Case study: disclosure of indirect device fingerprinting in privacy policies
Recent developments in online tracking make it harder for
individuals to detect and block trackers. This is especially true for
device fingerprinting techniques that websites use to identify and track
individual devices. Direct trackers, those that directly ask the device
for identifying information, can often be blocked with browser
configurations or other simple techniques. However, some sites have shifted to
indirect tracking methods, which attempt to uniquely identify a device
by asking the browser to perform a seemingly-unrelated task. One type
of indirect tracking known as Canvas fingerprinting causes the browser
to render a graphic, recording rendering statistics as a unique identifier.
Even experts find it challenging to discern some indirect fingerprinting
methods. In this work, we aim to observe how indirect device
fingerprinting methods are disclosed in privacy policies, and consider whether the
disclosures are sufficient to enable website visitors to block the
tracking methods. We compare these disclosures to the disclosure of direct
fingerprinting methods on the same websites.
Our case study analyzes one indirect fingerprinting technique, Canvas
fingerprinting. We use an existing automated detector of this
fingerprinting technique to conservatively detect its use on Alexa Top 500 websites
that cater to United States consumers, and we examine the privacy
policies of the resulting 28 websites. Disclosures of indirect fingerprinting
vary in specificity. None described the specific methods with enough
granularity to know the website used Canvas fingerprinting. Conversely,
many sites did provide enough detail about usage of direct
fingerprinting methods to allow a website visitor to reliably detect and block those
techniques.
We conclude that indirect fingerprinting methods are often technically
difficult to detect, and are not identified with specificity in legal privacy
notices. This makes indirect fingerprinting more difficult to block, and
therefore risks disturbing the tentative armistice between individuals and
websites currently in place for direct fingerprinting. This paper illustrates
differences in fingerprinting approaches, and explains why technologists,
technology lawyers, and policymakers need to appreciate the challenges
of indirect fingerprinting.
Accepted manuscript