Fingerprint detection is more likely to make us think of Sherlock Holmes with his magnifying glass and deerstalker than a technique associated with connected internet devices, yet device 'fingerprinting' is the name for a development in the connected world that is raising particular privacy concerns.

What is device fingerprinting?

Device fingerprinting is a way of capturing and combining a range of information attributes for internet connected devices or applications that people use in order to single out or infer over time, those attributes to particular devices or users. It can be applied across a wide range of internet connected devices such as mobile phones, tablets and apps as well as domestic and consumer electronics including smart TVs, and smart energy meters, games consoles or internet connected radios.

The open architecture of the communication protocols behind the internet means that connected devices will transmit or expose certain information elements about themselves. These information elements may not individually identify a device or user but when combined, they can create a unique set of characteristics or a 'fingerprint' for a device, enabling it or, potentially, its user, to be distinguished from others.

What information are we talking about?

There is a whole host of information elements that could be used to build a fingerprint.  This includes http header information, device clock information, plug-in software identity and version details as well as characteristics like screen size, colour depth or system font variables, among others. Fingerprinting techniques vary but can involve, for example, using JavaScript to identify plug-ins and fonts and logging these characteristics or (in the case of canvas fingerprinting) by prompting the device browser to generate an invisible text or graphic file that is converted into a digital token to store and reveal variations in the graphics processing unit of the device.  Once a device can be uniquely recognised using a combination of these and more elements, then it is possible to tailor content, services or advertising to that device in the same way as is already possible using cookie technology.

Privacy concerns

Fingerprinting is practically invisible to device users and can be difficult to block.  Connected device users do not currently have access to readily available in-device tools or settings that flag when fingerprinting is being carried out, (equivalent to adjustable browser settings in the case ofcookies), and there is no clear and simple way to prevent the collection of this information or to reset a device in order to change the information elements that are available. Removing JavaScript may prevent fingerprinting that uses JavaScript but it is not a practical solution given the importance of JavaScript to the normal functioning of many devices. Canvas fingerprinting, on the other hand, can be blocked by downloading script blocking add-ons to the device browser but most people will not be sufficiently informed about the technology or how to control its use to download these tools.

Some have speculated that the growth of fingerprinting has been not only due to the fact that it can be used covertly across a wide range of devices but, also, due to an incorrect assumption that the technology falls outside the scope of the notice and consent rules relevant to cookies within the European e-Privacy Directive (Directive 2002/58/EC).  This  assumption is one that the group representing the data protection authorities of each of the EU member states, the Article 29 Working Party (WP) has been prompt to correct with an Opinion published on 25 November 2014, on the application of the e-Privacy Directive to device fingerprinting.

The Application of the e-Privacy Directive

The WP makes clear from the outset that device fingerprinting "presents serious data protection concerns for individuals". The WP points to a range of different software, platforms and APIs that offer up access to the different information elements of a device and they flag the inherently covert nature of this information collection by content publishers and also third parties who may be contributing site content and be in communication with a  user's device.  

The focus of the Opinion is on the application of Article 5(3) of the e-Privacy Directive. Article 5(3) is not concerned with whether the information at issue is user personal data, rather it treats both personal data and non-personal data equally.  Of course, where personal data is processed, then the the general data protection Directive (95/46/EC) must also be complied with.

Although Article 5(3) of the e-Privacy Directive may be thought of as simply setting down rules for the use of cookies, it is technology neutral.  Article 5(3) makes clear that the requirement to give clear and comprehensive information about the purposes of processing and to obtain the consent of the subscriber or user applies to any " storing of information, or the gaining of access to information already stored in the terminal equipment of a subscriber or user".  This means it does not apply exclusively to the use of cookies but can also be applied to other technologies that store or gain access to device information.

It is important to understand that this requirement applies to storing or accessing of information so fingerprinting is caught even though certain information elements are not stored. Access to read only information within a device will also be covered and require user notice and consent.

Is any fingerprinting exempt?

There are limited exemptions from the requirement at Article 5(3) for notice and consent where:

  1. technical storage or access is only for the purpose of transmitting a communication over an electronic communications network (the 'network communication exemption') ;or
  2. the storage or access is strictly necessary to provide an information society service explicitly requested by the subscriber or user of the service (the 'strict necessity exemption').

The Opinion recognises that these exemptions may still be relevant to certain scenarios involving fingerprinting, for example:

  • where certain information elements of a user's device may need to be transmitted to enable the proper functioning of a communications network, such as when managing the connection between wireless devices and a wireless network in order to maintain connections, or to route data packets (network communication exemption);
  • where certain  user-centric features are only used to enhance the security of a service requested by the user (such as identifying repeated failed log-in attempts) (strict necessity exemption); or
  • where the information elements are only used to adapt the content requested to the user's device (e.g. compressing the content so that it appears on a smaller device screen) (strict necessity exemption).

However, access to or storage of device information in connection with other uses such as analytics, online behavioural analysis, or to control a user's access to a service to a number of specific devices would not be exempt.

So the e-Privacy Directive does not offer a 'get out' for fingerprinting. Those using fingerprinting techniques that are not exempt, must still ensure that they are transparent with connected device users and first collect their consent before creating the fingerprint. It will be interesting to see whether, going forward, technology developments will offer users more visibility and features to manage their privacy proactively where fingerprinting is involved.