
> “Fingerprinting has always been a concern in the privacy community, but until now, we had no hard proof that it was actually being used to track users,” said Dr. Nitesh Saxena, cybersecurity researcher, professor of computer science and engineering and associate director of the Global Cyber Research Institute at Texas A&M. “Our work helps close that gap.”

Maybe if you live in a bubble where documentation published outside of academia doesn't exist. Tracking vendors themselves have claimed to be fingerprinting users' browsers in their privacy policies for over a decade.



This isn't about bubbles or ignorance of the "Real World (TM)". I think this reading shows one's own biases about academia vs industry more than anything else.

They provide proof that fingerprinting is not only actively used, but also used effectively at that. That vendors claimed they could and would use this is still not proof, let alone gives any insight into its effectiveness or the magnitude of the problem. So this is useful work.

Especially since the extent to which it is effective in "benign" ads is also indicative of the extent to which it would be successful for tracking by other agencies.


Why wouldn’t admitting doing something be proof, and what else would TRACKING PIXELS be used for?

It is clearly in these companies' best interest to use these things for snooping on the world's internet users.


Tracking pixels aren't for fingerprinting, they're just regular tracking. You can block them fairly easily (just block the 3rd party request to the known tracker). Fingerprinting is a lot more difficult to detect and prevent. Companies claiming they reserve the right to do it is a good reason to take precautions, but without insight into what is actually being done, that's hard to effectively do (without resorting to blocking all possible vectors, like Tor Browser).
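The blocking approach the comment above describes ("just block the 3rd party request to the known tracker") is straightforward to sketch. The following is an added example, not code from the thread or from any blocker or tracker vendor: it reduces hostnames to a registrable domain, flags requests that leave the page's domain, and blocks those whose domain is on a tracker list. The suffix subset and tracker names are constructed placeholders, not a real public-suffix list or real IoCs. It also shows the gap the comment points at: a script served from the page's own domain passes this filter, so fingerprinting code running first-party is untouched by request blocking.

```javascript
// Added example (not from the thread or any tracker vendor): a minimal
// third-party request filter of the kind described above. It blocks a
// request when (a) its registrable domain differs from the page's and
// (b) that domain is on a known-tracker list. Fingerprinting scripts
// served first-party pass this filter untouched.

// Constructed stand-in for a public-suffix list: real blockers consult
// the full Mozilla Public Suffix List; this subset is only for the demo.
const MULTI_LABEL_SUFFIXES = new Set(['co.uk', 'com.au', 'github.io']);

// Reduce a hostname to its registrable domain (eTLD+1), e.g.
// "cdn.tracker.example" -> "tracker.example", "a.b.co.uk" -> "b.co.uk".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.').filter(Boolean);
  if (labels.length <= 2) return labels.join('.');
  const lastTwo = labels.slice(-2).join('.');
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join('.');
}

// A request is third-party when it leaves the page's registrable domain.
function isThirdParty(pageUrl, requestUrl) {
  return registrableDomain(new URL(pageUrl).hostname) !==
         registrableDomain(new URL(requestUrl).hostname);
}

// Constructed blocklist of tracker domains (placeholder names, not IoCs).
const KNOWN_TRACKERS = new Set(['pixel-tracker.example', 'analytics-beacon.example']);

// Decide whether to block a request, returning a short reason for logging.
function decide(pageUrl, requestUrl, trackers = KNOWN_TRACKERS) {
  const reqDomain = registrableDomain(new URL(requestUrl).hostname);
  if (!isThirdParty(pageUrl, requestUrl)) {
    return { block: false, reason: 'first-party' };
  }
  if (trackers.has(reqDomain)) {
    return { block: true, reason: `known tracker ${reqDomain}` };
  }
  return { block: false, reason: 'third-party, not listed' };
}

// Constructed sample page load: a tracking pixel, a CDN font, and a
// first-party script that could itself be computing a fingerprint.
const SAMPLE_REQUESTS = [
  'https://pixel-tracker.example/p.gif?uid=abc',
  'https://fonts.cdn.example/roboto.woff2',
  'https://news.example/static/fp.js',
];

// Run the filter over a list of requests for one page.
function filterRequests(pageUrl, requests = SAMPLE_REQUESTS) {
  return requests.map(u => ({ url: u, ...decide(pageUrl, u) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of filterRequests('https://news.example/story')) {
    console.log(`${r.block ? 'BLOCK' : 'ALLOW'} ${r.url} (${r.reason})`);
  }
}
```

Only the pixel request is blocked; the first-party `fp.js` is allowed because nothing about its URL distinguishes it from any other site script, which is why fingerprinting needs countermeasures in the browser itself (reduced API surface, uniform values) rather than in a request filter.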


Aren't the companies who say they're doing this actually selling these capabilities to others? So it's in their interest to pretend to be able to do more / better than what they actually can do. Especially when the clients have little capability to verify what actually happens. So no, their saying "we can do it" doesn't actually mean that they can.

As a user who doesn't have a horse in this race (I work for a "captive clients" company, so ads don't help much, nor do we sell any ads), what I notice is that ads I'm served are absolutely absurd. It's either Google Maps trying to sell me some hotel 50 meters from my home (I live alone, so I fail to see any reason why I'd go for that), or Instagram which somehow figured I'd be interested in buying bras for pregnant women (I'm a male, and I'm single).

More recently, Instagram tries to sell me Range Rovers. Where I live, there's a tax on "heavy vehicles", traffic is absolutely crazy, and we have usable public transit (which I use – while scrolling Instagram). Buying a big-ass car wouldn't help me in any conceivable way, and would be an all-round nuisance.

What leaves me flabbergasted is that my only interactions with Instagram are around photography. I only follow photographers, who shoot landscapes and similar, and I always leave the app when I'm presented with naked girls or other "reels". So I could maybe, possibly, be convinced to buy some new camera or photo gear. Guess what I never see advertised on Instagram?


This is where gambling and vaping come in…

As a viewer of ridiculous ad placements, and as a frustrated buyer of online ads, I continue to conclude that adtech is largely snake oil. In fact, I encourage you to look into the well-founded claims and research which call into question the very activity of marketing as a whole.

So then:

What to do with this massive infrastructure and billions of dollars of investment and workers employed by this global machine?

This is where gambling and vaping come in.


> As a viewer of ridiculous ad placements, and as a frustrated buyer of online ads, I continue to conclude that adtech is largely snake oil. In fact, I encourage you to look into the well-founded claims and research which call into question the very activity of marketing as a whole.

At least from my own anecdotal observations (including conversations with confused less technical friends and relatives started by questions like "how does this website know enough about me to show me that ad?"), the issue to me seems less that ad tech doesn't ever produce relevant ads, but that in practice very few people actually click ads, much less buy things from the destination, regardless of whether the ads are relevant or not. If anything, seeing a well-targeted ad often makes people feel creeped out, and their reaction isn't to go "oooh yes, that's perfect for me, let me click it", but to immediately close the browser tab and maybe even avoid the website that showed it to them in the future (because it's not obvious to a lay user that the ads are usually sourced from another party rather than the website itself). Slightly more tech-savvy users might even be aware of how ads are sometimes a vector for malware and avoid clicking them because the risk of getting something nasty isn't worth the probably quite low reward of buying something they could probably find just as easily on their own by actively looking. In practice, I have to wonder if it even matters whether adtech is effective at targeting or not, because I'm skeptical that the way people interact with ads ever would generate enough revenue to be worth it.


You're coming at it from this type of tracking being an accusation of bad behaviour and the company having to admit it, like they have to admit a security breach losing personal data.

That's a reasonable approach. It's also incorrect. These companies think tracking users is a great thing. They aren't admitting it, they are boasting about it.


Disclosure is not proof, especially when they have something to sell you.


There have been source code leaks from major websites which clearly show fingerprinting tools being used.


Some people live in bubbles. I have been aware of https://github.com/fingerprintjs/fingerprintjs, or some version of it, for almost 10 years now. I stumbled on it when I wanted to keep track of spammy/abusive visitors on an old project.


They consider me to have different visitor IDs when opening their demo page[1] in a regular window, and an incognito window on the same device. If this is state of the art I'm not too worried.

[1]: https://fingerprintjs.github.io/fingerprintjs/


It tracked me on incognito but not across browsers though.


It's been known in academia for at least half a decade as well. See:

https://petsymposium.org/popets/2021/popets-2021-0004.pdf

Hell, before that, we knew Flash was being used to get the list of fonts you have installed (for tracking purposes). You're right that these quotes are just plain wrong.


This has suddenly made me wonder how often fingerprinting of installed fonts is used to find targets working for particular companies. Quite a lot of organisations now have their own font, or a particular uncommon font they favour for brand purposes at least.


Well, nobody has Flash installed anymore (I hope) and I don't believe there is a "modern" way of obtaining a font list (that works on all/the majority of browsers). So, at face value, looking at installed fonts doesn't sound like a meaningful attack vector these days.


I believe you can do some stuff with CSS by providing a list of fonts to try and then comparing the size of a block of text, but yes, it is quite a bit harder now.


I'm not saying we should stop caring about online privacy, but the extent to which we fight fingerprinting while not actually solving the problem has made the web worse. It's kinda like the argument for gun control: the unsavory folk will still fingerprint your browsing while the well-mannered sites suffer from lack of features due to aversion to any persistent handle on the users they might provide, like strong crypto because uh-oh a pub key would give you a "super-cookie" so we can't have that.


Sites need to realize that offering a public presentation means they're at the whim of user-agents.

Most of the bullshit over the past couple decades has been them trying to pull control back to server-side.


That’s somewhat different from user-agents refusing to implement useful features because they might have privacy implications.


> while the well-mannered sites suffer from lack of features due to aversion to any persistent handle on the users they might provide

Yeah, hard pass.


I think the nuance here is that academic research often wants concrete, measurable evidence that can't just be hand-waved away by "well, it was mentioned in a privacy policy."


The paper might have put this better by saying they can prove it without the need for disclosure.



