Digital certificates - a modern solution to privacy, fingerprinting, device collision concerns

Since the late nineteenth century, law-enforcement agencies around the world have used fingerprint identification methods to positively identify the suspects and victims of crime. Since its inception, fingerprinting has become a highly sophisticated forensic science – one on which technology has had an immense impact.

What is a device's fingerprint?

Mobile devices like phones and tablets, and even browsers, have sets of characteristics that make it possible to uniquely identify each device. These characteristics include data points like the IP address, operating system, screen resolution, language, time zone, and installed fonts. Together, these constitute the device fingerprint.

This ability to positively identify a device is important to several organizations, with fraud prevention being an especially important use case. For example, when a user logs into a bank account from a different device or location than usual, the activity is flagged as potentially suspicious, prompting the bank to send an authentication request to verify that the user is who they say they are.

Targeted online advertising

Another use case for device fingerprinting, and one that has come under fire for violating increasingly strict privacy regulations, is targeted online advertising. By tracking users’ site activity through cookies, or device or browser fingerprinting, advertisers gather and monetize data by personalizing the ads that users see. The reasoning is that a user is drastically more likely to respond favorably to a targeted ad than one that takes the hit-and-miss approach. And the stakes are high – advertisers are forking out billions to ensure they appear on the right users’ screens. In 2020, it is predicted that worldwide digital ad spending will rise by 15.5% to $384.96 billion.

Browser fingerprinting vs. privacy regulations

One of the biggest issues that privacy activists and consumer watchdogs highlight when it comes to gathering consumers’ personal data is that most of the data is gathered and traded without users’ consent, and often without their knowledge. As the Electronic Frontier Foundation argues in a blog post, “browser fingerprinting is on a collision course with privacy regulations.”

Regulations like the European Union’s General Data Protection Regulation (GDPR), which came into effect in May 2018, focus on protecting consumers’ personal data, and giving them more control over how their data is shared. The GDPR, as one website states, “will fundamentally reshape the way in which data is handled across every sector, from healthcare to banking and beyond.” In fact, Gartner estimates that 50% of people on European marketing lists will be deleted by the end of 2020.

Across the pond, regulations are making equally big waves. The California Consumer Privacy Act took effect on 1 January 2020, and will also significantly restrict how organizations are allowed to collect and manage consumer data, giving consumers more control over their personal information.

Restrictions for improved privacy

In response to this tightening of data protection regulation, big tech companies, and especially browser providers, are bringing their own weapons to the “war on browser fingerprinting.” “Because fingerprinting is neither transparent nor under the user’s control,” a Chromium blog argues, “it results in tracking that doesn’t respect user choice. This is why Chrome plans to aggressively restrict fingerprinting across the web. One way in which we’ll be doing this is reducing the ways in which browsers can be passively fingerprinted so that we can detect and intervene against active fingerprinting efforts as they happen.”

Chrome is not the only browser that will restrict fingerprinting. Apple, Mozilla, and Microsoft all announced updates to privacy policies that would include “anti-tracking” measures, block fingerprinting, and ultimately make it “drastically more difficult for data companies to identify” consumers’ devices and track them.

Where device collision creeps in

The World Wide Web Consortium argues that “exposure of settings and characteristics of browsers can harm user privacy by allowing for browser fingerprinting.” However, efforts to restrict fingerprinting do not come without side effects. As browser providers implement measures to make devices appear less unique, like reporting only the major version of a device’s OS (for example, iOS 12 instead of iOS 12.4.3), more devices will provide the same fingerprint. So, when attempting to log in to an online banking website, for example, your device may appear the same as another to your bank’s security system, resulting in a so-called device collision that can set off fraud alerts.

Digital certificate technology

The question then is whether there is a solution that can harness the positive applications of uniquely identifying a device without violating a user’s privacy, without being blocked by browsers’ privacy measures, and without running the risk of device collision. The answer is yes.

By using digital certificate technology, it is possible to issue a unique certificate to every device or browser, which can verify that the device or browser can be trusted. Because the certificate is issued to the device or browser, it is never linked to the user and therefore ensures privacy. By relying on the unique and secure digital certificate – instead of a device or browser fingerprint – an organization can agree with each of its customers that a specific device or browser can be trusted. Because every certificate is unique, device collisions, where two separate devices or browser or app instances have the same certificate ID, cannot occur.
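The collision described under "Where device collision creeps in", and the contrast with per-device issued identifiers, as an added example that is not part of the original article or any vendor's code. The device names, attribute values and the random 128-bit ID used as a stand-in for a certificate's unique identifier are all assumptions.

```python
import hashlib
import secrets
from collections import defaultdict

# Constructed sample fleet; attribute names follow the data points listed in the article.
DEVICES = {
    "alice-phone": {"ip": "203.0.113.7", "os": "iOS 12.4.3", "screen": "1125x2436",
                    "lang": "en-GB", "tz": "Europe/London", "fonts": "system-default"},
    "bob-phone": {"ip": "203.0.113.7", "os": "iOS 12.1.0", "screen": "1125x2436",
                  "lang": "en-GB", "tz": "Europe/London", "fonts": "system-default"},
    "carol-tablet": {"ip": "198.51.100.20", "os": "iOS 12.4.3", "screen": "1536x2048",
                     "lang": "en-GB", "tz": "Europe/London", "fonts": "system-default"},
}

def coarsen(attrs):
    """Report only the major OS version, e.g. 'iOS 12.4.3' -> 'iOS 12'."""
    name, _, version = attrs["os"].rpartition(" ")
    reduced = dict(attrs)
    reduced["os"] = f"{name} {version.split('.')[0]}".strip()
    return reduced

def fingerprint(attrs):
    """Hash the attribute set in a canonical (sorted) order."""
    canonical = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def collisions(fleet, transform=lambda attrs: attrs):
    """Return groups of device names whose fingerprints are identical."""
    groups = defaultdict(list)
    for name, attrs in fleet.items():
        groups[fingerprint(transform(attrs))].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def issue_device_ids(fleet):
    """Stand-in for certificate issuance: one random 128-bit ID per enrolled device."""
    return {name: secrets.token_hex(16) for name in fleet}

if __name__ == "__main__":
    print("full attributes:", collisions(DEVICES))
    print("coarsened OS:   ", collisions(DEVICES, coarsen))
    ids = issue_device_ids(DEVICES)
    print("issued IDs unique:", len(set(ids.values())) == len(ids))
```

The two phones share a network address and differ only in minor OS version, so they are distinct under the full attribute set and indistinguishable once the version is coarsened; the issued IDs do not depend on any attribute and stay distinct either way.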

Another benefit of digital certificate technology is that unlike browser fingerprinting, it is not possible to track what a user has been doing online; it is only possible to identify a device returning to a previous site. So, while it is a strong fraud prevention mechanism, it cannot be abused to secretly track a user’s online behavior.

Entersekt’s web security solution combines digital certificate technology, device fingerprinting, and web-based cryptographic binding technology to create a unique browser identity that you can trust.