How do trackers work?
When you visit a website, your browser makes a "request" for that site. In the background, advertising code and invisible trackers on that site might also cause your browser to make dozens or even hundreds of requests to other hidden third parties. Each request contains several pieces of information about your browser and about you, from your time zone to your browser settings to what versions of software you have installed.
Some of this information is passed along by default simply to help you view the page. For example, HTTP headers are essential to most web functionality, and broadcast your device and browser version. But a lot of the information in your browser’s requests is also extracted by third-party ad networks, which have sneaky tracking mechanisms embedded across the Internet to gather your information.
At first glance, the data points that third-party trackers collect may seem relatively mundane and disparate. But when compiled together, they can reveal a detailed behavioral profile of your online activity, from political affiliation to education level to income bracket. As long as this trove of data about you is linked back to you, your online activity can be logged. Ad networks primarily rely on two methods to maintain this link: cookie tracking, and browser fingerprinting.
What are cookies?
Cookies are small chunks of information that websites store in your browser. Their main use is to remember helpful things like your account login info, or what items were in your online shopping cart—in other words, they save your place. But they can also be misused to link all your visits, searches, and other activities on a site together. This use of cookies is a privacy violation, and browsers generally allow you to block, limit, or delete cookies.
What is a digital fingerprint?
A digital fingerprint is essentially a list of characteristics that are unique to a single user, their browser, and their particular hardware setup. This includes information the browser needs to send to access websites, like the location of the website the user is requesting. But it also includes a host of seemingly insignificant data (like screen resolution and installed fonts) gathered by tracking scripts. Tracking sites can stitch all the small pieces together to form a unique picture, or "fingerprint," of your device.
What is the difference?
Think of the small tracking devices scientists use to follow animal migration patterns, or a GPS transmitter attached to a car. As long as they’re attached to the target animal or vehicle, they are accurate and effective—but they lose all value if they’re knocked off or discarded. This is roughly how cookies behave: they track users up until the point a user deletes them.
Fingerprinting uses more permanent identifiers such as hardware specifications and browser settings. This is equivalent to tracking a bird by its song or feather markings, or a car by its license plate, make, model, and color. In other words, metrics that are harder to change and impossible to delete.
Can I do anything about this?!
Completely blocking trackers is difficult, even with a fully-featured tracker blocker. Even so, we recommend using the tracking protections above. Privacy protection does not have to be perfect to make a big difference!
There are two main dynamics that make trackers hard to entirely avoid online:
- Impact on Usability: It’s unfortunate that enhanced privacy often comes at the expense of functionality. For instance, you may want to disable JavaScript to stop tracking scripts from running. But this will likely make it hard to shop, fill out forms, watch videos, or see interactive web elements. Many pages require disabling your ad blocker to see content, or refuse to load anything unless you use the “official” app.
- Identifiable Protections: Paradoxically, sometimes your protections themselves can become part of your fingerprint. An add-on intended to protect you can even lead to your full identification. Changing your settings and installing protections can lead trackers to be identified. In this case, you become a “mystery user with a very specific combination of privacy protections installed.”
In practice, the most realistic protection currently available is the Tor Browser, which has put a lot of effort into reducing browser fingerprintability. For day-to-day use, the best options are to run tools like Privacy Badger or Disconnect that will block some (but unfortunately not all) of the domains that try to perform fingerprinting, and/or to use a tool like NoScript( for Firefox), which greatly reduces the amount of data available to fingerprinters.
Cover Your Tracks’ primary goal is to help you determine your own balance between privacy and convenience. By giving you a summary of your overall protection and a list of characteristics that make up your digital fingerprint, you can see exactly how your browser appears to trackers, and how implementing different protection methods changes this visibility. The following suggestions are simple, straightforward protection methods, and are an excellent starting point.
Simple suggestions
Using a Tracker Blocker
Install a tracker blocker and watch your browsing experience get a lot more pleasant
Most tracker blockers cross-reference massive lists of tracking scripts. They then block any attempts to load an ad or other item that matches.
When you block trackers, you prevent tracking companies from reading your browser fingerprint. However, more advanced tracking techniques may still be able to gather information about you.
Disabling Javascript
Most trackers run on JavaScript, and they can’t gather much of the information used to determine your browser fingerprint without it. Thus, your browser looks a lot less distinct, and is more protected.
But there is a trade off. Disabling JavaScript breaks a staggering amount of websites, and limits the functionality of many more.
Changing browser settings from defaults
Tracking is so pervasive that all of the major browsers (Chrome, Firefox, and Safari) come with settings that disable certain types of tracking. Turning them on or off is as simple as going into the settings menu and clicking a button.
Disabling tracking scripts in your browser settings is reliably effective, though not as robust as a designated tracker-blocker.
For more info about what settings and protections your browser offers compared to others, check out this article from Blacklight.
Using a fingerprint resistant browser
Some newer browsers were built to thwart fingerprinting, such as Tor Browser and Brave. How they do this varies from browser to browser, but they generally work by making your fingerprint less unique and/or less consistent. This means trackers have a harder time following your usage of the web.
Can my attempts to protect myself backfire? How can attempting to make myself more anonymous actually make me more identifiable?
Each browser metric is highly connected to other metrics in complex ways. This is why we don’t recommend trying to change a single element of your fingerprint. Striving to get the most common result for any individual metric may seem like a good idea, but it can actually make your browser more identifiable.
Let’s look at an example of how these metrics are interconnected:
No matter what browser you’re using, they all send information about themselves to servers so that web content loads correctly. This information includes the browser name and version. If you swap out the identifier of the browser you're actually using with one from a more common browser, you may make yourself completely identifiable. How is this possible? If Chrome is a more common browser, how can identifying your browser as Chrome make you more unique?
Because trackers aren’t only looking at what browser version you have. In combination with other metrics, your fake Chrome browser may stand out. This is because if you are actually using, say, Safari browser all the other metrics will point to this fact. You will have the only browser out there identifying itself as Chrome but looking like Safari.
Incognito mode
Historically, Private Browsing and Incognito Mode had a single purpose. These modes were intended to prevent traces of sites you visited from being stored on your machine. It was not meant to prevent remote sites or trackers from identifying and storing when you visit a site on their servers.
If you are using Firefox, using Private Browsing will provide some protections against trackers. Any trackers that are included in the Disconnect tracking protection list will be blocked. This keeps you safe from known trackers. Known fingerprinters and cryptominers which use your browser against you are also blocked. However, this will not prevent a new fingerprinter or tracker from identifying your browser and keeping tabs on it. In order to get this extra level of protection, your browser needs to have a fingerprint which is either:
- so common that a tracker can't tell you apart from the crowd (as in Tor Browser), or
- randomized so that a tracker can't tell it's you from one moment to the next (as in Brave browser).
Google's Chrome browser does not provide protection against trackers or fingerprinters in Incognito Mode.