What is device fingerprinting?

Everyone who has ever experienced the following, raise a hand:

You go to a shopping site, look at a few different sweaters and then browse away. You haven’t logged in anywhere, accepted any cookies or told anyone who you are. Yet the exact same sweaters you looked at in the webshop keep appearing in ad after ad on other websites and in social media.

This can be the result of device fingerprinting, or browser fingerprinting as it’s also called.

Your digital fingerprint

We often hear that we leave digital fingerprints behind as soon as we use digital devices. But we rarely get an explanation of what these fingerprints consist of or how they are collected.

To begin with we want to distinguish between:

1. Personal information
   Personal information is information about you as a person: your name, date of birth, email address and similar.
2. Technical information
   Technical information is information about your computer or phone: brand, operating system, processor, which browser you use, your screen size, which time zone you’re in, which language you have set and so on.

http://fp.virpo.sk/

A good analogy is to view each individual piece of information as a ridge in a fingerprint. Looking at just one ridge in the fingerprint you can’t distinguish one individual from another. But if you look at all the ridges at once, i.e. the whole fingerprint, it becomes unique. Device fingerprinting works the same way: a single data bit, e.g. the fact that you use Mozilla Firefox, only makes you one of 250 million other users around the world. If, however, you take into account everything else your browser shares, such as screen resolution, language choice, graphics card, processor, time zone, system fonts, etc., your digital fingerprint becomes more or less unique.

To test how unique my digital fingerprint is I used an online tool called Panopticlick (https://panopticlick.eff.org/) and found that it was completely unique among the 234,173 users who had used the tool in the past 45 days. The accuracy is therefore good.

This means that by making a combined analysis of seemingly completely anonymous technical information, you (or rather your digital fingerprint) can be used to track your activities on the web. And it’s reasonably robust too. Even if you use tricks like blocking cookies or using a VPN (Virtual Private Network) to mask your IP address, you can still be identified via your digital fingerprint in 99% of cases.

Why does the browser send out this information in the first place?

Of course browser developers wouldn't include this feature if there wasn't a good reason. To build services on the web you need access to information about visitors' computers, tablets or phones and the environment they're in. You may need to adapt the design based on the user's screen resolution or ensure you guide the user to the correct language version of the site based on language settings. Some sites have special mobile versions and therefore need a way to determine whether a visitor is using a phone, a tablet or a regular computer. In general, the more advanced the service, the more information it needs about the user's digital device to ensure everything will work as it should. A very timely example of a type of service where one is entirely dependent on receiving information about the user's computer is videoconferencing, since you need to know exactly what capabilities the user's computer has for both receiving and sending video and audio.

At the same time there are signs that browser companies are worried about the trend. In 2019 Google announced that they will gradually make things like device fingerprinting harder in Google Chrome as part of what they call "The Privacy Sandbox". One strategy to limit the amount of technical information a browser exposes is to apply what they call a "privacy budget":

"Fundamentally, we want to limit how much information about individual users is exposed to sites so that in total it is insufficient to identify and track users across the web, except for possibly as part of large, heterogeneous groups."

In short, it means that a service is assigned a certain budget for how much information it can obtain from an individual user's browser. Each time information is collected, part of the budget is consumed. When the budget is exhausted, the user's browser also stops sharing the information. In this way it makes life harder for those using device fingerprinting because it's not possible to track an individual user over a longer period. Google itself says, however, that it's a complicated balancing act. If you tighten things too much you risk that ordinary websites and web services stop working.

Why not just use cookies?

So why not just write a cookie to the user's browser and use it to track the user's activity on the web? There are several reasons. Partly it's about legislation, partly about technology. Writing an identifying cookie to someone's browser is an active form of tracking and something the user themselves must legally consent to (at least within the EU since GDPR was introduced). It is therefore a more explicit way to track a user. But the main reason is that it is technically fairly easy to block cookies in your browser, which means tracking via cookies stops working. The technical information your browser shares is a completely passive form of tracking in that you only receive what you (or rather your browser) already sends, and it doesn't require cookies to work.

The very fact that your browser sends technical information whether you want it to or not, and that it can be intercepted and processed by various actors on the web in complete silence, is what attracts data brokers and marketers and frightens users and regulators.

What does GDPR say about this

If you look at how the GDPR is designed, it is technology-neutral. It does not list technologies or give examples of uses of technology that would constitute a breach of the GDPR. Instead it states that all data that can distinguish an individual from other individuals should be regarded as personal data. Note that this is not the same as identifying someone by name and image, but merely that one can distinguish and thereby trace an individual. With that definition, device fingerprinting therefore constitutes a breach of the GDPR.

Electronic Frontier Foundation (EFF) is a non-profit organisation that monitors digital privacy. They make the same assessment but at the same time say that even with the GDPR in place they do not expect it to affect the use of device fingerprinting to any great extent. Some companies that use device fingerprinting to track European citizens’ online activities will probably do everything in their power to argue that they have legitimate reasons to collect and use the information. Other actors, especially those outside the EU, will be willing to take the risk and simply ignore that their data collection falls under the GDPR. But EFF also says that these actors are taking a very big risk because the economic consequences would be massive if they were found out.

The only question is whether they will be caught?

What do the Swedish Data Protection Authority and the EU say

To clarify how many have been sanctioned under the GDPR for using device fingerprinting, we contacted the Swedish Data Protection Authority with the following question:

"Are there any examples of companies in Sweden or within the EU that have been sanctioned for using device fingerprinting to collect and process information without the user's consent?"

We did not receive a clear answer to that question, but we did at least get confirmation that device fingerprinting falls under the General Data Protection Regulation and that an actor who wants to use and process a user's technical data must obtain the user's consent to do so.

"If the electronic traces can be linked to an identifiable individual they constitute personal data and are therefore covered by the provisions of the General Data Protection Regulation.

The European Data Protection Board has in an opinion stated that device fingerprinting is covered by the provisions of the ePrivacy Directive. This means that an actor who wants to process device fingerprints on a user's device must obtain consent in accordance with the rules in the ePrivacy Directive. You can read the opinion here: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp224_en.pdf"

The opinion is from 2014 and thus not up to date. But from the opinion one can infer that device fingerprinting is a problem when it comes to personal privacy and that it is taken seriously within the EU:

"Device fingerprinting presents serious data protection concerns for individuals. For example, a number of online services have proposed device fingerprinting as an alternative to HTTP cookies for the purpose of providing analytics or for tracking without the need for consent under Article 5(3).1 This demonstrates that the risks presented by device fingerprinting are not theoretical and research has shown that device fingerprinting is already being exploited."

In summary, it seems that both at the national level and at the EU level they are aware of the problem. But it also seems that no one is doing anything concrete to identify and prosecute the companies or organisations that break the law through their use of the technology. The companies that provide the underlying infrastructure, e.g. Google, however seem more inclined to act to make things harder for those who abuse the technology.

Also read