Device fingerprinting in a nutshell
The need to identify and track people in their online activities is as old as the Web itself. Services need a way to recognize a specific user over time to serve them customized content or just to make sure they are really interacting with right person. Device fingerprinting is a set of techniques that allow online services to achieve this goal by building unique identifiers for the devices they use, such as their PCs, smartphones, etc. However, there is a fine line between using device fingerprints to increase security and using them for extensive tracking which is damaging to one’s privacy.
In the former case, a service may exploit a device fingerprint to check if the customer is actually who they are supposed to be since they are using a well-known device, used in past interactions. This is the case of banks, or other institutions wanting to prevent frauds and identity theft.
The latter case uses device fingerprints as unique identifiers to track people across services, usually for purposes of advertising. In fact, by being able to recognize the same user across multiple websites, advertisers can build very accurate profiles to serve customized content. This can be detrimental to a person’s privacy, especially if their consent to be tracked is granted implicitly or in obscure manners.
What are some common fingerprinting methods?
At the beginning there were browser cookies, little pieces of information that a website would store on your device, to be replayed during future interactions. However, cookies are rather limited in their identification and tracking capabilities and can be easily deleted.
Browser fingerprinting examines the entirety of the capabilities of your browser to build a unique identifier. There are many components of the browser or of the system that runs it that easily change from one person to another. Browser brand and version, exact screen resolution, list of fonts installed, the specific way in which certain elements of a webpage are displayed and many more are characteristics that, while not sufficiently distinctive by themselves, can form a unique pattern when combined together. And, this pattern is persistent across many browsing sessions. Some websites allow you to test if your browser fingerprint is unique. Remedies to this fingerprinting techniques exist and are easy to integrate, such as extensions that randomize the responses to the browser attributes when some snoopy website queries for them.
In the mobile space, Apple and Google supply their operating systems with built-in identifiers (see Apple’s Identifier for Advertisers (IDFA) or Google’s Android Advertising ID (AAID), so that when a third party application wants to track the device, it just needs to read this identifier. However, this approach has several issues. Those identifiers are global, which means that can be easily (mis)used to track users across applications. They can also be reset. Recently, their widespread use has been targeted by privacy concerns, and Apple has changed their policy towards IDFA to make it opt-in, i.e. applications must explicitly request permission to the user to use it.
Smartphones offer other candidates as unique identifiers such as IMEI and MAC addresses but they can be easily spoofed, so they are not robust candidates for fraud detection systems.
ToothPic’s camera fingerprint
ToothPic invented a technology that recognizes a smartphone through the sensor of its camera because each sensor has some imperfections in the way it captures light that make it unique. ToothPic is able to extract unique identifiers from the camera hardware and this has some key benefits:
- the identifier is tied to the hardware, which means it can survive software reset;
- the identifier cannot be spoofed, as it is tied to a physical property of sensors;
- the identifier can be randomized, so that an application cannot infer the identifier of another one, even though they are derived from the same camera.
These properties make ToothPic’s solution for device fingerprinting ideal for security applications, such as fraud detection, as they allow to robustly recognize the device. At the same time, privacy concerns are avoided thanks to its randomization component, which prevents its misuse for tracking purposes.
Written by Diego Valsesia, Co-founder of ToothPic and Assistant Professor of Politecnico of Torino
Who talked about us? 👉Check out this engaging article published on Pagamenti Digitali
Do you want to know more about our solution? Get in touch with us 🗨️