[2] This may allow a service provider to detect and prevent identity theft and credit card fraud,[3]: 299 [4][5][6] but also to compile long-term records of individuals' browsing histories (and deliver targeted advertising[7]: 821 [8]: 9 or targeted exploits[9]: 8 [10]: 547 ) even when they are attempting to avoid tracking – raising a major concern for internet privacy advocates.
Since its introduction in the late 1990s, client-side scripting has gradually enabled the collection of an increasing amount of diverse information, with some computer security experts starting to complain about the ease of bulk parameter extraction offered by web browsers as early as 2003.
In 2012, Keaton Mowery and Hovav Shacham, researchers at University of California, San Diego, showed how the HTML5 canvas element could be used to create digital fingerprints of web browsers.
[10]: 546 In 2014, 5.5% of Alexa top 10,000 sites were found to use canvas fingerprinting scripts served by a total of 20 domains.
The overwhelming majority (95%) of the scripts were served by AddThis, which started using canvas fingerprinting in January that year, without the knowledge of some of its clients.
[18]: 678 [19][16][20][4] In 2015, a feature to protect against browser fingerprinting was introduced in Firefox version 41,[21] but it has since remained experimental and is not enabled by default.
"[24] In 2019, starting from Firefox version 69, Enhanced Tracking Protection has been turned on by default for all users also during non-private browsing.
Indeed, programs that employ digital rights management use this information for the very purpose of uniquely identifying the device.
[13] The collection of a large amount of diverse and stable information from web browsers is possible for the most part due to client-side scripting languages, which were introduced in the late 1990s.
A Hamming distance comparison of parser behaviors has been shown to effectively fingerprint and differentiate a majority of browser versions.
[34]: 3 [10]: 553 [38] User agents may provide system hardware information, such as phone model, in the HTTP header.
[44] The letter bounding boxes differ between browsers based on anti-aliasing and font hinting configuration and can be measured by JavaScript.
[42]: 117 As of 2017, Microsoft Edge is considered to be the most fingerprintable browser, followed by Firefox and Google Chrome, Internet Explorer, and Safari.
[10]: 552 Spoofing the information differently at each site visit, for example by perturbing the sound and canvas rendering with a small amount of random noise, reduces the stability of the fingerprint.
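The effect of that per-visit noise can be seen on a simulated canvas readback. This is an added example, not code from the article or from any browser: the pixel buffer is constructed, the FNV-1a digest stands in for whatever hash a script takes of the pixels, and the seeded generator is an assumption that keeps the run repeatable.

```javascript
// Constructed stand-in for the RGBA bytes read back from a rendered canvas.
function renderSample(width, height) {
  const px = new Uint8ClampedArray(width * height * 4);
  for (let p = 0; p < width * height; p++) {
    px.set([(p * 7) & 0xff, (p * 13) & 0xff, (p * 29) & 0xff, 255], p * 4);
  }
  return px;
}

// FNV-1a (32-bit): stands in for whatever digest a script takes of the pixels.
function digest(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) {
    h ^= b;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Small seeded PRNG so the demo is repeatable; a real defence would draw
// fresh noise per visit from crypto.getRandomValues().
function seededRandom(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Flip the lowest bit of a small share of colour channels (alpha untouched).
function perturb(pixels, visitSeed, rate = 0.02) {
  const rand = seededRandom(visitSeed);
  const out = Uint8ClampedArray.from(pixels);
  for (let i = 0; i < out.length; i++) {
    if (i % 4 !== 3 && rand() < rate) out[i] ^= 1;
  }
  return out;
}

// Largest per-channel difference: shows the change is visually negligible.
function maxDelta(a, b) {
  let m = 0;
  for (let i = 0; i < a.length; i++) m = Math.max(m, Math.abs(a[i] - b[i]));
  return m;
}

const base = renderSample(64, 16);
console.log("no noise :", digest(base), digest(renderSample(64, 16)));
console.log("visit 1  :", digest(perturb(base, 1)));
console.log("visit 2  :", digest(perturb(base, 2)));
console.log("max delta:", maxDelta(base, perturb(base, 1)));
```

Without noise the digest repeats on every render, while each perturbed visit yields a different digest even though no channel moves by more than one step.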