What is Device Fingerprinting? (2024)

As advertising shifted online, advertisers gained the ability to target individuals based on behaviors like past website visits and data, such as location, rather than relying solely on contextual cues (like placing croissant ads in a bakery).

From the mid-2000s, this behavior-based targeting became standard, mainly using web cookies. But cookies have become less reliable, as users delete them, browsers restrict them, and ad blockers rise in popularity. To maintain behavioral targeting, advertisers developed a more resilient tracking method: device fingerprinting.

Device fingerprinting is a powerful tool for identifying and tracking users across the web, with advantages evident not only in targeted advertising but also in preventing online fraud. Today, almost every industry employs device fingerprinting to analyze user behavior and detect fraudulent activities.

Let’s explore the intricacies of device fingerprinting technology, its uses, and its benefits.

What is device fingerprinting?

Device fingerprinting is a technology used to identify and track individual devices based on unique combinations of attributes rather than traditional identifiers like IP addresses or cookies. These attributes include hardware specifications, software configurations, operating system details, browser settings, and other distinctive features such as screen resolution, plugins, and installed fonts. By analyzing these characteristics, device fingerprinting creates a distinctive “fingerprint” that is often unique to a specific device.

This fingerprint is used for purposes such as enhancing security, preventing fraud, personalizing user experiences, and tracking devices across online sessions.

How does device fingerprinting work?

Device fingerprinting works by collecting a set of attributes and characteristics of a device and creating a unique identifier from this data. Here’s a closer look at the process:

• Data collection: Device fingerprinting involves gathering extensive information about a device’s hardware and software configurations. This includes:
  • Browser information: Details about the web browser, including its type, version, and installed plugins.
  • Hardware specifications: Attributes like screen resolution, CPU type, and available fonts.
  • Network information: IP address, time zone, and geolocation data.
  • User behavior: Interaction patterns such as mouse movements and typing speed.
• Feature extraction: Once the data is collected, specific features are extracted that are unique to the device. These features are selected based on their consistency across multiple sessions. For example, two devices with different graphics processing units (GPUs) will render images differently due to hardware variations, which can be captured as part of the fingerprinting process.
• Unique identifier creation: The collected data is processed to generate a unique identifier or “device fingerprint.” This identifier can be hashed for privacy, ensuring that only the profile (and not individual data points) is shared or stored.
• Tracking and analysis: When a device accesses a website or application, its fingerprint is generated anew based on the current data points. This new fingerprint is then compared against a database of previously recorded fingerprints to determine if it matches an existing device or if it’s new to the system. This process allows for ongoing tracking and identification across different sessions and interactions.

Cookie vs. device fingerprinting

Cookies are small text files that websites store on a user’s device to remember information about them, like login details or preferences. They enable sites to recognize returning users and tailor experiences, such as keeping items in a shopping cart. Cookies also support targeted advertising by tracking user behavior across different websites. There are two main types: first-party cookies, set by the website you’re visiting, and third-party cookies, set by other sites mainly for advertising purposes. However, due to privacy concerns, many users delete cookies or block them, and browsers are increasingly limiting their use.

While both cookies and device fingerprinting can track and identify users, there are fundamental differences between the two methods:

• Functionality: Cookies are commonly used for various purposes, such as remembering login details, personalizing experiences, and tracking user behavior for analytics and advertising. “Digital fingerprints” are often used for more advanced tracking and identification purposes, such as fraud prevention, device recognition, and enhancing security measures.
• Storage: Cookies are small files stored on a user’s device that websites can access and update over time. In contrast, device fingerprinting doesn’t require any information to be stored on the device, as it relies on the data that the device automatically shares when interacting with websites or applications.
• Persistence: Cookies can be deleted or blocked by users, limiting their effectiveness. Device fingerprints, on the other hand, are challenging to erase, as they rely on inherent device attributes rather than data saved on the device. This makes them more persistent and harder for users to control.
• Privacy impact: Device fingerprinting is often more invasive, because users don’t have an easy way to detect or prevent it, unlike with cookies. This difference has implications for privacy, as device fingerprinting offers fewer user control options.

In summary, while both cookies and digital fingerprints are tools used for tracking users online, digital fingerprints are generally more covert, persistent, and sophisticated in their tracking capabilities compared to cookies.

Use cases of device fingerprinting

The following industries use device fingerprinting to prevent various kinds of fraud:

1. Online banking and financial security

• Device trust scoring: Use device fingerprints to classify devices as trusted or untrusted for sensitive transactions.
• Credential stuffing prevention: Identify and block devices involved in credential-stuffing attacks using known breached credentials.

2. E-commerce and retail

• Promo abuse detection: Prevent users from exploiting discount codes, free trials, or referral programs by using multiple accounts on the same device.
• Order validation: Flag potentially fraudulent orders by identifying mismatched devices, such as placing orders from different countries or unusual devices.
• Cart abandonment tracking: Recognize returning customers who abandoned carts without relying on cookies.

3. Advertising and marketing

• Audience segmentation: Use device fingerprints to group users based on hardware, operating systems, or browser capabilities for targeted advertising.
• Ad fraud prevention: Detect click farms or fake impressions by identifying unusual patterns across devices.
• Cross-device tracking: Link the same user across multiple platforms (e.g., mobile and desktop) without relying solely on cookies.

4. Regulatory compliance

• Identity verification: Strengthen Know Your Customer (KYC) processes by associating specific devices with users during identity verification.
• GDPR and CCPA Compliance: Ensure legitimate data usage and help prevent unauthorized access to sensitive user data.

5. Online gaming

• Cheating detection: Detect and block devices involved in unfair practices, such as using hacks or multiple accounts to gain an advantage.
• Account sharing prevention: Identify when multiple users access a single account from different devices in violation of terms of service.
• User behavior analytics: Track device-level activity for better insights into player engagement.

Suggested read: Bonus Abuse in Gambling—How to Detect and Prevent It (2024)

6. Healthcare and telemedicine

• Session security: Authenticate returning patients and prevent unauthorized access to medical records or appointments.
• Device spoofing prevention: Ensure that telemedicine sessions are conducted on authorized devices.

7. Education

• Exam proctoring: Verify the identity of students during remote exams by linking them to specific devices.
• Preventing plagiarism and cheating: Track devices to ensure that students aren’t bypassing rules or using unauthorized means.

8. Subscription services

• Shared account control: Prevent account sharing or monitor the number of devices accessing subscription services.
• Geo-restriction enforcement: Enforce licensing agreements by identifying devices attempting to bypass geo-restrictions via VPNs or proxies.

9. Cybersecurity

• Intrusion detection: Spot anomalies in device usage that might indicate a compromised system.
• Advanced threat detection: Monitor patterns to detect advanced persistent threats (APTs) and unauthorized devices in networks.

Suggested read: Multi-Accounting: What Industries are Under Threat and How to Stop It (2024)

Device fingerprinting and privacy regulations

GDPR

Device fingerprinting raises privacy concerns, particularly in regions where regulations like the General Data Protection Regulation (GDPR) apply. The GDPR considers data used to identify individuals as “personal data,” meaning that device fingerprints, which can often trace back to individuals, fall under its purview. Here’s how GDPR impacts device fingerprinting:

• Consent requirement: Under GDPR, businesses must obtain explicit consent from users before collecting data that could be used to identify them. Device fingerprinting, therefore, often requires user consent if the collected data is used for tracking purposes.
• Transparency: Organizations are required to inform users about what data they are collecting and for what purpose. With device fingerprinting, this transparency can be challenging, as the fingerprinting process often happens in the background without the user’s awareness.
• User control: GDPR emphasizes giving users control over their personal data. While users can delete cookies, they have limited control over device fingerprinting. As a result, businesses using device fingerprinting must implement methods to respect users’ choices, such as providing options to opt out of tracking.
• Data minimization: GDPR advocates for collecting only the data needed for a specific purpose. Device fingerprinting practices that collect excessive or irrelevant data may not comply with this principle, potentially leading to fines and legal issues.

Thus, the GDPR (General Data Protection Regulation) in the EU places strict limits on device fingerprinting, as it considers any identifier that can trace back to an individual as “personal data.” To use device fingerprinting, companies must obtain explicit user consent, provide transparency, and allow users to opt out. Failure to comply can result in substantial fines.

CCPA

The California Consumer Privacy Act (CCPA) and its update, the CPRA (California Privacy Rights Act), require that businesses give California residents the ability to opt out of data collection and sharing for personalized advertising, which includes device fingerprinting. While it doesn’t explicitly forbid fingerprinting, it enforces transparency and user rights, similar to GDPR.

LGPD

Brazil’s LGPD (Lei Geral de Proteção de Dados) aligns closely with GDPR in terms of scope and regulation. Device fingerprinting falls under its definitions of personal data processing, meaning companies must collect consent, inform users of data collection, and provide opt-out mechanisms.

PIPL

China’s Personal Information Protection Law (PIPL) requires explicit consent for data collection, especially for personal information that can identify an individual, which would include device fingerprints. The PIPL emphasizes user rights over their data, consent, and transparency.

PIPA

In South Korea, under the Personal Information Protection Act (PIPA), collecting data that can identify an individual, such as through device fingerprinting, must be clearly disclosed, and user consent is required. PIPA is one of the stricter privacy laws in Asia regarding personal data collection and user rights.

How device fingerprinting can help fight fraud

Device fingerprinting is a powerful tool in the fight against fraud, as it offers several ways to strengthen security measures and detect fraudulent activities:

Monitoring behavioral patterns: Device fingerprinting can help build profiles based on the typical behavior of legitimate users. Fraudulent users tend to exhibit patterns inconsistent with those of regular users, making it easier to detect and flag unusual activity.

Suggested read: Why Behavioral Analytics is Key to Fraud Detection Today

Detecting bot activity: Device fingerprints can help distinguish between legitimate users and bots. By analyzing multiple attributes, fingerprinting identifies anomalies typical of automated activity, like rapid mouse movements or the use of headless browsers.

Preventing account takeover: By analyzing the device used to access an account, companies can spot unusual login patterns. For instance, if a user who typically logs in from a specific device in New York suddenly attempts to access the account from a different device in another country, additional verification steps can be triggered.

Preventing payment fraud: Device fingerprinting allows for risk assessment during payment processing by analyzing the characteristics of the device making the transaction. If a device shows characteristics associated with known fraudulent behavior, such as using anonymizing proxies or outdated browsers, the transaction can be flagged or declined.

Suggested read: Payment Fraud Protection: Use Cases

Complying with security regulations: Many regulatory frameworks encourage businesses to use advanced tools for fraud prevention. Device fingerprinting can help organizations comply with these requirements by providing an additional, often non-intrusive, security layer.

Fraud prevention with Sumsub

Sumsub provides a comprehensive Fraud Prevention solution designed to protect businesses from unauthorized activities and enhance operational security. It monitors device usage and user behavior to detect anomalies and irregularities, tracking devices accessing accounts, identifying new or suspicious devices, and verifying consistency with historical user data. Real-time monitoring of user actions helps identify patterns such as failed login attempts, unusual transactions, or sudden changes in account settings.

Sumsub offers customizable risk assessment rules, enabling businesses to define specific fraud indicators, such as mismatched payment methods, unrecognized devices, or irregular transaction amounts. Automated alerts notify administrators of high-risk activities for immediate action.

In addition to behavioral analysis, Sumsub integrates identity verification processes to ensure user authenticity and mitigate risks like identity theft or account impersonation. It supports compliance with regulations such as GDPR and AML, helping businesses meet legal requirements while maintaining security. With flexible API integration and a user-friendly dashboard, Sumsub provides scalable solutions for businesses of all sizes and industries to combat fraud effectively.