Two fingered salute: Privacy regulators focused on cookies, email identifiers outflanked as firms hone tracking techniques, but fingerprinting next in firing line
Regulators and lawmakers are working up rules that prevent tracking and data collection without explicit informed consent. But a vast trove of probabilistic data can be harnessed to build accurate alternatives. UM's global media chief Joshua Lowcock, Civic Data co-founder Chris Brinkworth and Havas data and adtech lead Kevin Fernandes think fingerprinting is alive and kicking for now – but may be next in the firing line. Publishers and adtech firms take note.
What you need to know:
- The firm states its tech is for fraud prevention. But others warn similar probabilistic systems, being assessed by some of Australia's publishers, could build unique profiles of users that could be used to retarget them without consent. It is “very likely” to become illegal, said Civic Data’s Chris Brinkworth. UM global media boss Joshua Lowcock said it shows how regulators are playing catch-up to tech.
- Fingerprinting replacing cookies – and evading regulation – would be a poor outcome for users, per Havas ad tech and data chief Kevin Fernandes.
Fck the cookies
Third party cookies may be disappearing from Google Chrome, but there are dozens of digital signals that can still be collected and bundled together – without consent – from tens of millions of Australian users. And it’s possible these signals could create a replacement for the cookie.
And while the Australian government is looking hard at re-defining certain data points as personally identifiable information – IP addresses, location data, and other metadata, for example – it’s unlikely the information included in these fingerprinting services would be included.
Why? Because each individual piece of information is virtually untraceable, and software like FingerprintJS is used for fraud detection – not ad targeting.
“It's possible for unscrupulous individuals and organisations to use this approach to circumvent privacy regulations and privacy controls and use it for ad targeting,” UM Worldwide’s Global Chief Media Officer, Joshua Lowcock, said.
“The proof-of-concept demonstrates that regulators are at a disadvantage when it comes to an industry that rapidly evolves and where some people will seek to circumvent the spirit and intent of laws.”
The Australian government is planning new privacy legislation that accounts for the explosion of data, digital platforms and digital advertising. But they’re being outgunned so far, Lowcock said, adding that privacy regulators would need powers to audit the ad tech ecosystem for compliance on the spot, rather than just retrospective punishments.
“Using methods to identify someone, without their consent or knowledge will very likely become illegal in Australia,” Civic Data’s Chris Brinkworth said.
“It's very clear that this will cover fingerprinting as it does in other parts of the world. That means that while tools such as FingerprintJS are very valuable and considered legal under Europe’s General Data Protection Regulation (GDPR)/California Consumer Privacy Act (CCPA) for fraud detection, if that same process is used outside of the very specific 'fraud' use case those GDPR/CCPA [and, very likely Australian Privacy Act] consent rules must still be obeyed.”
One organisation that supports victims of identity theft, IDCARE, specifically raised the point of “digital fingerprints” in its submission to the government, urging the Attorney-General to include it in the list of personal information as some people’s IDs are sold on the dark web.
"No different to a cookie"
Fingerprinting has been around in various forms for more than a decade. While cookies were the standard universal tracking currency there’s increasing concern that building profiles of users based on other signals could prove more pervasive as third party cookies are culled.
What most people, even the privacy conscious, may not realise is that this information is collected anyway by default. “You’re probably using a VPN – it doesn’t block fingerprinting,” Havas’ Head of Data Solutions and Ad Tech Kevin Fernandes said.
“Cookies and fingerprints are pretty much the same thing, but the latter, nobody has explored because they’re focused on cookies.”
Aaron Woolf, CEO of Trendii, a contextual advertising platform, said: “When all these pieces are combined together it creates a profile of a person which in essence is a unique identifier and therefore no different to a cookie.”
But he echoes Civic Data's Chris Brinkworth in suggesting cookie workarounds will be heavily regulated – soon.
“The biggest issue in my opinion is we are still trying to create alternatives to a solution [cookies] which the consumer clearly does not want,” Woolf said, “when we should be focusing on solutions which put the consumer first and at the centre of the product.”
FingerprintJS, meanwhile, said it recommends its technology is used not for advertising but for fraud prevention.
Can its services be used to target individuals based on profiles, known as deterministic advertising?
“If by ‘deterministic’, you mean a unique identifier that can be used to track an individual person, then no,” Mostsevenko said.
“Device and browser fingerprinting methodologies are considered to be probabilistic as they are not tied to any PII or login information and don’t uniquely identify a visitor. Many people can have the same features or signals, and users can change their features, e.g. change the screen size or the system language.”
Conversely, he said the reason fingerprinting using these signals is useful for fraud detection is that “everybody has them, they are left unintentionally [and] they are hard to change”.
Where regulators eventually land remains to be seen, but consent to track browsing habits and collect data, plus what constitutes PII has never been higher on the agenda, locally and globally.
The lack of talent isn’t going to improve in the short-term – it’s global and people aren’t going to flood in from overseas any time soon. That means employers have to take a different approach to hiring and retention, says Atomic 212° Head of Strategy, Asier Carazo. Here’s how the firm hired two strategists that it might not normally have considered – and who are now knocking it out of the park.
Curated marketplaces: How marketers can reach culturally diverse audiences – at scale – without Facebook or Google
Brands say they want to spend their ad dollars in diverse environments, but often just wind up going with the easy tech of Google and Facebook. Ironically, good tech is the answer to the Big Tech problem, Xandr’s Erika Blakslee writes. Reaching diverse audiences on niche publications – that need support – used to need individual relationships, but a curated digital marketplace has changed that, and brands can measure the diversity of their media spend and benchmark it.