WTF is device fingerprinting?
The cookie is the best-known method for identifying and tracking people online. But it’s not the only one. For years, device fingerprinting has gone somewhat under the radar as a more surreptitious alternative to the cookie. However, browser makers including Apple, Google and Mozilla have recently targeted device fingerprinting as a privacy-invasive practice that they are looking to eradicate as part of a broader crackdown on online tracking.
WTF is device fingerprinting?
Device fingerprinting is a way to combine certain attributes of a device — like what operating system it is on, the type and version of web browser being used, the browser’s language setting and the device’s IP address — to identify it as a unique device. It’s an imperfect method of identification. Unlike the cookie, which is effectively a tracking monitor placed on an individual device, device fingerprinting relies on the probability that a device recognized as having certain attributes on one day is the same device seen with those same attributes on another day.
What is it used for?
Using device fingerprinting to identify and track someone online is similar to recognizing someone in a police lineup. A witness may remember certain characteristics of a suspect — like how tall they were, their hair color and length, whether they were male or female, etc. — and if someone in the lineup shares those characteristics, the witness may assume that person is the suspect. They may be right, but they’re effectively making an informed guess about the person’s identity based on this patchwork of information.
Device fingerprinting can, in some ways, be a more reliable way of identifying and tracking devices online. The practice emerged within the online advertising industry as an alternative to the cookie for environments like mobile apps where companies cannot place cookies to definitively track individual devices. And since people can delete cookies from their browsers but are less likely to change operating systems or reset their IP addresses, device fingerprinting can provide a more consistent way of tracking people around the web.
Device fingerprinting seems shady. Is there any way for someone to not let companies use device fingerprinting to track them online?
Not really. People can use virtual private networks to disguise their IP addresses, but for the most part, device fingerprinting is hard for individuals to prevent. That’s because the information used for device fingerprinting is basic information that’s passed anytime a website loads in a browser in order to make sure the site loads properly, such as by recognizing that a person is using a browser that doesn’t support a particular feature or is set to view content in a particular language.
Can’t web browsers do anything to prevent device fingerprinting?
Yes, and they are. Over the past year, Apple, Google and Mozilla have announced that they will be limiting device fingerprinting within their respective browsers. They are taking different approaches to this. Apple obscures the data that is collected and combined for fingerprinting in an effort to make it harder for companies to use that information to identify a device while still passing enough of the data for sites to load properly. Mozilla relies on a third-party list that names specific companies that perform fingerprinting and blocks those companies from accessing the information used for fingerprinting. And Google has proposed, but not implemented, a “privacy budget” to put a cap on how much of the information used for device fingerprinting a given company can access at a time.
Do a lot of ad tech companies use device fingerprinting to track people?
It’s unclear, even among ad tech companies. Digiday asked seven ad tech companies — BounceX, Dataxu, Index Exchange, LiveRamp, Lotame, Sovrn and Tapad — if they use device fingerprinting, and all seven said that they do not because of the difficulty in providing people with an option to opt out of this kind of tracking.
“I don’t see a wide utilization of fingerprinting,” said Mark Connon, COO of Tapad, an ad tech company that specializes in cross-device advertising.
However, while those companies don’t use device fingerprinting, others might. Ad exchanges have asked Dataxu CTO Bill Simmons whether the automated ad-buying firm uses device fingerprinting, and when he replies that Dataxu does not, “people are surprised we don’t,” said Simmons, who has taken the exchanges’ response as indication that many ad tech companies may use fingerprinting.
A clearer indication of which companies use fingerprinting can be found in the list of companies that Mozilla uses to block fingerprinting. That list includes ad verification firm DoubleVerify and demand-side platform MediaMath. MediaMath declined to comment on its use of fingerprinting, and DoubleVerify did not respond to a request for comment. However, it’s possible that neither company uses fingerprinting to track people for ad targeting purposes.
Is this just for ad targeting?
Not at all. Bank websites, for instance, can use the same information to check whether a person trying to log into a given account is the person who owns that account based on whether they are using a device or browser that has been previously used to log in, said Lotame CMO Adam Solomon. It can also be used for measuring ads across multiple devices. Companies often use IP addresses to associate multiple devices that connect to the same wifi network within a single household. This association helps them to recognize how many times a given brand’s ads were shown across those devices so that they can manage the frequency with which people are bombarded with the brand’s ads.
‘It’s really just like a catalog’: Overheard at the Digiday Media Marketplace Strategies Forum
Top concerns expressed included navigating selling on a multitude of new marketplaces and maintaining brand equity in the face of third-party sellers
The Rundown: Facebook recommends spending your way through its measurement problems
Facebook estimates that it is under-counting conversions from iOS devices by about 15%.
The definitive Digiday guide to what’s in and out in the privacy conversation this year
The race against the loss of the third-party cookie has created a slew of competitors. Here is Digiday's guide to who is in and out.
SponsoredHow retailers can be ready for holiday shoppers this year
Suchi Sastri, managing director and partner, Boston Consulting Group As the holiday season approaches and the pandemic continues to evolve, retailers want to know what to expect. Will e-commerce continue to grow at the rate it did last year? How big of a role will in-store shopping play in holiday shopping? While it’s still early, […]
‘Create cultural touchstone moments’: Why this direct-to-consumer shoe brand added sabbaticals for employees this year
A Salt Lake City, Utah-based company is one of a number of employers looking for new ways to engage employees and foster office culture despite the continued work from home environment due to the Delta variant.
How the new CEO of the IAB Tech Lab plans to support a responsible digital ad ecosystem
Anthony Katsur is only weeks into his new role as the CEO of the IAB Tech Lab, but already has big plans for what he wants to do at the organization.