AdExplainer: What you need to know about device fingerprinting |  Ad Exchange

AdExplainer: What you need to know about device fingerprinting | Ad Exchange

AdExplainer first version

For more than a decade, the ad tech industry has attempted to replace the term “fingerprinting” with euphemisms, such as probabilistic modeling.

But too bad for ad tech, because the term stuck.

All of the major browser and mobile operating system makers – primarily Google and Apple, with a bit of Mozilla and Microsoft in the mix – now explicitly cite “fingerprinting” as inadmissible.

Fingerprints are also a target for political actions.

But what is the fingerprint?

Fingerprints are a way for marketing and technology companies to roughly identify users or devices without an actual user ID.

Even without an ID, sites and apps collect data that can be used to create a type of digital signature – a fingerprint, if you will.

This data includes information about a user’s browser or operating system type, battery and processor details, screen size and orientation, clock type, language, keyboard plug-ins, etc.

If, for example, a publisher doesn’t have a user’s email address or other user-level identifier, they may still be able to guess if someone is revisiting their site by triangulating data points, such as connecting the same phone model, operating system, and browser type, as well as the person using dark mode, a specific emoji keyboard, and a 24-hour time for their clock.

In 2018, before fingerprints became a major target for browser operators, ad tech companies like Flashtalking and Criteo and cross-device graphics providers used these non-identifying data points to improve hit rates. correspondence.

Another form is called Canvas fingerprint. Canvas is an HTML5 API that enables graphics and animations through the use of JavaScript. When a site is running Canvas in the background to output something on the page, such as graphics, font size, or background color setting, differences in the graphics processing unit of the device create slight changes in rendering that can be buffered and recognized.

Why is this allowed?

In many cases this is not allowed. After all, fingerprinting is a tracking method that people cannot refuse or adopt.

Both Apple and Google have made it harder for ad tech companies to engage in fingerprinting. Google has taken steps to restrict fingerprinting since at least 2019, and Apple has explicit anti-fingerprinting policies in place.

But fingerprints are still not actively enforced.

The mobile ad tech industry was on hot coals at Apple’s Worldwide Developers Conference in June, as many expected Apple to issue technical guidelines to ban fingerprinting.

There was a collective sigh of relief after fingerprints weren’t mentioned during the WWDC keynote. And while Apple threw shade at the fingerprints during one of the follow-up development sessions, it didn’t share any app blueprints.

“With permission, tracking is allowed — but fingerprints are never allowed,” said Julia Hanson, Apple’s privacy engineer, during the WWDC session. “Regardless of whether a user gives your app permission to track, fingerprinting – or using device signals to try to identify the device or user – does not is not authorized by the Apple Developer Program License Agreement.”

And even without specific application guidelines for apps, Apple has been cracking down on web fingerprinting for years through Intelligent Tracking Prevention. (Mozilla did the same thing on Firefox, by the way.)

Although Google has followed Apple a few years behind in removing fingerprint data, it has taken steps to phase out HTML user agent strings (historically used to inform sites how to display correctly) and zero out the Android Advertising ID so it can’t be used for ad targeting.

In browser parlance, user agent strings and mobile ad IDs are called “fingerprint surfaces”. They have a declared use, but can also be co-opted for other purposes. The idea is to have as little surface area as possible in order to avoid fingerprints while balancing the user experience while supporting publishing businesses.

The same goes for mobile operating systems and app developers. If Apple flipped a switch and started enforcing its definition of fingerprinting in apps, popular mobile metrics providers with large SDK networks could be in violation and all apps that carry them would suddenly be disrupted.

What can be done?

Although fingerprinting has not been completely removed, Apple, Google, Mozilla, Microsoft and others have developed built-in browser features to limit the practice and removed data exhaustion to make fingerprinting much less effective. .

Although a fingerprint can seem like it should last forever, after a day or two the constellation of data points that were used to create a device fingerprint usually no longer hold together, Grant Simmons, head of analytics customers to mobile attribution platform Kochava, previously told AdExchanger.

The challenge is that stricter enforcement of fingerprinting comes with real trade-offs.

Removing all fingerprint surfaces hurts the user experience. After all, developers and publishers collect device data and run Canvas for convenience. They should have interactive features, know when to go into low-power mode, how to render images based on phone type, and know the user’s time of day.

Firefox is working on a fingerprint protection feature, but warns users that it’s “likely” the feature “may degrade your web experience, so we only recommend it to those who want to try out experimental features.”

So what common issues arise for Firefox users who download fingerprint protection?

Not all fonts are available, their time zone is reported as UTC (Greenwich England), their microphone and webcam preferences are disabled, and their site-specific zoom settings or other services may be disrupted. That’s just to name a few of what Mozilla calls “a non-exhaustive list” of features that can be tweaked or disabled.

I guess there is still no easy switch for fingerprinting.

#AdExplainer #device #fingerprinting #Exchange

Leave a Comment

Your email address will not be published. Required fields are marked *