Device fingerprinting is a technique for identifying a computing device (e.g. desk top, laptop, tablet or smartphone) based on its unique configurations. Many people might own the same device but once we track location and time zone settings, operating system, apps and plugins installed, browser versions, etc. we quickly get a unique device. The goal of device fingerprinting is to connect online identities to real-world ones.
In the past, this has generally been done for security purposes – think of those warnings you get when you log into certain online services from a new phone or tablet. Today however, it is increasingly being used by marketers to learn about us, study our behaviour and sell us things.
Organisations are becoming more and more capable of using our device footprints to effectively de-anonymise us, monitor our actions and predict what we will do next. For retailers, for example, this means they can begin to track our actions from the first time we show interest in a product, to the way we browse sales listings, right up to point-of-sale.
Ritchie Hall – CIO of TouchCR which integrates device fingerprinting techniques into the service it provides to its B-2-C customers, tells me “It’s about being able to resolve the identification back to a person – looking at the device, fingerprinting it back to a person and maintaining a relationship with that person on an ongoing basis.”
Of course, device fingerprinting would be very straightforward if we all used one device. That clearly isn’t the case – last year Google reported that 70% of internet users connect through at least two different devices each day. To resolve that one person using two devices to, for example, order pizza, are in fact the same person, another identifier is needed – for example an email address, or payment information.
Similarly, devices often change hands, are shared between groups, or have their fingerprint fundamentally altered in some way by, for example, operating system updates. This makes device fingerprinting a bit more complex than it first seems. In order to operate effectively, it requires a continuous ongoing process of cross-referencing and verification which is demanding in terms of CPU power and data bandwidth, making it a Big Data operation.
Nevertheless, as tools and as-a-service frameworks become available, it puts this kind of marketing firepower within the reach of moderately-resourced businesses. This therefore means we are likely to see a lot more of it in the near future.
Device Fingerprinting overcomes some of the inefficiencies of using other means of customer-tracking. Most notably this includes cookies installed in our web browsers, which businesses have long used to monitor our behaviour when we visit their websites. The problem is that cookies can be deleted whenever we want, and it’s relatively easy for us to stop specific sites, services or companies from using them to track us. Device fingerprinting doesn’t have this limitation as it doesn’t rely on storing data locally on our machines, instead it simply monitors data transmitted and received as devices connect with each other.
Privacy awareness site amiunique.org, refers to device fingerprinting as the “cookie-less monster” due to how it allows us to be tracked without storing cookies.
Monitoring and tracking via device fingerprinting is more difficult for us to circumvent than prior technologies, which makes it unsurprisingly somewhat controversial, and concerns have been raised over the privacy challenges it represents.
I mentioned this to Hale, who said that the solution is for companies to be very up-front and clear about how they are collecting data, and the reasons for it. “Two things need to occur – there needs to be the ability to opt-out of being tracked.
“And then if they do choose to opt-in, the terms of service need to indicate very clearly what is going to go on.”
This might mean sending more, and clearer, notifications to users to let them know they are being tracked. Alongside the “cookie law” notifications that EU users now see on almost every website, further notifications warning that behavior may be tracked through device fingerprints could become common – or even legally obligatory in more privacy-aware jurisdictions.
In other places which have been slower to impose legislation on what marketers can do with personal information, such as the US, the implications could be greater.
“Something we had a significant conversation with our lawyers about was, who owns this data?” Hale tells me.
“Access points can often be provided by third parties – you have a big retail chain with thousands of stores, and a third party managing their access points.
“Who controls that data? The customer needs to be aware and notified at opt-in that [the terms of service apply to] the company which has the retail stores, not for the access point provider, who can actually resell that data if they wanted to.”
For anyone who doesn’t want to be tracked, be it via cookies or device fingerprinting, there are solutions that include the use of virtual private networks (VPNs) that make it look as if we are connecting from a different machine, anonymous internet protocols such as TOR, and operating systems designed to only publish device information which will keep you indistinguishable from other users. Unless you are a whistleblower or want to hide from a despotic regime, these may seem like overkill if you simply want to avoid your bank or supermarket finding out too much about you.
But it is a strategy which is becoming increasingly popular. Last month YouGov reported that 16% of UK internet users have used a VPN, and 25% of those did it in order to avoid advertisers tracking their behaviour.