Read this article in 日本語.
Many users share a computer with other people. They may trust each other not to do anything particularly malicious, such as installing malware or spyware, but they may still not want the other computer users to see their browsing activities. Whether it’s buying Valentine’s Day gifts, using websites that others might disapprove of, searching for private health information, or logging into a social media account on a friend’s computer, personal is personal.
Many people also share a network, at home, work, or via a shared WiFi service. When using an insecure website, all of the data is sent between the website and the browser without the protection of encryption. Other users of that network can see whatever private information is shared, and potentially modify the website so that it acts differently and the information is sent elsewhere.
Even when using a secure website, other users of the network can also see what website is being visited (because of the IP address of the website connection), even if they cannot see what was sent. In some cases, this can lead to false assumptions about what the user was using the website for. Even if the network itself is not shared, as the data passes over the Internet, any agency which can monitor that Internet connection may obtain the same information.
A website may check the styling that the browser applies to “visited” links, pointing to other websites, to determine if you have visited them. They may also try various tactics to load websites that have automatic redirections for logged-in users, and count the increase in history entries, to determine whether you are logged in to the website.
When browsing websites, the websites may embed content from a third party, which can set tracking cookies, or use other methods to identify a user. Every time the user visits a site where that third party’s content is embedded, that third party gets to know that the same user has visited the new site. Over time, the third party can build up a profile of the user – without even needing to know who they are. What websites they use, what they appear to be interested in, what time of day they are awake.
Of course, there are a number of other ways that a website can try to recognize you. They may use your IP address if your IP address seems to be unique to you – not a shared network, WiFi, or NAT (where many computers sit behind a single IP address, common with companies and universities, and even a couple of countries). They may use the ETag of cache files, which the browser sends when checking if it needs to obtain a new version of a file.
To track users, websites may also use a technique called “fingerprinting” which has nothing to do with your own fingerprints.
The website looks for all of the various things that make your browser different from everyone else’s. The user-agent (UA) string lists your operating system and your browser version. Vivaldi is popular enough that if you keep it up to date, you will have the same UA string as a lot of other users (since Vivaldi 2.10, the user-agent string is shared with other Chromium-based browsers, making it even less identifiable). The battery API lets a website see your laptop battery charge level, but only to a very low resolution so that many other users have the same numbers as you. And, of course, every time your browser installs updates, those numbers change, and the website has to start again, which is a positive thing for privacy.
Your browser window size, screen resolution, installed plug-ins, and a few other things are not unique to your computer, but a website can use the combination of all of these to reduce the number of people that match the combination, and eventually they may be able to determine that given all of the values they can detect, it’s likely to be the same person: you. They may even be able to monitor the way you move the mouse, scroll the page, or type on the keyboard to try to tell the difference between your behavior, and the behavior of other users.
It may be tempting to disable some of the things that a website can check for – such as the battery API. However, as soon as you start changing multiple settings that affect how a website works – whether cookies are enabled, whether the browser sends a do-not-track header, whether Local Storage is enabled, whether the battery API exists, whether you are blocking ads – you make your browser stand out more from the crowd.
The way to avoid fingerprinting, or to make it harder, is not to change settings. It is to remain as normal and ordinary as possible so that your browser appears just like everyone else’s. This, of course, conflicts with the desire for privacy, and it does mean that there will often be a trade-off – change a setting to enhance your privacy, but make it easier for a website to fingerprint.
Vivaldi – and other browsers – make it difficult for websites to fingerprint by placing limitations on the battery API, and putting little detail in the UA string. However, fingerprinting will always be possible to some extent.
On the much brighter side, websites, in general, do not use fingerprinting since there are so many easier ways to track users, such as tracking cookies and Local Storage. Where possible, websites will use an easier technique and rely on users not wanting to change those settings.
In such cases, you can regain your privacy just by deleting the cookie. In addition, in some countries, websites are required to adhere to requests for privacy (though this will depend on the country where the website is run from).
Protecting you from tracking
In Vivaldi 3.0, we introduced tracking protection. This recognises known tracking services, and prevents their content from loading. Cookies and other identifiers are therefore not sent to the tracking service. It can be enabled with just a couple of clicks, allowing you to browse in relative privacy, without having to be troubled by fingerprinting, and without having to try more drastic measures like disabling scripts or cookies, both of which can cause websites to malfunction. The feature is aimed at blocking cross-site tracking, since this is the most privacy invasive. It does not block access to websites that only monitor your usage of that website, since this is largely acceptable – a shop can see what products you look at while you are in that shop, but they should not be able to follow you into another shop to see what you look at in that other shop. All websites will be able to monitor usage of their own website to a large degree.
The tracker blocker uses blocker lists provided by trusted partners, but you can enable additional lists, or add your own lists as well. By default, it only blocks trackers and adverts that use tracking to build behavioural profiles, while it allows contextual or non-targeted advert providers to display adverts. Websites still need to be able to provide their services, and many do so by using harmless adverts as a way to fund the website’s operation. However, you can optionally choose to block those adverts too. The feature can be disabled, or set to block all adverts per site using the shield icon in the address field. This allows you to remove unruly adverts on a particular website, to allow it to function better.
This is a field where active research is still taking place, and other methods may also provide usable solutions. Other approaches to tracker blocking might include trying to automatically limit access to properties and APIs that might be used for fingerprinting if too many get used. This can only have a limited effect, since even with only a couple of properties and an IP address, a website might still be able to recognise users. Another approach might be to detect when websites are repeatedly loaded as third party resources, and accessing certain APIs, or setting certain cookies, before blocking them as a tracker. However, a tracker may be able to find ways to use this to their advantage, causing certain resources to be blocked and not others, creating a uniquely fingerprintable configuration that distinguishes users from each other. For this reason, the tracker blocker does not use these approaches, and instead just blocks known tracking providers. However, we do continue to monitor advances in these fields with interest, and it is possible that we might use a combined approach in future.
Over the next couple of weeks, we’ll post more on how to deal with many of the cases discussed here. Stay tuned for more tips in our series on privacy and security.
* * *
Read more blog posts from the series:
- The basics of web browser security: an introduction
- Your browser, antivirus and other network intercepting software
- Website permissions and third-party services in Vivaldi
Main photo by Marvin Meyer on Unsplash.