Fingerprinting Web Users Through Font Metrics

Abstract

We describe a web browser fingerprinting technique based on measuring the onscreen dimensions of font glyphs. Font rendering in web browsers is affected by many factors—browser version, what fonts are installed, and hinting and antialiasing settings, to name a few—that are sources of fingerprintable variation in end-user systems. We show that even the relatively crude tool of measuring glyph bounding boxes can yield a strong fingerprint, and is a threat to users’ privacy. Through a user experiment involving over 1,000 web browsers and an exhaustive survey of the allocated space of Unicode, we find that font metrics are more diverse than User-Agent strings, uniquely identifying 34 % of participants, and putting others into smaller anonymity sets. Fingerprinting is easy and takes only milliseconds. We show that of the over 125,000 code points examined, it suffices to test only 43 in order to account for all the variation seen in our experiment. Font metrics, being orthogonal to many other fingerprinting techniques, can augment and sharpen those other techniques.

We seek ways for privacy-oriented web browsers to reduce the effectiveness of font metric–based fingerprinting, without unduly harming usability. As part of the same user experiment of 1,000 web browsers, we find that whitelisting a set of standard font files has the potential to more than quadruple the size of anonymity sets on average, and reduce the fraction of users with a unique font fingerprint below 10 %. We discuss other potential countermeasures.

Appendices

A Sample Fingerprint

This is a sample font metric fingerprint using the fast code point testing set of Table 3. The system represented is Tor Browser (Firefox 24.8.0) in Tails 1.1.1 [3]. The fingerprint can be hashed into a single short identifier rather than being stored in the long form shown here.

B Mean Anonymity Set Size from Entropy

This appendix contains a proof of the claim in Fig. 5, that an entropy measurement implies a mean anonymity set size. Refer to Sect. 3 for notation.

Claim

Let S be a vector of categorical values with N elements and k distinct values \(v_1,\ldots ,v_k\). For \(i\in 1,\ldots ,k\), let \(c_i\) signify the number of times \(v_i\) appears in S: \(P_S(v_i) = c_i / N\). Then the quantity \(N/2^{H(S)}\), shown in Fig. 5, is \(\left( \prod _{i=1}^k c_i^{c_i}\right) ^\frac{1}{N}\); that is, the geometric mean of the vector that results from replacing each element of S with the number of times that element appears (a vector where each \(c_i\) appears \(c_i\) times).

Proof

$$\begin{aligned}&N/2^{H(S)} \\ =&N/2^{\left( -\sum _{i=1}^k P_S(v_i) \log _2 P_S(v_i)\right) } \\ =&N \cdot 2^{\left( \sum _{i=1}^k \frac{c_i}{N} \log _2 \frac{c_i}{N}\right) } \\ =&N \prod _{i=1}^k 2^{\left( \frac{c_i}{N} \log _2 \frac{c_i}{N}\right) } \\ =&N \prod _{i=1}^k \left( \frac{c_i}{N}\right) ^{\frac{c_i}{N}} = N \left( \prod _{i=1}^k \frac{c_i^{c_i}}{N^{c_i}}\right) ^{\frac{1}{N}} \end{aligned}$$

Because \(\sum _{i=1}^k c_i = N\), \(\prod _{i=1}^k N^{c_i} = N^N\), and so

$$\begin{aligned}&N \left( \prod _{i=1}^k \frac{c_i^{c_i}}{N^{c_i}}\right) ^{\frac{1}{N}} = N \left( \frac{\prod _{i=1}^k c_i^{c_i}}{N^N}\right) ^{\frac{1}{N}} \\ =&N \frac{\left( \prod _{i=1}^k c_i^{c_i}\right) ^\frac{1}{N}}{N} = \left( \prod _{i=1}^k c_i^{c_i}\right) ^\frac{1}{N}. \end{aligned}$$

   \(\square \)