Browser Tracking

Many common methods of preventing browser tracking are ineffective. This article goes over misguided ways in which people attempt to improve their privacy when browsing the web.

Tracker Blockers

Blocking a few tracker domains does not actually prevent tracking. You cannot make a list of every single tracker domain and block them all since there are far too many. Enumerating badness does not work.

Even if you did magically create a blacklist of every single tracker domain ever, the website does not need to connect to a third party domain to run tracking code. For example, blocking Google Analytics does not prevent the website from simply running their own first party tracking code or even hosting third party tracking code from a first party domain.

The website can then share this information to the people that made the trackers you've blocked so everyone gets the exact same information they would have gotten in the first place.

Blocking trackers can only remove some low hanging fruit and is not a proper approach to systemically improving privacy. This is the reason why the Tor Browser does not include any tracker blockers.

Configuring / "Hardening" the Browser

You cannot configure your browser to prevent tracking either. Everyone will configure their browser differently so when you change a bunch of about:config settings, such as privacy.resistFingerprinting, and pile on browser extensions like Privacy Badger, you're making yourself stand out and are effectively reducing privacy.

Additionally, just disabling JavaScript, while preventing large vectors for fingerprinting, does not prevent fingerprinting entirely. Fingerprinting can be done with only CSS and HTML. One example is using @media rules to figure out your browser resolution.

You also cannot substantially improve security by configuring the browser. Changing a few settings will not fix deep architectural security issues. You can at most reduce some attack surface by disabling things, but most people don't do this to an extent where it actually matters.

Fingerprint Testing Websites

Fingerprint testing websites, such as Panopticlick, cannot reliably test your fingerprint.

These websites determine the uniqueness of your fingerprint based off of their own userbase which will miss out on the majority of real users, thereby providing inaccurate statistics and is not a viable way of determining how well you fair off against fingerprinting in the real world.

These websites also don't test for much. Do these websites fingerprint you by where your cursor is on the screen? By your clock skew? By the performance of your device? etc.

Conclusion

The only real approach to preventing browser tracking/fingerprinting is by using a browser that is designed to prevent this by default and the users do not change it. The most effective browser that does this is the Tor Browser. However, the Tor Browser's fingerprinting protections aren't perfect and its security is quite weak.

Go back