Browser fingerprinting isn’t a new tactic, but it’s newly in the headlines as all of the primary web browsers – Safari, Firefox and now Chrome – crack down on the practice in the name of privacy.
The main problem with fingerprinting from a privacy perspective is that there’s no way for a consumer to opt out or to even know it’s happening.
The main problem from a digital marketing perspective, good, bad or indifferent, is that fingerprinting may soon no longer be a viable workaround to try and establish identity or do attribution when cookies or other device identifiers are not available.
But anyone who’s relying on this common practice in ad tech as a backup plan for when third-party cookies are blocked – either by default or by user choice – needs an alternative.
“The much bigger issue for us is what happens to cookies over time,” said Tanwir Danish, managing partner and head of data and analytics platforms for GroupM in North America. “The reality is that the same privacy concerns that apply to cookies apply to fingerprinting, especially when it comes to targeting consumers based on that information.”
But what exactly is fingerprinting, how effective is it, how pervasive, what use cases does it support – and what really happens when it goes away?
Behind the scenes
When a browser loads something, it acts as an agent on behalf of a user – hence the term “user agent” – to retrieve requested content. The browser, as the user agent, sees information about a device and the network it’s on, which the developer can use to customize the on-site experience to the visitor’s browser.
Every browser identifies itself with its own user agent string so that a server knows which browser it’s negotiating with to load content.
The fine print
Browser fingerprinting links device attributes and compresses that information into a hashed ID, usually in the form of a short numerical string.
Those attributes could include hundreds of seemingly generic data signals that wouldn’t mean much on their own, but together can be used to probabilistically determine identity and create persistent statistical identifiers in the absence of cookies.
In addition to the user agent string, sophisticated browser fingerprinting relies on collating everything from language settings, screen resolution, color depth, time zone, underlying operating system, the OS version and device type to the plug-ins, the type of graphics hardware being used and even whether someone has Do Not Track enabled (not that anyone actually respects it).
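An added illustration, not code from the article or from any vendor it quotes: it hashes a few of the attributes listed above into a short numeric ID and counts how many visitors in a constructed sample share each ID, showing why signals that are generic alone become identifying together and why withholding signals enlarges the crowd a visitor hides in. The sample population, the field names and the use of FNV-1a as the hash are assumptions.

```javascript
// Constructed sample population: every value is invented for illustration.
// Each single value is shared by four of the eight visitors.
const CHROME = "Chrome/74 Windows", FIREFOX = "Firefox/66 macOS";
const HD = "1920x1080x24", LAPTOP = "1366x768x24";
const NY = "America/New_York", CHI = "America/Chicago";
const visitors = [
  { ua: CHROME, lang: "en-US", screen: HD, tz: NY },
  { ua: CHROME, lang: "en-US", screen: LAPTOP, tz: CHI },
  { ua: CHROME, lang: "es-MX", screen: HD, tz: CHI },
  { ua: CHROME, lang: "es-MX", screen: LAPTOP, tz: NY },
  { ua: FIREFOX, lang: "en-US", screen: HD, tz: CHI },
  { ua: FIREFOX, lang: "en-US", screen: LAPTOP, tz: NY },
  { ua: FIREFOX, lang: "es-MX", screen: HD, tz: NY },
  { ua: FIREFOX, lang: "es-MX", screen: LAPTOP, tz: CHI },
];

// FNV-1a (32-bit) stands in for whatever hash a real tracker uses (assumption).
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return (h >>> 0).toString(10);
}

// Serialise the chosen attributes in a fixed order and hash them to a short numeric ID.
function fingerprint(visitor, keys) {
  return fnv1a(keys.map((k) => `${k}=${visitor[k]}`).join("|"));
}

// Group visitors by ID: the group size is the anonymity set each visitor sits in.
function anonymityReport(population, keys) {
  const sets = new Map();
  for (const v of population) {
    const id = fingerprint(v, keys);
    sets.set(id, (sets.get(id) || 0) + 1);
  }
  const sizes = [...sets.values()];
  return {
    distinctIds: sets.size,
    smallestSet: Math.min(...sizes),
    uniqueShare: sizes.filter((n) => n === 1).length / population.length,
  };
}

for (const keys of [["ua"], ["ua", "lang"], ["ua", "lang", "screen", "tz"]]) {
  console.log(keys.join("+"), anonymityReport(visitors, keys));
}
```

In this sample no visitor is unique on the user agent alone or on user agent plus language, while all eight are unique once screen and time zone are added; dropping signals from the hash moves them back into shared groups.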
Another approach, called canvas fingerprinting, exploits an element within HTML5 that helps graphics appear on a webpage and can be used to create a unique fingerprint of visitors. Unlike cookies, this data is not stored locally on a device, so users can’t opt out or delete the information.
That lack of transparency about where and how the data is sourced, how it’s commingled and how the models are developed is what has made fingerprinting such a black box, said Rohan Philips, global chief product officer at iProspect.
Fingers in many pies
Ask measurement or impression tracking vendors how effective fingerprinting is, and they’ll say it’s something like 95% accurate – although that’s a difficult number to verify, Hanford said.
Noting slight differences between devices can effectively pin a mostly unique ID to a browser when cookies aren’t available, dataxu’s Simmons said.
Dig a bit deeper, however, and the accuracy of fingerprinting over time isn’t all that great, said Grant Simmons, head of client analytics at mobile attribution platform Kochava.
Compared with deterministically matched attribution, fingerprinting is 98% accurate when the fingerprint match is made within the first 10 minutes, which is also when the majority (56%) of attribution occurs. If the attribution window is between 10 minutes and three hours, accuracy drops to 80%. Between three and 24 hours, using fingerprinting logic is a coin flip – only 50% accurate.
When the attribution window is longer than a day, forget about it.
“Once you get outside of 24 hours, it’s more wrong than right,” Kochava’s Simmons said. “The point being that fingerprinting can be accurate, but only within a narrow timeframe.”
A world without fingerprinting
Although it’s unclear exactly how the browsers plan to limit or scramble fingerprinting, let’s pretend that when we wake up tomorrow, the tactic is completely scuppered. What would happen?
Impression tracking, frequency capping, sequential targeting, multitouch attribution – anything that relies on persistent identity – will become more difficult or even impossible, Hanford said, and the open web will probably have to go back to earlier forms of targeting, like contextual, which is happening in any case thanks to stringent privacy regs like GDPR.
While privacy advocates would obviously be delighted, there could be collateral damage as the browsers reduce the signals available for fingerprint building, said dataxu’s Simmons.
The user experience could also suffer if the delivery of media is disjointed and there’s no easy way to create an omnichannel journey that flows for the consumer, GroupM’s Danish said.
But from the agency perspective, the loss of fingerprinting technology wouldn’t be a major blow, according to Chris Apostle, chief media officer at iCrossing.
“In the short term, I don’t see an overly significant impact to advertisers,” he said, “mainly because of companies like LiveRamp and others, which allow us to be much more capable of targeting without having to rely solely on the use of device data.”