Emoji rendering differences enough to identify devices and browsers

Tell-tale ❤️

Web developer Luis Alberto has shown how it is possible to identify the devices and browsers used by surfers visiting a website based on the available emojis their systems support.

The trick is based on how different browsers and devices render graphics via JavaScript and the HTML <canvas> element of HTML5.

Differences in rendering can be used to positively identify the browser a surfer is using even if the user agent is ambiguous.

“Brave sends the same user agent as Google Chrome but your emoji fingerprint can be detected,” Alberto explained.

The most marked rendering differences are seen in how the Chrome and Internet Explorer browsers display emojis, or how they are rendered on various Android devices, according to Alberto, whose testing on the topic has unearthed numerous subtle differences beyond the most obvious examples.

“From a total of 1791 emojis tested in 11 different browsers there are a total of 114 with differences between the same 11 and a minimum of 2 emojis with differences between at least 7 different browsers,” Alberto writes in a post on Twitter summarising his work.

Privacy advocates are aware that their online activities can be traced based on unique identifiers or a combination of markers beyond website cookies or similar (overt) tracking technologies. More subtle giveaways can include screen size and resolution or language settings, a list now joined by emoji rendering characteristics.

The cloak of anonymity offered by the Tor browser can also be lifted by markers such as screen size.

Therefore the discovery that emoji support falls into this category is noteworthy for those who wish to avoid being identified, such as human rights activists and journalists who may be using Tor as a countermeasure against content controls and surveillance in countries with poor human rights records.

Disabling JavaScript has severe usability drawbacks on most websites but should prevent the Canvas rendering of the emojis fingerprinting method outlined by Alberto.

YOU MIGHT ALSO LIKE German ISP challenges GDPR fine issued over inadequate customer ID checks