Fingerprinting and what it means for privacy
This week we discuss device fingerprinting.
First, though, we want to know: do you feel safe against online identifiers? Do you frequently delete cookies?
It’s time to up your game and here’s why…
What is fingerprinting?
Beyond cookies and pixels, there are other techniques for identifying and monitoring users on the Internet. Fingerprinting can serve a legitimate purpose, such as enabling multiple-authentication mechanisms, but it can also be used for tracking and profiling, with the ultimate goal of exploiting the data, even where the information was initially collected for a technical purpose.
Privacy is affected by fingerprinting and here is how:
-Given that people tend not to share their devices, singling out a device allows an individual to be identified, which is why Data Protection rules need to be applied.
-An additional concern is the possibility of reassigning the linked information to the user even after cookies have been deleted.
An individual can be identified using fingerprinting. There are 3 main elements that allow a single device to be identified:
-The Global nature of the Internet.
-A Unique ID.
Fingerprinting risks are covered by the GDPR under recital 30, which refers generically to online identifiers, so data protection rules apply directly.
Tips for users:
-Set up your preferences in the browser settings.
-Opt in to the Do Not Track mechanism, which will allow you to disable web tracking on the device.
Tips for data controllers using fingerprinting:
-Check DNT preferences before processing any data.
-Gather users’ consent even where DNT is disabled.
-Include fingerprinting in the record of processing activities.
We advise you to:
-Carry out a risk analysis and Data Protection Impact Assessment where relevant, considering the impact of the disclosure of profiling information contained in the database.
-Avoid the use of social, cultural or racial bias leading to automatic decisions.
-Create access controls for employees or third parties to specific users’ data.
-Avoid the excessive collection of data and retention for excessive periods.
-Consider the impact on the perception of the freedom of use of profiling information.
-Avoid the manipulation of users’ wishes, beliefs and emotional state.
-Lastly, in relation to the above, consider the risk of re-identification.
If you need advice on your AI product, Aphaia offers both AI ethics and Data Protection Impact Assessments.