I read that browser or device fingerprinting are the "undeletable" cookies of the future. How do these fingerprinting...
methods work, and what kind of risks do they present to enterprises?
Cookies provide an acceptable method of identifying people and are now reasonably well understood by users. Most importantly, cookies put users in control of their privacy as they can be deleted at any time. However, fingerprints and other undeletable tracking methods change that as they are solely for the benefit of those wanting to covertly track users across the Internet. Existing countermeasures are of limited use; private browsing and incognito mode have no effect, and perversely, browser plug-ins that manage cookies and other tracking mechanisms are likely to make a user's fingerprint more distinct. Privacy plug-ins like Ghostery, though, should be able to control fingerprinting code served from known, third-party domains used for advertising or tracking.
Internet privacy laws have mainly proved ineffective at protecting users from aggressive tracking technologies, but a European Union privacy watchdog has confirmed that consent rules in the EU's Privacy and Electronic Communications (e-Privacy) Directive are applicable to device fingerprinting and other cookie-alternative technologies. Fingerprints can constitute personal data; therefore the processing of that information is subject to data protection laws. Website administrators need to provide clear and comprehensive information about how any data collected is used and obtain users' consent for the purposes of using the information for targeted advertising, though it will be a lot harder to determine whether website admins honor the obligatory opt-out policy. Fingerprint data can be used without consent, of course, if it's used only for adapting the user interface to the device, for the provision of a service explicitly requested by the user, or as a security control to prevent unauthorized access to services. However, using fingerprinting as part of a broader mechanism for verifying the identity used to provide them with access to services would require the user's consent.
Ask the Expert:
Perplexed about application security? Send Michael Cobb your questions today. (All questions are anonymous.)
For U.S. companies, EU cookie compliance calls for website changes
Dig Deeper on Web browser security
Related Q&A from Michael Cobb
A technique called Process Doppelgänging was used by the SynAck ransomware to bypass security software. Expert Michael Cobb explains how this ... Continue Reading
A Telegram malware called Telegrab targets Telegram's desktop instant messaging service to collect and exfiltrate cache data. Expert Michael Cobb ... Continue Reading
Android P integrates Android Protected Confirmation, which provides sufficient trust in the authentication process. Learn more about this new feature... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.