Web browser fingerprinting is one of the most potent threats to user privacy since third-party cookies. The insidious tracking technology allows governments, advertisers, and hackers to track a user’s activities across multiple websites, even if they don’t log in, and even if they use a VPN!
But an advertising industry watchdog is striking back against the use of browser fingerprinting. We’ll cover the recent ruling from the industry body and the potential impact that it has on the future of privacy.
The Digital Advertising Accountability Program (DAAP) is a self-regulation initiative launched by major advertisers throughout North America. It provides a set of standards that are adopted by members, which often become the ‘best practices’ that later national legislation is based on.
The DAAP is an enforcement body, meaning that membership comes with a price: Breaking the rules gets one publicly named and shamed, and excluded from activity and cooperation with other members. Normally this wouldn’t be a big deal, but the DAAP has some huge names on its roster:
Adobe, BP, Consumer Reports, Disney, eBay, Facebook, Google… and that’s just up to the G’s. A full list of companies can be found here.
In February of 2022, the DAAP handed down a surprisingly strict interpretation of its advertising privacy standards. They said, in essence, that there was no functional difference between third-party cookies and browser fingerprinting, as far as corporate responsibility goes.
The operative line in the statement is as follows:
“An entity collecting Cross-App Data and using it for Interest-Based Advertising (“IBA”)—or allowing another entity to do so—may need to provide Notice, Enhanced Notice, or Consent to the user, depending on the entity’s relationship to the user and the details of the collection.”
This little paragraph is sending shockwaves throughout the industry. Here’s why.
The new guidelines say that advertisers and media companies need to provide notice and in some cases ask for consent if they want to collect or use data from browser fingerprinting. They equate a browser fingerprint with any other type of user ID or persistent identifier and apply all appropriate rules and penalties to a fingerprinting situation as they would any other type of illicit targeted advertising.
Mind you, we’re talking about organization members that include three of the top ten media companies in the world, including the top two by a huge margin (Google and Facebook, with Disney much lower in the top ten).
It’s also worth noting that the DAAP is an arm of the Better Business Bureau (BBB). They have immense political clout and household name recognition as a watchdog with teeth. They provide everything from governmental guidance on industry issues to consumer information on what companies can be trusted.
Although it’s too early to tell who is going to accept this ruling, who will object, what lines will be drawn, and the exact parameters of notice versus consent, one thing is for certain: there’s going to be a power struggle, and the larger companies will want to know exactly where they need to provide additional useful information and fingerprinting verification.
In short, this decision is going to lead to a fight.
No Official Reaction From Google Or Facebook
Though they are clearly the largest players in this field, and their intent to use browser fingerprinting in next-generation advertising is clear, neither Facebook nor Google has commented on this decision from the DAAP.
One has to wonder if they intend to remain members of the organization for much longer. Membership is, after all, voluntary. Quietly dropping out of the DAAP rather than trying to wage a war that would end up with all participants bloody might be their best bet.
It’s possible that such a ‘sidestep’ would only be partly effective, however. As the BBB points out:
“BBB National Programs today oversees more than a dozen leading national industry self-regulation programs.”
The Better Business Bureau is an umbrella for a massive number of related industries. Seeking to evade this ruling might cause the media and advertising giants to drop out of half a dozen other related industry collectives as well. The negative press associated with such a move would be chilling, to say the least.
Fingerprinting Mobile Devices Also In The Crosshairs
As part of the same statement, the DAAP reiterated that their ruling applied equally to mobile devices, mobile browsers, and web apps executed from mobile operating systems.
“The Accountability Program reiterates that message and hereby restates it in the context of mobile devices.”
This is a move that seems to expand and future-proof the ruling against member organizations that are looking for loopholes. They’re stating that the participation medium doesn’t matter, be it desktop, mobile device, or otherwise. This ruling potentially extends into the realm of device fingerprinting as well, including trying to detect and use things like Apple hardware IDs, phone carrier IDs, network adapter MAC addresses, and wireless access point handshaking.
Such a move would be in line with the other declarations of principles that the DAAP has made in the past. They intend to make guidelines medium-agnostic, applying equally across all hardware and software platforms whenever possible.
Next Steps
One of the issues with self-policing industry organizations is that they live and die by the clout of their membership. When a ruling hurts the plans of two of their largest members, they need to walk a fine line between credibility and effectiveness.
Luckily, there’s a company in their ranks that is even bigger than Alphabet/Google and Meta/Facebook: Microsoft, the third biggest corporation in the world. Although not an advertising giant, their presence provides a solid core of credibility to the DAAP. And though Microsoft is likely to be impacted somewhat by the new ruling (vis-à-vis Bing), if they’re on board, then the organization will continue to wield some clout even if there are some defectors.
And an exit from Google or Facebook might prompt the largest corporation in the world to step in and take their place - that being Apple. They’ve been known to make dramatic gestures in the name of user privacy, and they’ve been anti-fingerprinting from the start. It isn’t out of the realm of possibility.
But for now, the ball is in Google’s court. And if this digital tennis game wasn’t strange enough, it has an odd doubles partner in the form of Facebook. We’ll need to see if there are any stated policy changes over the next few weeks.
Then by the end of Q1 2022, prompted by either action or inaction, it will be the DAAP’s turn.
To learn more about fingerprinting, take a look at our Full Device and Browser Fingerprinting Guide.
Will is a former Silicon Valley sysadmin and award-winning non-functional tester. After 20+ years in tech, he decided to share his experience with the world as a writer. His recent work involves documenting government hacking methods while probing the current state of privacy and security on the Internet.