Two fingered salute: Privacy regulators focused on cookies, email identifiers outflanked as firms hone tracking techniques, but fingerprinting next in firing line
Regulators and lawmakers are working up rules that prevent tracking and data collection without explicit informed consent. But a vast trove of probabilistic data can be harnessed to build accurate alternatives. UM's global media chief Joshua Lowcock, Civic Data co-founder Chris Brinkworth and Havas data and adtech lead Kevin Fernandes think fingerprinting is alive and kicking for now – but may be next in the firing line. Publishers and adtech firms take note.
What you need to know:
- A US firm says it can create a basic fingerprint of users without using cookies or JavaScript. FingerprintJS instead uses installed fonts, header images, colour schemes, and other innocuous signals.
- The firm states its tech is for fraud prevention. But others warn similar probabilistic systems, being assessed by some of Australia's publishers, could build unique profiles of users that could be used to retarget them without consent. It is “very likely” to become illegal, said Civic Data’s Chris Brinkworth. UM global media boss Joshua Lowcock said it shows how regulators are playing catch-up to tech.
- Fingerprinting replacing cookies – and evading regulation – would be a poor outcome for users, per Havas ad tech and data chief Kevin Fernandes.
Fck the cookies
Third party cookies may be disappearing from Google Chrome, but there are dozens of digital signals that can still be collected and bundled together – without consent – from tens of millions of Australian users. And it’s possible these signals could create a replacement for the cookie.
A demo from a US-based company called FingerprintJS can create a 32-digit fingerprint using at least 34 settings, like fonts, header images, colour schemes and other elements of browser coding, without using cookies or JavaScript. Each setting is innocent-looking, mostly unchanging technical information but, added to other data points, it could create a unique snapshot of an individual.
And while the Australian government is looking hard at re-defining certain data points as personally identifiable information – IP addresses, location data, and other metadata, for example – it’s unlikely the information included in these fingerprinting services would be included.
Why? Because each individual piece of information is virtually untraceable, and software like FingerprintJS is used for fraud detection – not ad targeting.
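How signals that are individually uninformative combine into an identifier can be measured as entropy and anonymity-set size. The following is an added example, not code from FingerprintJS or from this article; the four signal names and the eight visitor records are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample, not real data: eight visitors, four coarse signals each.
SIGNALS = ("language", "color_scheme", "font_set", "screen_width")
VISITORS = [
    ("en-AU", "dark", "A", 1920),
    ("en-AU", "light", "A", 1920),
    ("en-AU", "dark", "B", 1440),
    ("en-AU", "light", "B", 1440),
    ("en-US", "dark", "A", 1440),
    ("en-US", "light", "A", 1440),
    ("en-US", "dark", "B", 1920),
    ("en-US", "light", "B", 1920),
]


def entropy_bits(values):
    """Shannon entropy, in bits, of the observed values."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def anonymity_sets(visitors, columns):
    """Count how many visitors share each combination of the given columns."""
    return Counter(tuple(v[i] for i in columns) for v in visitors)


def cumulative_report(visitors, signals):
    """For the first 1..n signals: (names, joint bits, smallest set, unique visitors)."""
    rows = []
    for n in range(1, len(signals) + 1):
        sets = anonymity_sets(visitors, range(n))
        unique = sum(1 for size in sets.values() if size == 1)
        rows.append((signals[:n], entropy_bits(sets.elements()), min(sets.values()), unique))
    return rows


if __name__ == "__main__":
    for i, name in enumerate(SIGNALS):
        print(f"{name}: {entropy_bits(v[i] for v in VISITORS):.1f} bits alone")
    for names, bits, smallest, unique in cumulative_report(VISITORS, SIGNALS):
        print(f"{'+'.join(names)}: {bits:.1f} bits, smallest set {smallest}, unique {unique}")
```

In this sample every signal alone splits the visitors in half, yet three of them together single out all eight; the fourth adds nothing because it is correlated with the others, which is why joint entropy rather than the sum of per-signal entropies is the figure to audit.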
“It's possible for unscrupulous individuals and organisations to use this approach to circumvent privacy regulations and privacy controls and use it for ad targeting,” UM Worldwide’s Global Chief Media Officer, Joshua Lowcock, said.
“The proof-of-concept demonstrates that regulators are at a disadvantage when it comes to an industry that rapidly evolves and where some people will seek to circumvent the spirit and intent of laws.”
The Australian government is planning new privacy legislation that accounts for the explosion of data, digital platforms and digital advertising. But they’re being outgunned so far, Lowcock said, adding that privacy regulators would need powers to audit the ad tech ecosystem for compliance on the spot, rather than just retrospective punishments.
“Using methods to identify someone, without their consent or knowledge will very likely become illegal in Australia,” Civic Data’s Chris Brinkworth said.
“It's very clear that this will cover fingerprinting as it does in other parts of the world. That means that while tools such as FingerprintJS are very valuable and considered legal under Europe’s General Data Protection Regulation (GDPR)/California Consumer Privacy Act (CCPA) for fraud detection, if that same process is used outside of the very specific 'fraud' use case those GDPR/CCPA [and, very likely Australian Privacy Act] consent rules must still be obeyed.”
One organisation that supports victims of identity theft, IDCARE, specifically raised the point of “digital fingerprints” in its submission to the government, urging the Attorney-General to include it in the list of personal information as some people’s IDs are sold on the dark web.
"No different to a cookie"
Fingerprinting has been around in various forms for more than a decade. While cookies were the standard universal tracking currency, there’s increasing concern that building profiles of users based on other signals could prove more pervasive as third party cookies are culled.
What most people, even the privacy conscious, may not realise is that this information is collected anyway by default. “You’re probably using a VPN – it doesn’t block fingerprinting,” Havas’ Head of Data Solutions and Ad Tech Kevin Fernandes said.
“Cookies and fingerprints are pretty much the same thing, but the latter, nobody has explored because they’re focused on cookies.”
Aaron Woolf, CEO of Trendii, a contextual advertising platform, said: “When all these pieces are combined together it creates a profile of a person which in essence is a unique identifier and therefore no different to a cookie.”
But he echoes Civic Data's Chris Brinkworth in suggesting cookie workarounds will be heavily regulated – soon.
“The biggest issue in my opinion is we are still trying to create alternatives to a solution [cookies] which the consumer clearly does not want,” Woolf said, “when we should be focusing on solutions which put the consumer first and at the centre of the product.”
FingerprintJS, meanwhile, said it recommends its technology is used not for advertising but for fraud prevention.
“We try to combat any negative perception around fingerprinting by being transparent about how the technology works, and informing readers where it is best used [for fraud prevention],” Sergey Mostsevenko, a JavaScript developer from FingerprintJS, said. The company also said it alerts authorities to potential data leaks and breaches.
In an article about the no JavaScript fingerprinting demo, the company explains exactly which signals it can source, even if a user actively disables JavaScript.
Can its services be used to target individuals based on profiles, known as deterministic advertising?
“If by ‘deterministic’, you mean a unique identifier that can be used to track an individual person, then no,” Mostsevenko said.
“Device and browser fingerprinting methodologies are considered to be probabilistic as they are not tied to any PII or login information and don’t uniquely identify a visitor. Many people can have the same features or signals, and users can change their features, e.g. change the screen size or the system language.”
Conversely, he said the reason fingerprinting using these signals is useful for fraud detection is that “everybody has them, they are left unintentionally [and] they are hard to change”.
Where regulators eventually land remains to be seen, but consent to track browsing habits and collect data, plus what constitutes PII, has never been higher on the agenda, locally and globally.