Home AdExplainer AdExplainer: What You Need To Know About Device Fingerprinting

AdExplainer: What You Need To Know About Device Fingerprinting

SHARE:
fingerprinting crackdown?

For more than a decade, the ad tech industry has tried to replace the term “fingerprinting” with euphemisms, like probabilistic modeling.

But too bad for ad tech, because the term stuck.

All of the major browsers and mobile operating system makers – mainly Google and Apple, with a little Mozilla and Microsoft in the mix – now explicitly cite “fingerprinting” as impermissible.

Fingerprinting is also a target for policy actions.

But what is fingerprinting?

Fingerprinting is a way for marketing and tech companies to approximately identify users or devices without an actual user ID.

Even without IDs, sites and apps collect data that can be used to create a type of digital signature – a fingerprint, if you will.

This data includes information about a user’s browser or OS type, battery and CPU details, screen size and orientation, clock type, language settings, keyboard plugins and more.

If, for example, a publisher doesn’t have a user’s email or other user-level ID, it might still be able to make an educated guess as to whether a person is revisiting their site by triangulating data points, such as connecting the same phone model, operating system and browser type, as well as the person using dark mode, a specific emoji keyboard and 24-hour time for their clock.

In 2018, before fingerprinting became a major target for browser operators, ad tech companies like Flashtalking and Criteo and cross-device graph providers used these non-identifier data points to improve match rates.

Another form is called Canvas fingerprinting. Canvas is an HTML5 API that enables graphics and animations through the use of JavaScript. When a site runs Canvas in the background to produce something on the page, such as graphics, font size or the background color setting, differences in the graphics processing unit of the device create slight changes in the rendering that can be stamped and recognized.

Comic: "Did you opt into this?"Why is this allowed?

In many cases, it’s not allowed. After all, fingerprinting is a tracking method that people can’t opt out of or into.

Apple and Google have both made it harder for ad tech companies to engage in fingerprinting. Google has made moves to restrict fingerprinting since at least 2019, and Apple has instituted explicit anti-fingerprinting policies.

But fingerprinting is still not actively enforced against.

The mobile ad tech industry was on tenterhooks during Apple’s Worldwide Developer Conference in June, because many expected Apple to release technical guidelines to prohibit fingerprinting.

There was a collective a sigh of relief after fingerprinting didn’t get a mention during the WWDC keynote. And although Apple did cast shade on fingerprinting during one of the follow-up developer sessions, it didn’t share plans for enforcement.

“With permission, tracking is allowed – but fingerprinting is never allowed,” said Julia Hanson, an Apple privacy engineer, during the WWDC session. “Regardless of whether a user gives your app permission to track, fingerprinting – or using signals from the device to try to identify the device or user – is not allowed per the Apple Developer Program License Agreement.”

And even without specific enforcement guidelines for apps, Apple has been cracking down on web-based fingerprinting through Intelligent Tracking Prevention for years. (Mozilla has been doing the same over on Firefox, for that matter.)

Although Google has tracked a few years behind Apple on the removal of fingerprinting data, it’s made moves to phase out HTML user-agent strings (historically used to inform sites how to render properly) and zero out the Android Advertising ID so that it can’t be used for ad-targeting.

In browser parlance, user-agent strings and mobile ad IDs are known as “fingerprinting surfaces.” They have a stated use, but can also be co-opted for other purposes. The idea is to have as little surface as possible so as to prevent fingerprinting while balancing the user experience and still supporting publisher businesses.

The same goes for mobile operating systems and app developers. If Apple did flip a switch and begin to enforce its definition of fingerprinting in apps, popular mobile measurement vendors with large SDK networks might be in violation and all the apps that carry them would be suddenly thrown into disarray.

What can be done?

Although fingerprinting hasn’t been completely quashed, Apple, Google, Mozilla, Microsoft and others have developed built-in browsers features to limit the practice and removed data exhaust to make fingerprinting much less effective.

Although a fingerprint might sound like it should last forever, after a day or two, the constellation of data points that were used to create a device fingerprint typically no longer hold together, Grant Simmons, the head of client analytics at mobile attribution platform Kochava, previously told AdExchanger.

The challenge is that tougher enforcement against fingerprinting comes with real tradeoffs.

Removing all fingerprinting surfaces is detrimental to user experience. After all, developers and publishers collect device data and run Canvas for practical reasons. They need to have interactive features, know when to turn to low-power mode, how to render images based on the type of phone and know the user’s time of day.

Firefox is working on a fingerprinting protection feature, but warns users it’s “likely” the feature “may degrade your Web experience so we recommend it only for those willing to test experimental features.”

So, what common issues crop up for Firefox users who download the hardcore fingerprint protection?

Not all fonts are available, their time zone is reported as UTC (Greenwich England), their microphone and webcam preferences are turned off and their site-specific Zoom settings or other services could be disrupted. That’s to name just a few of what Mozilla refers to as “not an exhaustive list” of features that may be altered or disabled.

Guess there’s still no easy off switch for fingerprinting.

Must Read

With Match Rates Falling, Is Effective Attribution Just An Illusion?

Attribution isn’t all it’s cracked up to be. Just ask Cimin Ahmadi Cohen, founder and CEO of Idea Peddler, a full-service agency based in Austin Texas.

Google’s Meridian And Meta’s Robyn: A Gift To Measurement Or Trojan Horses?

Google and Meta are quietly rewriting the rules of ad measurement, and they’re doing it with open-source marketing mix modeling tools that many marketers don’t even realize they’re using.

This New Training Framework Gives Publishers A Say In How AI Uses Their Work

The SAIL initiative compensates publishers when AI scrapes their content and guarantees the outputs adhere to the same cultural standards they apply to their own coverage.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

AI Is Spreading Inaccurate Information About Brands. This Tool Can Help Fix That

Brands can’t just focus on how often they show up in AI search. They also need to pay attention to accuracy – and know what to do when AI gets it wrong.

This K-Beauty Brand Is Collapsing The Marketing Funnel To Grow Its US Customer Base

The “K” in “K-beauty” stands for “Korean.” But it should also stand for “kaboom” because Korean beauty product sales are exploding internationally, especially in the US market.

LinkNYC Kiosks Have Started Airing World Cup Games – TV Ads And All

The cinematic trope of people stopping to watch the news on a storefront TV display feels pretty out of date today. But sometimes, life can still imitate art.