Overview:
1. A user’s device’s hardware, operating system, browser, and configuration are all included in a set of data called a “browser fingerprint.”
2. Via a simple script running inside a browser, a server can collect a wide variety of information from public interfaces called application programming interfaces (APIs), HTTP headers, device information, etc.
3. The method of gathering data from a web browser to create a device fingerprint is known as “browser fingerprinting.”
Cookies vs Browser Fingerprinting:
Cookies:
- Small pieces of data are stored on a user’s computer by a web browser when they visit a website. They are used to store information about the user, such as preferences and browsing history, and to track user behaviour on the website.
- They are typically used to improve the user experience by remembering information about the user and their preferences, but they can also be deleted, blocked, or turned off entirely.
- Cookie tracking involves placing a unique identifier on a person’s web browser, and fingerprinting occurs when a company (the website owner) creates a profile of the device’s unique characteristics.
- The General Data Protection Regulation (GDPR) regulates the rules for covert data collection, which is why websites often ask users to approve or disapprove of cookies.
Browser Fingerprinting:
- The information collected includes details about the browser, network, and device, such as the language used, keyboard layout, time zone, cookie settings, operating system version, etc.
- By combining all this information into a fingerprint, advertisers can recognise a user as they move from one website to another.
- Studies have shown that around 80–90% of browser fingerprints are unique.
- This is done by advertising technology companies that insert their code onto websites and collect data about online activity.
- Once established, a fingerprint can potentially be linked with other personal information, such as data held by brokers.
GDPR:
Browser fingerprinting also falls under the purview of the GDPR to protect user privacy. However, the regulation does not mention it explicitly.
The GDPR establishes six legal grounds that enable the processing of data, including user consent and the “legitimate interest” or consent of the person doing the tracking.
In the context of browser fingerprinting, these general rules apply as follows:
- Companies using fingerprinting must ensure that their interests in tracking user information do not override the user’s fundamental rights and freedoms, including their privacy.
- The website must also provide detailed information to the user about the scope, purposes, and legal basis of the data processing.
- Fingerprinting should be transparent when using and processing data about anonymous visitors.
Browser fingerprint technology has enabled marketers to run targeted campaigns on the internet at any stage of the marketing funnel.
Parameters and the Math:
Uniqueness: This means providing enough ground for identification; the more unique a fingerprint, the more identifiable it is. A fingerprint is unique when it has an attribute whose value is present only once in the whole dataset, or when the combination of all its attributes is unique in the whole dataset.
Stability: This links the browser fingerprints that belong to the same device. For stability, the quantity of modified information (each time the user’s fingerprint is obtained) should be as small as possible.
Entropy: Defines the amount of uniqueness that a specific property exposed by the browser (such as the User-Agent header) introduces into a browser fingerprint. Usually expressed in bits, the higher the entropy, the more unique and identifiable a fingerprint will be.
Once a new dataset has been tested repeatedly and gives similar, correlated probability outputs, we can say that a technique is effective in terms of its ability to say that a fingerprint is unique!
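The three parameters above can be measured directly on a set of collected fingerprints. The following is an added example, not code from the original article: the dataset, the attribute values (such as "UA-A") and the function names are all constructed for illustration. It goes slightly beyond the text by also computing the identifying bits of one whole fingerprint.

```javascript
// Constructed sample dataset: six fingerprints, four attributes each.
const DATASET = [
  { userAgent: "UA-A", timezone: "Asia/Kolkata", language: "en-IN", screen: "1920x1080" },
  { userAgent: "UA-A", timezone: "Asia/Kolkata", language: "en-IN", screen: "1920x1080" },
  { userAgent: "UA-A", timezone: "Asia/Kolkata", language: "hi-IN", screen: "1366x768" },
  { userAgent: "UA-B", timezone: "Europe/Berlin", language: "de-DE", screen: "1920x1080" },
  { userAgent: "UA-B", timezone: "Asia/Kolkata", language: "en-IN", screen: "2560x1440" },
  { userAgent: "UA-C", timezone: "America/New_York", language: "en-US", screen: "1920x1080" },
];

// Count how often each key produced by keyFn occurs in the dataset.
function counts(dataset, keyFn) {
  const m = new Map();
  for (const fp of dataset) { const k = keyFn(fp); m.set(k, (m.get(k) || 0) + 1); }
  return m;
}

// Canonical key for a whole fingerprint, independent of attribute order.
const comboKey = (fp) => JSON.stringify(Object.keys(fp).sort().map((k) => [k, fp[k]]));

// Entropy: Shannon entropy (bits) that one attribute contributes across the dataset.
function attributeEntropy(dataset, attr) {
  let h = 0;
  for (const c of counts(dataset, (fp) => String(fp[attr])).values()) {
    const p = c / dataset.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Uniqueness: share of fingerprints whose attribute combination occurs exactly once.
function uniqueFraction(dataset) {
  const c = counts(dataset, comboKey);
  return dataset.filter((fp) => c.get(comboKey(fp)) === 1).length / dataset.length;
}

// Identifying bits of one fingerprint: -log2 of its share of the dataset.
function surprisal(dataset, fp) {
  const n = counts(dataset, comboKey).get(comboKey(fp)) || 0;
  return n === 0 ? Infinity : -Math.log2(n / dataset.length);
}

// Stability: share of attributes unchanged between two observations of one device.
function stability(before, after) {
  const keys = Object.keys(before);
  return keys.filter((k) => before[k] === after[k]).length / keys.length;
}
```

On this sample, the time zone carries less entropy than the user agent because four of the six devices share one value, and a single changed attribute out of four leaves a stability of 0.75.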
Blueprint: Using Browser Fingerprinting for Authentication
Information gathered:
Browser fingerprinting can gather a lot of information (more than 100 data attributes) from a browser, for example:
- Device model
- Operating system
- Browser version
- User time zone
- Preferred language settings
- Keyboard layout
- Ad blocker used
- Screen resolution
- Tech specs of the CPU, graphics card, etc.
The logic is to have enough specifics about a user’s device and settings to pinpoint them in a sea of internet users.
A specific fingerprinting technology employs several cutting-edge browser identification methods to gather over 100 individual signals.
These signals are combined with server-side analysis and deduplication to generate a visitor ID, providing a persistent and valuable abstraction of a browser fingerprint, which can be volatile if a user changes settings or updates software on their device.
Watch this space for Part 2!
Author:
Vaibhav Chandel, Product Manager
Wibmo A PayU/Naspers FinTech Company