Sneaky Web Tracking Technique Under Heavy Scrutiny by GDPR

What will new General Data Protection Regulation laws mean for websites that use sneaky web trackers such as browser fingerprinting to profile visitors? Privacy experts say the practice is likely illegal under the newly-enacted GDPR regulation. But they also say don’t expect the method of tracking users to disappear anytime soon, said the Electronic Frontier Foundation in a report issued Tuesday.

Using the HTML5 framework, websites are able to identify users (or a browser image) not by cookies, but the unique characteristics of a browser such as fonts, SVG widgets and WebGL—for starters. The technique is called browser fingerprinting or canvas fingerprinting. Websites harvest the browser data to produce a single, unique identifier to track users across multiple websites without any actual identifier persistence on the user’s machine.

While widespread regulations and laws – including the ePrivacy Directive and the recently enforced General Data Protection Regulation laws –  could address browser fingerprinting, websites participating in this practice “will try to skirt this law,” Bill Budington, senior staff technologist at the EFF, told Threatpost.

“Looking at how web fingerprinting techniques have been used so far, it is very difficult to imagine companies moving from deliberate obscurity to full transparency and open communication with users,” he said in a post, written along with Katarzyna Szymielewicz, co-founder and president of the Panoptykon Foundation. “Fingerprinting companies will have to do what their predecessors in the cookie world did before now: face greater detection and exposure by coming clean about their practices, or slink even further behind the curtain, and hope to dodge European law.”

Browser fingerprinting is a handy tool for marketers. Browser fingerprinting can identify users over time, track them across websites, and store that information in their servers to build an advertising profile of them.

That’s separate from cookies, which can be deleted by the user. Interestingly, browser fingerprinting can be used to recreate a tracking cookie for a user after the user knowingly become aware of the cookie and deleted it.

The Impact of Existing Regulation

GDPR rules, which went into effect May 25, have left privacy experts scratching their heads about what the data privacy protection crackdown means for methods such as browser fingerprinting.

GDPR doesn’t specifically call out fingerprinting – instead using “neutral language” that can quickly adapt to new emerging technologies or methods in the future,  Budington said.

“Fingerprinting can be used to identify users, and the individual characteristics of the browser can be identifiable via this method… That requires basic interactive consent of the user,” said Budington. “Under GDPR, you would need a clear way to mark that you consent to the tracking.”

That path won’t be easy for browser fingerprinters to get the green light by EU regulators, the EFF said in its post.

Companies using browser fingerprinting would have to first reveal the fingerprinting before it is executed and secondly wait for users to give their informed consent. Sites that relied on fingerprinting would also need to lay out a “legitimate interest argument for end users,” meaning that it would need to prove that its interest in tracking is not overriding the rights of users to data privacy.

The site would also need to share detailed information to users subjected to fingerprinting about the purpose and legal basis of such data processing, said Budington.

On top of GDPR, another data privacy protection law exists called the ePrivacy Directive (aka “the cookie clause”) which sets conditions on the use of device and browser identifiers.

“This is something that is an additional standard above and beyond GDPR,” Budington told Threatpost. As it stands, one specific part of the ePrivacy Directive shows that device fingerprinting requires user consent:

However, the EU is expected to pass an updated ePrivacy Regulation in 2019 that may hone in on browser fingerprints and offer more direct definitions of user data privacy consent.

While GDPR and the ePrivacy Regulation both address browser fingerprinting,  there’s no evidence in practice that these rules would ultimately end sneaky browser practices like this method.

However, many non-EU sites who track individuals in Europe using fingerprinting may ignore these laws under the belief that they can escape the consequences, Budington said.

“There’s nothing legitimate about this method of tracking: that’s what privacy laws like the GDPR recognize, and that’s what regulators will act upon,” Budington said in the post. “Before we see results of their actions, browser companies, standards organizations, privacy advocates, and technologists will still need to work together to minimize how much third-parties can identify about individual users just from their browsers.”