On virtually every website you visit, you will come across them: cookie notifications. Often, without thinking about it at length, you click "accept" or "reject" (or similar buttons) and continue your browsing adventure. And of course you understand roughly how cookies work. But what exactly happens behind the scenes, what the many possibilities of cookies are and what is (legally) permissible remains vague. Do you recognize yourself in this? In a series of blogs, I answer all your questions. Today, the third part: how are cookies used to identify Internet users?
In my previous blogs we read that cookies are used for various purposes. One of them is to "track," or follow, Internet users. Various techniques are often used to identify the person behind information requests, whether by analyzing data entered by him or her and/or browsing behavior, or by identifying peripheral devices. Tracking cookies have been under a magnifying glass for some time, yet there are still many ambiguities and misunderstandings about them. Therefore, today I explain how tracking techniques work and what is involved.
Third-party cookies allow large amounts of data to be collected and linked. This is widely used in the online advertising world. In order to make money through advertising, many websites are affiliated with advertising platforms. When you connect to such a website through your browser, tracking cookies may be placed in your browser. These, however, do not come from the web store itself, but from a large platform - let's take Google's AdSense as an example. Google, after placing the cookies, ensures that advertisements are automatically placed on the website owner's website. This is attractive to a website owner, who can easily generate revenue through AdSense. After all, this Google advertising platform is very well known and used by many advertisers. For advertisers, the advantage is that Google's technology lets them "target" people on the Internet very precisely. And advertisers are happy to pay (a lot of) money for that.
But, in the end, the big winner is Google: it can generate a lot of revenue with relatively little work (since the process is automatic). And since a lot of websites are affiliated with AdSense, it can keep track of all information about all visitors to its partner websites, such as which websites were visited at what times, with what device, et cetera. On the one hand, this makes ads increasingly relevant, which makes Google increasingly popular with advertisers and lets it generate even more revenue. But there is another advantage: since Google itself holds a lot of personal data - for example, the data obtained through online applications such as Gmail - it can also link all the data collected by AdSense to the personal data known to it. Thus, through its advertising service, it learns more and more about its existing customers.
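The linking described above can be seen from the visitor's side by looking at which cookies the browser sends where. The following is an added example, not code from this blog or from any advertising platform: it scans a constructed request log for third-party hosts that receive the same cookie value from several different websites. All host names, cookie names and values are made up.

```javascript
// Constructed browsing log: one entry per request the browser made.
// firstParty = site in the address bar, host = server that got the request,
// cookie = Cookie header sent along (all names and values are invented).
const requests = [
  { firstParty: "shop.example", host: "shop.example", cookie: "session=a1" },
  { firstParty: "shop.example", host: "ads.adplatform.example", cookie: "uid=7f3c" },
  { firstParty: "news.example", host: "news.example", cookie: "session=b2" },
  { firstParty: "news.example", host: "ads.adplatform.example", cookie: "uid=7f3c" },
  { firstParty: "blog.example", host: "ads.adplatform.example", cookie: "uid=7f3c" },
  { firstParty: "blog.example", host: "cdn.fonts.example", cookie: "" },
  { firstParty: "news.example", host: "cdn.fonts.example", cookie: "" },
];

// Split a Cookie header into [name, value] pairs; an empty header gives [].
function parseCookies(header) {
  return header.split(";").map(p => p.trim()).filter(Boolean).map(p => {
    const i = p.indexOf("=");
    return i < 0 ? [p, ""] : [p.slice(0, i), p.slice(i + 1)];
  });
}

// Simplified rule: a host is third-party unless it is the visited site
// or one of its subdomains.
function isThirdParty(firstParty, host) {
  return host !== firstParty && !host.endsWith("." + firstParty);
}

// Third-party hosts that saw the same cookie value on at least minSites sites
// can tie those visits to one browser.
function findCrossSiteTrackers(log, minSites = 2) {
  const seen = new Map(); // host + cookie -> sites on which it was sent
  for (const r of log) {
    if (!isThirdParty(r.firstParty, r.host)) continue;
    for (const [name, value] of parseCookies(r.cookie)) {
      const cookie = `${name}=${value}`;
      const key = `${r.host} ${cookie}`;
      if (!seen.has(key)) seen.set(key, { host: r.host, cookie, sites: new Set() });
      seen.get(key).sites.add(r.firstParty);
    }
  }
  return [...seen.values()]
    .filter(e => e.sites.size >= minSites)
    .map(e => ({ host: e.host, cookie: e.cookie, sites: [...e.sites].sort() }));
}

console.log(JSON.stringify(findCrossSiteTrackers(requests), null, 2));
```

With third-party cookies blocked, the `cookie` field of the cross-site requests is empty and the function reports nothing, while the first-party session cookies are unaffected.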
Fingerprinting is an even smarter technique for identifying website visitors. It works like this: when you connect to a website, it can request information about your browser and device and then analyze it. This can be done, for example, by executing a script that works via JavaScript or Flash. In my case, it can be seen that I have a Macbook, version 10.14, on which I have Dutch set as my primary language, and my time zone set to UTC +2. This is also known as device fingerprinting. The data above is only an example (and fairly generic), but more and more is possible. A study by the University of Cambridge, for example, shows that devices could be identified in a 'globally' unique manner by (purely) analyzing sensor data from smartphones.
In addition to device fingerprinting, canvas fingerprinting also exists. This involves requesting a specific element from the Internet user's device in the form of an image. Depending on the properties of the device (such as the operating system, but also installed fonts), the image is rendered in a certain form and sent back to the web server. The image is then analyzed, and information about the website visitor's device can be derived from it. The big advantage of device and canvas fingerprinting is that no text files in the form of cookies need to be placed with the website visitor (so in fact they are not cookies, but at the same time they are subject to cookie legislation, about which more later). This makes fingerprinting difficult to track. This - combined with the fact that fingerprinting works so easily - means that there are major privacy concerns about fingerprinting. On top of this, website owners are combining different techniques to identify you as effectively as possible. We saw in my previous blog that this can be particularly objectionable; after all, it allows you to be identified even if you browse from different devices, and even if you delete your cookies regularly.
To get right to the point: at the end of the day, it is virtually impossible to be completely anonymous on the Internet. Against tracking cookies, however, the use of a good ad blocker seems to help (somewhat). But with fingerprinting, it is a different story, since a lot is possible with device analysis (remember the sensor data example). A first step that could be taken against fingerprinting is to disable scripts, such as JavaScript and Flash. On the one hand, fingerprinting scripts can then no longer be executed, but on the other hand you also miss out on a lot - after all, a lot of websites use these techniques, and some websites can no longer even be visited if you have disabled them. So this doesn't really seem to be a good solution. There are, however, some good browsers and plugins available that can reduce fingerprinting. Still, I dare to question whether this is effective at all times.
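Why "fairly generic" data such as operating system, language and time zone can still single someone out, and why reducing what the browser reveals helps, can be shown by counting how many visitors share each combination. This is an added example, not code from this blog: the visitor population is constructed, and `withUniform` models a hypothetical browser setting that reports the same value for everyone.

```javascript
// Constructed population: what eight different browsers report (made-up data).
const visitors = [
  { os: "macOS 10.14", language: "nl", timezone: "UTC+2" },
  { os: "macOS 10.14", language: "en", timezone: "UTC+2" },
  { os: "macOS 10.14", language: "nl", timezone: "UTC+1" },
  { os: "Windows 10", language: "nl", timezone: "UTC+2" },
  { os: "Windows 10", language: "en", timezone: "UTC+2" },
  { os: "Windows 10", language: "en", timezone: "UTC+1" },
  { os: "Windows 10", language: "nl", timezone: "UTC+2" },
  { os: "macOS 10.14", language: "en", timezone: "UTC+1" },
];

// Group visitors by the chosen attributes. A group of size 1 is a visitor who
// can be singled out by those attributes alone, without any cookie.
function summarize(population, attrs) {
  const groups = new Map(); // attribute combination -> number of visitors
  for (const v of population) {
    const key = attrs.map(a => v[a]).join(" | ");
    groups.set(key, (groups.get(key) || 0) + 1);
  }
  let bits = 0; // Shannon entropy: identifying information in these attributes
  let unique = 0; // visitors whose combination nobody else shares
  for (const n of groups.values()) {
    const p = n / population.length;
    bits -= p * Math.log2(p);
    if (n === 1) unique++;
  }
  return { attrs: attrs.join("+"), distinct: groups.size, unique, bits };
}

// Hypothetical mitigation: every browser reports the same value for the
// attributes listed in `fixed`, so they no longer distinguish anyone.
function withUniform(population, fixed) {
  return population.map(v => ({ ...v, ...fixed }));
}

const all = ["os", "language", "timezone"];
for (const attrs of [["os"], ["language"], ["timezone"], all]) {
  console.log(summarize(visitors, attrs));
}
console.log(summarize(withUniform(visitors, { timezone: "UTC" }), all));
```

No single attribute identifies anyone in this sample, the three together single out six of the eight visitors, and making one attribute uniform brings that back to zero.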
Using a VPN service, which actually "reroutes" your Internet traffic to another server, could also be an option. After all, if you always browse behind a VPN connection, this prevents your fingerprint from being linked to your real IP address. However, if you browse without your VPN connection even once, your IP address can be linked to the VPN address again, it seems to me. Most effective is a combination of different techniques. Many illegal forums on the "dark web," for example, use VPN services, anonymous browsers, an anonymous network and anonymous search engines to be as anonymous as possible in that context. But even this is not always enough. For example, some "drug marketplaces" were busted by European authorities about a month ago. There, however, considerably more effort was put into identification by authorities. I don't think commercial parties have the resources to be able to identify even in these cases, so for now this seems to be the only recommendation I can make that I'm (reasonably) sure of.
See also: Cookies: how do they work and why do they exist?
See also: Cookies: what types of cookies are there and what do they do?
This article can also be found in the e-Privacy dossier