The cookie is the best-known method for identifying and tracking people online. But it’s not the only one. For years, device fingerprinting has gone somewhat under the radar as a more surreptitious alternative to the cookie. However, browser makers including Apple, Google and Mozilla have recently targeted device fingerprinting as a privacy-invasive practice that they are looking to eradicate as part of a broader crackdown on online tracking.
WTF is device fingerprinting?
Device fingerprinting is a way to combine certain attributes of a device — such as the operating system it runs, the type and version of web browser being used, the browser’s language setting and the device’s IP address — to identify it as a unique device. It’s an imperfect method of identification. Unlike the cookie, which is effectively a tracking monitor placed on an individual device, device fingerprinting relies on the probability that a device recognized as having certain attributes on one day is the same device seen with those same attributes on another day.
What is it used for?
Using device fingerprinting to identify and track someone online is similar to recognizing someone in a police lineup. A witness may remember certain characteristics of a suspect — like how tall they were, their hair color and length, whether they were male or female, etc. — and if someone in the lineup shares those characteristics, the witness may assume that person is the suspect. They may be right, but they’re effectively making an informed guess about the person’s identity based on this patchwork of information.
Device fingerprinting can, in some ways, be a more reliable way of identifying and tracking devices online. The practice emerged within the online advertising industry as an alternative to the cookie for environments like mobile apps where companies cannot place cookies to definitively track individual devices. And since people can delete cookies from their browsers but are less likely to change operating systems or reset their IP addresses, device fingerprinting can provide a more consistent way of tracking people around the web.
Device fingerprinting seems shady. Is there any way for someone to not let companies use device fingerprinting to track them online?
Not really. People can use virtual private networks to disguise their IP addresses, but for the most part, device fingerprinting is hard for individuals to prevent. That’s because the information used for device fingerprinting is basic information that’s passed anytime a website loads in a browser in order to make sure the site loads properly, such as by recognizing that a person is using a browser that doesn’t support a particular feature or is set to view content in a particular language.
Can’t web browsers do anything to prevent device fingerprinting?
Yes, and they are. Over the past year, Apple, Google and Mozilla have announced that they will be limiting device fingerprinting within their respective browsers. They are taking different approaches to this. Apple obscures the data that is collected and combined for fingerprinting in an effort to make it harder for companies to use that information to identify a device while still passing enough of the data for sites to load properly. Mozilla relies on a third-party list that names specific companies that perform fingerprinting and blocks those companies from accessing the information used for fingerprinting. And Google has proposed, but not implemented, a “privacy budget” to put a cap on how much of the information used for device fingerprinting a given company can access at a time.
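To make the “privacy budget” idea concrete, here is an added sketch (not Google's design or code) of a per-company cap on how much fingerprinting information can be read. The `PrivacyBudget` class, the bit estimates, the company names and the device values are all constructed assumptions.

```javascript
// Constructed estimates (assumption) of how many bits of identifying
// information each attribute reveals; illustrative, not measured values.
const ATTRIBUTE_BITS = new Map([
  ['language', 2], ['os', 3], ['browserVersion', 4], ['ip', 12],
]);

class PrivacyBudget {
  constructor(limitBits) {
    this.limitBits = limitBits;
    this.ledgers = new Map(); // company -> Set of attributes already charged
  }

  // Bits this company has consumed so far.
  spent(company) {
    let bits = 0;
    for (const attr of this.ledgers.get(company) ?? []) bits += ATTRIBUTE_BITS.get(attr);
    return bits;
  }

  // Returns the real value while the company stays within budget, otherwise null.
  // Re-reading an attribute that was already charged costs nothing extra.
  read(company, attr, device) {
    if (!ATTRIBUTE_BITS.has(attr)) throw new Error(`unknown attribute: ${attr}`);
    const charged = this.ledgers.get(company) ?? new Set();
    if (!charged.has(attr)) {
      if (this.spent(company) + ATTRIBUTE_BITS.get(attr) > this.limitBits) return null;
      charged.add(attr);
      this.ledgers.set(company, charged);
    }
    return device[attr];
  }
}

// Constructed sample device (documentation IP range) and an 8-bit cap.
const sampleDevice = { language: 'en-US', os: 'macOS', browserVersion: '13.0', ip: '203.0.113.10' };
const budget = new PrivacyBudget(8);
for (const attr of ['language', 'os', 'browserVersion', 'ip']) {
  console.log('adtech.example', attr, budget.read('adtech.example', attr, sampleDevice));
}
```

With these numbers the company can read the language and operating system, but the browser version and IP address are withheld because either would push it past the cap.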
Do a lot of ad tech companies use device fingerprinting to track people?
It’s unclear, even among ad tech companies. Digiday asked seven ad tech companies — BounceX, Dataxu, Index Exchange, LiveRamp, Lotame, Sovrn and Tapad — if they use device fingerprinting, and all seven said that they do not because of the difficulty in providing people with an option to opt out of this kind of tracking.
“I don’t see a wide utilization of fingerprinting,” said Mark Connon, COO of Tapad, an ad tech company that specializes in cross-device advertising.
However, while those companies don’t use device fingerprinting, others might. Ad exchanges have asked Dataxu CTO Bill Simmons whether the automated ad-buying firm uses device fingerprinting, and when he replies that Dataxu does not, “people are surprised we don’t,” said Simmons, who has taken the exchanges’ response as indication that many ad tech companies may use fingerprinting.
A clearer indication of which companies use fingerprinting can be found in the list of companies that Mozilla uses to block fingerprinting. That list includes ad verification firm DoubleVerify and demand-side platform MediaMath. MediaMath declined to comment on its use of fingerprinting, and DoubleVerify did not respond to a request for comment. However, it’s possible that neither company uses fingerprinting to track people for ad targeting purposes.
Is this just for ad targeting?
Not at all. Bank websites, for instance, can use the same information to check whether a person trying to log into a given account is the person who owns that account based on whether they are using a device or browser that has been previously used to log in, said Lotame CMO Adam Solomon. It can also be used for measuring ads across multiple devices. Companies often use IP addresses to associate multiple devices that connect to the same Wi-Fi network within a single household. This association helps them to recognize how many times a given brand’s ads were shown across those devices so that they can manage the frequency with which people are bombarded with the brand’s ads.
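The bank login check described above can be sketched as a comparison between the attributes of a login attempt and those of devices previously seen for the account. This is an added example, not code from any bank or company named in the article; the weights, the threshold, the function names and the sample devices are constructed assumptions.

```javascript
// Constructed weights (assumption): how much each attribute the article names
// contributes to a match. They sum to 100 and are illustrative, not measured.
const WEIGHTS = { os: 20, browser: 20, browserVersion: 10, language: 20, ip: 30 };

// Score 0..100: weighted share of attributes on which two observations agree.
function similarity(seen, current) {
  let score = 0;
  for (const [attr, weight] of Object.entries(WEIGHTS)) {
    if (seen[attr] !== undefined && seen[attr] === current[attr]) score += weight;
  }
  return score;
}

// Compare a login attempt with the devices already seen for the account.
// "step-up" means: ask for a second factor instead of trusting the device.
function assessLogin(knownDevices, current, threshold = 70) {
  const score = knownDevices.reduce((best, d) => Math.max(best, similarity(d, current)), 0);
  return { decision: score >= threshold ? 'allow' : 'step-up', score };
}

// Constructed sample data (documentation IP ranges).
const known = [{ os: 'macOS', browser: 'Safari', browserVersion: '13.0', language: 'en-US', ip: '203.0.113.10' }];
const afterBrowserUpdate = { ...known[0], browserVersion: '13.1' };
const onVpn = { ...known[0], ip: '198.51.100.7' };
const updatedAndOnVpn = { ...known[0], browserVersion: '13.1', ip: '198.51.100.7' };
const otherDevice = { os: 'Windows', browser: 'Chrome', browserVersion: '80.0', language: 'en-US', ip: '192.0.2.55' };

const attempts = { afterBrowserUpdate, onVpn, updatedAndOnVpn, otherDevice };
for (const [label, attempt] of Object.entries(attempts)) {
  console.log(label, assessLogin(known, attempt));
}
```

Because the match is probabilistic, a different device that happens to share every attribute would also score 100, which is why a check like this is a signal for extra verification rather than proof of identity.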