Google Chrome and other browsers let any website track you - here's how to stop it

SAN FRANCISCO -- Your Web browser is leaking far more information than you think, two researchers said at the RSA conference here last week. But there are still ways to protect your privacy.

Microsoft Edge, Mozilla Firefox, Google Chrome, and Apple Safari all tell the websites you visit what operating system you are running, what video card you have, your audio settings, screen resolution, the number of CPU cores in your machine, your time zone, language, general location, installed fonts, and, if you allow it, your specific location.

On smartphones and tablets, the browser adds data from the device's accelerometer, gyroscope, and magnetometer, plus the amount of ambient light and the device's location.

These and many other parameters can be aggregated and compared to other browsers' parameters to pick you out of tens of thousands of web users. No tracking cookies are required. Your browser has already told the website who you are.

To see how pervasive this is, you can go to the website BrowserLeaks.com to see exactly what your browser is offering.

For example, according to BrowserLeaks, a Chromebook connected to the Internet at San Francisco International Airport using the American Airlines Wi-Fi network in Terminal 2 has a "uniqueness" of 99.998%, which BrowserLeaks reports as "528,769 user agents, 13 of whom have the same signature."

In other words, the Chrome browser on the Chromebook stands out as completely unique among 40,000 web users.

This is just using the Canvas element of modern browsers, a graphical component of the HTML5 standard. BrowserLeaks calls this Canvas test "rude and nominal" because it does not even involve parameters such as time zone, language, location, or dozens of other things that would further narrow down your identity.

Various browsers on different operating systems give different canvas uniqueness results.

Microsoft Edge on a Windows 10 laptop connected to Time Warner Cable in Brooklyn, New York, was somewhat commonplace, with a uniqueness of 99.41%, or one match out of 169 users.

However, Safari on a Mac was 99.99% unique and Firefox on Android was 99.998% unique, or only one match out of 58,700 users.
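The uniqueness figures above come from comparing one browser's reported attributes with everyone else's. The sketch below is an added example, not code from BrowserLeaks or the presenters: the visitor records and attribute names are constructed, and it assumes "uniqueness" means the share of recorded user agents that do not share your signature, which reproduces the 99.998% and 99.41% figures quoted in the article.

```javascript
// Constructed sample of attributes reported by six browsers (not real data).
const ATTRS = ["os", "browser", "screen", "tz", "cores"];
const population = [
  { os: "Windows 10", browser: "Chrome", screen: "1920x1080", tz: "America/New_York", cores: 8 },
  { os: "Windows 10", browser: "Chrome", screen: "1920x1080", tz: "America/New_York", cores: 8 },
  { os: "Windows 10", browser: "Chrome", screen: "1920x1080", tz: "America/Chicago", cores: 4 },
  { os: "Windows 10", browser: "Edge", screen: "1366x768", tz: "America/New_York", cores: 4 },
  { os: "macOS", browser: "Safari", screen: "2560x1600", tz: "America/Los_Angeles", cores: 8 },
  { os: "Linux", browser: "Firefox", screen: "1000x900", tz: "UTC", cores: 2 },
];

// Assumed definition: percentage of user agents that do NOT share the signature.
function uniquenessPercent(total, sameSignature) {
  return (1 - sameSignature / total) * 100;
}

// Join the chosen attributes into one comparable signature string.
function signature(record, attrs) {
  return attrs.map((a) => `${a}=${record[a]}`).join("|");
}

// Anonymity set: how many records (the visitor included) share the signature.
function anonymitySet(records, visitor, attrs) {
  const sig = signature(visitor, attrs);
  return records.filter((r) => signature(r, attrs) === sig).length;
}

// Anonymity set size as attributes are added one at a time, in ATTRS order.
function shrinkage(records, visitor, attrs) {
  return attrs.map((_, i) => {
    const used = attrs.slice(0, i + 1);
    return { used, sameSignature: anonymitySet(records, visitor, used) };
  });
}

// The article's own numbers, then a common and an unusual configuration.
console.log(uniquenessPercent(528769, 13).toFixed(3) + "%");
console.log(uniquenessPercent(169, 1).toFixed(2) + "%");
for (const visitor of [population[0], population[5]]) {
  for (const step of shrinkage(population, visitor, ATTRS)) {
    console.log(visitor.browser, step.used.join("+"), "->", step.sameSignature);
  }
}
```

The common Windows/Chrome configuration still shares its full signature with another record, while the unusual one is alone in the set from the first attribute onward.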

"Like any other tool, browser fingerprints can be used for better or worse," said Daniel Ayoub, LexisNexis' executive in charge of product management, who presented the findings with colleague Dean Weinert.

Ayoub asked the crowd of hackers and security experts if they thought it was acceptable for advertisers and marketers to use browser fingerprinting to display tailored ads to users. A clear majority of the audience agreed with a show of hands.

"This is used every day in the background by e-commerce solutions and most users are unaware of it. But that's fine with most of the people in this audience."

Similarly, the crowd thought it was fine for banks and other financial institutions to use browser fingerprinting to detect fraud.

However, few in the audience were comfortable with websites using browser fingerprinting to collect user behavior and selling that data to third parties.

If you too find it offensive, there are a few things you can do, but they are not what you might think. Blocking tracking cookies, blocking ads, using incognito or private mode, or even using privacy-oriented browsers or protocols like Tor or Brave won't really help you hide, Ayoub says. Instead, they may make you stand out.

"Imagine you're in a crowded airport terminal and this guy walks in wearing a fedora, a trench coat, and a bandage on his face," Ayoub said. "Who is he? Invisible, of course. But he's not invisible."

"I don't want to be invisible," says Ayoub. "I want to be ordinary."

"Try to blend in with the crowd. Use common browsers, common operating systems, common configurations." Don't obfuscate or hide browser attributes.

Nevertheless, after we enabled an extension that blocks JavaScript in Chrome on Windows, BrowserLeaks was unable to return any information about our exact location or our system hardware.

Canvas fingerprinting tests also did not work. We only found out that they were using Time Warner Cable in Brooklyn. The other side's server might still be getting a lot of information, but we did not know.

You may not be the only one hiding in the crowd. Criminals often do too, and they have special tools to spoof browser identities.

"If every device on the Internet looks exactly the same, that protects the sheep, but it also protects the wolves," says Ayoub.

For example, if a known user of a bank is using Mozilla Firefox on a Mac with a resolution of 1920 x 1080 running macOS Mojave 10.14.1 and is located in the Bay Area at a particular IP address, the bank knows it, and the user will not be made to go through the extra hassle when logging on to their online account.

Criminals could possibly lure a user to a benign website, obtain that user's browser information, and spoof all of those unique browser attributes to gain access to the online bank account. If the browsers match, the bank may be unaware of the scam.

Some of these tools cost an additional upfront fee of $100 per month, and sometimes thousands of dollars, to license from cybercrime software development companies. For professional scammers, it is worth it.

"Having one of the best fingerprint bypass tools is like printing your own money," Weinert says. "There are pirated or cracked versions of these tools, but they are riddled with malware."

A PDF of Ayoub and Weinert's presentation is on the RSA 2020 website.
