Device fingerprinting tech: It's not a cookie, but 'cookie' rules apply Website operators that turn to new "device fingerprinting" technologies to track internet users' behaviour in place of "cookies" have to obtain users' consent in accordance with the same EU legal standards that apply to the use of cookies, an EU privacy watchdog has said. In a new opinion it has issued, the Article 29 Working …
As long as 'obtaining a user's consent' is not just permitted in the same way that it was recently mandated for cookies. That is, something which simply says 'your continued use of this site implies consent'.
It must be possible for users to opt out of all forms of tracking that are not critical to the function of a web site while still being able to make full use of that site.
Where does web site owners' God-given right to ignore EU law come from?
The EU are saying that website operators must respect the privacy of their users. As such, a web site operator cannot say "by the way, we don't respect your privacy" and force users to go elsewhere if they don't agree.
As such, a web site operator cannot say "by the way, we don't respect your privacy" and force users to go elsewhere if they don't agree.
Yes they can. The website operator isn't saying "we don't respect your privacy", they're telling you what the privacy implications of using the site are, so that you can make your own mind up. That's precisely why you see the stupid cookie consent pop-ups just about every EU website operator has to litter their sites with - pointless and annoying for all concerned, to the extent that there's even a Firefox extension specifically to block them!.
"all forms of tracking that are not critical to the function of a web site"
But you can make anything 'critical to the function of your web site'. I could make clicking a red button critical to the function of my website and anyone who doesn't click it would not be able to access it. So you would have to redefine it that the 'website would not be able to provide the same functionality without the use of that feature'.
However now the privacy commissioner would have to employ a team of programmers to look at the source code for the sites and find ways that the functionality could have been achieved without that feature. However what if my developer skills weren't the same as the commissioner's developers or I just hadn't thought of that way of doing something, or I was in a rush and did it the easiest way after a 15hour shift?
That is why it would become difficult to enforce....
E U privacy law.
You know the article we're talking about, the first line is:
Website operators that turn to new "device fingerprinting" technologies to track internet users' behaviour in place of "cookies" have to obtain users' consent in accordance with the same EU legal standards that apply to the use of cookies, an EU privacy watchdog has said.
So now we can look forward to the ICO making all us law abiding folk put another stupid message on our websites. Meanwhile, the baddies continue to flout the law and the ICO does nothing, because they are shit-scared of taking on web giants who can afford more and better lawyers.
There's nothing wrong with cookies, Flash objects, etc. If you need to use them to make a web app work, fine. Our website uses device tracking to step up security when we detect abnormal usage - to protect your money!
These stupid laws and guidelines penalise the people using cookies in the legitimate way they were intended to be used. Meanwhile, the cowboys carry on storing your inside leg measurement and sexual preferences with impunity, even though all you did was click on an ad for a shed.
To paraphrase the NRA, cookies don't track people, Google does!
"So now we can look forward to the ICO making all us law abiding folk put another stupid message on our websites."
Quite...
I don't mind websites putting cookies on my computer, because my computer is set up so that those cookies don't survive beyond the session. And while your average Joe and Joanne might not know how to do that, they could be educated (or the annoying ones could ask people like us to set up their system appropriately to start with.)
Overall, that would have been much better - but instead we get the silly law.
The silly law that means because of my sensible cookie management, I have to see the annoying pop-ups about cookies every bloody time I visit many websites.
The silly law that means they have to clarify things because those that don't like not being able to track us are now looking at other ways to do it - and are thus looking for ways to track those of us who didn't need protection from the law in the first place.
Stop legislating when educating is better. Grr!
Not this one again. Please actually read the legislation. It's not about cookies. It's about unauthorised storage on your machine. Just because you know how to delete cookies doesn't mean you know how to delete the data stored by my new plugin that I just invented and haven't told you about.
You'd have thought IT people would understand the concept of abstraction.
Stop legislating when educating is better.
Follow the cynical logic with me:
1) This is a problem.
2) Something must be done to correct it.
3) We are legislators.
4) We pass laws.
5) Passing laws is doing something.
6) We passed laws about the problem.
7) Something has been done about the problem.
8) We have corrected the problem.
This post has been deleted by its author
Like using encryption to prevent snooping and filtering to prevent spam, in the end it's going to come down to users protecting themselves. I'm glad the EU privacy watchdog is looking at this, but encouraging browser developers to address the issue might be more productive.
@Allan George Dyer: I don't think turning off Javascript is enough. Brewster's Angle Grinder is right, it's a difficult situation. Look at this EFF web site and you will see that you are very identifiable. According to them 1 in 4 million. I recently just decided to spoof my OS and browser because it became clear to me that the number of people who would have the combination of just those two bits of information were less than the number of people in the world who would have my exact first and last name.
The 1 in 4 million (I got the same) is that you are unique in the number of sites they have sampled.
As the sample size increases, I'd expect the number to go to say 1 in 10 million etc.
Ok, I did have JavaScript disabled for the EFF site so many of the tests simply won't run on my machine.
Plus I did it in a private window.
@Ole Juul - I was making the point about HTML canvas fingerprinting specifically, which, if I understand correctly, depends on Javascript to work, therefore it fails when it is off. The downside, of course, is the loss of useful stuff that depends on Javascript.
Yes, my browser is unique among those the EFF site has tested, but if I turn off Javascript, then there are, apparently, three others that are indistinguishable in the ~4 million tested. Not really much of a gain.
This post has been deleted by its author
I don't presume to know the way but I don't think we need to assume that we will all be using the same browser and OS version in the future. It seems to me that TOR style browsers could become a norm. Perhaps the ISP could play a role. Of course there are downsides to such an approach but many of us are already using VPNs to overcome at least some of those. My feeling is that if I'm not logged into some place (like here) or using a bank, then nobody needs to be able to identify me. Don't you think that can be done?
@Ole "My feeling is that if I'm not logged into some place (like here) or using a bank, then nobody needs to be able to identify me. Don't you think that can be done?"
But that's just it - we need to be able to identify you to see if you are logged in or not. This is exactly what cookies were designed for. Granted nowadays they are abused by the ad networks, but they do have a lot of legitimate uses, such as recording whether you acknowledged the cookie warning, ironically. If we couldn't use cookies or uniquely identify you, then we would need to ask you if we could every time you visit, and force you to re-login every time you return to the site too.
This post has been deleted by its author
"user protect themselves against HTML canvas fingerprinting"
Most obvious is for browser writers to include a small amount of pseudo-random dithering in the canvas draw so no two images are ever *exactly* the same, not from system to system, but from visit to visit, result is no useful info in the resulting hash.
"Also check out the CanvasFingerprintBlock plugin for Chrome."
And for $other_browser?
Ole's point was "in the end it's going to come down to users protecting themselves." So I provided an example of something I believed a user couldn't protect themselves against, even if they knew about it. (Which most wouldn''t.) That there's a fix for that one problem on one browser doesn't undermine my point. What about the font list or any of the other problems that will arise? As Ole concludes, it's down to browser authors and regulators and us pressuring them to fix it. But don't blame the users.
And FWIW I don't want every browser to look identical, I just want new values for each metric when I restart my browser, launch a private window, or press a button that says "reset now".
Is there a browser plug-in that allows you to specify the info supplied? I remember Mozilla used to have an about:config string that let you set the User Agent string, but my current Firefox doesn't seem to have anything of that sort.
It would be nice if we could get a plug-in that returned a ``standard'' set of identity strings, so all of a sudden every browser would look like IE 12 on MS Windows 10, say. Or even have a number of such standards, and rotate them pseudo-randomly. What fun!
Icon: mask, because we'd all be hiding behind one.
Never mind the websites. Microsoft use device fingerprinting to enforce their Windows licences.
Is that to become illegal?
DAMN good question.
It is already well publicized that with some versions of Windows WindblowZE, certain changes in hardware configuration causes WGA (or whatever they call that piece of shit these days) to spout warnings about being non-genuine. (hint: http://en.wikipedia.org/wiki/Windows_Genuine_Advantage#False_positive_rate )
BUT I would not hold my breath, I am sure that accommodations for software integrity mechanisms will be forthcoming.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
