Interesting People mailing list archives

The GDPR and Browser Fingerprinting: How It Changes the Game for the Sneakiest Web Trackers


From: "Dave Farber" <farber () gmail com>
Date: Thu, 21 Jun 2018 15:37:54 +0900




Begin forwarded message:

From: Dewayne Hendricks <dewayne () warpspeed com>
Date: June 21, 2018 at 14:52:01 GMT+9
To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
Subject: [Dewayne-Net] The GDPR and Browser Fingerprinting: How It Changes the Game for the Sneakiest Web Trackers
Reply-To: dewayne-net () warpspeed com

The GDPR and Browser Fingerprinting: How It Changes the Game for the Sneakiest Web Trackers
By KATARZYNA SZYMIELEWICZ AND BILL BUDINGTON
Jun 19 2018
<https://www.eff.org/deeplinks/2018/06/gdpr-and-browser-fingerprinting-how-it-changes-game-sneakiest-web-trackers>

Browser fingerprinting is on a collision course with privacy regulations. For almost a decade, EFF has been raising 
awareness about this tracking technique with projects like Panopticlick. Compared to more well-known tracking 
“cookies,” browser fingerprinting is trickier for users and browser extensions to combat: websites can do it without 
detection, and it’s very difficult to modify browsers so that they are less vulnerable to it. As cookies have become 
more visible and easier to block, companies have been increasingly tempted to turn to sneakier fingerprinting 
techniques.

But companies also have to obey the law. And for residents of the European Union, the General Data Protection 
Regulation (GDPR), which entered into force on May 25th, is intended to cover exactly this kind of covert data 
collection. The EU has also begun the process of updating its ePrivacy Directive, best known for its mandate that 
websites must warn you about any cookies they are using. If you’ve ever seen a message asking you to approve a site’s 
cookie use, that’s likely based on this earlier Europe-wide law.

This leads to a key question: Will the GDPR require companies to make fingerprinting as visible to users as the 
original ePrivacy Directive required them to make cookies?

The answer, in short, is yes. Where the purpose of fingerprinting is tracking people, it will constitute “personal 
data processing” and will be covered by the GDPR.

What is browser fingerprinting and how does it work?

When a site you visit uses browser fingerprinting, it can learn enough information about your browser to uniquely 
distinguish you from all the other visitors to that site. Browser fingerprinting can be used to track users just as 
cookies do, but using much more subtle and hard-to-control techniques. In a paper EFF released in 2010, we found that 
a majority of users’ browsers were uniquely identifiable given existing fingerprinting techniques. Those techniques 
have only gotten more complex and obscure in the intervening years.

By using browser fingerprinting to piece together information about your browser and your actions online, trackers 
can covertly identify users over time, track them across websites, and build an advertising profile of them. The 
information that browser fingerprinting reveals typically includes a mixture of HTTP headers (which are delivered as 
a normal part of every web request) and properties that can be learned about the browser using JavaScript code: your 
time zone, system fonts, screen resolution, which plugins you have installed, and what platform your browser is 
running on. Sites can even use techniques such as canvas or WebGL fingerprinting to gain insight into your hardware 
configuration.

When stitched together, these individual properties tell a unique story about your browser and the details of your 
browsing interactions. For instance, yours is likely the only browser on central European time with cookies enabled 
that has exactly your set of system fonts, screen resolution, plugins, and graphics card.

By gathering that information together and storing it on its own servers, a site can track your browsing habits 
without the use of persistent identifiers stored on your computer, like cookies. Fingerprinting can also be used to 
recreate a tracking cookie for a user after the user has deleted it. Users that are aware of cookies can remove them 
within their browser settings, but fingerprinting subverts the built-in browser mechanisms that allow users to avoid 
being tracked.

And this doesn’t just apply to the sites you visit directly. The pervasive inclusion of remote resources, like fonts, 
analytics scripts, or social media widgets on websites means that the third parties behind them can track your 
browsing habits across the web, rather than just on their own websites. 

Aside from the limited case of fraud detection (which needs transparency and opt-in consent for any further 
processing), browser fingerprinting offers no functionality to users. When the popular social media widget provider 
AddThis started using canvas fingerprinting in 2014, the negative reaction from their users was so overwhelming that 
they were forced to stop the practice.

[snip]

Dewayne-Net RSS Feed: http://dewaynenet.wordpress.com/feed/
Twitter: https://twitter.com/wa8dzp
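
The article's point that individually common properties become unique "when stitched together" can be measured, which is how a defender audits their own browser's exposure. The sketch below is an added example, not code from EFF, Panopticlick, or the forwarded message; the eight-browser population, attribute names, and the `normalize` mitigation helper are constructed assumptions.

```javascript
// Constructed sample population (not real data): attributes a site could observe.
const mk = (tz, screen, platform, fonts, gpu) => ({ tz, screen, platform, fonts, gpu });
const POPULATION = [
  mk("Europe/Warsaw", "1920x1080", "Win32", "setA", "gpuX"), // the browser we audit
  mk("Europe/Warsaw", "1920x1080", "Win32", "setA", "gpuY"),
  mk("Europe/Warsaw", "1366x768", "Win32", "setB", "gpuX"),
  mk("Europe/Warsaw", "1920x1080", "MacIntel", "setC", "gpuZ"),
  mk("America/New_York", "1920x1080", "Win32", "setA", "gpuX"),
  mk("America/New_York", "1366x768", "Win32", "setB", "gpuY"),
  mk("America/New_York", "1920x1080", "MacIntel", "setC", "gpuZ"),
  mk("Asia/Tokyo", "1920x1080", "Win32", "setA", "gpuX"),
];
const ATTRS = ["tz", "screen", "platform", "fonts", "gpu"];

// Browsers sharing the target's value for every attribute in `attrs`.
function anonymitySet(population, target, attrs) {
  return population.filter((b) => attrs.every((a) => b[a] === target[a]));
}

// Identifying information in bits: log2(population size / anonymity set size).
function identifyingBits(population, target, attrs) {
  return Math.log2(population.length / anonymitySet(population, target, attrs).length);
}

// Add attributes one at a time and record how the anonymity set shrinks.
function narrowing(population, target, attrs) {
  return attrs.map((_, i) => {
    const used = attrs.slice(0, i + 1);
    return {
      used: used.join("+"),
      setSize: anonymitySet(population, target, used).length,
      bits: identifyingBits(population, target, used),
    };
  });
}

// Hypothetical mitigation: every browser reports the same value for `attrs`,
// so those attributes stop distinguishing anyone.
function normalize(population, attrs, value = "standard") {
  return population.map((b) => {
    const copy = { ...b };
    attrs.forEach((a) => { copy[a] = value; });
    return copy;
  });
}

console.table(narrowing(POPULATION, POPULATION[0], ATTRS));
```

In this constructed population no single attribute isolates the first browser, but all five together leave an anonymity set of one; standardizing the font and GPU values across the population puts it back in a set of two.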




