Browser fingerprinting isn’t a new tactic, but it’s newly in the headlines as all of the primary web browsers – Safari, Firefox and now Chrome – crack down on the practice in the name of privacy.
The main problem with fingerprinting from a privacy perspective is that there’s no way for a consumer to opt out or to even know it’s happening.
The main problem from a digital marketing perspective, good, bad or indifferent, is that fingerprinting may soon no longer be a viable workaround to try and establish identity or do attribution when cookies or other device identifiers are not available.
But anyone who’s relying on this common practice in ad tech as a backup plan for when third-party cookies are blocked – either by default or by user choice – needs an alternative.
“The much bigger issue for us is what happens to cookies over time,” said Tanwir Danish, managing partner and head of data and analytics platforms for GroupM in North America. “The reality is that the same privacy concerns that apply to cookies apply to fingerprinting, especially when it comes to targeting consumers based on that information.”
But what exactly is fingerprinting, how effective is it, how pervasive, what use cases does it support – and what really happens when it goes away?
Behind the scenes
JavaScript usually detects device attributes to properly render a webpage or an application so the content looks right, the language is correct or, for example, to ensure that a mobile version of a site loads when it’s accessed on a phone.
When a browser loads something, it acts as an agent on behalf of a user – hence the term “user agent” – to retrieve requested content. The browser, as the user agent, sees information about a device and the network it’s on, which the developer can use to customize the on-site experience to the visitor’s browser.
Every browser has a unique user agent string so that a server can know which browser it’s negotiating with to load content.
The fine print
Browser fingerprinting links device attributes and compresses that information into a hashed ID, usually in the form of a short numerical string.
Advertisers use two types of fingerprinting, said Bill Simmons, CTO and co-founder of dataxu: a basic version that only uses two fields (IP address and user agent string to create a very rough identifier) and more sophisticated techniques that use JavaScript to read many different settings and configurations.
The latter could include the collection of hundreds of seemingly generic data signals that wouldn’t mean much on their own, but together can be used to probabilistically determine identity and create persistent statistical identifiers in the absence of cookies.
In addition to the user agent string, sophisticated browser fingerprinting relies on collating everything from language settings, screen resolution, color depth, time zone, underlying operating system, the OS version and device type to the plug-ins, the type of graphics hardware being used and even whether someone has Do Not Track enabled (not that anyone actually respects it).
Another approach involves a practice called canvas fingerprinting that involves exploiting an element within HTML5 that helps graphics appear on a webpage, and can be used to create a unique fingerprint of visitors. Unlike cookies, this data is not stored locally on a device, so users can’t opt out or delete the information.
That lack of transparency about where and how the data is sourced, how it’s commingled and how the models are developed is what has made fingerprinting such a black box, said Rohan Philips, global chief product officer at iProspect.
Fingers in many pies
Most ad tracking is tied to cookies – ad verification, multitouch attribution, cross-device tracking. But as the browsers increasingly clamp down on cookies, particularly the third-party variety, ad tech companies turn to fingerprinting to shore up their solutions, said Peter Hanford, chief commercial officer of digital marketing consultancy Digital Decisions.
Even though fingerprinting and tracking cookies are in the same boat (persona non grata on the privacy front), some ad tech companies are toiling away on persistent ID solutions that use fingerprinting, “a move directly related to the limitations of cookie tracking,” Hanford said.
Others see the writing on the wall, Philips said. Thanks to GDPR, the dominance of identity-based platforms, the rise in DTC brands and agencies investing in building their own identity solutions, the use of fingerprinting has declined significantly, he said, reflected in the reduction of cross-device companies using probabilistic models.
“We don’t expect this particular change announced by Google to have a significant impact on our investments,” Philips said.
But advertising isn’t the only use case for fingerprinting. It can be used to identify botnet characteristics and for user authentication. Banks employ fingerprinting to spot suspicious behavior, like multiple withdrawal attempts originating in odd locations or login attempts from an unfamiliar device.
Does it work, though?
Ask measurement or impression tracking vendors how effective fingerprinting is, and they’ll say it’s something like 95% accurate – although that’s a difficult number to verify, Hanford said.
Noting slight differences between devices can effectively pin a mostly unique ID to a browser when cookies aren’t available, dataxu’s Simmons said.
Dig a bit deeper, however, and the accuracy of fingerprinting over time isn’t all that great, said Grant Simmons, head of client analytics at mobile attribution platform Kochava.
Compared with deterministically matched attribution, fingerprinting is 98% accurate when the fingerprint match is made within the first 10 minutes, which is also when the majority (56%) of attribution occurs. If the attribution window is between 10 minutes and three hours, accuracy drops to 80%. Between three and 24 hours, using fingerprinting logic is a coin flip – only 50% accurate.
When the attribution window is longer than a day, forget about it.
“Once you get outside of 24 hours, it’s more wrong than right,” Kochava’s Simmons said. “The point being that fingerprinting can be accurate, but only within a narrow timeframe.”
A world without fingerprinting
Although it’s unclear exactly how the browsers plan to limit or scramble fingerprinting, let’s pretend that when we wake up tomorrow, the tactic is completely scuppered. What would happen?
Impression tracking, frequency capping, sequential targeting, multitouch attribution – anything that relies on persistent identity – will become more difficult or even impossible, Hanford said, and the open web will probably have to go back to earlier forms of targeting, like contextual, which is happening in any case thanks to stringent privacy regs like GDPR.
While privacy advocates would obviously be delighted, there could be collateral damage as the browsers reduce the signals available for fingerprint building, said dataxu’s Simmons.
“The reduction of JavaScript APIs could break some websites that depend on them,” he said. “And anti-fraud tools that verify a device … using a fingerprint would need to migrate to another method.”
The user experience could also suffer if the delivery of media is disjointed and there’s no easy way to create an omnichannel journey that flows for the consumer, GroupM’s Danish said.
But from the agency perspective, the loss of fingerprinting technology wouldn’t be a major blow, according to Chris Apostle, chief media officer at iCrossing.
“In the short term, I don’t see an overly significant impact to advertisers,” he said, “mainly because of companies like LiveRamp and others, which allow us to be much more capable of targeting without having to rely solely on the use of device data.”