
Privacy and the Art of Blending In

Times are changing. Over the past year we’ve seen multiple browsers put in place efforts to prevent accidental data leakage, combat cross-site tracking, and in general make it more difficult to track specific devices and users across the internet. Cookies are not the only way to identify a visitor, however, and with the privacy protections being put in place by the browsers, there has been an increase in questions about whether the analytics and advertising industries should switch to browser fingerprinting to solve their tracking needs.

How tracking typically works on the web

Normally on the web, cookies are used for identification from one web page to the next. While a lot has been said claiming the evilness of said cookies, the fact remains that, at least for now, the presence of cookies is what allows users to log in, use social media, do online banking and a number of other activities. Having some sort of token that syncs state between the client (your browser) and the server is required for the technology to work.

What we’ve seen with the privacy war playing out across the web is that sometimes these tokens are deleted or reset systematically by the browser.  This effectively divorces previous behavior from new behavior unless some other self-identifying indicator is present to link the before state and after state of this reset.

The net result is that systems such as Safari’s Intelligent Tracking Prevention, Edge’s Anti-Tracking Tech, or Firefox’s Enhanced Tracking Protection seek to make it harder to target you: some of the stateful identifiers are concealed or removed, making it harder to pick you specifically out of the larger population.

Put another way, it’s hiding in plain sight. What you see is a school of fish, but it’s hard to identify a specific fish as they swim in the school unless you have some sort of identifying markers with which to make that determination.

What is Browser Fingerprinting

Browser Fingerprinting is different. It doesn’t rely on cookies, localStorage or any other token commonly used for state tracking. Instead, it looks at the information the browser provides by default and at the APIs available, then records data on the browser and how your hardware behaves. The unique data points discovered combine to create a device fingerprint.

Going back to the picture of the fish, this is roughly equivalent to measuring the exact scale pattern and fin size of each fish.  While all the fish have scales, and they all have fins, it’s very unlikely two fish have the same exact scale pattern as well as the same exact fin sizing.  So armed with the exact fin sizing and scale pattern you could then reasonably identify each specific fish time and again.

The same principle applies to your computer – given enough information about how it works, there is a very reasonable chance a site could identify you again in the future based on the number of unique markers it has tagged you with previously.

The act of fingerprinting is increasingly seen as a solution to the privacy protections being put into browsers. You can even see evidence that banks have explored using fingerprinting and behavioral biometrics in past efforts to identify users and protect against fraud, but how do the browsers feel about this?

Most of the major browsers have agreed to limit fingerprinting – which is often something the users have no control over. Rather than having you blend in as Safari and Firefox would do, Brave is looking at a different path.

Brave’s Fingerprinting Plan

A few days ago Brave announced a plan for how they’d like to handle fingerprinting. Instead of adjusting how the browser behaves in order to make you indistinguishable from the rest of the population, it’s going to inject random information – which has the net effect of making you very noticeable. While this may seem to defeat the purpose of fighting fingerprinting, the browser will provide this protection by consistently randomizing the data on several APIs, creating tens, dozens or hundreds of unique device signatures over time. So provided the user does not self-identify, the identification window will be minimal, ending when the re-randomization occurs as the user switches sites or ends the browsing session.

If you want more technical details, Brave has a wiki page explaining this new approach. 

The effect on Advertising and Analytics

In the first scenario, used with Safari’s Intelligent Tracking Prevention, tokens are blocked or reset – it will be harder to segment visitors into various audiences because the identity identified by the segment may only be temporary. This means you may have segments of traffic which become unreachable via targeted advertising methods. It may mean you have segments which are loyal users, but whom you are considering ‘new’ to the site because you lack the information to know they’ve been there before.

This can break:

  • Lookback Windows  
  • Channel Attribution
  • Segmentation (resulting in segments larger/smaller than actual – depending on traffic volume, possibly an order of magnitude in difference).
  • A possible sharp increase in identifiers used in visitor stitching and identification. 
  • Unreachable audiences.

The above list is not comprehensive.

But what about what Brave is proposing? Largely the same, due to how Brave fights tracking and deviates from Chrome.

However, the introduction of randomization could cause an explosion in audience size should the methods be adopted by Brave and the other browsers follow suit. Data Platforms, for example, could end up swamped in identifier fragmentation as a single customer is bound to hundreds of device fingerprints.

The fact is, at the end of the day, most of these audiences identified by fingerprinting will cease to exist as soon as the browser is closed, rendering them unreachable for advertising across the web or even cross-session on the same site.

If this tech becomes widely adopted it realistically could be a valid defense against fingerprinting.
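The blend-in and randomization approaches described under Brave’s Fingerprinting Plan, and the identifier fragmentation described in this section, can be compared in a small model. This is an added example, not code from Brave or any browser: the device values, the seed strings, the site names and the HMAC-based noise are all constructed assumptions chosen to mirror the behaviour the post describes.

```javascript
const { createHash, createHmac } = require('crypto');

// Constructed sample devices: values a script can read without any cookie.
const devices = [
  { screen: '2560x1440', fonts: 212, canvas: 0.4137, audio: 124.0434 },
  { screen: '1920x1080', fonts: 187, canvas: 0.9021, audio: 124.0431 },
];

// The fingerprint: a hash over every data point the browser exposes.
function fingerprint({ screen, fonts, canvas, audio }) {
  const joined = [screen, fonts, canvas, audio].join('|');
  return createHash('sha256').update(joined).digest('hex').slice(0, 16);
}

// Blend in: every browser reports the same standardized values,
// whatever the real device looks like.
function blendIn(_device) {
  return { screen: '1920x1080', fonts: 100, canvas: 0.5, audio: 124 };
}

// Randomize: noise derived from a per-session seed and the site name, so the
// values hold steady on one site but change across sites and sessions.
// (Assumed model; a real browser would draw the seed at random.)
function randomize(device, sessionSeed, site) {
  const mac = createHmac('sha256', sessionSeed).update(site).digest();
  const noise = (i) => mac.readUInt16BE(i * 2) / 65536 / 1000; // below 0.001
  return { ...device, canvas: device.canvas + noise(0), audio: device.audio + noise(1) };
}

// Identifier fragmentation: distinct fingerprints one device yields on one
// site over a number of browsing sessions.
function distinctIds(device, site, sessions) {
  const seen = new Set();
  for (let s = 0; s < sessions; s++) {
    seen.add(fingerprint(randomize(device, `seed-${s}`, site)));
  }
  return seen.size;
}

const [devA, devB] = devices;
console.log('unprotected, A and B differ:', fingerprint(devA) !== fingerprint(devB));
console.log('blend in, A and B identical:',
  fingerprint(blendIn(devA)) === fingerprint(blendIn(devB)));
console.log('randomized, one session, two sites differ:',
  fingerprint(randomize(devA, 'seed-0', 'shop.example')) !==
  fingerprint(randomize(devA, 'seed-0', 'news.example')));
console.log('randomized, ids for A over 100 sessions:', distinctIds(devA, 'shop.example', 100));
```

From the analytics side, the last line is the fragmentation problem: one device on one site shows up as a new identifier in every session.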

Conclusion 

Fingerprinting has come a long way since some of the earliest examples. It’s hard to stop while also allowing the technology to work. Would I recommend adopting it?

No.  

User identification and profiling still fall under the same laws as working with cookies. The fact that you don’t use cookies isn’t relevant. This may mean that, depending on your location, you are still subject to the provisions of laws such as the General Data Protection Regulation or the California Consumer Protection Act.

With that in mind, if your company was subject to a data disclosure request, how comfortable would you be disclosing that you have extensive information about how their computer behaves which is not at all related to your core product of selling shoes? There is a very real public relations aspect to consider when engaging in profiling on this level.

Further, major browsers are seeking to limit fingerprinting – which is often invisible to the user, and difficult or impossible to disable. I consider it risky, at best, to work on developing tech for use when the major browser makers have stated it’s their goal to break it. 

Instead I would advise building strong, consented first-party relationships and encouraging the user to self-identify via some mechanic such as login. Encouraging users to be more open with your company is bound to serve you better than fire-fighting fingerprinting breakage as the browsers continue to clamp down and shrink the fingerprinting surface.

Published in: Analysis, Browser Updates, Privacy