If we can’t fingerprint you, we’ll fingerprint your device
Privacy rules such as the new GDPR regulations may be just the push that trackers need to stop identifying individual people, and instead focus on precisely identifying the device that these individuals are holding using a variety of “fingerprinting” techniques.
Think about it: there’s not much of a difference between compiling data about the online activities of you as an individual and the online activities conducted with your device—especially as almost everyone has their own devices these days.
Skipping over the GDPR hurdles
The new GDPR has thrown a complicating knot in how companies collect “personal data,” data which includes the person’s ID number or other factors specific to their physical and social identities. In addition, GDPR also includes the right to data erasure for individuals, requiring companies to be prepared to delete their records on individuals if requested.
One potential way out of this situation is for data trackers and brokers to move away from tracking individual people—and instead develop a set of technical criteria for identifying individual smartphones and computers. Even without collecting the ID number and the actual name, the tracking results are just about the same.
Your device also has its unique fingerprint
Yes, your device has a number of specific features, making it easy to single out from the millions of other devices out there. These features can be divided into three major categories: browser extensions (AdBlock), website logins (Facebook), and its technical fingerprint.
One canvas fingerprinting technique, for example, uses HTML5—the latest version of the web content markup language—to have your browser paint or draw a 3D graphic shape, and converts this into a digital token. This special portrait of your device is influenced by variables such as the operating system, browser, programs, and screen settings. For a quick look at your own computer, try this test. This is what I learned about my work computer:
While adblockers may reduce the number of ads hitting your eyeballs, they are limited in their ability to stop fingerprinting. The above portrait of my computer happened, despite me running Adblock and the Privacy Badger ad blocker and tracker blocker.
It’s a cat and mouse game (you are the mouse)
The jury is still out on how often fingerprinting techniques are used. The difficulty in detecting—and stopping it—makes it more attractive. Unlike a malware alert from your antivirus, you are unlikely to ever know if your device is being fingerprinted.
For example, EFF’s Privacy Badger lists trackers, but they do not go into the specific techniques used by each of them. However, if you are using the Tor Onion browser, you will get a palette-shaped pop-up with the option to accept or deny the HTML 5 fingerprinting technique.
Firefox gives users an option to tweak the browser settings to block most fingerprinting attempts.
Change is coming… sometime
With companies still struggling to get used to the GDPR regulations, fingerprinting has largely escaped scrutiny. That will eventually change for two primary reasons, according to the Electronic Frontier Foundation. First, they believe that this type of sneaky collection of data is just what the GDPR regulations are designed to prevent. Second, the EU is about to revise its ePrivacy Directive – best known for requiring websites to warn you about their use of tracking cookies. Limiting fingerprinting might be the next step.
Until then, just think a bit about the privacy of you and your device. The technical specs on your device and the apps running on it reveal as much of your personal data—or even more—than placing your inky finger on a piece of paper.