Apple Makes Fingerprinting (A Bit) Harder

A couple of weeks ago, I mentioned how it’s usually better for privacy to use your web browser instead of a mobile app.

However, using your web browser doesn’t mean that sites can’t still try to find out who you are and track you across the web.

A recent decision by Apple to not implement certain features in Safari shows just how sophisticated browser fingerprinting can be.

The 3rd-Party Cookie

Before browser fingerprints, advertisers would use cookies to track your web browsing habits.

Previously, a website (let’s call it “Site A”) would serve an ad from Site B. This means that there would be a small bit of code (usually an image) on Site A that downloaded content from Site B. When you visited Site A (and saw the ad image from Site B) a cookie would be set in your browser that contained a unique bit of code. This unique bit of code (which is unique to your specific browser on your specific computer) would be read whenever you visit any site with ads from Site B.

This is how Site B could show you ads for the same thing on multiple different web sites.

If you turn on “block 3rd-party cookies”, though, your browser will reject the tracking cookies from Site B when you’re on Site A.

Enter browser fingerprinting.

Browser Fingerprinting

Browser fingerprinting is an attempt by ad sites to get around this 3rd-party cookie restriction by noticing and combining unique browser configurations to identify users.

Web sites can use JavaScript to request bits of information about your computer and browser in order to run web apps or display content. Some of these bits of information include:

  • Your computer’s operating system
  • Your browser version and all installed plugins (and their versions)
  • Current time zone
  • System language
  • Touchscreen support
  • The size (resolution) of your browser window
  • Custom fonts you have installed
  • The way your computer renders colors, fonts and images

While none of this information is that interesting alone, by combining it together you can come up with some very specific information.
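To make the combining effect concrete, here is an added example (not code from the original post) that counts how many visitors in a small sample share each attribute with one target visitor, and how fast that group shrinks as attributes are combined. The eight-visitor population, the attribute names and the helper functions are all constructed for illustration.

```javascript
// Constructed sample population: one row per visitor's browser profile.
// Every value here is made up for illustration.
const visitors = [
  { os: "Windows", timezone: "UTC-5", language: "en-US", screen: "1920x1080", touch: false },
  { os: "Windows", timezone: "UTC-5", language: "en-US", screen: "1366x768",  touch: true  },
  { os: "Windows", timezone: "UTC+1", language: "en-US", screen: "1920x1080", touch: false },
  { os: "Windows", timezone: "UTC-5", language: "de-DE", screen: "1920x1080", touch: true  },
  { os: "macOS",   timezone: "UTC-5", language: "en-US", screen: "1920x1080", touch: false },
  { os: "macOS",   timezone: "UTC+1", language: "en-US", screen: "1366x768",  touch: false },
  { os: "Windows", timezone: "UTC+1", language: "de-DE", screen: "1366x768",  touch: false },
  { os: "macOS",   timezone: "UTC-5", language: "de-DE", screen: "1920x1080", touch: true  },
];

// How many visitors (target included) match the target on every listed attribute.
// A result of 1 means the target is uniquely identifiable from those attributes.
function anonymitySet(population, target, attrs) {
  return population.filter(v => attrs.every(a => v[a] === target[a])).length;
}

// Bits of identifying information carried by a set of attributes:
// log2(population size / anonymity set size).
function identifyingBits(population, target, attrs) {
  return Math.log2(population.length / anonymitySet(population, target, attrs));
}

// Anonymity set size for each attribute taken on its own.
function perAttribute(population, target) {
  return Object.keys(target).map(a => anonymitySet(population, target, [a]));
}

// Anonymity set size as attributes are added one at a time, in key order.
function narrowing(population, target) {
  const attrs = Object.keys(target);
  return attrs.map((_, i) => anonymitySet(population, target, attrs.slice(0, i + 1)));
}

const target = visitors[0];
console.log("shared alone:   ", perAttribute(visitors, target)); // each value shared by 5 of 8
console.log("shared combined:", narrowing(visitors, target));    // shrinks to a single visitor
console.log("bits, all attributes:",
  identifyingBits(visitors, target, Object.keys(target)));
```

Every single attribute is shared by most of the sample, yet the first four together already single out one visitor.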

You can see just how easily identified you are by going to Panopticlick and clicking on the “Test Me” button. I’ve got some bad news, though: if you’re like most people (me included), you’re pretty easily identified via your browser fingerprint.

One small note – if you want to block almost all fingerprinting, you can turn off Flash, Java, and JavaScript in your browser. But since this breaks almost every web site that’s been made in the last 15 years, it’s not really a practical solution.

What Apple Blocks

The list of new data sources that Apple blocked is pretty alarming, if you think about combining it with already-available data. The blocked information includes:

  • Web Bluetooth
  • Web Bluetooth Scanning
  • Magnetometer
  • Network Information
  • Battery Status
  • Ambient Light Sensor
  • Proximity Sensor
  • Geolocation Sensor

There are several others, too. You can see a more complete list over on ZDNet.

It’s not too difficult to see how knowing nearby (or connected) Bluetooth devices, network connection, and battery info could drastically improve the accuracy of browser fingerprints.

Other Browsers

Aside from Safari, it looks like Mozilla Firefox also blocks most of these new APIs.

It should be only a small surprise that Chrome (and Chromium-based browsers) does allow them. If you’re using Chrome, the new Microsoft Edge, or another browser based on Chrome, you’ve been warned!