Device fingerprinting is a technique used to track individual users or devices around the web by collecting information about a device or a browser. This data is then used to create a unique “fingerprint” by statistically analyzing the uniqueness of the data collected. This allows any entity to create a profile of a device or a user to track them around the web.
This presents a privacy issue for users since this tracking is conducted unbeknownst to them and there is no way to opt out. So naturally, fingerprinting has gained more notoriety recently during the ongoing debate about privacy and is being painted as a boogeyman for companies like Google who rely on cookies to conduct their advertising business.
Chetna Bindra, Senior Product Manager, User Trust and Privacy at Google, recently wrote in a blog post:
“...broad cookie restrictions have led some industry participants to use workarounds like fingerprinting, an opaque tracking technique that bypasses user choice and doesn’t allow reasonable transparency or control. Adoption of such workarounds represents a step back for user privacy, not a step forward.”
However, all these browsers have little to lose from blocking third-party cookies, and Google has billions of dollars of advertising revenue to protect. Google also happens to own Chrome, the most popular browser on the planet that (not surprisingly) allows third-party cookies.
Even though it fits into Google’s agenda to cite fingerprinting as a privacy concern, Chetna is correct in that fingerprinting does not allow any transparency or control and is indeed a threat to privacy. Firefox and Brave both provide mechanisms to prevent fingerprinting, so this is a commonly recognized privacy threat.
How does device fingerprinting work?
Whenever you load a web page, certain information can be discerned about your device. This information was originally intended to be transmitted to provide users with a more dynamic and usable website but it can be used to identify individuals — especially when combined with a user's IP address.
You can see an example of pieces of information that can be used to fingerprint you by using the Electronic Frontier Foundation’s free Panopticlick tool. See an example below (with my values omitted):
In addition to providing all the data points used to fingerprint, the tool also provides the odds of a browser matching any given data point. Companies can perform a statistical analysis on the uniqueness of all the fields in a single set and can determine with reasonable certainty if a specific device is unique. They then create and store your unique fingerprint so they can recognize you when these same values are seen again.
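The statistics described above can be reproduced on a small scale. The following is an added illustration, not code from the original article or from the EFF tool: it computes, for a constructed eight-browser sample, the bits of identifying information in each value and how many browsers share the full combination. The attribute names and values are made up for the example.

```python
import math
from collections import Counter

# Constructed sample: one tuple per observed browser (not real data).
ATTRS = ("user_agent", "timezone", "screen", "fonts_hash")
SAMPLE = [
    ("UA-A", "UTC-5", "1920x1080", "f1"),
    ("UA-A", "UTC-5", "1920x1080", "f1"),
    ("UA-A", "UTC-5", "1366x768", "f1"),
    ("UA-A", "UTC+1", "1920x1080", "f2"),
    ("UA-B", "UTC-5", "1920x1080", "f1"),
    ("UA-B", "UTC+1", "1366x768", "f2"),
    ("UA-B", "UTC+1", "1366x768", "f1"),
    ("UA-B", "UTC+1", "1366x768", "f1"),
]

def surprisal_bits(sample, attr, value):
    """Bits of identifying information in one value: log2(1 / share)."""
    idx = ATTRS.index(attr)
    matches = sum(1 for rec in sample if rec[idx] == value)
    if matches == 0:
        raise ValueError(f"{attr}={value!r} never seen in sample")
    return math.log2(len(sample) / matches)

def summed_bits(sample, record):
    """Naive total assuming independent attributes (an upper estimate)."""
    return sum(surprisal_bits(sample, a, v) for a, v in zip(ATTRS, record))

def anonymity_set_size(sample, record):
    """How many observed browsers share this exact combination."""
    return Counter(sample)[tuple(record)]

def unique_fraction(sample):
    """Share of browsers whose full combination appears exactly once."""
    counts = Counter(sample)
    return sum(1 for rec in sample if counts[rec] == 1) / len(sample)

if __name__ == "__main__":
    target = SAMPLE[3]
    for attr, value in zip(ATTRS, target):
        share = 2 ** surprisal_bits(SAMPLE, attr, value)
        print(f"{attr:11} {value:10} one in {share:.0f} browsers")
    print("summed bits:", summed_bits(SAMPLE, target),
          "| bits to single out one of", len(SAMPLE), "=", math.log2(len(SAMPLE)))
    print("browsers sharing the full combination:", anonymity_set_size(SAMPLE, target))
    print("unique in sample:", unique_fraction(SAMPLE))
```

In this sample every value of the fourth browser is shared by at least a quarter of the population, yet the combination appears only once. The summed bits exceed what is needed to single out one browser in eight because the attributes are correlated, so the sum should be read as an upper estimate.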
There are some positive uses of fingerprinting employed outside the ad tech industry. Banks and other companies can use fingerprinting to track suspicious activity. Device details are gathered whenever a user logs in to a sensitive account and used to determine if that device’s fingerprint was used previously to log in. This tactic can prevent unauthorized access to an account.
To Cookie or Not to Cookie?
Fingerprinting will continue to be rightfully recognized as a privacy concern while the cookie debate rages on. Without the tried and true method of using cookies to track conversion, attribution and to target specific audiences, less privacy-concerned ad tech companies will employ fingerprinting as a viable method of tracking users wherever they go. This will happen with no transparency to the user and without any means to opt out.
Cookies remain the lone alternative to browser fingerprinting if advertisers want to continue targeting individual users, but they bring their own privacy challenges. If the ad tech industry can follow Google’s lead on creating a more controlled and transparent cookie ecosystem, then it may just be the lesser of two evils that can benefit businesses and consumers.