Fingerprint detection is more likely to make us think of Sherlock Holmes with his magnifying glass and deerstalker than a technique associated with connected internet devices, yet device 'fingerprinting' is the name for a development in the connected world that is raising particular privacy concerns.
What is device fingerprinting?
Device fingerprinting is a way of capturing and combining a range of information attributes for internet connected devices or applications that people use in order to single out or infer over time, those attributes to particular devices or users. It can be applied across a wide range of internet connected devices such as mobile phones, tablets and apps as well as domestic and consumer electronics including smart TVs, and smart energy meters, games consoles or internet connected radios.
The open architecture of the communication protocols behind the internet means that connected devices will transmit or expose certain information elements about themselves. These information elements may not individually identify a device or user but when combined, they can create a unique set of characteristics or a 'fingerprint' for a device, enabling it or, potentially, its user, to be distinguished from others.
What information are we talking about?
Some have speculated that the growth of fingerprinting has been not only due to the fact that it can be used covertly across a wide range of devices but, also, due to an incorrect assumption that the technology falls outside the scope of the notice and consent rules relevant to cookies within the European e-Privacy Directive (Directive 2002/58/EC). This assumption is one that the group representing the data protection authorities of each of the EU member states, the Article 29 Working Party (WP) has been prompt to correct with an Opinion published on 25 November 2014, on the application of the e-Privacy Directive to device fingerprinting.
The Application of the e-Privacy Directive
The WP makes clear from the outset that device fingerprinting "presents serious data protection concerns for individuals". The WP points to a range of different software, platforms and APIs that offer up access to the different information elements of a device and they flag the inherently covert nature of this information collection by content publishers and also third parties who may be contributing site content and be in communication with a user's device.
The focus of the Opinion is on the application of Article 5(3) of the e-Privacy Directive. Article 5(3) is not concerned with whether the information at issue is user personal data, rather it treats both personal data and non-personal data equally. Of course, where personal data is processed, then the the general data protection Directive (95/46/EC) must also be complied with.
It is important to understand that this requirement applies to storing or accessing of information so fingerprinting is caught even though certain information elements are not stored. Access to read only information within a device will also be covered and require user notice and consent.
Is any fingerprinting exempt?
There are limited exemptions from the requirement at Article 5(3) for notice and consent where:
- technical storage or access is only for the purpose of transmitting a communication over an electronic communications network (the 'network communication exemption') ;or
- the storage or access is strictly necessary to provide an information society service explicitly requested by the subscriber or user of the service (the 'strict necessity exemption').
The Opinion recognises that these exemptions may still be relevant to certain scenarios involving fingerprinting, for example:
- where certain information elements of a user's device may need to be transmitted to enable the proper functioning of a communications network, such as when managing the connection between wireless devices and a wireless network in order to maintain connections, or to route data packets (network communication exemption);
- where certain user-centric features are only used to enhance the security of a service requested by the user (such as identifying repeated failed log-in attempts) (strict necessity exemption); or
- where the information elements are only used to adapt the content requested to the user's device (e.g. compressing the content so that it appears on a smaller device screen) (strict necessity exemption).
However, access to or storage of device information in connection with other uses such as analytics, online behavioural analysis, or to control a user's access to a service to a number of specific devices would not be exempt.
So the e-Privacy Directive does not offer a 'get out' for fingerprinting. Those using fingerprinting techniques that are not exempt, must still ensure that they are transparent with connected device users and first collect their consent before creating the fingerprint. It will be interesting to see whether, going forward, technology developments will offer users more visibility and features to manage their privacy proactively where fingerprinting is involved.