Digital Fingerprinting

Disadvantages of cookie tracking
Tracking by means of cookies is associated with considerable effort. On the one hand, the regulations of the GDPR must be complied with at all times. On the other hand, cookie tracking can be limited at any time according to the situation. And the increasing use of mobile devices also makes reliable tracking difficult, because cookies cannot be transferred from one device to another or shared between apps. Furthermore, users can delete cookies regularly, preventing companies from tracking users permanently. The increasing use of adblocker software and privacy features also makes cookie tracking difficult.
Digital fingerprinting – how it works
Alternatives to cookie tracking already exist, because online users can be clearly identified even without the use of cookies. 
Digital fingerprinting is the common term for a whole range of user tracking techniques that are difficult to prevent via the browser’s default settings and thus work as non-erasable cookie successors. Although browser fingerprints are not quite as unique as an individual’s fingerprint, they offer a high success rate of over 80 percent in the recognition of web users. In the meantime, however, browser manufacturers are also incorporating measures into browsers that at least partially prevent digital fingerprinting. 
Digital fingerprinting works with the fact that the representation of text in canvas elements varies greatly depending on the user’s computer configuration (IP and MAC address, operating system, browser type or version, plug-ins, fonts and other special settings) and is therefore unique and can be clearly assigned, similar to a human fingerprint.
The technical side of fingerprint tracking
In order to create the user’s specific fingerprint at the time a website is visited, depends on how the technology of the visited website interacts with the user’s browser. 
Basically there are two types of browser fingerprinting:

  • Passive fingerprinting: refers to the collection of browser information that is obtained without the use of a special application, i.e. the IP address, the port used or the browser type. All this information is included in the header data of IP packets by default and reaches the web server in any case.
  • Active fingerprinting: With active fingerprinting, the browser specifically requests information that is not automatically provided when a web page is opened. For example, information about the browser, but also about the operating system and the screen (width, height, resolution).

A hidden text is passed to the browser for display. Just a few lines of program code in JavaScript are sufficient, because the unique display makes it possible to recognize the user with a high degree of probability from this point on and thus track his browsing behavior: At this moment the user has left his very individual digital fingerprint.
Fingerprint tracking and the requirements of the GDPR
Fingerprint tracking is a tracking method, where the end device of a user is clearly recognized. The fingerprint can be determined by different providers and makes it possible to track the user across different websites. It is not obvious for the user and often cannot be turned off individually.
Fingerprinting is only permitted if:

  • an explicit consent of the user is given that fingerprinting is required to provide a special service and is used in this context without exception to carry out the data transfer or
  • if there is another legal basis, such as the entitled interest (according to GDPR Art. 6 1 f), which, however, might no longer be admissible in Germany after the BGH ruling of the end of May. In other EU countries, the Beneficiary’s Interest is already no longer regarded as permissible

Our data protection experts from ePrivacy are familiar with all requirements relating to this topic. So if you have any questions about the handling of fingerprint tracking in consideration of the requirements of the GDPR, please contact us.