Why fingerprinting is unlikely to succeed

May 06, 2020 5 min read

  • Jane Usoskina, Senior Solutions Architect

  • Safari and Firefox blocked third-party cookies and Google announced that it will do the same for Chrome before the end of 2021. This creates a challenge for ad tech vendors and advertisers who rely on these cookies for audience targeting, frequency capping and attribution. As a result, vendors are looking for workarounds to maintain their current ways of working. Fingerprinting has emerged as one of these possible solutions. However, it is not privacy compliant because it is hard to detect or stop by a user and Permutive recommends that publishers avoid using it.

    What is browser fingerprinting?

    When a user browses the web, information about their browser is made available in a network request to ensure that webpages are displayed correctly. This browser information can include: operating system, browser type and version, installed fonts, language settings, and geographical location. Together, these details create a digital fingerprint for each user. By themselves, they are not distinct, but users can be individually identified by combining enough of these data points. Any vendor running on a publisher website can, in theory, access this information.

    Browser fingerprinting was initially developed for fraud prevention. For example, when someone signs in to online banking, they are authenticated with information about their device. If they later log in from a different device, they receive an email or SMS to verify their identity and make sure someone else isn’t trying to access their account.

    The advertising world realized that users can be identified in this way, without using cookies and even when browsing in Incognito mode. Some ad tech companies saw this as an opportunity to improve audience targeting and began using fingerprinting data to identify and track users across sites.

    The challenge with browser fingerprinting

    Fingerprinting is problematic because users are unable to detect or stop it effectively. Individuals who have purposely disabled their cookies and use private browsing sessions have chosen to do so because they do not want to be tracked or shown adverts based on their activities. Their privacy should be respected and, as dictated by global regulations, they should have visibility into how their data is used and the choice about how and when it is accessed.

    Users might give consent for a specific third-party to access this data. With physical fingerprints this could be a government official for a visa and, similarly, for digital fingerprints, this could be a bank to enable easy sign-on from a mobile application. The problem with fingerprinting is that users do not have control over who accesses their information, recreating the very problem that blocking third-party cookies is trying to stop.

    Does Permutive use fingerprinting?

    Permutive has always focused on user privacy. It has never deployed fingerprinting and will not do so at any point in the future. Permutive’s DMP was designed to run on the Edge in order to protect user privacy. It processes and segments users on the device so that only aggregated segment data is used for targeting. Permutive believes that personally identifiable information should only be shared with a user’s permission and knowledge of how it will be used.

    The state of fingerprinting today

    There’s a number of different factors influencing the ad tech industry today, including browser updates, regulations, user trust and revenue opportunities. We’ve reviewed the impact of these elements on browser fingerprinting to determine what is likely to happen as the market evolves.

    What is technologically possible?

    Browsers have the ability to control privacy settings and who can access user data. Apple, Mozilla and Google have all taken a strong stance on protecting user privacy. All three leading browsers, including Chrome, have stated that they will actively stop any fingerprinting activities. Each browser is taking a slightly different approach:

    • Apple’s Safari will prevent data being shared about each user and make users look similar to one another. This will stop ad tech vendors or trackers from targeting individual users.
    • In Mozilla Firefox, known fingerprinting trackers are already being blocked. Firefox will also modify or remove APIs that can be used for fingerprinting.
    • One of Google’s proposals is a Privacy Budget which will limit the number or depth of pieces of information exposed about a user in Chrome.

    There’s more information about these proposed methods in a second blog on the topic, ‘How browsers are adapting their technology to prevent fingerprinting.

    What is legally allowed?

    Fingerprinting is not mentioned explicitly in GDPR or CCPA. These regulations aim to stay technologically neutral so that they incorporate any emerging technologies and maintain standards for protecting user privacy. Regulators understand that users require greater transparency around how their data is used and believe users should be given the ability to stop tracking for advertising purposes.

    In order for fingerprinting to be legal under GDPR or CCPA, publishers would need explicit consent from a user. They would need to share the purpose and legal basis for fingerprinting and be able to show that it does not override their privacy rights.

    What is socially acceptable?

    Unfortunately, the majority of users are not aware that browser fingerprinting exists. While users have gained a greater awareness around the use of cookies for advertising, most are not familiar with how fingerprinting could be used to track them. Opt-outs do not necessarily prevent fingerprinting. Users expect greater transparency about how and where they are being tracked on the web but most are not savvy enough to push back against fingerprinting.

    Publishers are more aware that fingerprinting exists as a technology but they do not necessarily have complete visibility into everything that ad tech vendors use to facilitate user targeting. They want to comply with regulations and protect user privacy but also need to maintain their advertising revenues as browsers limit tracking. Publishers’ legal teams are increasingly doing their due diligence in making sure their visitors get to keep the privacy they promised.

    What is profitable?

    Advertisers may reap some short-term benefits by employing fingerprinting technologies as they will continue to be able to target users. For example, fingerprinting may help with attribution or frequency capping where they can no longer use third-party cookies. However, with growing technological and legal restrictions, this technique is unlikely to be successful for long. Similarly, some ad tech vendors may leverage fingerprinting to maintain their current way of targeting users with minimal changes as third-party cookies are blocked. Publishers should not risk allowing their users to be fingerprinted by vendors.


    Permutive’s view

    Permutive believes that fingerprinting is a breach of user privacy. We recommend that publishers carefully consider any technology before implementing to ensure that it has their users’ best interests at heart. Both publishers (and advertisers) should invest in long-term, privacy compliant solutions, that will work when all the browser changes take place.