For more than a decade, the ad tech industry has tried to replace the term “fingerprinting” with euphemisms, like probabilistic modeling.
But too bad for ad tech, because the term stuck.
All of the major browsers and mobile operating system makers – mainly Google and Apple, with a little Mozilla and Microsoft in the mix – now explicitly cite “fingerprinting” as impermissible.
Fingerprinting is also a target for policy actions.
But what is fingerprinting?
Fingerprinting is a way for marketing and tech companies to approximately identify users or devices without an actual user ID.
Even without IDs, sites and apps collect data that can be used to create a type of digital signature – a fingerprint, if you will.
This data includes information about a user’s browser or OS type, battery and CPU details, screen size and orientation, clock type, language settings, keyboard plugins and more.
If, for example, a publisher doesn’t have a user’s email or other user-level ID, it might still be able to make an educated guess as to whether a person is revisiting their site by triangulating data points, such as connecting the same phone model, operating system and browser type, as well as the person using dark mode, a specific emoji keyboard and 24-hour time for their clock.
In 2018, before fingerprinting became a major target for browser operators, ad tech companies like Flashtalking and Criteo and cross-device graph providers used these non-identifier data points to improve match rates.
Another form is called Canvas fingerprinting. Canvas is an HTML5 API that enables graphics and animations through the use of JavaScript. When a site runs Canvas in the background to produce something on the page, such as graphics, font size or the background color setting, differences in the graphics processing unit of the device create slight changes in the rendering that can be stamped and recognized.
Why is this allowed?
In many cases, it’s not allowed. After all, fingerprinting is a tracking method that people can’t opt out of or into.
Apple and Google have both made it harder for ad tech companies to engage in fingerprinting. Google has made moves to restrict fingerprinting since at least 2019, and Apple has instituted explicit anti-fingerprinting policies.
But fingerprinting is still not actively enforced against.
The mobile ad tech industry was on tenterhooks during Apple’s Worldwide Developer Conference in June, because many expected Apple to release technical guidelines to prohibit fingerprinting.
There was a collective a sigh of relief after fingerprinting didn’t get a mention during the WWDC keynote. And although Apple did cast shade on fingerprinting during one of the follow-up developer sessions, it didn’t share plans for enforcement.
“With permission, tracking is allowed – but fingerprinting is never allowed,” said Julia Hanson, an Apple privacy engineer, during the WWDC session. “Regardless of whether a user gives your app permission to track, fingerprinting – or using signals from the device to try to identify the device or user – is not allowed per the Apple Developer Program License Agreement.”
And even without specific enforcement guidelines for apps, Apple has been cracking down on web-based fingerprinting through Intelligent Tracking Prevention for years. (Mozilla has been doing the same over on Firefox, for that matter.)
Although Google has tracked a few years behind Apple on the removal of fingerprinting data, it’s made moves to phase out HTML user-agent strings (historically used to inform sites how to render properly) and zero out the Android Advertising ID so that it can’t be used for ad-targeting.
In browser parlance, user-agent strings and mobile ad IDs are known as “fingerprinting surfaces.” They have a stated use, but can also be co-opted for other purposes. The idea is to have as little surface as possible so as to prevent fingerprinting while balancing the user experience and still supporting publisher businesses.
The same goes for mobile operating systems and app developers. If Apple did flip a switch and begin to enforce its definition of fingerprinting in apps, popular mobile measurement vendors with large SDK networks might be in violation and all the apps that carry them would be suddenly thrown into disarray.
What can be done?
Although fingerprinting hasn’t been completely quashed, Apple, Google, Mozilla, Microsoft and others have developed built-in browsers features to limit the practice and removed data exhaust to make fingerprinting much less effective.
Although a fingerprint might sound like it should last forever, after a day or two, the constellation of data points that were used to create a device fingerprint typically no longer hold together, Grant Simmons, the head of client analytics at mobile attribution platform Kochava, previously told AdExchanger.
The challenge is that tougher enforcement against fingerprinting comes with real tradeoffs.
Removing all fingerprinting surfaces is detrimental to user experience. After all, developers and publishers collect device data and run Canvas for practical reasons. They need to have interactive features, know when to turn to low-power mode, how to render images based on the type of phone and know the user’s time of day.
Firefox is working on a fingerprinting protection feature, but warns users it’s “likely” the feature “may degrade your Web experience so we recommend it only for those willing to test experimental features.”
So, what common issues crop up for Firefox users who download the hardcore fingerprint protection?
Not all fonts are available, their time zone is reported as UTC (Greenwich England), their microphone and webcam preferences are turned off and their site-specific Zoom settings or other services could be disrupted. That’s to name just a few of what Mozilla refers to as “not an exhaustive list” of features that may be altered or disabled.
Guess there’s still no easy off switch for fingerprinting.
