New Technical Briefing: Digital Fingerprinting

Post authors: Stephanie Nguyen and Mihir Kshirsagar


We published a technical briefing on device fingerprinting as part of a series of plain-language explainers for regulators on technical topics that arise in their work. The brief walks through how fingerprinting works technically, who provides the technology, and why it is spreading. 

As third-party cookies face restrictions from browsers and platform privacy controls, the tracking industry has shifted toward fingerprinting — a technique that identifies users not by storing something on their device, but by observing the device itself. Screen resolution, installed fonts, graphics card behavior, audio processing quirks: combined, these signals produce an identifier that most users cannot see, change, or clear.

Browser fingerprinting was first detected by Jonathan Mayer at CITP in 2009. But it has received renewed attention since Google’s decision in December 2024 to reverse its longstanding ban on fingerprinting in its advertising products. Google had called the practice a subversion of user choice, but has since changed its mind.

Three themes are worth flagging here.

First, fingerprinting sits outside the usual notice-and-choice regime that claims to protect people’s privacy. Companies are often expected to disclose data practices through dense, hard-to-read legalese to obtain users’ “agreement.” Cookie banners, browser privacy settings, and tools like Global Privacy Control are built on the idea that tracking relies on something stored on your device, like cookies. But fingerprinting doesn’t work that way. When you tap “Ask App Not to Track” or turn on a privacy signal, you’ve made a choice – and yet fingerprinting can continue anyway.

Second, the use of fingerprinting is made worse by a process called “identifier bridging.” In the past, companies often guessed whether two devices belonged to the same person. Now they can directly connect a device’s fingerprint to a more stable identifier – usually a hashed email captured at login. This lets the company build a long-lasting profile of you that still works even if you use private browsing mode, clear your cookies, or turn on a VPN.
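The bridging described above can be checked with a small simulation. This is an added example, not code from the post or the brief: it shows which user actions break a cookie link but leave the fingerprint link intact. The `LinkTable` class, the signal values, and the email address are constructed for illustration, and the IP address is assumed not to be a fingerprint input.

```python
import hashlib

# Constructed signal values of the kinds the post lists; not real measurements.
SIGNALS = {"screen": "2560x1440", "fonts": "Arial,Calibri,Noto Sans",
           "gpu": "constructed-gpu-string", "audio": "124.0434"}

def digest(text):
    return hashlib.sha256(text.encode()).hexdigest()[:16]

def fingerprint(signals):
    # Derived from observed device traits only; nothing is stored on the device.
    return digest("|".join(f"{k}={signals[k]}" for k in sorted(signals)))

class LinkTable:
    """Hypothetical server-side state of a tracker that bridges identifiers."""
    def __init__(self):
        self.by_cookie, self.by_fingerprint = {}, {}

    def observe(self, cookie, signals, login_email=None):
        fp = fingerprint(signals)
        if login_email:  # bridging step: tie both identifiers to the hashed email
            profile = digest(login_email.strip().lower())
            self.by_fingerprint[fp] = profile
            if cookie:
                self.by_cookie[cookie] = profile
        return self.by_cookie.get(cookie), self.by_fingerprint.get(fp)

def audit():
    """Return {scenario: (profile found via cookie, profile found via fingerprint)}."""
    table = LinkTable()
    table.observe("cookie-A", SIGNALS, login_email="User@example.com")
    scenarios = {
        "returning visit": ("cookie-A", SIGNALS),
        "cookies cleared": ("cookie-B", SIGNALS),        # browser issued a new cookie
        "private browsing": (None, SIGNALS),             # no stored cookie at all
        "VPN, cookies cleared": ("cookie-D", SIGNALS),   # new IP, same device traits
        "different device": ("cookie-C", {**SIGNALS, "screen": "1366x768"}),
    }
    return {name: tuple(p is not None for p in table.observe(c, s))
            for name, (c, s) in scenarios.items()}

if __name__ == "__main__":
    for name, (via_cookie, via_fp) in audit().items():
        print(f"{name:21} cookie={via_cookie!s:5} fingerprint={via_fp}")
```

Only the scenario in which the observed device traits themselves differ loses the fingerprint link; every storage-side action leaves it in place.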

Finally, the dual-use problem needs scrutiny. Fingerprinting technology is often justified as a way to prevent fraud. But many of the same tools and data used for security can also be used for ads, targeted marketing, or changing prices based on who you are. If privacy laws say data should only be used for a specific purpose, this repurposing and reuse is a serious concern.

To learn more about a company’s practices, the briefing concludes with some open questions that could be posed to firms. 

Technical brief authors: Adam Pickersgill, Patrick Yurky, Varun Gadh, Stephanie T. Nguyen, and Mihir Kshirsagar. The brief is produced by researchers affiliated with the Center for Information Technology Policy at Princeton University in collaboration with the Institute for Technology, Law & Policy at Georgetown Law.
