Data Privacy

The Impact of Browser Fingerprinting on Privacy Protection

February 14, 2024

INTRODUCTION

Browser fingerprinting is the collection of the unique digital footprint that a user’s web browser leaves as they browse the internet. It encompasses details such as time zone, browser type, default language, and other factors that collectively distinguish the user from other internet users, allowing websites to identify them.

While physical fingerprints are distinguished by arches and loops, browser fingerprints include elements like stored WebGL data, screen resolution, and graphics card settings. It should be noted that browser fingerprinting is different from collecting cookies: cookies can be cleared, whereas browser fingerprints persistently track the user’s online movements.

WORKING OF BROWSER FINGERPRINTING

For example, imagine that browsing the internet is like walking into a big party where everybody is wearing masks. When a website employs browser fingerprinting, it gives each browser a special, invisible name tag. This tag helps the website distinguish the user from the crowd, even if the user wears a different mask on each visit. What makes browser fingerprinting tricky is that it silently collects all sorts of data about the browser without the user’s knowledge.

By collecting these minute details, the website secretly keeps track of the user as they move from one party to another or, in this case, from one website to another. Through this data, a detailed picture can be built of what the user is interested in, and offerings can be tailored accordingly.

But the trickiest part lies in the control which one has over browser fingerprinting. Unlike cookies, browser fingerprinting cannot be easily deleted or blocked and is harder to shake off. Therefore, it acts like an invisible tracker following the user all around during their internet surfing.
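The difference between a stored cookie and a recomputed fingerprint can be seen in a small simulation, added here as an illustration and not taken from any website's code. The attribute values, the `visit` helper and the FNV-1a hash are assumptions chosen to keep it self-contained.

```javascript
// Constructed sample attributes; a real page would read these from the browser itself.
const browserA = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0",
  language: "en-GB",
  timeZone: "Europe/Dublin",
  screen: "2560x1440",
  webglRenderer: "Example GPU 3000",
};
const browserB = { ...browserA, timeZone: "Asia/Kolkata", screen: "1920x1080" };

// FNV-1a 32-bit: a small non-cryptographic hash, used only to avoid dependencies.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Serialise attributes in sorted key order so the same browser always yields the same value.
function fingerprint(attrs) {
  const canonical = Object.keys(attrs).sort().map((k) => `${k}=${attrs[k]}`).join("|");
  return fnv1a(canonical);
}

// One visit: the site sees the cookie ID stored on the device and a freshly computed fingerprint.
function visit(attrs, cookieJar) {
  if (!cookieJar.id) cookieJar.id = "c-" + (++visit.counter);
  return { cookieId: cookieJar.id, fp: fingerprint(attrs) };
}
visit.counter = 0;

function demo() {
  const jar = {};
  const first = visit(browserA, jar);
  delete jar.id; // the user clears cookies between visits
  const second = visit(browserA, jar);
  const other = visit(browserB, {});
  return {
    cookieLinked: first.cookieId === second.cookieId, // the cookie no longer links the visits
    fingerprintLinked: first.fp === second.fp, // the fingerprint still does
    distinctFromOther: first.fp !== other.fp, // a different browser gets a different value
  };
}
console.log(demo());
```

Nothing is stored on the device for the fingerprint, which is why clearing site data in the simulation breaks the cookie link but not the fingerprint link.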

PERSONALLY IDENTIFIABLE INFORMATION AND BROWSER FINGERPRINTING

Personally Identifiable Information (hereinafter referred to as “PII”) and browser fingerprinting are both concepts related to data collection and privacy, but they serve different purposes and involve different types of information. Unlike PII, browser fingerprinting does not directly identify individuals by name or other personal attributes. Instead, it creates a digital fingerprint that can be used to recognize and track users across different websites and online sessions.

Browser fingerprinting is often used for purposes such as targeted advertising, analytics, fraud detection, and website customization. It can also be used to enhance security measures, such as detecting and preventing fraudulent access attempts. While both PII and browser fingerprinting involve the collection of data for various purposes, PII specifically pertains to personal information that directly identifies individuals, whereas browser fingerprinting focuses on gathering technical data to create a unique identifier for devices and browsers, without necessarily identifying individuals by name or personal attributes.

GDPR & ePrivacy Directive compliance: Browser fingerprinting vs Cookies

The General Data Protection Regulation (hereinafter referred to as “GDPR”) primarily addresses the issues concerning the processing of personal data, while the ePrivacy Directive regulates electronic communications and instances where the data involved is non-personal. Therefore, cookies are subject to the ePrivacy Directive.

It mandates that users must provide informed consent prior to the storage of cookies on their devices or the tracking of their browsing activities. This necessitates the implementation of a cookie policy and a cookie banner, and obtaining the user’s consent prior to the installation of any non-exempt cookies on the user’s device.

Under the GDPR, companies are required to ensure the visibility of fingerprinting to users, akin to the requirements for cookies under the ePrivacy Directive. It is pertinent to note that when fingerprinting is used for tracking individuals, it automatically falls under the category of “personal data processing” and is thus subject to the regulations outlined in Article 5 of the GDPR, i.e., “Principles relating to processing of personal data”.

Article 5 of the GDPR enforces data privacy principles, namely, lawfulness, fairness, and transparency in data processing. It ensures that data collection is limited to specified purposes, and that such data is relevant and kept up to date. Furthermore, it mandates that personal data should only be retained till appropriate security measures are in place.

Although the GDPR per se does not explicitly specify fingerprinting, the general rules under the GDPR are designed to be adaptable to various technological changes, including those beyond fingerprinting and cookies. Therefore, while implementing fingerprinting technologies, companies must ensure compliance with these principles.

Fingerprinting is allowed under two conditions: either explicit consent is obtained from the user, indicating that fingerprinting is necessary to provide a specific service, and it is exclusively used for this purpose during data transfer, or there exists another legal basis, such as legitimate interest as outlined in Article 6(1)(f) of the GDPR.

Article 6(1)(f) reads as follows: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

IS BROWSER FINGERPRINTING TRULY THE PRIVACY SAVIOUR AS IT CLAIMS TO BE, OR IS IT ANOTHER DUBIOUS PROMISE?

Browser fingerprinting is claimed to be a more privacy-conscious technique that substitutes personal information with more general data. However, the credibility of this promise is subject to scrutiny. Browser fingerprinting offers a level of anonymity by not tying direct personal identifiers to user activities. However, a wide array of issues remains to be addressed, including the continuous tracking of users online, transparency, user consent, and the practices used to obtain such data.

Browser fingerprinting poses unique challenges as opposed to collecting cookies. Cookies can be managed through browser settings and cleared by the user, whereas browser fingerprints operate in the background and perpetually collect data about a user’s online behaviour.

This is a potential threat as users lack control over browser fingerprints. This possibly acts as a threat to the GDPR’s emphasis on fairness and transparency in data processing. The lack of transparency and control underscores the need for heightened awareness and regulation of browser fingerprinting to safeguard user privacy in the digital era.

BROWSER FINGERPRINTING AND POTENTIAL RISK MODELS

The potential threats to user autonomy, fairness, and transparency under Article 5 of the GDPR include:

1. User Identification:

Browser fingerprinting presents a significant risk because it identifies users, potentially compromising their anonymity on the web. It correlates browser fingerprints with identifiable information, which includes email addresses, government-issued IDs, etc.

2. Correlation with Browsing History:

Browser fingerprinting correlates browsing activity across multiple sessions and websites. Even without revealing offline identities, this practice allows online entities to build detailed user profiles without the prior consent of the users. Therefore, this ability to develop comprehensive browsing histories reflects the need to enhance awareness among users and their control over the data collected and correlated.

3. Tracking without control:

Browser fingerprinting raises challenges as it operates without clear indications or effective controls for users in terms of transparency and user autonomy. Unlike cookies, browser fingerprinting enables the collection of user data without explicit consent. This hinders users’ ability to manage and track their online activities. Therefore, user control mechanisms are urgently needed to safeguard user privacy online.

ENSURING DATA PRIVACY: THE WAY FORWARD

The following mechanisms will serve as a potential course of action to combat the issues raised in the above section.

a. Transparent Mechanism: Websites using browser fingerprinting must disclose the purpose of such data collection. Along with that, they must provide detailed information on what data is being collected and how long this data will be retained by them. This will ensure a transparent mechanism for users to make informed decisions about their activities on the internet.

b. Explicit User Consent: Akin to cookies, websites must obtain users’ consent to browser fingerprinting. This consent must be clear and unambiguous. These websites must ensure that users understand the implications of such collection and usage of data. Furthermore, users must have the autonomy to revoke consent at any time.

c. Granular Control Mechanisms: Implementation of granular control mechanisms will enable users to effectively manage their online privacy. This could provide users with a wide array of options to choose which parts of their browser data can be collected, or to opt out entirely.

d. Privacy-Enhancing Technologies (hereinafter referred to as “PETs”): Developing and implementing PETs can help users to manage and mitigate the risks associated with browser fingerprinting. PETs focus on enhancing user privacy by minimizing the amount of identifiable data that is exposed to online forums. Techniques such as anonymization, data minimization, and differential privacy can be employed to achieve the end goal.

e. Regulatory Compliance and Enforcement: Compliance with GDPR principles ensures data privacy and transparency. The enforcement agencies must penalize entities that breach compliance requirements. This will serve as a deterrent against unethical practices which lack accountability in the use of browser fingerprinting technologies.

f. Education and Awareness: Initiatives must be taken to ensure digital literacy among users and encourage them to demand a transparent mechanism and control over their personal data.

The above actions can potentially address the challenges posed by browser fingerprinting. They will ensure compliance with GDPR principles and safeguard user privacy in the digital era.

AMLEGALS REMARKS

This analysis helps us understand that browser fingerprinting poses challenges to user privacy. While the claims suggest it to be privacy-friendly, there are several concerns about identifying users, linking their browsing history, and tracking them which need to be addressed.

The GDPR mandates data processing based on certain principles, which include lawfulness, fairness, and transparency. This compliance becomes paramount in mitigating risks associated with browser fingerprinting.

The mechanism must protect users by prioritizing transparency, obtaining explicit user consent, and implementing robust control mechanisms. It would ensure that stakeholders can understand the intricacies of browser fingerprinting while upholding user privacy rights. Therefore, it serves as a foundation for compliance, accountability and transparency, and as a building block for ensuring that the standards of the GDPR are met and that user trust in the digital era is strengthened.

– Team AMLEGALS assisted by Ms. Srishti Dwivedi


For any queries or feedback feel free to reach out to mridusha.guha@amlegals.com or jason.james@amlegals.com
