What is digital fingerprinting: Is my device ever truly anonymous?

What is it?

Fingerprinting is the automatic collection of individual users’ browser and/or device data (e.g., IP address, browser version, Operating System) to create a unique ‘fingerprint’ for that user. This automatic data collection happens at the moment a user accesses a website or app. Typically, it’s not possible for a user to block this information being shared and devices connected to the internet will provide this information when it is requested.

Examples of data that may be automatically collected includes:

• Browser name
• Browser version number
• Operating system
• Location of the website being accessed
• IP address
• Screen size
• Screen resolution
• Battery life
• Timezone
• Language/locale
• Installed fonts
• Hardware details, such as device architecture and memory capacity
• Referrer, as in which page the user accessed before the current page

On the surface, data like screen size (or more accurately canvas size, as in the size of browser window) and browser data may appear generic and non-identifiable; however, the likelihood of two individuals having the exact same combination of browser and device fingerprint data is so statistically low that individual users are often unique, and consequently identifiable.

You can find out just how unique your device fingerprint using an online tool like one of these:

https://coveryourtracks.eff.org/
https://howthey.watch/you/
https://trackme.dev/
https://amiunique.org/
https://browserleaks.com/canvas

Why is it done?

There can be practical and justified uses for fingerprinting. Websites and services may need to know certain information about a user’s device in order to appropriately display the content and its layout (e.g. responsive design which allows a website to adapt to whether a phone, tablet or PC is being used)

Or, an online banking website might need to uniquely identify a user to protect against fraud. Unique device identifier data may be needed to distinguish between a trusted user/device versus a potential bot or hacker accessing the site from an entirely different region.

Crash reporting services may also use this type of data, as an app may seek to identify which devices or browsers lead to a higher rate of issues, or seek to understand the geographic breakdown of app crash reports to ‘improve’ services and develop aggregated analytics for prioritising improvements.

While it may not be a problem for an individual website to know that a user is using the mobile version of the site in the GB region, functional reasons for data collection leave the door open to potentially pernicious uses of the same data.

How might digital fingerprinting data be exploited?

Fingerprint data has proven vital to the AdTech industry in the past, as ‘digital fingerprinting combines multiple user data signals collected on device, building a profile that transcends websites to identify you and everything you like and are likely to buy’. This behavioural data can be sold on to further data brokers and advertisers and used for dataset enrichment.

The slow demise in use of the more popular technique of third-party cookies has left a gaping hole for advertisers in their attempts to find an alternative tracking technique.

Amidst these changes it is interesting that Google has reversed their stance on this practice. Google had previously prohibited its advertising products from deploying fingerprinting (e.g., targeting IP address data) due to what it considered to be obvious privacy and consent concerns, but the company has now reversed this stance.

The UK Information Commissioner’s Office (ICO) has also gone as far as to say that the practice of fingerprinting, if used for tracking purposes, risks replicating the invasive tracking functions of third-party cookies.

Running out of cookies?

Third party cookies are tracking files embedded by domains other than the website the user is currently visiting. They allow third party advertisers to map user activity and browsing habits across multiple sites in order to build a behavioural profile on the user to target ads to them across domains.

Over recent years, the use of third-party cookies has been blocked by a number of browsers and various alternatives to their use have been proposed by large and small(er) AdTech industry actors alike.

What does this mean for users and our privacy?

A user may accept the collection of their fingerprint data for functional reasons (like crash reporting), but they might not have understood the risk that this data could be used for advertising purposes. Just like cookies, collecting user data through fingerprinting techniques requires the user’s consent. But, because fingerprinting can occur invisibly in the background the moment a user navigates to a website or opens an app, data can be automatically collected before user consent is obtained.

This issue of consent raises wider concerns around the lack of user control. Fingerprinting techniques make it harder for users to both detect what data is being collected about their online activity, and to prevent it happening. Some data that can be used for fingerprinting is sent out without even being requested, meaning that its collection is hard to detect. Even when information must be requested, it may be hard to know when requests are legitimate or not.

While it’s possible to delete cookies from your device, fingerprinting tracks more permanent digital identifiers that a user cannot so easily wipe, such as hardware specifications and browser settings. This type of hardware data can be harder to modify and effectively impossible to delete. Additionally, fingerprinting is harder for browsers and extensions to block, so ‘even privacy-conscious users will find this difficult to stop’.

In the end, fingerprinting is an unfair means of tracking users online that is intrusive, invasive, and prevents control over how information is collected.

What you can do to protect yourself

Options for how to protect against fingerprint tracking largely involve having to make potentially difficult trade offs - ad blockers may sufficiently block some tracking scripts, but they can’t easily block fingerprinting tracking due to fingerprinting being so embedded in the service of browsers and devices. Options include:

• Browser extensions like cookie managers or ad-blockers traditionally help protect users’ privacy from cookies and similar trackers - but with digital fingerprinting, the downloading of these extensions ironically only provides more unique fingerprint data or may require a higher level of technical knowledge to set up properly.
• Disabling Javascript as most trackers run on it, but many websites will be inaccessible or their functionality heavily limited because they typically run on Javascript - a significant trade-off.
• Some browsers offer anti-fingerprinting tools such as browser randomisation or enhanced tracking protections. Their effectiveness may be limited and a more throughly fingerprint-resistant browser, such as Tor, may be a significant trade-off for those who might be required to use a mainstream browser for work or other reasons.
• Some VPNs also offer some protection by blocking DNS requests to known tracker domains.

The limited control you, the user, have ultimately demonstrates how we’re in the hands of others who get to decide how websites and apps work, such as the amount and type of fingerprint data they collect. The invisible and embedded nature of fingerprinting risks deep tracking and surveillance of users’ online activity and behaviour. With companies like Google able to change their fingerprinting policies at will, and users having to potentially accept a distinct loss in functionality in order to have a tracker-free experience, we are reminded of the need to always be aware of the power imbalances at play in how the internet (and its reliance on advertising) is designed.