Should we be worried? Google's new digital fingerprinting scheme is coming

In My Humble Opinion
1

This article from Forbes is pretty alarming, if what it says is accurate.

“Fingerprinting involves the collection of pieces of information about a device’s software or hardware, which, when combined, can uniquely identify a particular device and user,” explains Stephen Almond, representing the UK’s Information Commissioner’s Office. “The ICO’s view is that fingerprinting is not a fair means of tracking users online because it is likely to reduce people’s choice and control over how their information is collected. The change to Google’s policy means that fingerprinting could now replace the functions of third-party cookies.

The ICO says that “when you choose an option on a consent banner or ‘clear all site data’ in your browser, you are generally controlling the use of cookies and other traditional forms of local storage. Fingerprinting, however, relies on signals that you cannot easily wipe. So, even if you ‘clear all site data’, the organisation using fingerprinting techniques could immediately identify you again. This is not transparent and cannot easily be controlled. Fingerprinting is harder for browsers to block and therefore, even privacy-conscious users will find this difficult to stop.”

At its simplest, while tracking cookies are a nasty underpin to the internet, they can be seen and controlled, whether by those website popups or electing to use some form of private browsing that blocks such cookies altogether. Digital fingerprinting is not as obvious and so is harder to spot and to block, it’s also more open to clever manipulation as the tracking industry tests boundaries.

The article doesn’t give much guidance about what could be done to mitigate or thwart such tracking.

What do our local tech experts think? Is this as bad as this writer makes it sound? Can something be done, or do we just lie back and let Google screw us again?

Can one live in the digital 21st century and have leave no (or minimal) traces with Google or the other tech giants?

2

No matter what, after you clear your data, sites will start to track you again. Clearing is unrelated to tracking. If you don’t want to be tracked, you need to install a plugin to block tracking.

If they have cleared your data then they can’t link your new data back to your old data, since your old data was cleared. That is, unless you’re a registered customer and the company needs to maintain details about you for non-advertising purposes. That may or may not mean anything, though, depending on the following.

If you’re an account holder, today, whether you are linked back to your account through tracking is going to be a bit hit and miss if you are not logged into your account. Your devices already have a number of identifiers that may or may not be accessible through device APIs. Any company can already use an amalgamation of those to identify a device if they so choose.

All significant websites are tracking your activity.

  1. They want to catch broken parts of the website, determine places where the users are getting stuck, test whether new features are more effective than previous, etc. Tracking users, like watching customers in a store, allows you to spot and respond to issues, and form ideas about ways to improve the customer experience.
  2. They want to know how you arrived on the website, so they can determine the best advertisements and how effective their advertising has been on various platforms.

For these companies, it is probably not worth spending so much effort trying to find a unique ID and trying to track it back to a registered customer. Once you log in, that’s easy enough to do. If you don’t, probably it doesn’t matter too much since they can still answer the above questions.

For companies that only do advertising, there’s more value in creating a unique device ID so that they can continue to target ads at you effectively.

But, for most advertising companies, you don’t have a registered account. If you clear your data, there will be nothing that remains to tie you to a previous you. Yes, they start tracking you again, right after the clearing, but it doesn’t give them anything historical.

For Google, you probably do have an account. They probably already have ways to tie you back to your account through various device IDs - an authoritative device ID just makes that process more complete - but that’s all rather redundant if you’re logged into your Google account 24/7, on your devices. All the device ID does is let them connect your device to your account when you’re logged out.

That said, if we’ve cleared all of our non-essential information - username, password, payment info, etc. - then your device IDs may be part of the information that was cleared and definitely your search history, likes and dislikes, etc. have all been purged. If you used to keep searching up the baby Jesus butt plug and you’re trying to get Google to stop recommending the thing to you, then clearing your data would work to end that association. … Right up to the moment that you go searching for baby Jesus again.

Now I know that Google does maintain a list of devices associated with your account for security purposes. If you log in on a new device, it will email you to warn you of the matter. It allows you to log in on a known device without doing such.

Given that this is a security use case and not a advertising use case, that device listing data might be protected from deletion when you ask them to purge your tracking data. It’s security data, not tracking data.

As said at the top, if you don’t want to be tracked, you need to install plugins to block tracking. If you’re using Chrome, you’re permanently logged into your Google account, etc. then you’ve formed a holy union with at least one advertiser. You’re not escaping that. They don’t need your device ID if you’re logged in and refreshing your account every few moments through your browser, Google drive, etc.

In general, I’d say that if you don’t want to be associated with the baby Jesus butt plug then you shouldn’t search for it to begin with. If you can’t refrain from doing so, just because it titillated you - even though you’re on a work computer - then awareness and self-control are also suspects here. Don’t do questionable things on a work computer.

3

You’ve had a more or less equivalent digital fingerprint for your devices since about 2005.

This “news” is just about a version upgrade from e.g. v3 to v4. If you want to be scared or outraged you’re 20 years too late.

4

Digital fingerprinting is not new.

See this site for an explanation, and a demonstration of how a website can examine various crumbs to identify you.

5

Like LSLGuy said, this is nothing new. But I do agree that it’s very worrisome and pretty hard to circumvent.