Let’s talk about a term called “device fingerprinting“
The reason for this post is a very recent publication of an opinion by the EU’s think tank on privacy, Article 29 Data Protection working party, called Opinion 9/2014 on the application of Directive. In this article, the think tank comes to the logical conclusion that the process of device fingerprinting falls under European data protection laws and therefore requires consent similar to cookies, even though it’s a more recent technology.
The key takeaway in the words of the publication:
The key message of this Opinion is that Article 5(3) of the ePrivacy Directive is applicable to device fingerprinting.
What is device fingerprinting?
The opinion piece links to a definition made by IETF.org and then goes on to define what Article 29 itself sees as device fingerprinting. The following excerpt is copied verbatim from the document:
RFC69739 defines a fingerprint as “a set of information elements that identifies a device or application instance”. This Opinion uses the term in a broad sense, meaning that it includes a set of information
that can be used to single out, link or infer a user, user agent or device over time. This includes, but is not limited to, data derived from:
- (a) the configuration of a user agent/device; or
- (b) data exposed by the use of network communications protocols.
There are many types of data that can form a fingerprint, including the following examples:
- (a) CSS information;
- (b) JavaScript objects (e.g., document, window, screen, navigator, date and language);
- (c) HTTP header information (e.g., the number of bits of information in the User Agent string, HTTP header ordering, HTTP header variation by request type);
- (d) clock information (e.g., clock skew and clock error);
- (e) TCP stack variation;
- (f) installed fonts;
- (g) installed plugin information (e.g., configuration and version information);
- (h) the use of internal Application Programming Interfaces (API) exposed by the user agent/device; or
- (i) the use of external API’s of Web services the user agent/device is communicating with.
The point is that a single information element processed in isolation is not generally considered a privacy risk. However, a number of information elements can be combined to provide a set which is sufficiently
unique (especially when combined with other identifiers such as the originating IP address) to act as a unique fingerprint for the device or application instance.
The problem with device fingerprints as opposed to HTTP cookies, however, is that they are much harder to avoid for the user.
Device fingerprinting and consent
The Opinion indicates to third-parties who process device fingerprints which are generated through the gaining of access to or the storing of information on the user’s terminal device that they may only do so with the valid consent of the user.
The legal framework of the e-Privacy directive allows for an exemption. Article 5(3) allows for processing to be exempt from the requirement of consent, if one of the following criteria is satisfied:
CRITERION A: technical storage or access “for the sole purpose of carrying out the transmission of a communication over an electronic communications network”.
CRITERION B: technical storage or access which is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”
Device fingerprinting and exemption
To make it easier to understand the exemption rules, we can take a look at the examples provided by the Opinion.
Use case: First-party website analytics
A number of online services have proposed device fingerprinting as an alternative to HTTP cookies for the purpose of providing analytics without the need for consent under Article 5(3). In Opinion 04/2012 the Working Party recognised the need for a third exemption for the consent requirement for first party analytics:
“provided that they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. Such safeguards are expected to include a user friendly mechanism to opt-out from any data collection and comprehensive anonymization mechanisms that are applied to other collected identifiable information such as IP addresses.”
However, the Opinion also stated that currently there is no exemption to consent for cookies that are strictly limited to first party anonymised and aggregated statistical purposes. Therefore, first-party website analytics through device fingerprinting do not fall under the exemption defined in CRITERION A or B and consent of the user is required.
Use case: Adapting the user interface to the device
Accessing device information such as the screen size can be useful to optimise the layout of content.
For example, a media website could switch to a low graphics mode or single column layout for mobile devices. Alternatively a website, or the third-parties serving content through that website, might query the device to ascertain technical capabilities such as which video formats are supported.
Where a third-party requests access to information stored on the user’s device for the sole purpose of adapting the content to the characteristics of the device, then CRITERION B is valid. This means that for short-term UI customisation consent is therefore not required.
If this information however is also used for secondary purposes, this exemption no longer applies.
Read: Article 29 Data Protection working party, called Opinion 9/2014
