DEV Community

How the Web Audio API is used for browser fingerprinting

Savannah Copland 👋 on March 23, 2021

Did you know that you can identify web browsers without using cookies or asking for permissions? This is known as “browser fingerprinting” and it ...
Nathaniel

That's super interesting. But also deeply troubling.

What measures does FingerprintJS put in place to stop its users from abusing it?

What's to stop someone using FingerprintJS for extortion? Or an oppressive regime using it to identify dissidents?


Savannah Copland 👋

Hi Nathaniel - I answered some of this in my response to Pankaj - dev.to/savannahjs/comment/1ck9e

More specifically to your question though: browser fingerprinting aims to uniquely identify browsers, but it is not able to identify individual people. In that way, this technology behaves very similarly to cookies, though it is a little more difficult to spoof.

We do try to ensure our customers use the technology for anti-fraud, and we never do cross-domain tracking.


Nathaniel

Could you clarify that statement? In what sense does it identify the browser but not the individual using the browser?


Savannah Copland 👋

A browser fingerprinting script generates a hash using signals collected via the browser. This hash serves as a "fingerprint" of a specific site visitor's browser that remains stable between browsing sessions. If you were generating and storing browser fingerprints for your website, you would be able to tell if a visitor returned and associate multiple browsing sessions with the same browser.

It's tricky to ever know exactly who is visiting on a specific browser. You could associate the fingerprint with account information if the visitor has ever logged in, but that's probably as close as you can get. As we don't do cross-domain tracking, a website would only be able to associate browsing information for users of its own site.

Hopefully that answers your question - forgive me if I'm on the wrong track!


Nathaniel

So the distinction is that you can identify the device but not the person using the device?

Either I'm fundamentally misunderstanding, or that's a misleading thing to say.

I'm sure the vast majority of devices are used by a single individual — and with the exception of libraries and internet cafes, are used by a close-knit group.

If it has the same capability of identifying users as cookies then it definitely can 100% identify an individual person.

So is this statement true or false?

it is not able to identify individual people.

Just because it can't identify everybody 100% of the time it doesn't mean it can't identify an individual.

I hope you can appreciate why people find this disturbing.


Savannah Copland 👋

The distinction I'm trying to make is that even if you assume a device is used by a single individual, you still need to associate that device with additional data sources (like user data) to know that person's name, email, or phone number (to tie back to your dissident example).

I totally understand your concern though. To your argument, while there's clearly a difference between a hashed ID and a user's name or address, GDPR considers cookies and fingerprints 'personal' data, which allows it to extend protections around how this information is stored, when consent is required, and the conditions under which personal data must be deleted. We are 100% on board with this type of governance as it ensures a healthy balance between privacy and security.


Nathaniel

Okay, I think I understand.

In a sense it's the same as cookies, but it's for people who have explicitly taken steps to avoid being tracked online.

If one of fingerprintJS's users breaks the law and invades my privacy with it, who is held responsible?

Is there a list of organizations that use FingerprintJS?
I couldn't find any on the site.


Savannah Copland 👋

To the cookies comment - yes that's right.

For breaking laws (as it pertains to GDPR and the EU), there are different rules for 'data processors' and 'data controllers'. We have responsibilities as a data processor that include data encryption, ensuring proper authorization access and confidentiality of data, and security incident reports and auditing. The data controller also has its own set of requirements, including asking for consent to track for marketing purposes. The Information Commissioner's Office (which enforces GDPR) can levy significant fines against either the processor, the controller, or both, depending on who is breaking the rules. So in short, it depends, but we take our end of upholding privacy laws very seriously.

For organizations using us - we have some logos on our homepage but other than that we don't provide a full list!


Nathaniel

I'm sorry to belabour the point.

The privacy and security implications of this go beyond legal questions into ethical ones. Tools like this are always abused — and it's often the most vulnerable people who pay the price.

I'm sure you take all kinds of strict security and legal measures, but in my opinion this is going to hurt people. I hope I'm wrong.


BezPowell

I'm in complete agreement here. It may also be subject to the same restrictions as cookies, but we all know cookies are regularly abused when different websites pool their data on individuals.

I suppose a big advantage of having this as an open-source project is it might make it easier to develop tools to circumvent it. We know that many unscrupulous websites are already fingerprinting users (try running some websites you use through Blacklight, the results can be scary), so knowing how they are doing so is better than having to guess.

The prevalence of tracking scripts and finger-printers is the reason I do most of my day to day browsing using Tor browser. Just because I'm not doing anything illegal doesn't mean I want websites tracking everything I do.


Nathaniel

Thanks for the link to Blacklight — that's a really interesting website.

Looking at the GitHub for FingerprintJS there's a thread about the ethical implications of the project: #430.

The authors defend themselves by saying the library helps defend users from privacy violations by being open source, and therefore bringing to light these issues.

They build weapons so the world can better defend itself against people who use their weapons.

@savannahjs Does fingerprintJS also maintain an opensource library for protecting users?


Pankaj Patel

Good explanation on how Audio can be used for Fingerprinting

Though now I am wondering why we need this extensive fingerprinting, can you please elaborate?


Savannah Copland 👋

Hi Pankaj!

Our company (FingerprintJS) focuses on using browser fingerprinting as one tool of many to fight online fraud. Generally, a very small percentage of a website's traffic is responsible for the lion's share of fraudulent activity - cracking account logins, testing stolen credit cards, etc. By identifying fraudulent visitors via first-party tracking, websites can require additional authentication or other security workflows without gumming up the user experience for everyone else.

As far as ensuring that our paid product is used for anti-fraud reasons, we do work to ensure our customers are GDPR compliant, as sites using browser fingerprinting need to follow the same rules as cookies. Our pricing model also makes our solution not particularly viable for advertising use cases, which requires a very high volume of tracking.

For our open-source project, we can't control how our solution is used (and browser fingerprinting is already endemic on the web), but we feel that being transparent about the technology is better for the developer community at large.


BezPowell

I fully appreciate that controlling how your product is used is basically impossible on the web. Saying that your product focuses on fighting online fraud (and that what you do is already endemic on the web), however, does feel like a bit of a cop-out; as it totally ignores the implications of any other possible uses people might make of it.

For me personally (and I'm sure for many others), spying on everyone who visits a website in case they are one of the small percentage of bad actors mentioned does not feel like a reasonable trade-off to reduce additional authentication. Especially as that is a trade-off that is almost certainly being made without a visitor's consent or knowledge.

I appreciate you being open and transparent with the developer community, but how open and transparent is your company being with visitors?


Sergey Fetiskin

Can you see different browser versions with that approach?

With your charts, I don't see the difference between Firefox on Windows and my Firefox on macOS. Is it because of the visual representation, or is it intended?


Savannah Copland 👋

Yes, it should be able to distinguish between Firefox instances (and Chrome and Safari too) if the underlying OS or hardware is different. It might be just that the visualization doesn't show enough detail to see it!


Lars Gyrup Brink Nielsen

Darn, this is scary! As Pankaj Patel said, please explain what you do at FingerprintJS.


Savannah Copland 👋

Hey Lars - I wrote a more in-depth response to Pankaj's comment. Hopefully it answers your question! dev.to/savannahjs/comment/1ck9e


Lars Gyrup Brink Nielsen

Thanks for your explanation, Savannah.


Jan Küster

So we all know the ethical implications of this, but this tool is not more/less ethical than Wireshark/nmap.

It is dual-use software and we should treat it as such:

  • it can be used for tracking and de-anonymization
  • companies, governments, militaries and intelligence agencies can use it for unethical reasons
  • however, especially military and intelligence agencies have much better options to track you down on a lower level or via metadata
  • company fingerprinting is still covered by GDPR
  • there is definitely white use as well
  • for example: in our public research project we provide a tool for functional illiterates to assess and improve their fundamental literacy skills. Their only identifier is a code for login. If they forget the code they need to generate a new one. We use the fingerprinting to connect the sessions in such a case and thus ensure their anonymity
  • this contradicts the view we have on fingerprinting as a de-anonymization tool
  • you see, the world is not as dualistic as we might perceive it

Archonic

It's hard to see this as anything but "tracking for users that don't want to be tracked". The privacy implications of being able to uniquely identify browsers anonymously are precisely why GDPR was created. Adherence to GDPR is a good thing but this library is an exploit of it. Given others' responses it seems I'm not alone. I think it's a matter of time before privacy-conscious browsers thwart this. Being transparent about this technology is better than not being transparent about it, so thanks for that I guess, but I just can't put FingerprintJS in my good books.


Habdul Hazeez

I'll suggest you change the tags #webdev and #typescript to #privacy and #security.


Rahoul Baruah

This is unsurprising but terrifying.


Andrew Baisden

Wow, this was very insightful, a good read.


theroka

Hi Savannah,
thank you for this absolutely interesting article!
Kind regards
theroka


Savannah Copland 👋

Thanks for the kind words theroka! Glad it was interesting :)