I read that browser or device fingerprinting are the "undeletable" cookies of the future. How do these fingerprinting...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
methods work, and what kind of risks do they present to enterprises?
Cookies provide an acceptable method of identifying people and are now reasonably well understood by users. Most importantly, cookies put users in control of their privacy as they can be deleted at any time. However, fingerprints and other undeletable tracking methods change that as they are solely for the benefit of those wanting to covertly track users across the Internet. Existing countermeasures are of limited use; private browsing and incognito mode have no effect, and perversely, browser plug-ins that manage cookies and other tracking mechanisms are likely to make a user's fingerprint more distinct. Privacy plug-ins like Ghostery, though, should be able to control fingerprinting code served from known, third-party domains used for advertising or tracking.
Internet privacy laws have mainly proved ineffective at protecting users from aggressive tracking technologies, but a European Union privacy watchdog has confirmed that consent rules in the EU's Privacy and Electronic Communications (e-Privacy) Directive are applicable to device fingerprinting and other cookie-alternative technologies. Fingerprints can constitute personal data; therefore the processing of that information is subject to data protection laws. Website administrators need to provide clear and comprehensive information about how any data collected is used and obtain users' consent for the purposes of using the information for targeted advertising, though it will be a lot harder to determine whether website admins honor the obligatory opt-out policy. Fingerprint data can be used without consent, of course, if it's used only for adapting the user interface to the device, for the provision of a service explicitly requested by the user, or as a security control to prevent unauthorized access to services. However, using fingerprinting as part of a broader mechanism for verifying the identity used to provide them with access to services would require the user's consent.
Ask the Expert:
Perplexed about application security? Send Michael Cobb your questions today. (All questions are anonymous.)
For U.S. companies, EU cookie compliance calls for website changes
Dig Deeper on Web browser security
Related Q&A from Michael Cobb
Android for Work's sandboxing tools, which split work and personal profiles, can be bypassed with a proof-of-concept attack. Expert Michael Cobb ...continue reading
Yahoo claimed a vulnerability in its email service enabled attackers to use forged cookies to gain access to user accounts. Expert Michael Cobb ...continue reading
A researcher discovered 76 iOS apps containing sensitive user data that were vulnerable to man-in-the-middle attacks. Expert Michael Cobb explains ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.