Device fingerprinting is a technique used to track individual users or devices around the web by collecting information about a device or a browser. This data is then used to create a unique “fingerprint” by statistically analyzing the uniqueness of the data collected. This allows any entity to create a profile of a device or a user to track them around the web.
This presents a privacy issue for users since this tracking is conducted unbeknownst to them and there is no way to opt-out. So naturally, fingerprinting has gained more notoriety recently during the ongoing debate about privacy and is being painted as a boogeyman to companies like Google who rely on cookies to conduct their advertising business.
Chetna Bindra, Senior Product Manager, User Trust and Privacy at Google recently wrote in a blog post:
“...broad cookie restrictions have led some industry participants to use workarounds like fingerprinting, an opaque tracking technique that bypasses user choice and doesn’t allow reasonable transparency or control. Adoption of such workarounds represents a step back for user privacy, not a step forward. “
Her post outlined more thoughtful steps on how the ad tech industry can more responsibly use cookies and transparently present how user data is applied in digital advertising. This was in direct response to the other major browsers like Firefox now blocking 3rd party cookies by default. Safari had already blocked 3rd party cookies and the more niche, privacy-focused browser Brave does this out of the box.
However, all these browsers have little to lose from blocking third-party cookies, and Google has billions of dollars of advertising revenue to protect. Google also happens to own Chrome, the most popular browser on the planet that (not surprisingly) allows 3rd party cookies.
Even though it fits into Google’s agenda to cite fingerprinting as a privacy concern, Chetna is correct in that fingerprinting does not allow any transparency or control and is indeed a threat to privacy. Firefox and Brave both provide mechanisms to prevent fingerprinting, so this is a commonly recognized privacy threat.
How does device fingerprinting work?
Whenever you load a web page, certain information can be discerned about your device. This information was originally intended to be transmitted to provide users with a more dynamic and usable website but it can be used to identify individuals — especially when combined with a user's IP address.
Screen resolution, time zone, system fonts, and user-agent are examples of the pieces of data readily available for collection through HTTP headers or Javascript. While these data points can be used for good, they can also be used for more nefarious means of tracking you via fingerprinting.
You can see an example of pieces of information that can be used to fingerprint you by using the Electronic Frontier Foundation’s free Panopticlick tool. See an example below (with my values omitted):
In addition to providing all the data points used to fingerprint, the tool also provides the odds of a browser matching any given data point. Companies can perform a statistical analysis on the uniqueness of all the fields in a single set and can determine with reasonable certainty if a specific device is unique. They then create and store your unique fingerprint so they can recognize you when these same values are seen again.
Through research collected on Panopticlick of 500,000 browsers, the EFF found that “...84% had unique configurations. Among browsers that had Flash or Java installed, 94% were unique”. Since Flash and Javascript provide more data to further narrow down uniqueness, it makes fingerprinting even more effective.
Javascript can also be used in conjunction with the Canvas HTML API to create a unique hash based on the specific way your computer renders images. Web browsers process images differently and operating systems render and anti-alias fonts in their own unique way - all of which can be analyzed and stored to contribute to your unique fingerprint.
There are some positive uses of fingerprinting employed outside the ad tech industry. Banks and other companies can use fingerprinting to track suspicious activity. Device details are gathered whenever a user logs into a sensitive account and used to determine if that device’s fingerprint was used previously to login. This tactic can prevent unauthorized access to an account.
To Cookie or Not to Cookie?
Fingerprinting will continue to be rightfully recognized as a privacy concern while the cookie debate wages on. Without the tried and tried method of using cookies to track conversion, attribution and to target specific audiences, less privacy-concerned ad tech companies will employ fingerprinting as a viable method of tracking users wherever they go. This will happen with no transparency to the user and without any means to opt-out.
Cookies remain the lone alternative to browser fingerprinting if advertisers want to continue targeting individual users, but they bring their own privacy challenges. If the ad tech industry can follow Google’s lead on creating a more controlled and transparent cookie ecosystem, then it may just be the lesser of two evils that can benefit businesses and consumers.
