Websites and apps use a technique called “device fingerprinting” to collect device data to prevent fraud, track user visits across multiple browsers and devices, and personalize their users’ experience. Although device fingerprinting can help flag potential fraudsters, your device fingerprint contains enough data to be harmful in the wrong hands.

Key Takeaways: Device Fingerprints Explained

• Device fingerprinting is a data collection and analysis technique that creates a unique “fingerprint” using multiple data sources, like your browser, IP address and your device’s unique configuration.
• The main purpose of device fingerprinting is to prevent fraud, including e-commerce fraud, credit card fraud and other types of online fraud.
• Unfortunately, device fingerprinting can also be used to identify you, track your online activity and possibly harm you in many ways, including identity theft and cyberstalking.
• Protecting yourself from device fingerprinting can be as simple as refusing consent to cookies and using a VPN.

Device fingerprinting can be used to identify individual devices, and that data can then be used to link those devices to specific individuals. Since this data often includes sensitive information, like location data, it’s easy to see how this can be used maliciously. Read on to learn about device fingerprinting, how it works and how you can prevent it.

What Is Device Fingerprinting?

Device fingerprinting is an online tracking method based on identifying and tracking devices using unique data points, such as your operating system, web browsers, IP address or screen resolution. It can be used to track and identify users across multiple devices. 

Additionally, device fingerprinting can come in several forms, including cross-device fingerprinting, desktop device fingerprinting, mobile device fingerprinting and browser fingerprinting.

Websites, apps and other online services use device fingerprinting to identify users and understand user behavior, usually for the purpose of identifying bots and fraudsters. It’s also used to gather data for targeted advertising and personalized content.

How Does Device Fingerprinting Work?

The process of fingerprinting usually starts when a user connects to a website or app. The website or mobile application then uses JavaScript code or another technique to gather data about the user’s device. Then it sends that data to a server for analysis.

Device fingerprinting works using several tracking methods, including:

• Browser fingerprinting — Identifies the user by the web browser they use.
• HTML5 canvas fingerprinting — Collects data about the user’s browser settings, including installed fonts, plugins and graphics drivers.
• Audio fingerprinting — Collects audio data, such as the sound of a user’s voice, usually for speech recognition, music identification or copyright infringement.
• User behavior tracking — Collects data about a user’s actions when using a website or app, such as their mouse movement or screen taps.
• IP address tracking — Tracks users with their IP address using information about their internet connection.
• Time-based tracking — Uses the timing of certain actions taken to identify a device, such as how long you linger on parts of the website.
• Machine-learning-based tracking — Uses AI or a machine learning algorithm to analyze a user’s device characteristics and behavior to identify their device.

A service will usually use multiple types of fingerprinting to identify an individual device by combining knowledge gained from several sources.

What Information Is Included in a Device Fingerprint?

Device fingerprinting identifies users by gathering multiple data points and combining them to form a complete device ID. Information collected via fingerprinting can include, but is not limited to:

• Operating system (OS) version and type
• Browser type and version
• Screen resolution and color depth
• Installed fonts and plugins
• Language and time zone settings
• Audio and voice data
• IP address and network information
• Device make and model
• Hardware components, such as CPU, GPU and RAM
• Battery level and status
• Accelerometer and gyroscope data (for mobile devices)
• Cookies and local storage data
• Installed software and drivers

Keep in mind that collected information can vary based on what method a website or app uses to fingerprint your device.

Why Is Device Fingerprinting Used?

The main purpose of device fingerprinting is fraud detection and ultimately preventing fraud. It also prevents other security failures, such as unauthorized logins, account takeovers and identity theft.

For example, if a user were to try creating multiple accounts, a website could use the device ID to know if the user is coming from the same device or the same IP address and block them.

However, device fingerprinting can also be used to track users across multiple devices and keep their personalization settings or track their progress across multiple sessions. Furthermore, it helps a website tailor its services to your behavior.

Aside from security and personalization, a device fingerprint tracker might be used for analytics, either to help the website improve its services or for marketing purposes.

Device Fingerprinting vs Browser Fingerprinting vs Cookies

Although device fingerprinting, browser fingerprinting and cookies can all be used to track a website visitor’s device, they differ in a few key ways. 

The chief difference is that device fingerprinting uses mostly hardware data, browser fingerprinting uses only browser data, and cookies are stored on a user’s device. Let’s go into each of these individually to give you a clearer picture.

1. Device Fingerprint

Device fingerprints create device IDs using mostly hardware-related data. Although a browser fingerprint can be part of a device fingerprint, it’s not necessarily always included. A device’s fingerprint typically holds a lot more data than a browser fingerprint does, including all the information we listed previously.

2. Browser Fingerprint

Unlike a device fingerprint, a browser fingerprint stores only data about your browser, such as your browser version, installed plugins and fonts, and your browser login profile. It’s also much less persistent than a device fingerprint, as it can be changed by altering your browser settings.

3. Cookies

Cookies are text files that store information about your browsing sessions, including logins, app use, and settings and preferences. Websites and apps both use cookies for this purpose, which means there are two types of cookies: app cookies and browser cookies. Cookies are always stored on your device, so it’s easy to delete them.

Cookies have some legitimate uses and some are necessary for a website or app to function, but they’re also frequently used for ad tracking and targeting. Thankfully, you can always change your app or browser settings to only allow necessary cookies. 

Plus, because a website must gain explicit consent to use cookies, you can simply decline a website permission to use unnecessary ones.

Why Is Device Fingerprinting a Privacy Concern?

Any type of data harvesting is a privacy concern, and device fingerprinting is just another way that data brokers, advertisers, government surveillance agencies and hackers can use to track your online behavior.

Using your device ID, you can be tracked for surveillance and targeted advertising. It can also be used to personally identify you and connect your device ID to an anonymized dataset, deanonymizing your data and giving a data controller a lot more knowledge than you’ve consented to. 

If that data controller happens to be a hacker or another type of malicious actor, they might use it to steal your identity and commit fraud. It’s also a cyberstalking risk, since device IDs can allow a stalker to track your location data.

Unfortunately, device fingerprints can also be used to discriminate against you. Because they can be used to link you to an anonymized dataset containing biometric data, you might face discrimination based on your race, gender, political beliefs or economic status when using an online service.

Can You Prevent Device Fingerprinting?

Unlike cookies, which are stored locally, device and browser fingerprints are stored on a server-side database, which makes them harder to get rid of. Remember, though, that device fingerprinting uses many different points of information to identify you, so your approach will have to be multifaceted to prevent device fingerprinting.

That said, you can take actions to better protect yourself from device fingerprinting. 

1. Disable JavaScript

This is a no-brainer. Most device fingerprinting uses JavaScript code, so disabling it in your browser can prevent that from happening. You’ll usually find the JavaScript toggle in your browser’s privacy settings. Note that disabling JavaScript will disable some website elements, so your browsing experience will be diminished.

2. Disable & Delete Cookies

In order to use cookies, websites must gain explicit consent for each type of cookie they use. Whenever you visit a website for the first time, do a manual review of the cookies it asks you to enable, and only consent to the necessary ones. To delete cookies that you’ve already unwittingly consented to, clear the cookies in your browser and mobile device. Read our browser fingerprinting protection guide to learn more.

3. Use a VPN

VPNs encrypt all of your traffic and route it through a VPN server. This hides your IP addresses, assigning you a fake IP address every time you connect to a VPN server. Because your traffic is encrypted and redirected through another device, a VPN makes it impossible for someone to fingerprint your device. Here are our recommendations for the best VPN.

4. Delete Your Data From Data Broker Archives

Under privacy laws like the GDPR and California’s CCPA, you’re entitled to the right to be forgotten. This means that if you ask a company or organization storing your personal data to delete it, it must comply. However, there are so many data brokers out there that contacting them all manually is nearly impossible.

Thankfully, services like Surfshark’s Incogni and DeleteMe can automate the process for you. All you need to do is give it your email address and a few other bits of information, and the service will contact all data brokers on its list on your behalf. The brokers will have to comply and delete your device fingerprint and other data from their servers.

Final Thoughts

Although device fingerprinting has its legitimate uses, including for fraud detection, it collects too much data to be completely safe. If you want to mitigate against device fingerprinting, you’ll need to use many different privacy and security tools.

How do you feel about device fingerprinting? Do you think a device ID contains too much personally identifying data? Are you already using a VPN to protect yourself from it? Let us know in the comments below and, as always, thank you for reading.

FAQ

• How Accurate Is Device Fingerprinting?

  Device fingerprinting can be eerily accurate, depending on the techniques used. It can collect data about your device’s unique hardware configuration, browser settings, and even voice and other audio data.

• What Is WiFi Device Fingerprinting?

  WiFi device fingerprinting identifies a signal transmitter, such as your router, by analyzing its unique characteristics and the artifacts in their output signals.

• Is Device Fingerprinting Legal?

  Although device fingerprinting is generally legal, some privacy laws, such as the GDPR, stipulate that you need to provide consent for your personal data to be collected, processed and transferred. If someone were to fingerprint your device despite your explicit denial of consent, they would be in violation of that law.

• How to Bypass Device Fingerprinting?

  You can bypass device fingerprinting by using a VPN to encrypt your traffic and route it through another device.