Many users share a computer with other people. They may trust each other not to do anything particularly malicious, such as installing malware or spyware, but they may still not want the other computer users to see their browsing activities. Whether it’s buying Valentine’s Day gifts, using websites that others might disapprove of, searching for private health information, or logging into a social media account on a friend’s computer, personal is personal.
Many people also share a network, at home, work, or via a shared WiFi service. When using an insecure website, all of the data is sent between the website and the browser without the protection of encryption. Other users of that network can see whatever private information is shared, and potentially modify the website so that it acts differently and the information is sent elsewhere.
Even when using a secure website, other users of the network can also see what website is being visited (because of the IP address of the website connection), even if they cannot see what was sent. In some cases, this can lead to false assumptions about what the user was using the website for. Even if the network itself is not shared, as the data passes over the Internet, any agency which can monitor that Internet connection may obtain the same information.
A website may check the styling that the browser applies to « visited » links, pointing to other websites, to determine if you have visited them. They may also try various tactics to load websites that have automatic redirections for logged-in users, and count the increase in history entries, to determine whether you are logged in to the website.
When browsing websites, the websites may embed content from a third party, which can set tracking cookies, or use other methods to identify a user. Every time the user visits a site where that third party’s content is embedded, that third party gets to know that the same user has visited the new site. Over time, the third party can build up a profile of the user – without even needing to know who they are. What websites they use, what they appear to be interested in, what time of day they are awake.
Of course, there are a number of other ways that a website can try to recognize you. They may use your IP address if your IP address seems to be unique to you – not a shared network, WiFi, or NAT (where many computers sit behind a single IP address, common with companies and universities, and even a couple of countries). They may use the ETag of cache files, which the browser sends when checking if it needs to obtain a new version of a file.
To track users, websites may also use a technique called « fingerprinting » which has nothing to do with your own fingerprints.
The website looks for all of the various things that make your browser different from everyone else’s. The user-agent (UA) string lists your operating system and your browser version. Vivaldi is popular enough that if you keep it up to date, you will have the same UA string as a lot of other users. The battery API lets a website see your laptop battery charge level, but only to a very low resolution so that many other users have the same numbers as you. And, of course, every time your browser installs updates, those numbers change, and the website has to start again, which is a positive thing for privacy.
Your browser window size, screen resolution, installed plug-ins, and a few other things are not unique to your computer, but a website can use the combination of all of these to reduce the number of people that match the combination, and eventually they may be able to determine that given all of the values they can detect, it’s likely to be the same person: you. They may even be able to monitor the way you move the mouse, scroll the page, or type on the keyboard to try to tell the difference between your behavior, and the behavior of other users.
It may be tempting to disable some of the things that a website can check for – such as the battery API. However, as soon as you start changing multiple settings that affect how a website works – whether cookies are enabled, whether the browser sends a do-not-track header, whether Local Storage is enabled, whether the battery API exists, whether you are blocking ads – you make your browser stand out more from the crowd.
The way to avoid fingerprinting, or to make it harder, is not to change settings. It is to remain as normal and ordinary as possible so that your browser appears just like everyone else’s. This, of course, conflicts with the desire for privacy, and it does mean that there will often be a trade-off – change a setting to enhance your privacy, but make it easier for a website to fingerprint.
Vivaldi – and other browsers – make it difficult for websites to fingerprint by placing limitations on the battery API, and putting little detail in the UA string. However, fingerprinting will always be possible to some extent.
On the much brighter side, websites, in general, do not use fingerprinting since there are so many easier ways to track users, such as tracking cookies and Local Storage. Where possible, websites will use an easier technique and rely on users not wanting to change those settings.
In such cases, you can regain your privacy just by deleting the cookie. In addition, in some countries, websites are required to adhere to requests for privacy (though this will depend on the country where the website is run from).
Over the next couple of weeks, we’ll post more on how to deal with many of the cases discussed here. Stay tuned for more tips in our series on privacy and security.
* * *
Read more blog posts from the series:
- The basics of web browser security: an introduction
- Your browser, antivirus and other network intercepting software
- Website permissions and third-party services in Vivaldi
Main photo by Marvin Meyer on Unsplash.