Browser fingerprinting is on a collision course with privacy regulations. For almost a decade, EFF has been raising awareness about this tracking technique with projects like Panopticlick. Compared to more well-known tracking “cookies,” browser fingerprinting is trickier for users and browser extensions to combat: websites can do it without detection, and it’s very difficult to modify browsers so that they are less vulnerable to it. As cookies have become more visible and easier to block, companies have been increasingly tempted to turn to sneakier fingerprinting techniques.
But companies also have to obey the law. And for residents of the European Union, the General Data Protection Regulation (GDPR), which entered into force on May 25th, is intended to cover exactly this kind of covert data collection. The EU has also begun the process of updating its ePrivacy Directive, best known for its mandate that websites must warn you about any cookies they are using. If you’ve ever seen a message asking you to approve a site’s cookie use, that’s likely based on this earlier Europe-wide law.
This leads to a key question: Will the GDPR require companies to make fingerprinting as visible to users as the original ePrivacy Directive required them to make cookies?
The answer, in short, is yes. Where the purpose of fingerprinting is tracking people, it will constitute “personal data processing” and will be covered by the GDPR.
What is browser fingerprinting and how does it work?
When a site you visit uses browser fingerprinting, it can learn enough information about your browser to uniquely distinguish you from all the other visitors to that site. Browser fingerprinting can be used to track users just as cookies do, but using much more subtle and hard-to-control techniques. In a paper EFF released in 2010, we found that the majority of users’ browsers were uniquely identifiable given existing fingerprinting techniques. Those techniques have only gotten more complex and obscure in the intervening years.
By using browser fingerprinting to piece together information about your browser and your actions online, trackers can covertly identify users over time, track them across websites, and build an advertising profile of them. The information that browser fingerprinting reveals typically includes a mixture of HTTP headers (which are delivered as a normal part of every web request) and properties that can be learned about the browser using JavaScript code: your time zone, system fonts, screen resolution, which plugins you have installed, and what platform your browser is running on. Sites can even use techniques such as canvas or WebGL fingerprinting to gain insight into your hardware configuration.
When stitched together, these individual properties tell a unique story about your browser and the details of your browsing interactions. For instance, yours is likely the only browser on central European time with cookies enabled that has exactly your set of system fonts, screen resolution, plugins, and graphics card.
By gathering that information together and storing it on its own servers, a site can track your browsing habits without the use of persistent identifiers stored on your computer, like cookies. Fingerprinting can also be used to recreate a tracking cookie for a user after the user has deleted it. Users who are aware of cookies can remove them within their browser settings, but fingerprinting subverts the built-in browser mechanisms that allow users to avoid being tracked.
And this doesn’t just apply to the sites you visit directly. The pervasive inclusion of remote resources, like fonts, analytics scripts, or social media widgets on websites means that the third parties behind them can track your browsing habits across the web, rather than just on their own websites.
Aside from the limited case of fraud detection (which needs transparency and opt-in consent for any further processing), browser fingerprinting offers no functionality to users. When the popular social media widget provider AddThis started using canvas fingerprinting in 2014, the negative reaction from their users was so overwhelming that they were forced to stop the practice.
Some fingerprinting tricks are potentially detectable by end-users or their software: for instance, a site changing some text into multiple fonts extremely quickly is probably scanning to see which fonts a user has installed. Privacy Badger, a browser extension that we develop at EFF, detects canvas fingerprinting to determine when a site looks like a tracker. And a W3C guidance document draft for web specification authors advises them to develop their specs with fingerprinting detectability in mind. Unfortunately, however, new and more covert techniques to fingerprint users are being discovered all the time.
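The two detectable signals described above, rapid font cycling and canvas pixel readback, can be checked offline against a recorded trace of style and canvas API calls. The following is an added example, not code from the EFF post or from Privacy Badger; the trace format, the per-script tagging and the thresholds (20 fonts within 500 ms, a 16-pixel canvas floor) are assumptions made for this illustration.

```javascript
// Simplified offline detector for the two signals in the text (example, not Privacy Badger's code).
// Constructed trace of style/canvas API calls tagged with the calling script's origin.
function constructedTrace() {
  const ev = [];
  // Tracker script cycles 25 fonts on one element within ~50 ms ...
  for (let i = 0; i < 25; i++) {
    ev.push({ t: 100 + i * 2, script: "tracker.example", op: "setFont", el: "span#probe", font: `Font${i}` });
  }
  // ... then draws text on a 300x150 canvas and reads the pixels back.
  ev.push({ t: 200, script: "tracker.example", op: "fillText", canvas: "c1", w: 300, h: 150 });
  ev.push({ t: 201, script: "tracker.example", op: "toDataURL", canvas: "c1", w: 300, h: 150 });
  // First-party chart: one font change, draws on a canvas, never reads it back.
  ev.push({ t: 300, script: "site.example", op: "setFont", el: "h1", font: "Georgia" });
  ev.push({ t: 301, script: "site.example", op: "fillText", canvas: "c2", w: 600, h: 400 });
  // Tiny 8x8 icon read back by the first party: below the size floor, not flagged.
  ev.push({ t: 400, script: "site.example", op: "fillText", canvas: "c3", w: 8, h: 8 });
  ev.push({ t: 401, script: "site.example", op: "getImageData", canvas: "c3", w: 8, h: 8 });
  return ev;
}

// Font scan: one script assigns >= minFonts distinct font-families to the same element within windowMs.
function detectFontScan(events, minFonts = 20, windowMs = 500) {
  const hits = new Set();
  const fe = events.filter(e => e.op === "setFont").sort((a, b) => a.t - b.t);
  for (let i = 0; i < fe.length; i++) {
    const seen = new Set();
    for (let j = i; j < fe.length && fe[j].t - fe[i].t <= windowMs; j++) {
      if (fe[j].script === fe[i].script && fe[j].el === fe[i].el) seen.add(fe[j].font);
    }
    if (seen.size >= minFonts) hits.add(fe[i].script);
  }
  return hits;
}

// Canvas readback: text drawn on a canvas >= minSize px in both dimensions, then pixels extracted.
function detectCanvasReadback(events, minSize = 16) {
  const drew = new Set(); // "script|canvas" pairs that have drawn text
  const hits = new Set();
  for (const e of [...events].sort((a, b) => a.t - b.t)) {
    if (e.canvas === undefined || e.w < minSize || e.h < minSize) continue;
    const key = `${e.script}|${e.canvas}`;
    if (e.op === "fillText") drew.add(key);
    else if ((e.op === "toDataURL" || e.op === "getImageData") && drew.has(key)) hits.add(e.script);
  }
  return hits;
}

// Per-script verdict combining both signals.
function classify(events) {
  const fonts = detectFontScan(events), canvas = detectCanvasReadback(events);
  const verdict = {};
  for (const s of new Set(events.map(e => e.script))) {
    verdict[s] = [...(fonts.has(s) ? ["font-scan"] : []), ...(canvas.has(s) ? ["canvas-readback"] : [])];
  }
  return verdict;
}
```

In a browser the same logic would hang off wrapped CanvasRenderingContext2D and CSSStyleDeclaration setters; here the trace is replayed so the heuristics can be exercised without a DOM.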
Fingerprinting After the GDPR
You’ll struggle to find fingerprinting explicitly mentioned in the GDPR—but that’s because the EU has learned from earlier data protection laws and the current ePrivacy Directive to remain technologically neutral.
Apart from non-binding recitals (like Recital 30, discussing cookies), the GDPR avoids calling out specific technologies or giving exhaustive lists and examples. Instead, it provides general rules that the drafters felt should be neutral, flexible, and keep up with technological development beyond fingerprinting and cookies. Below we explain how those general rules apply to tracking Internet users, no matter what technique is used.
Browser Characteristics as Personal Data
The cornerstone of the GDPR is its broad definition of personal data.[1] Personal data is any information that might be linked to an identifiable individual. This definition not only covers all sorts of online identifiers (such as your computer’s MAC address, your network’s IP address, or an advertising user ID in a cookie) but also less specific features — including the combination of browser characteristics that fingerprinting relies upon. The key condition is that a given element of information relates to an individual who can be directly or indirectly identified.
It is also worth noting that under the GDPR “identification” does not require establishing a user’s identity. It is enough that an entity processing data can indirectly identify a user, based on pseudonymous data, in order to perform certain actions based on such identification (for instance, to present different ads to different users, based on their profiles). This is what EU authorities refer to as singling-out[2], linkability[3], or inference.[4]
The whole point of fingerprinting is the ability of the tracking company (data controller) to indirectly identify unique users among the sea of Internet users in order to track them, create their behavioural profiles and, finally, present them with targeted advertising. If the fingerprinting company has identification as its purpose, the Article 29 Working Party (an advisory board comprised of European data protection authorities) decided over ten years ago, regulators should assume that “the controller … will have the means ‘likely reasonably to be used’ to identify the people” because “the processing of that information only makes sense if it allows identification of specific individuals.” As the Article 29 Working Party noted, “In fact, to argue that individuals are not identifiable, where the purpose of the processing is precisely to identify them, would be a sheer contradiction in terms.”[5]
Thus, when several information elements are combined (especially unique identifiers such as your set of system fonts) across websites (e.g. for the purposes of behavioral advertising), fingerprinting constitutes the processing of personal data and must comply with GDPR.[6]
Can Fingerprinting Be Legal Under The GDPR?
According to the GDPR, every entity processing personal data (including tracking user behavior online, matching ads with user profiles, or presenting targeted ads on their website) must be able to prove that they have a legitimate reason (by the definitions of the law) to do so.[7] The GDPR gives six possible legal grounds that enable processing data, with two of them being most relevant in the tracking/advertising context: user consent and the “legitimate interest” of whoever is doing the tracking.
How should this work in practice? User consent means an informed, unambiguous action (such as a change of settings from “no” to “yes”).[8] In order to be able to rely on this legal ground, companies that use fingerprinting would have to, in the first place, reveal the fingerprinting before it is executed and, then, wait for a user to give their freely-given informed consent. Since the very purpose of fingerprinting is to escape users’ control, it is hardly surprising that trackers refuse to apply this standard.
It is more common for companies that use fingerprinting to claim a “legitimate interest” in doing so, either their own or that of whoever is paying them to fingerprint users.
The concept of legitimate interest in the GDPR has been constructed as a compromise between privacy advocates and business interests.[9] It is much more vague and ambiguous than other legal grounds for processing data. In the coming months, you will see many companies who operate in Europe attempt to build their tracking and data collection of their users on the basis of their “legitimate interest.”
But that path won’t be easy for covert web fingerprinters. To be able to rely on this specific legal ground, every company that considers fingerprinting has to, first, go through a balancing test[10] (that is, verify for itself whether its interest in obscure tracking is not overridden by “the fundamental rights and freedoms of the data subject, including privacy” and whether it is in line with “reasonable expectations of data subjects”[11]) and openly lay out its legitimate interest argument for end-users. Second, and more importantly, the site has to share detailed information with the person that is subjected to fingerprinting, including the scope, purposes, and legal basis of such data processing.[12] Finally, if fingerprinting is done for marketing purposes, all it takes for end-users to stop it (provided they do not agree with the legitimate interest argument that has been made by the fingerprinter) is to say “no.”[13] The GDPR requires no further justification.
Running Afoul of the ePrivacy Rules
Fingerprinting also runs afoul of the ePrivacy Directive, which sets additional conditions on the use of device and browser identifiers. The ePrivacy Directive is a companion law, applying data protection rules more specifically in the area of communications. The Article 29 Working Party emphasised that fingerprinting—even if it does not involve processing personal data—is covered by Article 5(3) of the ePrivacy Directive (the section commonly referred to as the cookie clause) and thus requires user consent:
Parties who wish to process device fingerprints[14] which are generated through the gaining of access to, or the storing of, information on the user’s terminal device must first obtain the valid consent of the user (unless an exemption applies).[15]
While this opinion focused on device fingerprints, the logic still applies to browser fingerprints. Interpretations can vary according to national implementation and this has resulted in an inconsistent and ineffective application of the ePrivacy Directive, but key elements, such as the definition of consent, are controlled by the GDPR which will update its interpretation and operation. The EU aims to pass an updated ePrivacy Regulation in 2019, and current drafts target fingerprinting explicitly.
Looking at how web fingerprinting techniques have been used so far, it is very difficult to imagine companies moving from deliberate obscurity to full transparency and open communication with users. Fingerprinting companies will have to do what their predecessors in the cookie world did before now: face greater detection and exposure by coming clean about their practices, or slink even further behind the curtain, and hope to dodge European law.
Conclusion
When EFF first built Panopticlick in 2010, fingerprinting was largely a theoretical threat, in a world that was just beginning to wake up to the more obvious use of tracking cookies. Since then, we’ve seen more and more sites adopt the surreptitious methods we highlighted then, to disguise their behaviour from anti-tracking tools, or to avoid the increasing visibility and legal obligations of using tracking cookies within Europe.
With the GDPR in place, operating below the radar of European authorities and escaping rules that apply to commercial fingerprinting will be very difficult and—potentially—very expensive. To avoid severe penalties, fingerprinting companies should, at least, be more upfront about their practices.
But that’s just in theory. In practice, we don’t expect the GDPR to make fingerprinting disappear any time soon, just as the ePrivacy Directive did not end the use of tracking cookies. The GDPR applies to any company as long as they process the personal data of individuals living within the European Economic Area for commercial purposes, or for any purpose when the behavior is within the EEA. However, many non-EU sites who track individuals in Europe using fingerprinting may decide to ignore European law in the belief that they can escape the consequences. European companies will inevitably claim a “legitimate interest” in tracking, and may be prepared to defend this argument. Consumers may be worn down by requests for consent, or ignore artfully crafted confessions by the tracking companies.
The rationale behind fingerprinting, as it is used today, is to evade transparency and accountability and make tracking impossible to control. If this rationale holds, fingerprinters won’t be able to convince the EU’s courts and regulators that, indeed, it is their legitimate interest to do so. In fact, there’s nothing legitimate about this method of tracking: that’s what privacy laws like the GDPR recognize, and that’s what regulators will act upon. Before we see the results of their actions, browser companies, standards organizations, privacy advocates, and technologists will still need to work together to minimize how much third parties can identify about individual users just from their browsers.
[1] Article 29 Data Protection Working Party, Opinion 4/2007 on the concept of personal data; GDPR Rec. 26 and 30; Art 4 (1)
[2] Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques, pp 11-12. Singling-out: “the possibility to isolate some or all records which identify an individual in the dataset.”
[3] Article 29 Working Party, Opinion 05/2014 on Anonymisation Techniques, pp 11-12. Linkability: “the ability to link, at least, two records concerning the same data subject or a group of data subjects (either in the same database or in two different databases). If an attacker can establish (e.g. by means of correlation analysis) that two records are assigned to a same group of individuals but cannot single out individuals in this group, the technique provides resistance against ‘singling out’ but not against linkability.”
[4] Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques, pp 11-12. Inference: “the possibility to deduce, with significant probability, the value of an attribute from the values of a set of other attributes.”
[5] Article 29 Data Protection Working Party, Opinion 4/2007 on the concept of personal data; see also Article 29 Data Protection Working Party, Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting.
[6] It is possible to collect information on a browser’s fingerprint without allowing for indirect identification of a user, and therefore without implicating “personal data” under the GDPR, for example because no further operations, such as tracking user behaviour across the web or collecting the data allowing one to link non-unique browser characteristics to other data about the user, take place. This would be unusual outside of rare cases like a fingerprinting research project. In any event, the ePrivacy Directive also applies to non-personal data. See Article 29 Data Protection Working Party, Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting; ePrivacy Directive Art 5(3).
[7] GDPR Rec 40 and Art. 5(1)(a)
[8] GDPR Rec 42 and Art. 4(11); Article 29 Data Protection Working Party, Guidelines on consent under Regulation 2016/679
[9] Article 29 Data Protection Working Party, Opinion 6/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC; GDPR Rec 47 and Art 6(1)(f)
[10] See Recital 47 EU GDPR, "The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller."
[11] Article 29 Data Protection Working Party, Opinion 6/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC; GDPR Rec 47 and Art 6(1)(f)
[12] GDPR Art 13
[13] GDPR Art 21(2)
[14] See Article 29 Data Protection Working Party, Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting "The technology of device fingerprinting is not limited to the configuration parameters of a traditional web browser on a desktop PC. Device fingerprinting is not tied to a particular protocol either, but can be used to fingerprint a broad range of internet connected devices..." (p.4)
[15] Article 29 Data Protection Working Party, Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting