
I learned that a device probably has a device fingerprint to the eyes of a company that operates online. I'm not sure how this fingerprint is managed by its collectors, but it's plausible that it could be shared and spread between the companies themselves, as it could be easily found out in some online news.

However I've never managed to find to what extent your personal data is related to your device fingerprint apart from the most technical data that can be deduced from your pc (like canvas fingerprint, evercookies, mouse movement tracking, ...). With that I mean: what about e-mail, phone number, pictures, or any other personal and recognisable data about me? Are they related to my device or "personal" fingerprint?

I'd like to explain myself better with an example.

Let's suppose I create different accounts on a platform and everything about those accounts is different: e-mails, IP addresses, pictures, names, login devices... Everything but the phone number. All those accounts have the same phone number linked to them. It's personal information more than technical, however it's a unique and recognisable string that can be easily linked with my identity.

I feel like it would be so trivial to group all of those accounts together and start to gather data from all of them on the same fingerprint, due to that shared particular.

  • Just some little tool to understand _your_ device fingerprint: https://amiunique.org/, a site that reveals and lists the browser elements that companies can use to characterize your fingerprint. –  Dec 19 '19 at 02:59

1 Answer


The device fingerprint is calculated using several technical parameters sent by the client, like the IP, the default language, the screen size, etc. and may also include data gathered with some "tricks" involving HTML canvas, etc. Normally people will not consider this to be "personal information", however the GDPR (European law on privacy) says that personal data is any data that can be used to identify you, even indirectly. Here's a few relevant quotes from the GDPR:

Article 4 (1): [...] ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, [...]

Recital 26: [...] To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. [...]

Recital 30: [...] Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them. [...]

So a device fingerprint is a piece of data that can be used to identify you indirectly. By definition, it does not contain personal data like your name or your phone number, but only technical information about your client (which on the web is your browser). The fingerprint alone won't identify you, it's just technical data.

Let's suppose YouTube uses fingerprinting. And for some reasons I actually suspect it does, but I'm not sure anyway. You watch some videos while logged in with your account, John Doe. Then you log out, clear the cache, turn off the computer, and go to bed. The next day you go to YouTube, you don't log in, and you will expect YouTube won't recognize you. But you are using the same browser, sending the same user agent, with the same viewport size, same language, same "whatever" coming from whatever trick can be done with HTML/JS/CSS. Plus, you are even watching videos at the usual time, clicking on stuff the same way as usual, searching stuff using your usual keywords... YouTube says: "Guess what, I'm pretty sure this is our friend John Doe. Let's try to suggest some videos that we know John Doe likes".

I hope the concept is clear. The fingerprint alone is pretty useless. It may become valuable once it gets linked to other data: at that point it can be used to identify you, or track you on the same site or cross-site. It's like a cookie that is hard to delete, and is not very reliable (lots of people may share the same fingerprint). Like a cookie, alone, it doesn't mean anything, it's just a random string, but it becomes useful once it's linked to other data for a purpose.

reed
  • Thank you for the very detailed answer. As you explained, the fingerprint could identify you with a sort of "convergence of information" that links your behaviour more and more to you. That's why I wondered if phone number or similar could actually be used along all that technical information. You know, a hypothetical "phoneNumberID" string would be a veeery explicit identifier, maybe even more than some other cookies. However as you said, by definition these elements do not belong to a device fingerprint. –  Dec 18 '19 at 05:01
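
The linking step that the question and the answer both describe, as an added example that is not part of the original posts: it hashes client-reported attributes into a fingerprint, then clusters accounts that share any identifier value. All account names, attribute values and phone numbers are constructed, and the attribute set and hashing scheme are assumptions, not any real site's method.

```python
import hashlib
from collections import defaultdict

def device_fingerprint(attrs: dict) -> str:
    """Hash a canonical (key-sorted) rendering of client-reported attributes."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

def link_accounts(records: list[dict], keys: tuple[str, ...]) -> list[set[str]]:
    """Cluster accounts sharing a value for any key in `keys` (union-find)."""
    parent = {r["account"]: r["account"] for r in records}

    def find(a: str) -> str:
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path compression
            a = parent[a]
        return a

    first_seen = {}  # (key, value) -> first account seen with that identifier
    for r in records:
        for k in keys:
            if r.get(k) is None:
                continue
            ident = (k, r[k])
            if ident in first_seen:
                parent[find(r["account"])] = find(first_seen[ident])
            else:
                first_seen[ident] = r["account"]
    clusters = defaultdict(set)
    for acct in parent:
        clusters[find(acct)].add(acct)
    return sorted(clusters.values(), key=sorted)

# Constructed sample data: three device profiles, four accounts.
LAPTOP = {"user_agent": "ExampleBrowser/1.0", "language": "en-GB", "screen": "1920x1080"}
MOBILE = {"user_agent": "ExampleMobile/2.0", "language": "it-IT", "screen": "390x844"}
TABLET = {"user_agent": "ExampleTablet/3.0", "language": "fr-FR", "screen": "1024x768"}
RECORDS = [
    {"account": "acct_a", "phone": "+00 555 0100", "fp": device_fingerprint(LAPTOP)},
    {"account": "acct_b", "phone": "+00 555 0100", "fp": device_fingerprint(MOBILE)},
    {"account": "acct_c", "phone": "+00 555 0199", "fp": device_fingerprint(LAPTOP)},
    {"account": "acct_d", "phone": "+00 555 0142", "fp": device_fingerprint(TABLET)},
]

if __name__ == "__main__":
    for keys in (("fp",), ("phone",), ("phone", "fp")):
        print(keys, link_accounts(RECORDS, keys))
```

Fingerprint-only linking merges acct_a and acct_c, which may be two different people on identically configured machines; the shared phone number is what ties acct_b in across devices.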