Device fingerprinting tech: It's not a cookie, but 'cookie' rules apply

Website operators that turn to new "device fingerprinting" technologies to track internet users' behaviour in place of "cookies" have to obtain users' consent in accordance with the same EU legal standards that apply to the use of cookies, an EU privacy watchdog has said. In a new opinion it has issued, the Article 29 Working …

  1. Doc Spock
    Alert

    Opt-In

    As long as 'obtaining a user's consent' is not just permitted in the same way that it was recently mandated for cookies. That is, something which simply says 'your continued use of this site implies consent'.

    It must be possible for users to opt out of all forms of tracking that are not critical to the function of a web site while still being able to make full use of that site.

    1. Anonymous Coward

      Re: Opt-In

      Where does your god-given right to access any website, regardless of the site owner's wishes, come from? If you're informed of the terms of use but don't like them then you're still free to bog off.

      1. Anonymous Coward

        Re: Opt-In

        Where does web site owners' God-given right to ignore EU law come from?

        The EU are saying that website operators must respect the privacy of their users. As such, a web site operator cannot say "by the way, we don't respect your privacy" and force users to go elsewhere if they don't agree.

        1. Anonymous Coward

          Re: Opt-In

          "As such, a web site operator cannot say "by the way, we don't respect your privacy" and force users to go elsewhere if they don't agree."

          Yes they can. The website operator isn't saying "we don't respect your privacy", they're telling you what the privacy implications of using the site are, so that you can make your own mind up. That's precisely why you see the stupid cookie consent pop-ups just about every EU website operator has to litter their sites with - pointless and annoying for all concerned, to the extent that there's even a Firefox extension specifically to block them!

        2. Trevor_Pott Gold badge

          Re: Opt-In

          God doesn't exist. Rights granted by a non-extant entity are irrelevant. Thus the "god-given" right to view a website, or to track someone are non-extant. The rights are as they have been defined in various documents, starting with the UDHR and ending with local bylaws.

          Comply.

  2. Anonymous Coward

    "all forms of tracking that are not critical to the function of a web site"

    But you can make anything 'critical to the function of your web site'. I could make clicking a red button critical to the function of my website and anyone who doesn't click it would not be able to access it. So you would have to redefine it that the 'website would not be able to provide the same functionality without the use of that feature'.

    However now the privacy commissioner would have to employ a team of programmers to look at the source code for the sites and find ways that the functionality could have been achieved without that feature. However what if my developer skills weren't the same as the commissioner's developers or I just hadn't thought of that way of doing something, or I was in a rush and did it the easiest way after a 15hour shift?

    That is why it would become difficult to enforce....

    1. Anonymous Coward

      re: or I was in a rush and did it the easiest way after a 15hour shift?

      Oh that's fine, the law doesn't count if you're tired and in a rush....

      1. Anonymous Coward

        Re: re: or I was in a rush and did it the easiest way after a 15hour shift?

        Eh? What law?

        1. Anonymous Coward

          Re: Eh? What law?

          EU privacy law.

          You know the article we're talking about, the first line is:

          "Website operators that turn to new "device fingerprinting" technologies to track internet users' behaviour in place of "cookies" have to obtain users' consent in accordance with the same EU legal standards that apply to the use of cookies, an EU privacy watchdog has said."

  3. Frankee Llonnygog

    oh great!

    So now we can look forward to the ICO making all us law abiding folk put another stupid message on our websites. Meanwhile, the baddies continue to flout the law and the ICO does nothing, because they are shit-scared of taking on web giants who can afford more and better lawyers.

    There's nothing wrong with cookies, Flash objects, etc. If you need to use them to make a web app work, fine. Our website uses device tracking to step up security when we detect abnormal usage - to protect your money!

    These stupid laws and guidelines penalise the people using cookies in the legitimate way they were intended to be used. Meanwhile, the cowboys carry on storing your inside leg measurement and sexual preferences with impunity, even though all you did was click on an ad for a shed.

    To paraphrase the NRA, cookies don't track people, Google does!

    1. sabroni Silver badge

      Re: to protect your money!

      Can I have that back now please? Not sure how you got it in the first place....

      1. Frankee Llonnygog

        Re: to protect your money!

        You loaned it to us, and we pay you interest (that's a clue as to what sort of site we are)

        1. Fatman Silver badge

          Re: to protect your money!

          You loaned it to us, and we grudgingly pay you as little as we can get away with in interest (that's a clue as to what sort of site we are)

          FTFY!!!!

          1. Frankee Llonnygog

            Re: to protect your money!

            Sorry, you're wrong - I could say more but that would give the game away.

    2. VinceH Silver badge

      Re: oh great!

      "So now we can look forward to the ICO making all us law abiding folk put another stupid message on our websites."

      Quite...

      I don't mind websites putting cookies on my computer, because my computer is set up so that those cookies don't survive beyond the session. And while your average Joe and Joanne might not know how to do that, they could be educated (or the annoying ones could ask people like us to set up their system appropriately to start with.)

      Overall, that would have been much better - but instead we get the silly law.

      The silly law that means because of my sensible cookie management, I have to see the annoying pop-ups about cookies every bloody time I visit many websites.

      The silly law that means they have to clarify things because those that don't like not being able to track us are now looking at other ways to do it - and are thus looking for ways to track those of us who didn't need protection from the law in the first place.

      Stop legislating when educating is better. Grr!

      1. Adam 52 Silver badge

        Re: oh great!

        Not this one again. Please actually read the legislation. It's not about cookies. It's about unauthorised storage on your machine. Just because you know how to delete cookies doesn't mean you know how to delete the data stored by my new plugin that I just invented and haven't told you about.

        You'd have thought IT people would understand the concept of abstraction.

        1. VinceH Silver badge

          Re: oh great!

          "It's not about cookies ... You'd have thought IT people would understand the concept of abstraction."

          And I'd have thought someone replying to the posts above would have heard about thread drift and understood how (and why) we got from one topic to another.

      2. Robert Helpmann?? Silver badge
        Joke

        Re: oh great!

        "Stop legislating when educating is better."

        Follow the cynical logic with me:

        1) This is a problem.

        2) Something must be done to correct it.

        3) We are legislators.

        4) We pass laws.

        5) Passing laws is doing something.

        6) We passed laws about the problem.

        7) Something has been done about the problem.

        8) We have corrected the problem.

  4. This post has been deleted by its author

    1. Ole Juul

      Re: good idea, difficult to enforce

      Like using encryption to prevent snooping and filtering to prevent spam, in the end it's going to come down to users protecting themselves. I'm glad the EU privacy watchdog is looking at this, but encouraging browser developers to address the issue might be more productive.

      1. Brewster's Angle Grinder Silver badge

        @Ole

        How can the user protect themselves against HTML canvas fingerprinting?

        1. Allan George Dyer Silver badge

          Re: @Ole

          @Brewster's Angle Grinder

          Turn off Javascript?

          1. Ole Juul

            Re: @Ole

            @Allan George Dyer: I don't think turning off Javascript is enough. Brewster's Angle Grinder is right, it's a difficult situation. Look at this EFF web site and you will see that you are very identifiable. According to them 1 in 4 million. I recently just decided to spoof my OS and browser because it became clear to me that the number of people who would have the combination of just those two bits of information were less than the number of people in the world who would have my exact first and last name.

            1. Anonymous Coward

              Re: @Ole - Identifiable

              The 1 in 4 million (I got the same) is that you are unique in the number of sites they have sampled.

              As the sample size increases, I'd expect the number to go to say 1 in 10 million etc.

              Ok, I did have JavaScript disabled for the EFF site so many of the tests simply won't run on my machine.

              Plus I did it in a private window.

            2. Allan George Dyer Silver badge

              Re: @Ole

              @Ole Juul - I was making the point about HTML canvas fingerprinting specifically, which, if I understand correctly, depends on Javascript to work, therefore it fails when it is off. The downside, of course, is the loss of useful stuff that depends on Javascript.

              Yes, my browser is unique among those the EFF site has tested, but if I turn off Javascript, then there are, apparently, three others that are indistinguishable in the ~4 million tested. Not really much of a gain.

          2. This post has been deleted by its author

        2. Ole Juul

          Re: @Ole

          I don't presume to know the way but I don't think we need to assume that we will all be using the same browser and OS version in the future. It seems to me that TOR style browsers could become a norm. Perhaps the ISP could play a role. Of course there are downsides to such an approach but many of us are already using VPNs to overcome at least some of those. My feeling is that if I'm not logged into some place (like here) or using a bank, then nobody needs to be able to identify me. Don't you think that can be done?

          1. GavinC

            Re: @Ole

            @Ole "My feeling is that if I'm not logged into some place (like here) or using a bank, then nobody needs to be able to identify me. Don't you think that can be done?"

            But that's just it - we need to be able to identify you to see if you are logged in or not. This is exactly what cookies were designed for. Granted nowadays they are abused by the ad networks, but they do have a lot of legitimate uses, such as recording whether you acknowledged the cookie warning, ironically. If we couldn't use cookies or uniquely identify you, then we would need to ask you if we could every time you visit, and force you to re-login every time you return to the site too.

            1. This post has been deleted by its author

        3. Anonymous Coward

          Re: @Ole

          "user protect themselves against HTML canvas fingerprinting"

          Most obvious is for browser writers to include a small amount of pseudo-random dithering in the canvas draw so no two images are ever *exactly* the same, not from system to system, but from visit to visit, result is no useful info in the resulting hash.
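The dithering idea in the comment above, as an added example that is not part of the original thread: a constructed pixel buffer stands in for `canvas.getImageData()`, FNV-1a stands in for whatever hash a fingerprinting script uses, and every function name here is hypothetical. It shows that an undithered render hashes identically on each visit, while flipping a few least-significant bits per visit changes the hash without changing any channel by more than 1.

```javascript
// Added example: constructed data, hypothetical names; no real browser API is called.

// Stand-in for canvas.getImageData(): RGBA bytes of a gradient. `deviceQuirk`
// models the rendering differences between machines that the hash picks up.
function renderCanvas(deviceQuirk, size = 16) {
  const px = new Uint8ClampedArray(size * size * 4);
  for (let i = 0; i < size * size; i++) {
    const x = i % size, y = Math.floor(i / size);
    px.set([(x * 7 + deviceQuirk) & 0xff, (y * 13) & 0xff, (x ^ y) & 0xff, 255], 4 * i);
  }
  return px;
}

// FNV-1a (32-bit): stand-in for whatever hash a fingerprinting script uses.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) h = Math.imul(h ^ b, 0x01000193) >>> 0;
  return h.toString(16).padStart(8, "0");
}

// Small seeded PRNG (mulberry32) so the demo is repeatable. A browser would
// draw a fresh seed from a CSPRNG on every visit.
function prng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// The proposed defence: flip the lowest bit of ~5% of colour channels.
function dither(pixels, visitSeed) {
  const rand = prng(visitSeed);
  return pixels.map((v, i) => (i % 4 !== 3 && rand() < 0.05 ? v ^ 1 : v));
}

// Largest per-channel change, to show the noise is visually negligible.
function maxDelta(a, b) {
  return a.reduce((m, v, i) => Math.max(m, Math.abs(v - b[i])), 0);
}

const device = renderCanvas(3);
console.log("no dither :", fnv1a(device), fnv1a(renderCanvas(3)));
console.log("visit A   :", fnv1a(dither(device, 1001)));
console.log("visit B   :", fnv1a(dither(device, 1002)));
console.log("max change:", maxDelta(device, dither(device, 1001)));
```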

          1. Anonymous Coward

            Re: @Ole

            Also check out the CanvasFingerprintBlock plugin for Chrome.

            But really, something should be done as standard by browser suppliers to make all machines look identical so tracking is not possible without user-controlled cookies.

            1. Brewster's Angle Grinder Silver badge

              Re: @Ole

              "Also check out the CanvasFingerprintBlock plugin for Chrome."

              And for $other_browser?

              Ole's point was "in the end it's going to come down to users protecting themselves." So I provided an example of something I believed a user couldn't protect themselves against, even if they knew about it. (Which most wouldn't.) That there's a fix for that one problem on one browser doesn't undermine my point. What about the font list or any of the other problems that will arise? As Ole concludes, it's down to browser authors and regulators and us pressuring them to fix it. But don't blame the users.

              And FWIW I don't want every browser to look identical, I just want new values for each metric when I restart my browser, launch a private window, or press a button that says "reset now".

  5. Terry Cloth
    Terminator

    Lie to them

    Is there a browser plug-in that allows you to specify the info supplied? I remember Mozilla used to have an about:config string that let you set the User Agent string, but my current Firefox doesn't seem to have anything of that sort.

    It would be nice if we could get a plug-in that returned a "standard" set of identity strings, so all of a sudden every browser would look like IE 12 on MS Windows 10, say. Or even have a number of such standards, and rotate them pseudo-randomly. What fun!

    Icon: mask, because we'd all be hiding behind one.

    1. Ole Juul

      Re: Lie to them

      @ Terry Cloth: Firefox has a plugin, Random Agent Spoofer 0.9.3.1, which does fixed or random agent spoofing. It works, and it's a good start, but there's much more to identify you.

  6. Anonymous Coward
    WTF?

    Third Party Trackers are cookies too

    Ghostery tells me about trackers on almost every site there is out there. These trackers are often in double digits. Does the EU cookie law apply here too? If not, I'd prefer them to replace 'cookie' with 'tracker' in the law retroactively.

  7. JeffyPoooh Silver badge
    Pint

    Secure cookie-less browser at work

    I still get tailored ads.

    One MS ad showed me the three exact items that I had recently purchased from them. In case I wanted to buy spares I guess...

  8. Primus Secundus Tertius Silver badge

    MS Windows

    Never mind the websites. Microsoft use device fingerprinting to enforce their Windows licences.

    Is that to become illegal?

    1. Fatman Silver badge

      Re: MS Windows

      "Never mind the websites. Microsoft use device fingerprinting to enforce their Windows licences.

      Is that to become illegal?"

      DAMN good question.

      It is already well publicized that with some versions of Windows WindblowZE, certain changes in hardware configuration cause WGA (or whatever they call that piece of shit these days) to spout warnings about being non-genuine. (hint: http://en.wikipedia.org/wiki/Windows_Genuine_Advantage#False_positive_rate )

      BUT I would not hold my breath, I am sure that accommodations for software integrity mechanisms will be forthcoming.
