Spanish Data Protection Supervisory Authority, AEPD, published guidelines on device fingerprinting.
What is fingerprinting?
Beyond cookies or pixels, there are other techniques of identification and monitoring on the Internet that allow the realization of profiles and potential profitability of the data associated with them. This category displays the so-called fingerprinting of the device, which is defined as a systematic compilation of information about a particular remote computer in order to identify it and singularize it. While it can be done for a legitimate purpose such as enabling multiple-authentication mechanisms, it can also be used for tracking and profiling, with the ultimate goal of exploiting such data, although initially the information is collected with a technical purpose.
How is Privacy affected by fingerprinting?
Given that people usually tend not to share their devices, singling out a device involves in general terms the identification of an individual, which points out the need of applying Data Protection rules. An additional concern in this regard comes from the possibility to reassign the linked information to the user even when cookies have been deleted, so fingerprinting prevents the loss of the traceability of the user’s browser habits or indeed It can be used for the tracking as such, which increases the risk for the rights and freedoms of the individuals, who most times are not even aware of the tracking.
There are three main elements which allow the identification of a singular device, thus its user by means of fingerprinting:
- Gathering a set of massive discrimination data.
- Global nature of the internet.
- Unique ID.
Can users block the fingerprinting?
Even if there is no current option to completely block fingerprinting, most browsers allow users to set up their privacy preferences. World Wide Web Consortium (W3C) proposed a mechanism called Do Not Track (DNT) which gives the user an option to disable web tracking on the device. W3C claims that DNT should be opted-in by default without requiring any positive action from the user.
That said, websites should check this parameter through javascript function calls to the user’s device, in order to allow the controller to know the user’s preferences, thus their options for processing such data. However, an analysis carried out by the AEPD showed that only 16,72% of sites check DNT before processing their users’ information, and most of the cases where the DNT option is activated, the sites kept collecting the fingerprint, ignoring the user’s wishes. Furthermore, those programs even use the DNT request itself as an additional unique identification factor.
Other alternatives to protect Privacy on the internet:
- Installation of blockers.
- Disabling use of Javascript.
- Alternating different browsers.
- Execution of access to internet in virtual machines.
- Limiting the installation of browser extensions.
Privacy and data protection requirements for the industry
For manufacturers and developers:
- Products with privacy settings.
- Maximum level of data protection by default.
Controllers that use fingerprinting:
- Checking DNT preferences before processing any data.
- Gathering users’ consent (even where DNT is disabled).
- Including fingerprinting in the record of processing activities.
- Data Protection Officer Advice and overview.
- Risks analysis and Data Protection Impact Assessment where relevant, considering:
- The impact of the disclosure of profiling information contained in the database.
- In relation to the above, access to said information by governmental or political organisations.
- The use of social, cultural or racial bias leading to automatic decisions.
- Access by employees or third parties to specific users’ data.
- The use of the data to social, political or general harassment.
- The excessive collection of data and their retention for excessive periods.
- The impact on the perception of the freedom of use of profiling information.
- The manipulation of user’s wishes, beliefs and emotional state.
- In relation to the above, the risk of re-identification.
Fingerprint risks are covered by GDPR Article 30, which generically refers to online identifiers, which means data protection rules directly apply to fingerprint.