Case Study: Disclosure of Indirect Device Fingerprinting in Privacy Policies

TL;DR

This study examines how indirect device fingerprinting, specifically Canvas fingerprinting, is disclosed in privacy policies and finds that such disclosures are often insufficient, making detection and blocking difficult for users.

Contribution

It provides a detailed analysis of privacy policy disclosures of indirect fingerprinting, highlighting their inadequacy compared to direct fingerprinting disclosures.

Findings

Disclosures of indirect fingerprinting are often vague and insufficient.

Many websites clearly disclose direct fingerprinting methods, aiding detection.

Indirect fingerprinting remains difficult to detect and block due to poor disclosures.

Abstract

Recent developments in online tracking make it harder for individuals to detect and block trackers. Some sites have deployed indirect tracking methods, which attempt to uniquely identify a device by asking the browser to perform a seemingly-unrelated task. One type of indirect tracking, Canvas fingerprinting, causes the browser to render a graphic recording rendering statistics as a unique identifier. In this work, we observe how indirect device fingerprinting methods are disclosed in privacy policies, and consider whether the disclosures are sufficient to enable website visitors to block the tracking methods. We compare these disclosures to the disclosure of direct fingerprinting methods on the same websites. Our case study analyzes one indirect fingerprinting technique, Canvas fingerprinting. We use an existing automated detector of this fingerprinting technique to conservatively detect its use on Alexa Top 500 websites that cater to United States consumers, and we examine the privacy policies of the resulting 28 websites. Disclosures of indirect fingerprinting vary in specificity. None described the specific methods with enough granularity to know the website used Canvas fingerprinting. Conversely, many sites did provide enough detail about usage of direct fingerprinting methods to allow a website visitor to reliably detect and block those techniques. We conclude that indirect fingerprinting methods are often difficult to detect and are not identified with specificity in privacy policies. This makes indirect fingerprinting more difficult to block, and therefore risks disturbing the tentative armistice between individuals and websites currently in place for direct fingerprinting. This paper illustrates differences in fingerprinting approaches, and explains why technologists, technology lawyers, and policymakers need to appreciate the challenges of indirect fingerprinting.