You were familiar with cookie identification, but have you ever heard of fingerprinting? This method of identifying Internet users has been talked about recently, after the publication of an investigation by the Washington Post. The American media revealed that several apps stalk Internet users against their will.
A Washington Post investigation, published on September 23, 2021, points to weaknesses in the privacy protection tools offered by Apple. Based on a study by the company Lockdown (which markets an application to fight against digital tracking), the American media explains how several applications track iPhone owners without their consent, including the very popular Subway Surfers.
Since April 2021, Apple has deployed a tool to combat advertising targeting called App Tracking Transparency on iPhones and iPads. This theoretically allows users to block access to their IDFA, an authentication token used by advertisers to create a personalized advertising profile. Deprived of this access, some applications began to hunt down the public in another way: via fingerprinting.
What is fingerprinting?
If we stick to the official definition of the CNIL, fingerprinting is ” a probabilistic technique aimed at uniquely identifying a user on a website or mobile application using the technical characteristics of their browser “. To put it simply, your web browser transmits a lot of information about your machine to every website or app it comes across.
Your IP address is obviously communicated (it is essential to establish a connection), but many other data are also communicated. The version of your operating system, the definition of your screen, the configuration of your browser, the presence of extensions, as well as many other characteristics can be collected by the editor of a website. With enough data points, it becomes possible to establish a digital “footprint” of your web presence. Imprint that can be used to serve you targeted advertising without your consent.
According to a 2010 Electronic Frontier Foundation study, the data collected can be so numerous, and their technical characteristics so diverse, that 94.2% of web browsers have a unique fingerprint that no other Internet user shares. In an era where more traditional tracking methods (particularly via cookies) are increasingly frowned upon, fingerprinting offers a discreet and effective alternative for identifying Internet users. Often against their will.
Fingerprinting, is it possible on iPhone and Android too?
This method of identification is not limited to the web browser, as the Cnil writes. Your phones, whether Android or iOS, can also transmit a lot of information to establish a personalized profile.
As the Washington Post explains in its investigation, some applications on iPhone are reporting a huge amount of information to advertisers, despite the fact that the owner has objected to tracking. The most curious software can access the name of your phone, the name of your operator, your time zone, the date of your last restart (to the nearest second), your display settings (text size, mode dark), battery percentage, sound volume settings, phone model, and more. The situation is not unique to iPhones, Android phones are quite capable of bringing up so much information.
Collecting as many data points as possible makes it possible to identify Internet users with precision, even if certain characteristics change. If my battery percentage changes, but all of my iPhone’s other features remain the same, there’s a good chance the phone that has logged into the same website or app two days in a row will be the same. The method is not infallible, but with a sufficiently large panel of data, it makes it possible to establish fairly high statistical certainties.
What can I do ?
Well unfortunately, not much. Hiding all of your information every time you grab your phone or computer takes a lot of knowledge and a lot of investment. Fortunately, fingerprinting is a fairly well-known practice today. As a result, more and more operating systems and web browsers have started to fight this tracking. Safari and Firefox, for example, offer options to scramble the sending of this information.
According to Apple’s instructions, it is also forbidden to rely on fingerprinting to identify an Internet user browsing on iOS. The applications pinned by the Washington Post therefore appear to be in violation of the rules established by Apple. According to the American media, however, even after alerting the company to these fraudulent practices, the situation does not seem to have changed. Now that this information is public, we can hope to see things change. With, why not, better protections against fingerprinting.
