Fingerprinting evolved with the development of web browsers and is intertwined with the history of the web. As browsers have matured, they’ve communicated more with servers — via APIs and HTTP headers — about people’s device settings, says Bielova, who has studied the development of fingerprints. The Electronic Frontier Foundation (EFF) first identified fingerprints in 2010. Since then, fingerprinting has become increasingly common as advertisers try to circumvent cookie blocks and restrictions placed by Google and Apple on ad tracking.
So how bad is it?
While there is little transparency around the companies that run fingerprint scripts, the practice is apparently widespread on the web. Many of the websites you visit will fingerprint your device; 2020 survey found that a quarter of the world’s top 10,000 websites run fingerprinting scripts.
New ways of capturing fingerprints are also being created. “Existing fingerprint algorithms are not the upper limit in terms of trackability,” says Gaston Pugliese, a research associate at the Friedrich-Alexander-Universität in Germany who has studied the long-term impact of fingerprints. For example, earlier this year researchers proved they could fingerprint GPUs to identify people. Tracking people across browsers is also possible.
But not all fingerprints are bad. David Em, chief security researcher at Kaspersky, says the technique can often be used as a way to detect potential fraud, such as banks using it to identify suspicious behavior.
However, the widespread use of fingerprints to target advertising and track people’s online movements raises legal issues. Regulators across Europe are calling for restrictions on cookie banners that appear on websites and ask people if they give their permission to be tracked. Banners are so ubiquitous (and frustrating) that people largely click Accept and don’t understand how they’re consenting to being tracked—this leaves aside the fact that many cookie banners may not even do what they claim.
In Europe, fingerprints fall under the same general data protection regulation and marketing rules as cookies, says Al Todd, partner specializing in data and technology at law firm Reed Smith. European regulators have warned since 2014 that fingerprints “present serious data protection concerns”, and Todd says many websites don’t tell users they can track people with fingerprints. “I think a lot of companies don’t realize and think it’s a good way to get around cookie rules,” she says.
How can you stop it?
Unlike cookies, it is difficult to stop fingerprinting. Cookies are stored in your browser and it is possible to delete your cookie history, block them or turn them off completely. “With fingerprints, everything is invisible,” says Em. “People don’t know about it; they don’t see it.” When in 2010 The EFF first produced a detailed fingerprint, which it said was “like a cookie that cannot be deleted.”
Various browser plug-ins claim to help reduce or stop footprints, but there is a mix in quality. 2019 survey by a Snap researcher and two US scientists found that many anti-fingerprint tools are not that useful. The biggest thing you can do to stop fingerprinting is to choose a browser that limits tracking and increases privacy.