I read that browser or device fingerprinting are the "undeletable" cookies of the future. How do these fingerprinting...
methods work, and what kind of risks do they present to enterprises?
Cookies provide an acceptable method of identifying people and are now reasonably well understood by users. Most importantly, cookies put users in control of their privacy as they can be deleted at any time. However, fingerprints and other undeletable tracking methods change that as they are solely for the benefit of those wanting to covertly track users across the Internet. Existing countermeasures are of limited use; private browsing and incognito mode have no effect, and perversely, browser plug-ins that manage cookies and other tracking mechanisms are likely to make a user's fingerprint more distinct. Privacy plug-ins like Ghostery, though, should be able to control fingerprinting code served from known, third-party domains used for advertising or tracking.
Internet privacy laws have mainly proved ineffective at protecting users from aggressive tracking technologies, but a European Union privacy watchdog has confirmed that consent rules in the EU's Privacy and Electronic Communications (e-Privacy) Directive are applicable to device fingerprinting and other cookie-alternative technologies. Fingerprints can constitute personal data; therefore the processing of that information is subject to data protection laws. Website administrators need to provide clear and comprehensive information about how any data collected is used and obtain users' consent for the purposes of using the information for targeted advertising, though it will be a lot harder to determine whether website admins honor the obligatory opt-out policy. Fingerprint data can be used without consent, of course, if it's used only for adapting the user interface to the device, for the provision of a service explicitly requested by the user, or as a security control to prevent unauthorized access to services. However, using fingerprinting as part of a broader mechanism for verifying the identity used to provide them with access to services would require the user's consent.
Ask the Expert:
Perplexed about application security? Send Michael Cobb your questions today. (All questions are anonymous.)
For U.S. companies, EU cookie compliance calls for website changes
Dig Deeper on Web browser security
Related Q&A from Michael Cobb
A recently discovered Drupal vulnerability in its open source CMS allowed attackers to control websites. Learn how almost one million sites were ... Continue Reading
Google instituted an aggressive ban on all cryptomining extensions for Chrome after cryptojacking attacks started to become more common. Learn how ... Continue Reading
With enterprises testing DNS over HTTPS to encrypt domain name traffic, some fear the potential privacy issues. Discover the challenges and benefits ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.