Data Aggregation and Device Fingerprinting
“If you’re not paying for the product, you are the product.”

It’s an expression most of us have heard because it’s true: if you aren’t paying with money, you’re paying with your personal data.

So, continuing on the theme of privacy protection, today’s article is about fingerprinting: a lesser-known mechanism for identifying users in order to aggregate data. We’ll cover how activity across websites and platforms gets aggregated, and how disparate actions by a consumer turn into profiles used to identify behavior, understand the influence of marketing, and attribute a purchase to an advertisement.

As an anchor point, most of us know about cookies, which are a well-known mechanism for identifying users, preferences, and activity across websites.

Fingerprinting is another widely used technique to identify users. Unlike cookies, it is not currently bound by most privacy regulations, yet it is as important as cookies, and some would say more important.

However, before we talk about fingerprinting and how it works, let’s first understand the types of data elements that can be used to identify a person uniquely:

Personal data elements:

Tier 1 — Highly sensitive and private: Name, address, phone number, email, national identity information, pictures, physical fingerprints. These attributes are commonly used to identify an individual with high accuracy.

Tier 2 — Sensitive with potential to identify an individual with some work: Credit card or debit card number, account numbers, device IDs, passwords, etc. These are not as accurate as Tier 1 data elements but are often used as part of the mechanism to identify an individual.

Not very personal data elements:

Type of operating system on your computer, the browser you use, plugins you have installed on a browser, fonts installed on your device, the hardware configuration of your device, screen size, etc.

Assume all you have access to are non-personal data elements, and you still want to identify an individual. How could you do that? The process of combining non-selective information to create a unique identifier for a device is called fingerprinting.

Take an example of a computer that uses:

  • OS: Windows 10 Home Edition. Nothing unique or personal about this! There are millions of devices that use Windows 10.
  • Browser: Chrome. Again, extremely common.
  • Time zone: PST
  • Screen size: 1920x1080x24
  • Language: English-US
  • Cookies allowed: Yes
  • Device memory: 8 GB
  • Fonts installed: Arial, Arial Black, Arial Narrow, Book Antiqua, Bookman Old Style, Calibri, Cambria, Cambria Math, Century, Century Gothic, Century Schoolbook, Comic Sans MS, Consolas, Courier, Courier New, Georgia, Helvetica, Impact, Lucida Bright, Lucida Calligraphy, Lucida Console, Lucida Fax, Lucida Handwriting, Lucida Sans, Lucida Sans Typewriter, Lucida Sans Unicode, Microsoft Sans Serif, Monotype Corsiva, MS Gothic, MS PGothic, MS Reference Sans Serif, MS Sans Serif, MS Serif, Palatino Linotype, Segoe Print, Segoe Script, Segoe UI, Segoe UI Light, Segoe UI Semibold, Segoe UI Symbol, Tahoma, Times, Times New Roman, Trebuchet MS, Verdana, Wingdings, Wingdings 2, Wingdings 3 (via JavaScript)
  • Plugins installed:
      • Plugin 0: Chrome PDF Viewer; Portable Document Format; internal-pdf-viewer; (Portable Document Format; application/pdf; pdf) (Portable Document Format; text/pdf; pdf).
      • Plugin 1: Chromium PDF Viewer; Portable Document Format; internal-pdf-viewer; (Portable Document Format; application/pdf; pdf) (Portable Document Format; text/pdf; pdf).
      • Plugin 2: Microsoft Edge PDF Viewer; Portable Document Format; internal-pdf-viewer; (Portable Document Format; application/pdf; pdf) (Portable Document Format; text/pdf; pdf).
      • Plugin 3: PDF Viewer; Portable Document Format; internal-pdf-viewer; (Portable Document Format; application/pdf; pdf) (Portable Document Format; text/pdf; pdf).
      • Plugin 4: WebKit built-in PDF; Portable Document Format; internal-pdf-viewer; (Portable Document Format; application/pdf; pdf) (Portable Document Format; text/pdf; pdf).
  • How images are displayed on your screen, and what hardware is used (NVIDIA, for example). This is called Canvas fingerprinting. The example below is a signature of the device I am using to write this article; it is 99.64% unique.

[Image: Canvas Fingerprint]

How audio is processed on your device. Below are the audio context properties of my computer from different browsers (with all the cookies cleared):

[Images: audio context properties in Microsoft Edge and Chrome]

The elements individually are not very unique (millions if not billions of devices probably have similar signatures/settings). But that is just individually. If you start combining them, before you know it, an individual can be uniquely identified. It doesn’t matter if a user changes their IP address, clears cookies, uses an incognito browser, or uses a VPN. This technique is device fingerprinting.
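The narrowing effect described above, worked through as an added example (not code from the original article): it measures how many devices still match the example device as each attribute is combined, and shows that the combined identifier is unchanged by clearing cookies or changing IP address. The population, the `memGB` key name, the IP address, and the FNV-1a hash are constructed for illustration.

```javascript
// Constructed sample population (not real data): one row per device.
const KEYS = ["os", "browser", "tz", "screen", "lang", "memGB"];
const ROWS = [
  ["Windows 10", "Chrome",  "PST", "1920x1080x24", "en-US", 8],  // the article's example device
  ["Windows 10", "Chrome",  "PST", "1920x1080x24", "en-US", 16],
  ["Windows 10", "Chrome",  "EST", "1920x1080x24", "en-US", 8],
  ["Windows 10", "Firefox", "PST", "1920x1080x24", "en-US", 8],
  ["macOS",      "Chrome",  "PST", "2560x1440x24", "en-US", 8],
  ["Windows 10", "Chrome",  "PST", "1366x768x24",  "en-US", 8],
  ["Windows 10", "Chrome",  "PST", "1920x1080x24", "en-GB", 8],
  ["macOS",      "Safari",  "EST", "2560x1440x24", "en-US", 16],
];
const population = ROWS.map(r => Object.fromEntries(KEYS.map((k, i) => [k, r[i]])));

// Number of devices that share the target's value for every key in `keys`.
function anonymitySet(pop, target, keys) {
  return pop.filter(d => keys.every(k => d[k] === target[k])).length;
}

// Bits of identifying information revealed by a single attribute value.
function surprisalBits(pop, target, key) {
  return -Math.log2(anonymitySet(pop, target, [key]) / pop.length);
}

// Anonymity-set size as the attributes are combined one at a time.
function narrowing(pop, target, keys) {
  return keys.map((_, i) => anonymitySet(pop, target, keys.slice(0, i + 1)));
}

// Stable identifier derived from the combined attributes. FNV-1a is a simple
// non-cryptographic hash, used here only to keep the example dependency-free.
function fingerprint(device, keys = KEYS) {
  let h = 0x811c9dc5;
  for (const ch of keys.map(k => `${k}=${device[k]}`).join("|")) {
    h = Math.imul(h ^ ch.charCodeAt(0), 0x01000193);
  }
  return (h >>> 0).toString(16).padStart(8, "0");
}

const target = population[0];
console.log(KEYS.map(k => `${k}: ${surprisalBits(population, target, k).toFixed(2)} bits`));
console.log("devices still matching as attributes combine:", narrowing(population, target, KEYS));

// Clearing cookies or changing IP touches none of the fingerprinted attributes.
const afterReset = { ...target, cookies: "", ip: "203.0.113.7" }; // constructed values
console.log("same fingerprint after reset:", fingerprint(target) === fingerprint(afterReset));
```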

Once an individual is uniquely identified, their data and activity can be aggregated across all websites. Disparate actions can be turned into patterns and behaviors.

Now you might ask, “what do I do about this?”

Understandably, as a consumer, you might be concerned and want to protect yourself. Given how easy it is to fingerprint, preventing it might seem impossible. But it’s not.

Here’s what you can do:

  • Take a look at the Zendata consumer scanner to understand if a website you frequent uses fingerprinting mechanisms
  • Install extensions on your browsers that defend you against Canvas fingerprinting, WebGL fingerprinting, Font fingerprinting, and AudioContext fingerprinting (common fingerprinting techniques). Most browser marketplaces have them. For example, here is a Font fingerprinting defender for Chrome: https://bit.ly/3oBgSzG
  • Use the Tor Browser (this is not 100% foolproof and slows your browsing speed down, but goes a long way)
  • Use multiple virtual machines to browse
  • Opt out of the sale of your information. Here’s a link to the opt-out link directory for California residents: https://caprivacy.github.io/caprivacy/

By understanding fingerprinting (what it is, how it works, and why companies use it), you can take the next step to protect yourself and your identity online. If you have any questions, contact us at contact@zendata.xyz.

If you’re a company, Zendata’s platform also allows your company’s policymakers to easily assess how heavily device fingerprinting mechanisms are being used by your website. This way, they can set policies appropriate to your business’s risk profile.

April 9, 2022