“If you’re not paying for the product, you are the product.”
It’s an expression most of us have heard because it’s true: If you aren’t paying with money, you’re paying with your personal data.
So, continuing on the theme of privacy protection, today’s article is about fingerprinting: a lesser-known mechanism for identifying users in order to aggregate data. We’ll cover how activity across websites and platforms gets aggregated and how disparate actions by a consumer turn into profiles used to identify behavior, understand the influence of marketing, and attribute a purchase to an advertisement.
As an anchor point, most of us know about cookies, which are a well-known mechanism for identifying users, preferences, and activity across websites. For more detail on the mechanics of cookies, including who places them, how they work, and how they are used, check out this post: https://medium.com/zendata/cookies-and-privacy-management-the-essential-handbook-dce2c759776d
Fingerprinting is another widely used technique to identify users that, unlike cookies, is not currently bound by most privacy regulations, but is equally as important as — and some would say more important than — cookies.
However, before we talk about fingerprinting and how it works, let’s first understand the types of data elements that can be used to identify a person uniquely:
Personal data elements:
Tier 1 — Highly sensitive and private: Name, address, phone number, email, national identity information, pictures, physical fingerprints. These attributes are commonly used to identify an individual with high accuracy.
Tier 2 — Sensitive with potential to identify an individual with some work: Credit card or debit card number, account numbers, device IDs, passwords, etc. These are not as accurate as Tier 1 data elements but are often used as part of the mechanism to identify an individual.
Not very personal data elements:
Type of operating system on your computer, the browser you use, plugins you have installed on a browser, fonts installed on your device, the hardware configuration of your device, screen size, etc.
Assume all you have access to are non-personal data elements, and you still want to identify an individual. How could you do that? The process of combining non-selective information to create a unique identifier for a device is called fingerprinting.
Take an example of a computer that uses:
How audio is processed on your device. Below are the audio context properties of my computer from different browsers (with all the cookies cleared):
[Screenshots: audio context properties in Microsoft Edge and Chrome]
The elements individually are not very unique (millions if not billions of devices probably have similar signatures/settings). But that is just individually. If you start combining them, before you know it, an individual can be uniquely identified. It doesn’t matter if a user changes their IP address, clears cookies, uses an incognito browser, or uses a VPN. This technique is device fingerprinting.
Once an individual is uniquely identified, their data and activity can be aggregated, across all websites. Disparate actions can be turned into patterns and behaviors.
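To make the combining effect concrete, here is an added example (not from the original article) that counts how many devices in a small constructed population become uniquely identifiable as attributes are combined. The device list, the function names, and the `withUniformValues` model of a browser that reports fixed values are assumptions made for illustration.

```javascript
// Constructed sample population (8 devices); not real traffic.
const DEVICES = [
  { os: "Windows", browser: "Chrome", screen: "1920x1080", audioSampleRate: 48000 },
  { os: "Windows", browser: "Chrome", screen: "1920x1080", audioSampleRate: 44100 },
  { os: "Windows", browser: "Chrome", screen: "2560x1440", audioSampleRate: 48000 },
  { os: "Windows", browser: "Edge",   screen: "1920x1080", audioSampleRate: 48000 },
  { os: "Windows", browser: "Edge",   screen: "2560x1440", audioSampleRate: 44100 },
  { os: "macOS",   browser: "Chrome", screen: "1920x1080", audioSampleRate: 44100 },
  { os: "macOS",   browser: "Chrome", screen: "2560x1440", audioSampleRate: 48000 },
  { os: "macOS",   browser: "Edge",   screen: "1920x1080", audioSampleRate: 44100 },
];
const ALL_ATTRS = ["os", "browser", "screen", "audioSampleRate"];

// Combine the chosen attributes of one device into a single comparison key.
const keyOf = (device, attrs) => JSON.stringify(attrs.map((a) => device[a]));

// Group devices sharing the same values; each group is an "anonymity set".
function anonymitySets(devices, attrs) {
  const sets = new Map();
  for (const d of devices) {
    const k = keyOf(d, attrs);
    sets.set(k, (sets.get(k) || 0) + 1);
  }
  return sets;
}

// Count devices that are alone in their set, i.e. uniquely identifiable.
function uniquelyIdentified(devices, attrs) {
  return [...anonymitySets(devices, attrs).values()].filter((n) => n === 1).length;
}

// Identifying information in bits: log2(population / anonymity-set size).
function identifyingBits(devices, attrs, device) {
  const size = anonymitySets(devices, attrs).get(keyOf(device, attrs));
  return Math.log2(devices.length / size);
}

// Assumption: model a browser that reports one fixed value for some attributes.
function withUniformValues(devices, fixed) {
  return devices.map((d) => ({ ...d, ...fixed }));
}

for (const attrs of [["os"], ["os", "browser"], ["os", "browser", "screen"], ALL_ATTRS]) {
  console.log(attrs.join("+"), "->", uniquelyIdentified(DEVICES, attrs), "of", DEVICES.length, "unique");
}
const uniform = withUniformValues(DEVICES, { screen: "1920x1080", audioSampleRate: 48000 });
console.log("uniform screen+audio ->", uniquelyIdentified(uniform, ALL_ATTRS), "unique");
```

On this sample no single attribute singles out a device, while all four together single out every one; making two attributes uniform shrinks that back to one device.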
Now you might ask, “what do I do about this?”
Understandably, as a consumer, you might be concerned and want to protect yourself. Given how easy it is to fingerprint, preventing it might seem impossible. But it’s not.
Here’s what you can do:
By understanding fingerprinting (what it is, how it works, and why companies use it), you can take the next step to protect yourself and your identity online. If you have any questions, contact us at email@example.com.
If you’re a company, Zendata’s platform also allows your company’s policymakers to easily assess how extensively device fingerprinting mechanisms are being used by your website. This way, they can set policies appropriate to your business’s risk profile.