of certain browser features.
Today, browser fingerprinting is commonly used by online advertisers as a next-gen user tracking mechanism. Advertisers run different types of fingerprinting operations, create one or more "fingerprints" for each user, and then use them to track the user as they access other sites on the internet.
Because of the privacy-intrusive way that online advertisers are currently using browser fingerprinting, several browser makers, like Firefox, Chrome, Opera, Brave, and the Tor Browser, have deployed features to detect and block these types of malicious code.
In an academic paper published earlier this month, a team of academics from the University of Iowa, Mozilla, and the University of California, Davis, has analyzed how popular browser fingerprinting scripts are used today by website operators.
Using a machine learning toolkit they developed themselves and named FP-Inspector, the research team scanned and analyzed the top 100,000 most popular websites on the internet, according to the Alexa web traffic ranking.
"We find that browser fingerprinting is now present on more than 10% of the top-100K websites and over a quarter of the top-10K websites," the research team said.
However, the research team also points out that despite the large number of websites that are currently using browser fingerprinting, not all scripts are used for tracking. Some fingerprinting scripts are also used for fraud detection since automated bots tend to have the same or similar fingerprints, and fingerprinting scripts are a reliable method of detecting automated behavior.
But the research team also analyzed which browser or JavaScript API features the scripts were trying to fingerprint.
"Our key insight is that browser fingerprinting scripts typically do not use a technique (e.g., canvas fingerprinting) in isolation but rather combine several techniques together," researchers said.
Researchers said they identified clusters with recurring fingerprinting techniques but also clusters that contained new techniques, which were previously unreported as potential fingerprinting avenues, suggesting that companies are actively investing in discovering new ways to track users based on their browser's footprint.
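The "combination" insight quoted above can be illustrated from the defender's side with a simplified static check. This is an added example, not FP-Inspector or the researchers' code; the API families, patterns, threshold and both sample scripts are assumptions constructed for illustration.

```javascript
// Added example: a simplified static heuristic, not FP-Inspector's classifier.
// The API families, patterns and threshold are assumptions for illustration.
const API_FAMILIES = {
  canvas: [/\.toDataURL\s*\(/, /\.getImageData\s*\(/],
  webgl: [/getContext\s*\(\s*['"](?:experimental-)?webgl['"]/, /WEBGL_debug_renderer_info/],
  audio: [/\bOfflineAudioContext\b/, /\.createOscillator\s*\(/],
  navigator: [/navigator\.plugins\b/, /navigator\.hardwareConcurrency\b/],
  screen: [/screen\.colorDepth\b/, /\bdevicePixelRatio\b/],
};

// Return the sorted list of API families a script's source text touches.
function familiesUsed(source) {
  // Drop block and line comments so commented-out calls are not counted.
  const code = source
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/(^|[^:])\/\/.*$/gm, '$1');
  return Object.entries(API_FAMILIES)
    .filter(([, patterns]) => patterns.some((re) => re.test(code)))
    .map(([name]) => name)
    .sort();
}

// Flag a script only when it combines several families, per the quoted insight.
function classify(source, minFamilies = 3) {
  const families = familiesUsed(source);
  return { families, suspicious: families.length >= minFamilies };
}

// Constructed sample: one script touching four families.
const SAMPLE_COMBINED = `
const c = document.createElement('canvas');
const pixels = c.toDataURL();
const gl = document.createElement('canvas').getContext('webgl');
const info = gl.getExtension('WEBGL_debug_renderer_info');
const audio = new OfflineAudioContext(1, 44100, 44100);
const cores = navigator.hardwareConcurrency;
`;

// Constructed sample: a chart export that uses canvas alone.
const SAMPLE_SINGLE = `
// export the chart as PNG; the old navigator.plugins check was removed
const png = chart.canvas.toDataURL('image/png');
link.href = png;
`;

console.log(classify(SAMPLE_COMBINED));
console.log(classify(SAMPLE_SINGLE));
```

A script that only exports a canvas image is not flagged, while the one combining four families is. Keyword matching of this kind misses obfuscated or dynamically generated code.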
Below is a summary of some of the new fingerprinting techniques researchers discovered:
Additional details about the team's research can be found in a paper named "Fingerprinting the Fingerprinters: Learning to Detect Browser Fingerprinting Behaviors," set to be presented at the IEEE Symposium on Security and Privacy, next year, in May 2021.
The research team also said it reported the list of domains that hosted fingerprinting scripts discovered via FP-Inspector to EasyList/EasyPrivacy and Disconnect, two projects that manage so-called "blocklists," which are lists of domains that can be loaded inside ad blockers.
Users who consider this research paper concerning can block fingerprinting scripts by enabling anti-fingerprinting protections in their respective browser settings or by installing an ad blocker extension.