In the context of online advertising and marketing, fingerprinting is a way for technology companies to identify an individual's browser or device based on its unique configuration. In this article, we will provide some context about fingerprinting and details about how Sourcepoint's Diagnose tool scans vendors for the possibility of fingerprinting.
- IAB references to fingerprinting
- Methods used for Possible Fingerprinting metric
- Determine method used for vendor discovered in scan
Fingerprinting is a hotly debated topic within the privacy and identity space due to its invasive nature. Some large companies such as Apple and Google have publicly made statements condemning the use of fingerprinting.
Although many companies do not openly talk about it, fingerprinting became popular in the ad tech space when Apple introduced Intelligent Tracking Prevention (ITP) on Safari and other browsers slowly followed suit in reducing companies' ability to drop cookies on users. In the absence of cookies, fingerprinting became a way for companies to become more addressable, and therefore more valued by advertisers.
Unlike cookies, which are stored client-side (i.e. on a browser or device), fingerprints are stored server-side (i.e. in a database). This makes it nearly impossible to determine whether a technology is indeed fingerprinting, but certain pieces of information can give it away.
Below are some examples of information that could be used in combination to form a fingerprint:
- IP address
- HTTP request headers
- User agent string
- Installed plugins (ironically, using plugins like Ghostery, Do Not Track Me, or Privacy Badger may make it easier for you to be fingerprinted)
- Client time zone
- Information about the client device: screen resolution, touch support, operating system, language
- Flash data provided by a Flash plugin
- List of installed fonts
- Silverlight data
- List of MIME types
IAB references to fingerprinting
The IAB TCF references fingerprinting in the following ways:
IAB TCF Features 1, 2, and 3
The IAB TCF features are disclosures of how vendors participating in the IAB TCF carry out a purpose.
- Feature 1: Store and/or access information on a device
- Feature 2: Link different devices
- Feature 3: Receive and use automatically-sent device characteristics for identification
These features are generally seen as part and parcel of IAB TCF Purpose 1 - Store and/or access information on a device (for example, storing the IP address or cookies found on a device as part of a profile in a server for identification).
IAB TCF Special Feature 2: Actively scan device characteristics for identification
Typically, IAB TCF Special Feature 2 is the form of fingerprinting that is generally frowned upon by the framework, and it requires explicit consent from the end-user. Publishers are given controls over Special Features so that they can signal to vendors within the framework that a Special Feature is not allowed.
For Diagnose's Possible Fingerprinting metric, we are looking for the more invasive techniques, which correspond to Special Feature 2.
Methods used for Possible Fingerprinting metric
The swfPath refers to a file location which can be called to display elements like fonts.
The devicePixelRatio is the ratio of physical pixels to CSS pixels for the current device. It is most commonly used when a site needs to tell the difference between rendering on a standard display and rendering on the many modern displays with a higher pixel density, such as HiDPI or Retina displays.
For example, a devicePixelRatio of 2 means that every CSS pixel will be rendered by 4 physical pixels on the screen (2 vertically and 2 horizontally). Since this value is tied to a physical device's properties, it can be used for fingerprinting. By itself, this method cannot identify devices with sufficient accuracy, but it is often applied alongside many others to increase accuracy.
Note: Editorial content can trigger this method, which is not considered fingerprinting. However, third party vendors should not be doing this.
For example, one of the critical ways that browsers differ is in font rendering. Anti-aliasing, hinting, and font availability can produce different results depending on your operating system, hardware, and settings. Additionally, differences in GPU or graphics drivers can further differentiate the image output. Drawing background colors and shapes on top of the text can help highlight these differences. Even if a single pixel's color is slightly different, that is enough to tell the outputs apart when they are compared.
Ability to fingerprint a wider array of fonts to increase fingerprint definition of the user.
If the end-user is using Internet Explorer, this method checks if any plugins are available. Browser plugins are one of the most common methods for identifying users and creating unique user profiles.
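The following added example (not Sourcepoint's or Diagnose's code) shows one way a scanner could attribute reads of the properties described above to the script that made them, and skip first-party reads as the note on editorial content suggests. The object stand-ins, the example origins, the use of `toDataURL` as the rendering readback, and the method labels are all assumptions made for illustration so that it runs outside a browser.

```javascript
// Added example; names and sample data are constructed, not Diagnose's own.
// Records which script origin reads fingerprinting-relevant properties.
const WATCHED = ['devicePixelRatio', 'plugins', 'toDataURL'];

// Wrap `obj` so every read of a watched property is logged together with
// the origin of the script that is currently executing.
function instrument(obj, log, currentOrigin) {
  return new Proxy(obj, {
    get(target, prop, receiver) {
      if (WATCHED.includes(prop)) log.push({ origin: currentOrigin(), method: prop });
      return Reflect.get(target, prop, receiver);
    },
  });
}

// Group reads by origin and report third parties only: first-party
// (editorial) code reading devicePixelRatio is expected behaviour.
function flagVendors(log, firstPartyOrigin) {
  const byOrigin = new Map();
  for (const { origin, method } of log) {
    if (origin === firstPartyOrigin) continue;
    if (!byOrigin.has(origin)) byOrigin.set(origin, new Set());
    byOrigin.get(origin).add(method);
  }
  return [...byOrigin].map(([vendor, methods]) => ({
    vendor,
    fingerprint_methods: [...methods].sort().join('|'),
  }));
}

// Constructed stand-ins for window, navigator and a canvas element.
function runDemo() {
  const log = [];
  let active = 'https://publisher.example';
  const origin = () => active;
  const win = instrument({ devicePixelRatio: 2 }, log, origin);
  const nav = instrument({ plugins: [] }, log, origin);
  const canvas = instrument({ toDataURL: () => 'data:image/png;base64,' }, log, origin);
  win.devicePixelRatio;                 // first-party layout code
  active = 'https://vendor-a.example';  // a third-party script starts running
  win.devicePixelRatio;
  nav.plugins;
  canvas.toDataURL();
  active = 'https://vendor-b.example';
  win.devicePixelRatio;
  return flagVendors(log, 'https://publisher.example');
}

console.log(runDemo());
```

A vendor reported with only `devicePixelRatio` is a weak signal on its own, while one that combines several methods is the stronger candidate for review.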
Determine method used for vendor discovered in scan
When a vendor is flagged in scans for the Possible Fingerprinting metric, we include the method used to flag the vendor in the export of the Detailed Breakdown table.
Navigate to the Detailed Breakdown table on the Possible Fingerprinting dashboard and click the export icon.
A CSV will be downloaded onto your local machine. In the CSV file, the method used to flag each vendor appears under the fingerprint_methods column.