Our New Approach to Address the Rise of Fingerprinting

First, what is fingerprinting?

Digital fingerprinting is a method of tracking that identifies you or your particular device based on unchanging properties of your browser, device, or network, without using cookies or other data stored locally on your device. Hidden from plain sight and without leaving a trace, fingerprinting technology allows companies to secretly track your private online activity across many websites, apps, and your internet-connected devices.

So for example, a prominent fingerprinting company might see that at 11:31pm you used your iPhone at your exact home address to visit app X, then watch video 1 four times in a row, then visit website Y and watch videos 2, 3, 4, 5, then click ad Z, and at 2:34am buy products A, B, and C. That same company might also be capable of seeing what you're watching on your SmartTV, what articles you read on your tablet while at work, and any purchases you make on your laptop wherever you may be. And of course, this same company could use your unique fingerprint to combine ALL the data they collect about you to create one big fat profile that just keeps on ingesting information that you'd prefer be private.

This privacy-invasive technology has been in use for decades and Disconnect's solutions have addressed this threat since 2011. But in the last few years, data trackers have increasingly moved away from traditional cookie-based tracking to embrace fingerprinting. So today we are changing up our approach to address this new challenge, introducing a new definition of fingerprinting along with two sub-categories: invasive and general fingerprinters.

Most popular apps and websites have fingerprinters integrated

Last year, we worked with the Washington Post to research the prevalence of fingerprinters that abuse browser APIs on the web, and the results of our testing were surprising even to us. It turns out that more than one third of the top 500 U.S. websites used fingerprinting code that took advantage of browser APIs and was capable of individually identifying your computer or phone.

But the full picture is actually much worse because fingerprinters don't just utilize browser APIs in order to track you. In fact, most fingerprinters don't bother with APIs and live outside your browser altogether, especially on mobile where fingerprinters collect tons of information inside your apps but also inside your internet connected cameras, TVs, and other devices.

Why fingerprinting is on the rise

Data collectors are quickly adopting fingerprinting and moving away from other technologies primarily because third-party cookies are going away and technical advancements have made analysis and storage of fingerprinting data much more efficient and valuable.

You can read more about the demise of the tracking cookie here and how "the shift has the potential to drastically reshape the power dynamics of the internet and the $330 billion digital advertising industry that supports it." The short version is that as privacy concerns have become mainstream over the past decade, governments have enacted laws to protect consumers (like the EU Cookie Directive, then GDPR, then CCPA) and web browsers have made moves to limit the collection of user data, especially through the use of third-party cookies. Since at least 2015, when Disconnect first announced that our Tracker Protection lists were powering Private Browsing mode in Firefox, major browsers have increasingly taken steps to protect their users from privacy invasive trackers by default and several privacy focused browsers have emerged.

Beginning in 2017, Apple began offering tracking protections in Safari which focused almost exclusively on limiting and then blocking third-party cookies. Earlier this year Safari announced they were not only going to block third-party cookies associated with trackers, like Firefox does by referencing our list of trackers, but Apple was going to implement a blunt ban on all third-party cookies by default. Also earlier this year, Google announced that as part of their Privacy Sandbox project their Chrome browser was embarking on "A path towards making third party cookies obsolete." It's worth noting that neither of these behemoths has done much to protect users against fingerprinting and that both companies collect data about your activity in sophisticated ways across your devices without the need for third-party cookies.

Because Apple and Google are trillion-dollar monopolies (or at least oligopolies) that have massive browser market share on the platforms they control, what they say goes. So many browser based trackers (as well as the publishers and advertisers they support) have been forced to begin implementing alternative data collection technologies that don't rely on third-party cookies. More often than not, these alternative tracking methods involve some form of fingerprinting users.

How our approach to fingerprinting is changing

As we mentioned above, we've been blocking fingerprinters for nearly a decade. That's because our tracker protection blocks all connections to an entity we've identified as a tracker, whether that tracker is using fingerprinting, third-party cookies, tracking pixels, or whatever. But as our Tracker Protection lists have been integrated by various browsers, properly categorizing different trackers has become increasingly important. For example, as mentioned above, we partner with Mozilla Firefox and Microsoft Edge, who by default block third-party cookies from companies that Disconnect has identified as trackers. In addition, Mozilla and Microsoft, unlike Apple or Google, provide default protection against companies we've identified as fingerprinting through the abuse of specific browser APIs.

When we initially created the separate fingerprinting category in our list in February of 2019, our definition of fingerprinting read: "A tracker may be classified as fingerprinting if it abuses browser or device features in unintended ways to identify and track users." We then added entities to this list that were clearly and verifiably (through code analysis) abusing certain browser APIs. When Firefox and Edge began blocking the fingerprinting companies we had identified by default, several of the blocked companies removed their fingerprinting code and requested to be removed from the fingerprinting list. During our review of these companies, we noticed that many of the companies that were not specifically abusing browser APIs had privacy policy language and marketing materials that described what we considered fingerprinting.

So, after much consideration, we have decided to change our fingerprinting definition and to split the fingerprinting category into two sub-categories: (1) general fingerprinters and (2) invasive fingerprinters. The definition of fingerprinting now reads:

  • A tracker may be classified as a fingerprinter if it identifies particular users or devices based on the properties of the browser, device, network, or any other properties of the computing environment, without using client-side storage of cookies or other data.

    • We differentiate between two sub-categories of fingerprinters:
      • (1) A tracker may be classified as a general fingerprinter if it uses browser or device features or properties in unintended ways to identify and track a particular user or device.
      • (2) A tracker may be classified as an invasive fingerprinter if it uses an API to extract information about a particular user’s computing environment when the API was not designed to expose such information.

You can find this definition and the rest of our Tracker Protection policy here.

Our hope is that this new definition and the sub-categories will help clarify the types of activities we consider fingerprinting, which we view as an increasing threat to internet privacy. Starting today, Disconnect will block both general and invasive fingerprinters by default in all our products. Additionally, at this point, our understanding is that Firefox and Edge will continue to block trackers in our invasive fingerprinting category by default.
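To make the difference between those defaults concrete, here is an added example (not Disconnect's, Mozilla's or Microsoft's code) of a category-aware blocklist lookup. The list layout, the `.example` domains, the category labels and the policy names are all assumptions constructed for illustration, and only the fingerprinting categories are modelled.

```javascript
// Constructed sample list: reserved .example domains and an assumed layout,
// not the real Tracker Protection list format.
const SAMPLE_LIST = new Map([
  ["fp-invasive.example", "invasive-fingerprinting"],
  ["fp-general.example", "general-fingerprinting"],
]);

// Hypothetical policies modelled on the defaults described in the post.
const POLICIES = {
  // Disconnect's products: both fingerprinting sub-categories are blocked.
  disconnect: new Set(["invasive-fingerprinting", "general-fingerprinting"]),
  // Firefox/Edge default as described: invasive fingerprinters only.
  browserDefault: new Set(["invasive-fingerprinting"]),
};

// Find the listed domain that covers a hostname, if any.
function lookupCategory(hostname, list = SAMPLE_LIST) {
  // Normalise: lower-case and drop the trailing dot of a fully qualified name.
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Try the full host, then shorter suffixes, cutting only at label boundaries:
  // "cdn.fp-general.example" matches, "notfp-general.example" does not.
  // The bare top-level label is never tried.
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (list.has(candidate)) {
      return { domain: candidate, category: list.get(candidate) };
    }
  }
  return null;
}

// Decide whether a request is blocked under the named policy.
function decide(requestUrl, policyName) {
  const policy = POLICIES[policyName];
  if (!policy) throw new Error(`unknown policy: ${policyName}`);
  const host = new URL(requestUrl).hostname;
  const hit = lookupCategory(host);
  return {
    host,
    category: hit ? hit.category : null,
    blocked: hit !== null && policy.has(hit.category),
  };
}

// The same request to a general fingerprinter gets a different verdict per policy.
for (const name of Object.keys(POLICIES)) {
  console.log(name, decide("https://cdn.fp-general.example/t.js", name));
}
```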

The new categories

The initial general fingerprinting category includes thirty-three tracking domains that appear to very clearly meet our definition of general fingerprinting based on technical analysis, their privacy policy, and their own marketing material. Like all our categories, the general fingerprinting category is subject to change and we expect to add more domains soon. You can find the initial list of general fingerprinters and check out the description of and analysis of why these companies were included here.

The invasive fingerprinting category includes all the domains that were previously in our fingerprinting category and have been technically verified to meet our definition of invasive fingerprinting.

As always, our goal is to give you the power to determine your own optimum level of privacy and how your personal information is treated. Please feel free to reach out and give feedback on this change or any other topic anytime!