“Just because you are paranoid, does not mean you are not tracked.” (unknown)
2022-04-02 Alois Schlögl
[2022-04-04 revised: summary added, intro and conclusions revised]
It is tested how resilient browser and browser settings are against browser fingerprinting. The results suggest that even the most “privacy-aware browsers” like TorBrowser and LibreWolf reveal a unique fingerprint when JavaScript is enabled. Only when Java-script was disabled, a unique fingerprint could be prevented.
Browser fingerprinting is one effective way to track users on the world-wide-web (WWW). There are also seveal sites that show which information is revealed by your browser (e.g. 1, 2, 3, 4 ). These pages 5, 6 explain why browser fingerprinting is bad, and why you want to avoid this.
The most common justification for browser fingerprinting is that this enables “personalized advertisements”. However, this is the same technology that has been used to manipulate people and elections (see 7, 8 ) and is therefore a danger to democracy. Moreover, online advertisements require huge amount of energy [9, 10], and can cause security issues (e.g. 11, 12, 13, 14, 15). There is also more fundamental critiscm to advertising in general (see 16, 17, 18, 19). Moreover, the money “generated” by these advertisements is usually used to increase vendor-lockin (20). This is detrimental to the values of free software, as well as supply-chain security, and to society as a whole - to all of mankind.
There are some public tools available that can measure browser fingerprinting. These were used to test which browsers and browser settings help reducing browser fingerprinting.
(i) https://coveryourtracks.eff.org/ (EFF) were there results from last 45 days are usually presented. At the time of testing, it contains about 222500 entries
(ii) https://amiunique.org/ (AIQ) were the “all time” results are reported here. It contained about 253000 entries at time of testing.
Both websites report whether you can be identified uniquely, or how many other browsers with the same finger among all tested have been identified (AIQ), or the ratio of browsers with the same fingerprint (e.g. 1:1000) than yours have been observed. In the present work, results from AIQ have been translated to ratios by dividing the total number of observations with the number of browsers with equal fingerprint.
Chromium, Brave, Firefox, TorBrowser, and LibreWolf were tested on GNU/Linux, and some browsers were tested on Windows, too. Also the effectiveness of blocking JavaScript against fingerprinting was tested. In this work, the NoScript plugin for blocking JS was used on all Firefox-based browsers. Other blockers like AdBlock, PrivacyBadger etc. have not been evaluated. While these might be useful, it is difficult to assess under which conditions these do work, and the effectiveness of these is more difficult to assess. Moreover, we do not expect and advantage over blocking all JS. The full list of tested configurations, and the result of each can be found in the attachment.
The full list of individual tests shown below in the attendum. The results are summarized in table 1.
Table 1: Summary of among how many tests, the tested Browser is unique. on the day of testing (Mar 23, 2022). A large number means more information is leaked, and is easier to track this browser. A number of 222500+ on EFF, and 353000+ means that the Browser can be uniquely identified among all browsers. A number of 135.8 means that about more than 2000 Browsers out of 270000 have the same fingerprint, and can not be distinguished. The (*) refers to the fact that this browsers uses some kind of randomization.
| EFF (past 45 days) | AIQ (all time) | Browser and settings |
|---|---|---|
| 222.507 | 353.292 | Chromium Version 99.0.4844.84 (Official Build) built on Debian 11.2, running on Debian 11.3 (64-bit) |
| 222.671 | 353.430 | Firefox 91.7.0esr (64-bit) without noscript blocker |
| 2.224,84 | 5.047,16 | Firefox 91.7.0esr (64-bit) with noscript blocker enabled |
| 11.729,58 | 353.614 | Firefox 98.0.2 (64-bit) with noscript blocker enabled (Windows) |
| 222.541 | 353.317 | (*) Brave Release Notes V1.36.122 (Mar 26, 2022) |
| 1.738,73 | 353.328 | Tor Browser 11.0.9 (based on Mozilla Firefox 91.7.0esr) (64-bit) with security level “Safer” |
| 73,89 | 157,09 | Tor Browser 11.0.9 (based on Mozilla Firefox 91.7.0esr) (64-bit) with security level “Safest” |
| 73,80 | 157,09 | Tor Browser 11.0.1 (based on Mozilla Firefox 91.3.0esr) Windows (64-bit) Security level “Safest” |
| 222.749 | 353.498 | LibreWolf 98.0.2-1 (without noscript) |
| time out | 135,79 | LibreWolf 98.0.2-1 with noscript disabling all JS |
| 127,41 | 135,79 | LibreWolf 98.0.2-1 with noscript enablying JS only from eff.org |
Based on these results we can draw the following conclusions:
AIQ shows worse results, thus is it seems to have a more effective way of obtaining a fingerprint. In any case, we should not forget that there might be also other ways of leaking information, which is not covered by these tools. Examples are cookies, login credentials, side channel information leak. etc.
Most tests were run from a GNU/Linux machine, but two browsers (Firefox,and TorBrowser) were also tested from an MS-Windwows machine. The results did not show big differences, so it seems that the operating system was not part of the finger printing information, at least not on these two test sites.
Some browsers (e.g. Brave) use “randomizing” some information, which could prevent general user tracking. However, all computers use pseudo-random number generates which are not purely random, but when knowing he seed for the random number generator (RNG), the outcome is deterministic. This information could be used to decipher the information, and even leak much more information. Therefore, I'd not assume that randomization is an effective way to prevent leaking of (personalized) information.
The widely used Browsers like Chromium, and Firefox, browser fingerprinting is not prevented. Even with privacy-aware browsers like LibreWolf and the TorBrowser in their default settings do not prevent browser fingerprinting.
The TorBrowser with the default security level “Safer”, did not rely help in preventing browser finger printing, at least one of the tests (AIQ) could still obtain a unique fingerprint.
One crucial measure for preventing browser fingerprinting is to block JavaScript. When JavaScript was enabled, it was possibly to obtain a unique browser fingerprint on all browsers; when JavaScript is disabled, at least 70 other entries had the same fingerprint (FireFox+NoScript) and reached up to 2600 equal fingerprints (librewolf+noscript).
Trying to avoid tracking through browser fingerprinting is most effective when a) using LibreWolf with blocking all JavaScript, or b) using the TorBrowser with “Safest” security level. Blocking of JavaScript helps a lot against fingerprinting, this has also other advantages, like less energy consumption, longer battery life time, less security issues from malicious ads. I encourage you to test your browser, how well it does in preventing browser fingerprinting. The procedure is simple, just visit the following site
and test your browser. One should be also ware that preventing browser fingerprinting alone is not sufficient to prevent of being tracked. Other tracking mechanism are cookies, login credentials, your IP address, used DNS, and other side channel attacks.
In order to reduce the risk of being tracking, the following measures can be recommended:
Some claim that the WWW became too bloated, and suggest alternatives like Gemini (heavier then Gopher, more lightweight than the World-Wide-Web), Gemini Browsers like Lagrange or Kristall. However, the problem does not seem to be the http-protocol of the web, but rather its extension with JavaScript. At the time of this writing, the author was aware of only one search engine that was still usable without JavaScript, and that was DuckDuckGo-html.
EFF: Your browser fingerprint appears to be unique among the 222,507 tested in the past 45 days.
AIQ: Yes! You are unique among the 353292 fingerprints in our entire dataset.
EFF: Your browser fingerprint appears to be unique among the 222,671 tested in the past 45 days.
AIQ: Yes! You are unique among the 353430 fingerprints in our entire dataset.
EFF: Within our dataset of several hundred thousand visitors tested in the past 45 days, only one in 2224.84 browsers have the same fingerprint as yours.
AIQ: Almost! Only 70 browsers out of the 353301 observed browsers fingerprints in our entire dataset (<0.01 %) have exactly the same fingerprint as yours.
EFF: Within our dataset of several hundred thousand visitors tested in the past 45 days, only one in 11729.58 browsers have the same fingerprint as yours.
AIQ: Almost! Only 1 browsers out of the 353614 observed browsers fingerprints in our entire dataset (<0.01 %) have exactly the same fingerprint as yours.
EFF: Your browser fingerprint has been randomized among the 222,541 tested in the past 45 days.
AIQ: Yes! You are unique among the 353317 fingerprints in our entire dataset.
EFF: Within our dataset of several hundred thousand visitors tested in the past 45 days, only one in 1738.73 browsers have the same fingerprint as yours.
AIQ: Yes! You are unique among the 353328 fingerprints in our entire dataset.
EFF: Within our dataset of several hundred thousand visitors tested in the past 45 days, one in 73.89 browsers have the same fingerprint as yours.
AIQ: Almost! Only 1 browsers out of the 353614 observed browsers fingerprints in our entire dataset (<0.01 %) have exactly the same fingerprint as yours.
EFF: Within our dataset of several hundred thousand visitors tested in the past 45 days, one in 73.8 browsers have the same fingerprint as yours.
AIQ: No! Only 2250 browsers out of the 353452 observed browsers fingerprints in our entire dataset (1 %) have exactly the same fingerprint as yours.
EFF: Did not provide any result - timeout
AIQ: No! Only 2602 browsers out of the 353336 observed browsers fingerprints in our entire dataset (1 %) have exactly the same fingerprint as yours.
EFF: Within our dataset of several hundred thousand visitors tested in the past 45 days, only one in 127.41 browsers have the same fingerprint as yours.
EFF: Your browser fingerprint appears to be unique among the 222,749 tested in the past 45 days.
AIQ: Yes! You are unique among the 353498 fingerprints in our entire dataset.