Dave Farber
2018-06-21 06:37:54 UTC
Date: June 21, 2018 at 14:52:01 GMT+9
Subject: [Dewayne-Net] The GDPR and Browser Fingerprinting: How It Changes the Game for the Sneakiest Web Trackers
The GDPR and Browser Fingerprinting: How It Changes the Game for the Sneakiest Web Trackers
By KATARZYNA SZYMIELEWICZ AND BILL BUDINGTON
Jun 19 2018
<https://www.eff.org/deeplinks/2018/06/gdpr-and-browser-fingerprinting-how-it-changes-game-sneakiest-web-trackers>
Browser fingerprinting is on a collision course with privacy regulations. For almost a decade, EFF has been raising awareness about this tracking technique with projects like Panopticlick. Compared to more well-known tracking âcookies,â browser fingerprinting is trickier for users and browser extensions to combat: websites can do it without detection, and itâs very difficult to modify browsers so that they are less vulnerable to it. As cookies have become more visible and easier to block, companies have been increasingly tempted to turn to sneakier fingerprinting techniques.
But companies also have to obey the law. And for residents of the European Union, the General Data Protection Regulation (GDPR), which entered into force on May 25th, is intended to cover exactly this kind of covert data collection. The EU has also begun the process of updating its ePrivacy Directive, best known for its mandate that websites must warn you about any cookies they are using. If youâve ever seen a message asking you to approve a siteâs cookie use, thatâs likely based on this earlier Europe-wide law.
This leads to a key question: Will the GDPR require companies to make fingerprinting as visible to users as the original ePrivacy Directive required them to make cookies?
The answer, in short, is yes. Where the purpose of fingerprinting is tracking people, it will constitute âpersonal data processingâ and will be covered by the GDPR.
What is browser fingerprinting and how does it work?
When a site you visit uses browser fingerprinting, it can learn enough information about your browser to uniquely distinguish you from all the other visitors to that site. Browser fingerprinting can be used to track users just as cookies do, but using much more subtle and hard-to-control techniques. In a paper EFF released in 2010, we found that majority of usersâ browsers were uniquely identifiable given existing fingerprinting techniques. Those techniques have only gotten more complex and obscure in the intervening years.
By using browser fingerprinting to piece together information about your browser and your actions online, trackers can covertly identify users over time, track them across websites, and build an advertising profile of them. The information that browser fingerprinting reveals typically includes a mixture of HTTP headers (which are delivered as a normal part of every web request) and properties that can be learned about the browser using JavaScript code: your time zone, system fonts, screen resolution, which plugins you have installed, and what platform your browser is running on. Sites can even use techniques such as canvas or WebGL fingerprinting to gain insight into your hardware configuration.
When stitched together, these individual properties tell a unique story about your browser and the details of your browsing interactions. For instance, yours is likely the only browser on central European time with cookies enabled that has exactly your set of system fonts, screen resolution, plugins, and graphics card.
By gathering that information together and storing it on its own servers, a site can track your browsing habits without the use of persistent identifiers stored on your computer, like cookies. Fingerprinting can also be used to recreate a tracking cookie for a user after the user has deleted it. Users that are aware of cookies can remove them within their browser settings, but fingerprinting subverts the built-in browser mechanisms that allow users to avoid being tracked.
And this doesnât just apply to the sites you visit directly. The pervasive inclusion of remote resources, like fonts, analytics scripts, or social media widgets on websites means that the third parties behind them can track your browsing habits across the web, rather than just on their own websites.
Aside from the limited case of fraud detection (which needs transparency and opt-in consent for any further processing), browser fingerprinting offers no functionality to users. When the popular social media widget provider AddThis started using canvas fingerprinting in 2014, the negative reaction from their users was so overwhelming that they were forced to stop the practice.
[snip]
Dewayne-Net RSS Feed: http://dewaynenet.wordpress.com/feed/
Twitter: https://twitter.com/wa8dzp
-------------------------------------------Subject: [Dewayne-Net] The GDPR and Browser Fingerprinting: How It Changes the Game for the Sneakiest Web Trackers
The GDPR and Browser Fingerprinting: How It Changes the Game for the Sneakiest Web Trackers
By KATARZYNA SZYMIELEWICZ AND BILL BUDINGTON
Jun 19 2018
<https://www.eff.org/deeplinks/2018/06/gdpr-and-browser-fingerprinting-how-it-changes-game-sneakiest-web-trackers>
Browser fingerprinting is on a collision course with privacy regulations. For almost a decade, EFF has been raising awareness about this tracking technique with projects like Panopticlick. Compared to more well-known tracking âcookies,â browser fingerprinting is trickier for users and browser extensions to combat: websites can do it without detection, and itâs very difficult to modify browsers so that they are less vulnerable to it. As cookies have become more visible and easier to block, companies have been increasingly tempted to turn to sneakier fingerprinting techniques.
But companies also have to obey the law. And for residents of the European Union, the General Data Protection Regulation (GDPR), which entered into force on May 25th, is intended to cover exactly this kind of covert data collection. The EU has also begun the process of updating its ePrivacy Directive, best known for its mandate that websites must warn you about any cookies they are using. If youâve ever seen a message asking you to approve a siteâs cookie use, thatâs likely based on this earlier Europe-wide law.
This leads to a key question: Will the GDPR require companies to make fingerprinting as visible to users as the original ePrivacy Directive required them to make cookies?
The answer, in short, is yes. Where the purpose of fingerprinting is tracking people, it will constitute âpersonal data processingâ and will be covered by the GDPR.
What is browser fingerprinting and how does it work?
When a site you visit uses browser fingerprinting, it can learn enough information about your browser to uniquely distinguish you from all the other visitors to that site. Browser fingerprinting can be used to track users just as cookies do, but using much more subtle and hard-to-control techniques. In a paper EFF released in 2010, we found that majority of usersâ browsers were uniquely identifiable given existing fingerprinting techniques. Those techniques have only gotten more complex and obscure in the intervening years.
By using browser fingerprinting to piece together information about your browser and your actions online, trackers can covertly identify users over time, track them across websites, and build an advertising profile of them. The information that browser fingerprinting reveals typically includes a mixture of HTTP headers (which are delivered as a normal part of every web request) and properties that can be learned about the browser using JavaScript code: your time zone, system fonts, screen resolution, which plugins you have installed, and what platform your browser is running on. Sites can even use techniques such as canvas or WebGL fingerprinting to gain insight into your hardware configuration.
When stitched together, these individual properties tell a unique story about your browser and the details of your browsing interactions. For instance, yours is likely the only browser on central European time with cookies enabled that has exactly your set of system fonts, screen resolution, plugins, and graphics card.
By gathering that information together and storing it on its own servers, a site can track your browsing habits without the use of persistent identifiers stored on your computer, like cookies. Fingerprinting can also be used to recreate a tracking cookie for a user after the user has deleted it. Users that are aware of cookies can remove them within their browser settings, but fingerprinting subverts the built-in browser mechanisms that allow users to avoid being tracked.
And this doesnât just apply to the sites you visit directly. The pervasive inclusion of remote resources, like fonts, analytics scripts, or social media widgets on websites means that the third parties behind them can track your browsing habits across the web, rather than just on their own websites.
Aside from the limited case of fraud detection (which needs transparency and opt-in consent for any further processing), browser fingerprinting offers no functionality to users. When the popular social media widget provider AddThis started using canvas fingerprinting in 2014, the negative reaction from their users was so overwhelming that they were forced to stop the practice.
[snip]
Dewayne-Net RSS Feed: http://dewaynenet.wordpress.com/feed/
Twitter: https://twitter.com/wa8dzp
Archives: https://www.listbox.com/member/archive/247/=now
Modify Your Subscription: https://www.listbox.com/member/?member_id=26461375
Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=26461375&id_secret=26461375-c2b8a462&post_id=20180621023805:A4D4CF12-751D-11E8-A98A-80A530D7E2DE
Powered by Listbox: http://www.listbox.com