Frequently asked questions


Browser Fingerprinting

  1. What is a browser fingerprint?
  2. What features are used for fingerprinting?
  3. Where do the features for fingerprinting come from?
  4. What are browser fingerprints used for?
  5. Are browser fingerprints bad?
  6. Are you already measuring my browser fingerprint on your website?

Registration

  1. Why did I not receive a verification email after signing up?
  2. Why do you need my email address?
  3. Isn't it dangerous to click on links in emails (phishing)?

During the participation

  1. Why did I not receive one of those emails to measure my fingerprint?
  2. What happens if I forgot to let you measure my fingerprint?
  3. Why is the number of fingerprints greater than the number of participants?
  4. Are all of these features you store really needed in order to determine a browser fingerprint?
  5. Why is my Canvas/WebGL fingerprint a string?
  6. What is this report about that you send me every 4 weeks?
  7. How can I unsubscribe from the study?

Our study

  1. How am I helping you to investigate browser fingerprinting?
  2. Why isn't there an app for that? Emails are inconvenient.
  3. What is the difference between this study and related studies?
  4. What is meant by 'anonymous form' in terms of publishing fingerprint data for research purposes?
  5. What does 'most stable fingerprint' mean?
  6. When will the dataset for research purposes be released?

Answers

Browser Fingerprinting

  1. What is a browser fingerprint?

    A browser fingerprint is a set of browser characteristics (features) that can be used to recognize users if those characteristics are unique enough.

  2. What features are used for fingerprinting?

    A browser fingerprint can be based on obvious information (e.g., browser name, browser version), but also on less obvious information (e.g., list of installed browser plugins and fonts, or version of certain browser components). Each piece of browser information that can be queried by websites or that is revealed during your communication on the Web (HTTP-based features) is suitable to be part of your fingerprint.

  3. Where do the features for fingerprinting come from?

    The majority of your browser features can be accessed via JavaScript, which is used for a variety of reasons on most websites. Further pieces of information (e.g., the complete list of installed fonts on your device) can be queried utilizing browser plugins (e.g., Flash, Silverlight, Java).

  4. What are browser fingerprints used for?

    Similar to the human fingerprint, which is used to identify humans, browser fingerprints are utilized to recognize browsers and thus users without their knowledge or consent. The majority of browsers have a unique fingerprint, meaning that users on the Web can be recognized and tracked across several websites even if the users did not log in on a website.

  5. Are browser fingerprints bad?

    There are good and bad uses of browser fingerprints. A possible good use of fingerprints is, for example, protecting users from online account theft by detecting suspicious changes of browser characteristics between login sessions. An obviously bad use of fingerprints is tracking users without their knowledge or consent, especially because browser fingerprinting is technically very difficult to prevent.

  6. Are you already measuring my browser fingerprint on your website?

    No. We will only measure fingerprints if you visit the links we send you via email.

Registration

  1. Why did I not receive a verification email after signing up?

    Check your spam/junk directory and mark us as a trustworthy contact. If you cannot find our email either in your inbox or in your spam/junk directory, please contact us via email (see contact page).

  2. Why do you need my email address?

    We hope to obtain more precise results while gathering fingerprints over a longer period by assigning them on the basis of email addresses. If your participation ends, your email address will be deleted from our database. Under no circumstances will we share your personal data with third parties.

  3. Isn't it dangerous to click on links in emails (phishing)?

    Each of our emails is signed with an S/MIME certificate from Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU, Germany), which allows you to verify whether we are the real sender of an email:

    Certificate owner:    GRP: CS1 Browser Fingerprinting
    Email address:        cs1-browser-fingerprint@fau.de
    Certificate issuer:   FAU-CA / Universitaet Erlangen-Nuernberg / RRZE / Erlangen / Bayern / DE
    Serial number:        7468951089955330 (or 0x1A88F8B08FC202, or 1A:88:F8:B0:8F:C2:02)
    SHA1 Fingerprint:     6A:B7:C1:CE:FB:21:80:41:6E:1F:6E:7F:E0:BF:95:9E:D2:55:9A:33
    SHA256 Fingerprint:   B9:B0:4F:57:48:93:FC:8E:7D:89:81:43:39:5F:79:89:11:87:8B:16:8F:51:A0:FB:85:A5:DF:9D:26:E0:04:78
    Validity begins:      10.12.2015 14:16:16
    Validity ends:        09.12.2018 14:16:16

    A short guide with images to verify our digital signature using Mozilla Thunderbird as an example for an email client:

     

    1. Detect the envelope icon that indicates the digital signature
    2. Click on the envelope icon to see the signature
    3. Click on View Signature Certificate for full details

     

    You can also download the S/MIME certificate for our email address cs1-browser-fingerprint@fau.de or group name GRP: CS1 Browser Fingerprinting directly from Deutsches Forschungsnetz (DFN) (German Research Network) and import it manually into your email client.

    If you still have doubts, you can view our emails as plain text messages (not as HTML messages) and should only visit those links that begin with https://browser-fingerprint.cs.fau.de/, or contact us.

During the participation

  1. Why did I not receive one of those emails to measure my fingerprint?

    Check your spam/junk directory and mark us as a trustworthy contact. If you cannot find our email either in your inbox or in your spam/junk directory, please contact us via email (see contact page).

  2. What happens if I forgot to let you measure my fingerprint?

    Nothing. You are not obliged to visit the links we send you. Of course we would appreciate it if you decide to visit them so we can measure your fingerprint on a regular basis.

  3. Why is the number of fingerprints greater than the number of participants?

    The features of your browser may vary between measurements (e.g., caused by updates, or changes of settings). Furthermore, all participants are free to test each of their browsers with several settings and on various devices. Therefore, you will probably have more than one fingerprint within your participation. The evaluation will always indicate to you whether the fingerprint of your current browser is unique, or whether other participants already had the same one.

  4. Are all of these features you store really needed in order to determine a browser fingerprint?

    No. Related studies have shown that even very few features can be sufficient to recognize a browser very clearly in certain circumstances. But we want to determine how all possible features can be used for browser fingerprinting, and how countermeasures affect them (e.g., the randomization or unification of characteristics).

  5. Why is my Canvas/WebGL fingerprint a string?

    Your Canvas/WebGL fingerprint is represented as a hash value. A hash value is the result of a hash function, which maps a usually large input to a smaller output value. In our case, the input value is a graphic rendered by your browser and the output is a hexadecimal value (numbers 0-9, letters a-f, length 64).

    Since hash values usually are unique for each input, they are called fingerprints and therefore can be used, inter alia, to check the equality or inequality of large inputs based on their hash values.

  6. What is this report about that you send me every 4 weeks?

    Every 4 weeks during your participation, you receive a report as a PDF file via email. It summarizes your participation so far and gives you an overview of the total number of your measurements, your distinct and unique fingerprints, your recognizability, and your recognizability compared to other participants. You can take a look at our example report.

  7. How can I unsubscribe from the study?

    Visit the unsubscribe link that is embedded in each of our weekly emails.

Our study

  1. How am I helping you to investigate browser fingerprinting?

    Every time you visit one of the links to measure your fingerprint, we will query and store characteristic attributes (features) of your browser. By assigning your visit to your email address, we will be able to compare your fingerprints to those of other participants more precisely. In addition, we can examine how your features change over the period of your participation.

    In order to assess countermeasures, we need real data about browser fingerprints and their characteristics in general. Therefore, we need to measure fingerprints under controlled conditions, which is why your registration is needed to participate in this study.

    Under no circumstances will we share your personal data with third parties. After your participation ends, your email address will be deleted from our database, so your browser fingerprints can no longer be assigned to your email address.

  2. Why isn't there an app for that? Emails are inconvenient.

    With a mobile app, we would restrict the group of participants to smartphone and tablet users. However, we want to investigate the browser fingerprints of desktop, laptop, smartphone and tablet users. Based on the emails we send, we hope to cover the majority of devices.

  3. What is the difference between this study and related studies?

    In related studies, cookies were used to recognize users in order to control the total number of fingerprints and their changes over time. Therefore, users didn't need to sign up.

    Our study is based on participants that signed up with their email addresses so we can control the total number of fingerprints and their changes more precisely. Furthermore, we are planning to compile test datasets for research purposes (e.g., to benchmark countermeasures) based on anonymous fingerprint data.

  4. What is meant by 'anonymous form' in terms of publishing fingerprint data for research purposes?

    We want to compile a dataset that includes the browser features of those participants who agreed to the publication of their data. This dataset should basically contain the individual measurements and allow the following anonymous assignments:

    • The person X had the fingerprints F1, F2, ...
    • The fingerprints F1, F2, ... had the feature characteristics m1, m2, ...
    • The fingerprints F1, F2, ... had the timestamps t1, t2, ...
    • The persons X and Y had n identical fingerprints/feature characteristics
    • etc.

    Each person will be anonymized by using a random identification number as representation. Browser characteristics that are extremely rare will also be anonymized (e.g., by using keyed hashes).

    We will try to keep the dataset as detailed as possible, while respecting data protection laws.
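
    One way such a release step could look, as an added example that is not the study's own code: each email address is replaced by a random identifier and rare feature values by a keyed hash (HMAC-SHA256), so that identical values remain comparable across persons. The record layout, the names and the rarity threshold are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

RARE_THRESHOLD = 3  # assumption: a value seen in fewer records than this is "extremely rare"

# Constructed sample measurements (example.org is a reserved domain).
COMMON, RARE = "Arial,Helvetica", "Arial,Helvetica,RareFont"
RAW = [
    ("alice@example.org", "2016-03-01", COMMON),
    ("alice@example.org", "2016-03-08", RARE),
    ("bob@example.org", "2016-03-02", COMMON),
    ("carol@example.org", "2016-03-03", COMMON),
    ("carol@example.org", "2016-03-10", RARE),
]
RECORDS = [{"email": e, "time": t, "features": {"timezone": "UTC+1", "fonts": f}}
           for e, t, f in RAW]


def anonymize(records, key, threshold=RARE_THRESHOLD):
    """Return records without email addresses and with rare values keyed-hashed."""
    # Number of records that carry each (feature name, value) pair.
    counts = Counter((n, v) for r in records for n, v in r["features"].items())
    ids = {}  # email -> random id; this mapping is never written to the release
    released = []
    for r in records:
        person = ids.setdefault(r["email"], secrets.token_hex(8))
        features = {}
        for name, value in r["features"].items():
            if counts[(name, value)] < threshold:
                # Keyed hash: equal inputs still compare equal, but without the
                # key the value cannot be recovered by hashing candidate inputs.
                mac = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256)
                value = "hmac:" + mac.hexdigest()
            features[name] = value
        released.append({"person": person, "time": r["time"], "features": features})
    return released


if __name__ == "__main__":
    for row in anonymize(RECORDS, secrets.token_bytes(32)):
        print(row)
```

    The HMAC key has to stay secret and out of the released dataset; otherwise rare values could be recovered by hashing candidate inputs.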

  5. What does 'most stable fingerprint' mean?

    The most stable fingerprint of a participant is the fingerprint that remained constant for the longest period of time amongst all his/her unique fingerprints. Thereby, it expresses the longest period of time in which a participant was recognizable based on his/her fingerprint.
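
    The definition above carried out on constructed data, as an added example that is not the study's own code. It assumes that a fingerprint is unique when no other participant ever had it, and that "remained constant" means an unbroken run of consecutive measurements; the tuple layout and function names are assumptions as well.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample measurements: (participant, date, fingerprint hash).
MEASUREMENTS = [
    ("p1", "2016-01-04", "aa11"),
    ("p1", "2016-01-11", "aa11"),
    ("p1", "2016-01-18", "bb22"),
    ("p1", "2016-01-25", "bb22"),
    ("p1", "2016-02-01", "bb22"),
    ("p1", "2016-02-08", "bb22"),
    ("p1", "2016-02-15", "aa11"),   # aa11 returns, but that starts a new run
    ("p2", "2016-01-04", "cc33"),
    ("p2", "2016-03-07", "cc33"),   # long run, but cc33 is shared with p3
    ("p3", "2016-01-05", "cc33"),
    ("p3", "2016-01-12", "dd44"),
]


def unique_fingerprints(measurements):
    """Fingerprints that were only ever seen for a single participant."""
    owners = defaultdict(set)
    for pid, _, fp in measurements:
        owners[fp].add(pid)
    return {fp for fp, pids in owners.items() if len(pids) == 1}


def most_stable(measurements, participant):
    """Return (days, fingerprint) of the longest constant run, or None."""
    unique = unique_fingerprints(measurements)
    series = sorted((datetime.fromisoformat(ts), fp)
                    for pid, ts, fp in measurements if pid == participant)
    best = None
    run_start = prev_fp = None
    for ts, fp in series:
        if fp != prev_fp:            # fingerprint changed: a new run begins
            run_start, prev_fp = ts, fp
        if fp in unique:             # only unique fingerprints identify the person
            days = (ts - run_start).days
            if best is None or days > best[0]:
                best = (days, fp)
    return best


if __name__ == "__main__":
    for pid in ("p1", "p2", "p3"):
        print(pid, most_stable(MEASUREMENTS, pid))
```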

  6. When will the dataset for research purposes be released?

    The data acquisition is expected to end in December 2016. Subsequently, we will start evaluations on the entire dataset before compiling the dataset for research purposes.