With the the e-Privacy Directive now entering into force across Europe with it’s upgraded cookie rules, it could have been disappointing to read this new academic article about “browser profiling“, a practise that achieves profiling without using cookies.
The e-Privacy Directive does not mention cookies by name in its Article 5.3, although they are referred to in the recitals. Instead the Article addresses “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user“. The notion was of a unique identifier (UID) stored on the users computer enabling successive visits to a website to be matched. The provision is beginning to fail one the EU’s stalwart regulatory principles – technology neutrality.
Browser profiling involves a webpage loading a script that combines a set of relatively unique (‘high entropy’) features of the browser’s environment, in particular the list of fonts available, into a UID sent back to the website. The resulting profile is unique in seemingly 95%+ cases, and does not require the local storing of information.
But while the Directive does not apply, the industry responses to policy maker anxiety about cookies do. The IAB Europe self-regulation rules and the Do Not Track (DNT) provisions refer to the practise of ‘tracking’ or ‘profiling’, rather than technologies. While the main online ad companies and publishers are complying with these rules, the article’s authors lament the fact that the sites they found using finger-printing (404 of the top 1 million sites, see chart) were also not respecting the DNT signal. That can hardly be a surprise as few were providing details of their practises in their privacy notices either.
So the real issue is enforceability against bad actors. This is a function of the enforcement agent’s (data protection agencies) determination, and the assistance the law provides in proving a transgression. I believe that privacy-based ‘collection & processing of personally identifiable information’ approaches are poorly suited in these instances. Recall that browser profiling is based on looking at installed fonts!
Are there other approaches possible? The draft EU Privacy Regulation promises a ban on profiling, which passes the technological neutrality test, but in the process has been criticised for over-broadly inhibiting all manner of legitimate business activity. Another is to look at this kind of practise from a cybercrime perspective – for example Article 13.4 of the e-Privacy Directive provides that “the practice of sending electronic mail for the purposes of direct marketing which disguise or conceal the identity of the sender … shall be prohibited“. Interestingly the article refers to the practise of some browser profiling code to delete itself after having sent the fingerprint back to the site owner (presumably to make itself harder to detect).