Device fingerprinting and the surveillance economy

Chandler Givens 22 Aug 2019

Consumers can delete their cookies, but this is not the case for fingerprinting

Many consumers are aware of cookies that track web activity, and their use is fairly well-regulated. But online fingerprinting (also called device fingerprinting) is not as well understood. We believe mainstream media is vastly underestimating how prevalent it is.

Device fingerprinting refers to tracking software on websites used to collect information about the device you are using, such as the make, model, operating system, browser, even software installed on the device. This information is used to identify your unique device fingerprint online. 

Consumers can delete their cookies, and websites have to notify and gain permission from users to use them. This is not the case for fingerprinting, which is becoming more prevalent as cookie-tracking becomes less common.

The New York Times recently shined a light on the issue, but suggested the tactic is used by fewer than 5% of websites. We believe that understates the impact. 

The concerning thing about fingerprinting is that, because of the uniqueness of your hardware and software components, users are identifiable with greater than 95% accuracy. This allows whoever has identified this fingerprint to have a clear picture of who you are, regardless of whether you’ve granted permission for these third parties to collect information about you. After it’s collected and combined with your record of internet use and browsing history, a complete picture of your online history, preferences, activities, and even life circumstances can be traced directly back to a specific device, and then quickly to the owner.

The study quoted in the New York Times from Mozilla found that 3.5% of popular websites are using fingerprinting to track users. It may be the case that only a small percentage of the most popular websites deploy scripts that are known to be exclusive fingerprint-based trackers. This may sound like only a small minority of sites are fingerprinting, but we also know that the majority of web traffic goes to the web’s most popular sites. The really telling figure is how many internet users can be successfully identified by the information already collected about them online.   

This Princeton University study shows us that 60% or more of the top 1,000 sites share information with third parties, many of which are creating online profiles or fingerprints about website visitors that they share and sell to advertisers and data companies. In a finding reminiscent of the Mozilla study, the research shows that 96.5% of websites, though not using fingerprint-based tracking themselves, have access to your digital fingerprint from third parties. 

The critical thing is that there is no way for the regular user to know what websites are fingerprinting their devices because they look just like any other script running on a website. Scripts run in the background of websites and can be used for legitimate purposes like rendering videos, photos and more, however, those same scripts can also be used for more nefarious purposes like collecting data about the user. 

You might be wondering what companies are doing with the information they’re collecting. The large majority of companies are using this data to advertise to you and personalize your experience online. 

However, some companies are using your online data to make inferences about you that could negatively and unfairly impact you as a consumer. A few examples: 

fingerprinting_insurance

In the graphic above, you search for chest pain online → a website sells your search history to a health insurance company → the health insurance company infers you are at risk of heart disease and increases your rates.

fingerprint2

In the graphic above, you’re sharing your location → you live in an affluent neighborhood → company x charges you more for goods because they infer you can and will pay more for it

When it comes to fingerprinting, there is a complete lack of transparency with the user – they don’t know what information is being collected about them, by whom, and for what purposes. There is also a concerning lack of control for the consumer – I cannot decide to take my information with me or remove my information from the systems of the companies that hold it. I can’t even see what companies have information about me. 

Even with sites like Facebook that have questionable privacy practices, a motivated user can download their information, review it, and make decisions to change or erase their profile. Users don’t typically have control over the collection of their information on the majority of other websites. 

When our devices are our portals to information and communications – and the way we manage our most sensitive health and financial information – companies need to be held accountable for tracking. Regulations like GDPR have emerged to protect the use of personally identifiable information on the internet by specifically focusing on cookie-based tracking. But fingerprinting has come along to circumvent these practices and allow for somewhat free and unfettered tracking of individuals by the simple assumption that what the device does are likely to be the actions of a specific user. 

The scariest aspect of digital fingerprinting is once your online profile has been created and is out there in cyberspace, preventative measures like changing passwords and deleting browser history are largely futile. Stopping the leak of your personal information can feel impossible. To do so would require you to remove your data from hundreds of data brokers who already have your data – and do this on a regular basis. Companies will continue to circumvent any policy or legislation that limits their ability to track you. Consumers, therefore, need to take action to protect themselves from the surveillance economy. 

What can the average person do?

Our recommendation is for users is to assume that most websites are tracking you and take action accordingly.

Consider installing an anti-tracking product that can help keep you safe. There are good options on the market, Avast has its own AntiTrack product, and privacy-focused web browsers like Mozilla Firefox and Avast Secure Browser actively thwart online tracking.  

Instead of blocking scripts that break websites, AntiTrack inserts fake data to keep the script running while preventing accurate personal info from being collected and used against you – rendering the fingerprint tracking technique useless. Additionally, it provides protection regardless of the type of device or browser you use. 

You wouldn’t let someone record your every move in the real world, so don’t let them track you online either.

Related articles

--> -->