Date: 2019-11-06

Just when you thought we had hit rock bottom on all the ways the internet could snoop on us — no. We've sunk even lower.

There's a tactic spreading across the web named after treatment usually reserved for criminals: fingerprinting. At least a third of the 500 sites that Americans visit most often use hidden code to run an identity check on your computer or phone.

Websites from CNN to Best Buy to WebMD are dusting your digital fingerprints by collecting details about your device you can't easily hide. It doesn't matter whether you turn on "private browsing" mode, clear tracker cookies or use a virtual private network. Some even use the fact that you've flagged "do not track" in your browser as a way to fingerprint you.

They're doing it, I suspect, because more of us are taking steps to protect our data. Privacy is an arms race — and we are falling behind.

Fingerprinting happens when sites force your browser to hand over innocent-looking but largely unchanging technical information about your computer, such as the resolution of your screen, your operating system or the fonts you have installed. Combined, those details create a picture of your device as unique as the skin on your thumb.

Sites can use your digital fingerprint to know whether you've visited before, create profiles of your behavior or make ads follow you around. They can also use it to stop you from sharing a password, identify fraudsters and block harmful bots.

Patrick Jackson, chief technology officer of privacy software company Disconnect, tested for signs of fingerprinting on the 500 most popular websites used by Americans. He revealed what these sites hide in their code and do on our computers that we don't get to see on our screens.

Of the 183 likely fingerprinters Jackson identified between Sept. 30 and Oct. 8, I asked 30 of the most well-known to explain their behavior. Some claimed it was industry-standard to fingerprint. Many said they didn't realize it was happening or never collected the data themselves, because they had let ad and data partners operate parts of their websites. After hearing from me, six sites said they would remove fingerprinting code, including four run by the U.S. government.

How they fingerprint you

It's happening on sites you wouldn't think would be so intrusive, including Thesaurus.com and AllRecipes.com — even security and privacy software maker Norton.com. Two porn sites didn't answer my questions, but Jackson said he suspects they're using it to track and tailor content to the people who view them in private-browsing modes that turn out to be not so private.

The Washington Post website fingerprints visitors when they've blocked cookies, which ought to be a signal visitors don't want to be tracked. In different ways, the Fox News and New York Times websites do it, too.

Fingerprinting isn't yet as widespread as cookies, those tiny files websites drop in your browser to track you. But it's concerning because it's much, much more aggressive.

"Fingerprinting is designed to be user-hostile," Jackson said. "It even takes the fact that you don't want to be tracked as a parameter to make your fingerprint more unique."

Google, Apple and Mozilla, which make the world's most-used browsers, rarely agree on much, but they've all identified fingerprinting as a growing threat.

"Because fingerprinting is neither transparent nor under the user's control, it results in tracking that doesn't respect user choice," wrote Google's Chrome browser engineers in May.

Fingerprinting sites don't necessarily know you by name. But they're connecting the dots on information that could be just as valuable.

When you load a site, fingerprinting code starts asking your computer for things that aren't part of the usual process of drawing a page. Knowing what operating system you're running, what fonts you have installed or what your address is on your internal network makes you look different from other people visiting the site.

Some sites use as a signal whether people have turned on the "Do not track" flag in their browser. (That's not ironic; it's malicious.)
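
An added illustration, not code from any site or tool named in this article: the JavaScript below uses a constructed eight-visitor population to show how combining screen, operating system and font details shrinks the group a visitor can hide in, and how a "do not track" setting can single someone out. The attribute names and values are assumptions made for the example.

```javascript
// Added illustration: all visitor records below are constructed sample data.
const visitors = [
  { id: "v1", screen: "1920x1080", os: "Windows 10", fonts: "default", dnt: "unset" },
  { id: "v2", screen: "1920x1080", os: "Windows 10", fonts: "default", dnt: "unset" },
  { id: "v3", screen: "1920x1080", os: "Windows 10", fonts: "default", dnt: "1" },
  { id: "v4", screen: "1920x1080", os: "Windows 10", fonts: "default+custom", dnt: "unset" },
  { id: "v5", screen: "1366x768", os: "Windows 10", fonts: "default", dnt: "unset" },
  { id: "v6", screen: "1440x900", os: "macOS", fonts: "default", dnt: "unset" },
  { id: "v7", screen: "1440x900", os: "macOS", fonts: "default", dnt: "unset" },
  { id: "v8", screen: "1440x900", os: "macOS", fonts: "default", dnt: "unset" },
];

// Join the chosen attributes into one key: the "fingerprint".
function fingerprint(visitor, attrs) {
  return attrs.map((a) => `${a}=${visitor[a]}`).join("|");
}

// Anonymity set: how many visitors share this visitor's fingerprint.
function anonymitySet(visitor, population, attrs) {
  const key = fingerprint(visitor, attrs);
  return population.filter((v) => fingerprint(v, attrs) === key).length;
}

// Surprisal in bits: -log2(share of the population with the same fingerprint).
function surprisalBits(visitor, population, attrs) {
  return -Math.log2(anonymitySet(visitor, population, attrs) / population.length);
}

// Visitors who are alone in their anonymity set, so recognisable on a return visit.
function uniqueVisitors(population, attrs) {
  return population
    .filter((v) => anonymitySet(v, population, attrs) === 1)
    .map((v) => v.id);
}

const withoutDnt = ["screen", "os", "fonts"];
const withDnt = [...withoutDnt, "dnt"];

for (const v of visitors) {
  console.log(
    v.id,
    "set without DNT:", anonymitySet(v, visitors, withoutDnt),
    "set with DNT:", anonymitySet(v, visitors, withDnt),
    "bits:", surprisalBits(v, visitors, withDnt).toFixed(2)
  );
}
```

In this sample, visitor v3 shares a fingerprint with two others until the "do not track" value is added, at which point v3 stands alone, while the three identically configured macOS visitors stay indistinguishable from one another.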

Many times, fingerprinting code will run the digital equivalent of a sonar test, sending out a signal just to see what comes back. Website code instructs your browser how to draw out text. The coding in it for fingerprinting can include words or icons that never show up on your screen, letting websites track minute differences in how each device responds. The Best Buy website used this invisible ink to write "F1n63r, Pr1n71n6!" Stand back and you might see it spells out "fingerprinting!"

How some are fighting back

Fingerprinting isn't like other online snooping. We can't entirely stop it by blocking cookies or making other simple changes to our browsers. The tactics keep evolving.

The good news is that there are gradations of certainty in fingerprinting — not all devices and browsers are equally easy to detect.

Valentin Vasilyev, who created fingerprinting software, said it is still possible to make yourself hard to fingerprint by using software such as Tor. It's a privacy-first browser that goes to great lengths to make each user's device look the same — but only useful for highly technical people because it breaks common websites.

You can also get some protection from more consumer-friendly software.

Apple iPhones, iPads and Macs running the company's Safari browser are among the hardest to fingerprint. That is, in part, because Apple has a relatively limited product line and those devices tend to be standardized — so they look more similar to fingerprinting software (compared to the zillions of variations in Android phones and Windows laptops out there). It's a kind of online herd immunity.

Apple's Safari also has been tackling fingerprinting directly by reducing the amount of information it shares, such as a list of built-in fonts (instead of custom ones).

However, most people in the world do not own Apple devices. Everyone else should consider the Firefox browser because of its aggressive default protection from tracker cookies.

Google's Chrome browser doesn't do much to stop fingerprinting by default. You can add browser privacy extensions such as uBlock Origin, the Electronic Frontier Foundation's Privacy Badger or Jackson's Disconnect to help stop some fingerprinting. But beware this software might break some of the sites you want to visit.

In May, Google promised it was going to join the fingerprinting fight — an important move because Chrome is by far the most-used browser. It said its plans include reducing the way browsers can be "passively" fingerprinted, so that it can detect and intervene against "active" fingerprinting efforts as they happen.