The privacy problem of cookie-free tracking methods: device fingerprinting

natfam-4086Cookie regulation in Europe is quite strict. In a previous blog we discussed the cookie law of France, Germany, Italy and the UK, focusing on information to users, user consent and consequences of violations. However, cookies are not the only method to track users. There are cookie-free tracking methods that are similarly invasive, for example “web-based device fingerprinting”. You might wonder if they are subject to a similar regulation.

What is web based device fingerprinting. A device fingerprint is a set of elements that “uniquely identifies particular devices or application” (see Article 29 Working Party’s Opinion 9/2014 on the application of Directive 2002/58/EC, E-Privacy Directive, to device fingerprinting). Web-based device fingerprinting combines benign characteristics of a browser’s environment (e.g., screen dimensions, list of installed fonts, date and language, clock information) to identify a unique fingerprint for that device. Such a fingerprint distinguishes one device from another and can be used to monitor internet-browsing behavior and to track users.[1] Device fingerprinting applies to a broad range of internet-connected devices (not only computers): electronics and applications, including those running on mobile FEDERICA_ROMANELLIdevices, smart TVs, gaming consoles, e-book readers, internet radio, in-car systems or smart meters.[2]

Privacy concerns. Unlike cookies, device fingerprinting is very difficult to detect; in fact, there are no visible effects. If end-users are not informed that they are being fingerprinted, they have no perception of it. In addition, opting out is basically impossible. Worse, users continue to be fingerprinted even if they have checked “Do Not Track” in their browser’s preferences (see here).

I.European perspective. Because no cookies are used, some authors maintain that no privacy concerns arise with fingerprinting and that the E-Privacy Directive does not apply. This being the case, websites would not be required to obtain users’ informed, specific, and freely given consent according to Article 5(3).

While there is no express provision dealing with fingerprinting, the WP29 opined that privacy rules apply to it. On November 25, 2014, the WP29 adopted Opinion 9/2014 on the application of Directive 2002/58/EC, as amended by Directive 2009/136 to device fingerprinting. According to Opinion 9/2014, Article 5(3) of the E-Privacy Directive is applicable to device fingerprinting.

Opinion 9/2014 expands upon the earlier Opinion 04/2012 on Cookie Consent Exemption. It indicates that Article 5(3) E-Privacy Directive does not apply exclusively to cookies but is also applicable to “similar technologies”:

 When a fingerprint is generated through the storage of or access to information stored in the user’s terminal device, the E-Privacy Directive applies. …

[Therefore, the processer of] device fingerprints which are generated through the gaining of access to or the storing of information on the user’s terminal device (…) may do so only with the valid consent of the user (unless an exemption applies).

 The WP29 disagrees with those who believe that “the use of unique codes or other values does not involve the processing of personal data”. Referring to Opinion 05/2014, the WP29 notices that the purpose of collecting and processing such data is “the delivery of personalised content and advertisements” to a specific user. It is therefore undeniable that “such unique identifiers qualify as personal data”.

The coming into force of the General Data Protection Regulation (GDPR) will not bring any clarification with regard to device fingerprinting. In light of the GDPR adoption, the E-Privacy Directive will have to be reviewed in order to ensure consistency with the content of the new Regulation. To prepare for this task, a study adopted by the European Commission considered the relationship of the E-Privacy Directive to the proposed Regulation. The outcome of the study was published as a report in June 2015. The document mentions the use of new technologies (like Javascripts and browser fingerprinting) that do not necessarily “store information or gain access to information already stored on the end-user’s equipment”. This document merely refers back to Opinion 9/2014 without providing any further specification. Therefore the situation should not change with the GDPR: Article 5(3), E-Privacy Directive, should remain applicable to cookies and to “similar technologies” (e.g., device fingerprinting).

To date it remains uncertain how consent to fingerprinting should be obtained, i.e. whether implied consent is adequate or if a more affirmative action such as an explicit opt-in is required. The Report proposes “explicitly requesting specific, active and prior consent in all cases where cookies or similar techniques are used for direct marketing purposes”.   The Report also highlights how also the scope of Art. 5(3) of E-Privacy Directive remains partially unclear. “Under which conditions is this provision applicable to providers established outside the Union and how can this provision be enforced in such cases? Which national law is applicable inside the Union?” It is basically unclear how device fingerprinting carried out by websites based outside the EU shall gather user’s valid consent.

Read WP29’s Opinion 9/2014 on device fingerprinting.

 II. US perspective. In the U.S. there is no specific regulation of device fingerprinting, either. The FTC has called upon Congress to provide technology neutral legislation:

The FTC supports legislation that permits consumers access to information collected about them and encourages security bills recently introduced. The handful of Congressional bills that are of greatest interest to Fingerprinters and data aggregators focus on limiting the volume of data that could be collected about children online, increases in data-aggregation transparency (both online and offline), and – most notably – Do Not Track. See here.

Bills in Congress are pending which focus on the accuracy of the data collected, transparency about collection, and ability of the individuals to express preferences on the use of the information collected.[3]

Self-regulatory principles exist, however. For example the Fair Information Practice Principles (FIPPs), suggesting that users should have notice and provide consent when identifying information is transferred. On June 23, 2016, the FTC updated its page offering consumers information about online tracking.

The National Advertisers Initiative (NAI), an advertising self-regulation organization, promotes responsible data collection and requires its members to provide users with notice, choice, transparency, and data security.

However, the FTC believes that self-regulation “has not gone far enough”. See here. As suggested in this article, “given how far data is distributed with fingerprinters, data aggregators, and data brokers, even the most comprehensive contract or code of conduct could leave users unprotected at various stages of the data lifecycle.” Let alone the fact that this type of tracking and storage of data may take place in several different countries.

Conclusion. The proliferation of means used to track online users behavior (cookie methods or cookie-free methods), which changed the classical conception of Personal Identifiable Information (PII) call for new solutions to address the social and ethical concerns of data collection.

For more information, Francesca Giannoni-Crystal and Federica Romanelli.

 

[1] In 2010, the Electronic Free Foundation’s Peter Eckersley demonstrated that among the half-million users with Java or Flash who visited panopticlick.eff.org, 94.2 percent of them could be identified and tracked without the need for browser or Flash cookies” but just by using the benign characteristics of a browser’s environment transmitting upon a website’s request.

[2] A study from KU Leuven-iMinds explains that fingerprinting is used for two main reasons: security and marketing. As for cybersecurity, think of fraud detection, protection against account hijacking, anti-bot and anti-scraping services, enterprise security management, protection against DDOS attacks, detection of stolen credentials. As for marketing, think of real-time targeted marketing, campaign measurement, reaching customers across devices, and limiting number of access to services. Research has shown that device fingerprinting is a technique already widely exploited and often utilized.

[3] In March 2015, Senator Ed Markey introduced S. 668, Data Broker Accountability and Transparency Act of 2015.  In February 2016, Senator Henry Johnson Jr. introduced H.R. 4516, Data Broker Accountability and Transparency Act of 2016.