I read that browser or device fingerprinting is the "undeletable" cookie of the future. How do these fingerprinting methods work, and what kind of risks do they present to enterprises?
Cookies provide an acceptable method of identifying people and are now reasonably well understood by users. Most importantly, cookies put users in control of their privacy as they can be deleted at any time. However, fingerprints and other undeletable tracking methods change that as they are solely for the benefit of those wanting to covertly track users across the Internet. Existing countermeasures are of limited use; private browsing and incognito mode have no effect, and perversely, browser plug-ins that manage cookies and other tracking mechanisms are likely to make a user's fingerprint more distinct. Privacy plug-ins like Ghostery, though, should be able to control fingerprinting code served from known, third-party domains used for advertising or tracking.
Internet privacy laws have mainly proved ineffective at protecting users from aggressive tracking technologies, but a European Union privacy watchdog has confirmed that consent rules in the EU's Privacy and Electronic Communications (e-Privacy) Directive are applicable to device fingerprinting and other cookie-alternative technologies. Fingerprints can constitute personal data; therefore the processing of that information is subject to data protection laws. Website administrators need to provide clear and comprehensive information about how any data collected is used and obtain users' consent for the purposes of using the information for targeted advertising, though it will be a lot harder to determine whether website admins honor the obligatory opt-out policy. Fingerprint data can be used without consent, of course, if it's used only for adapting the user interface to the device, for the provision of a service explicitly requested by the user, or as a security control to prevent unauthorized access to services. However, using fingerprinting as part of a broader mechanism for verifying the identity used to provide them with access to services would require the user's consent.