Apple’s fingerprinting conundrum

Apple’s fingerprinting conundrum

ePrivacy

In 2002 the ePrivacy Directive was established to safeguard the privacy of European citizens using online services. It mandated giving individuals the ability to refuse the use of data stored in their online devices, complementing the 1995 Data Protection Direcive that regulated personal data processing.

Internet access is "stateless" in nature, in that no record of activity needs retaining between transactions. Even the IP address, the fundemental routing idenifier, is in most cases ephemeral and usually unlinkable to individuals. in order for web services to track individuals they need to store identifying data, e.g. a cookie, in their browsers or devices, so that the individual's device can be recognised in subsequent transactions. The ePrivacy laws ensure that this mechanism can not be used without agreement. 

In 2009, the ePrivacy Directive underwent a significant revision, transforming the storage control requirement from an opt-out to an opt-in model. This change mandated that client-side storage could only be utilized with the user's prior, explicit, informed consent. 

The Fingerprinting Myth

That same year, the U.S. based Electronic Frontier Foundation, a civil society body significantly funded by major tech and surveillance companies, released results from an experiment suggesting that online user tracking could be achieved without cookies, through browser fingerprinting. This method involves unique identifiers generated from patterns in data inadvertently leaked by browsers during web access. 

This finding was seized upon by the extensive network of lobbyists, and advocates in the surveillance industry to support their attempts to undermine ePrivacy. They argued that if users could be tracked through the unique patterns of data sent to web servers without prompting, then privacy laws mandating user consent for browser storage could be deemed irrelevant, drained of support and ultimately defeated. However, their efforts were thwarted in 2014 when the the Article 29 Working Party, the forerunner of the European Data Protection Board, published Opinion WP224. This document clarified that the ePrivacy Directive's Article 5(3) also covered device fingerprinting, requiring user consent for processing such data. 

Nonetheless, as we highlighted in 2012, relying on fingerprinting for user identification and tracking is too imprecise for surveillance marketing or most commercial purposes. This was corroborated in 2018 by experimental evidence which showed that only a third of desktop users and less than a fifth of mobile users could be uniquely identified through this method, rendering it ineffective for behavioral advertising. This evidence was subsequently accepted by previous proponents of the fingerprinting threat.

DNT, the original universal opt-out signal

In 2011, the W3C's Tracking Protection Working Group was chartered to develop international standards for online user tracking control, with representation from major tech firms, civil society, and regulators, including the Article 29 Working Party.

A viable Do-Not-Track (DNT) specification emerged by 2013. However, its implementation in the U.S. was compromised due to surveillance industry lobbying, leading to an amendment in California's Online Privacy Protection Act of 2003, AB370. This amendment merely required companies to disclose their response to DNT signals, without obliging them to honor them. 

Apple drops DNT

In this context, Apple's decision, prompted at a meeting of browser company representatives during the 2018 W3C TPAC conference in Lyon, to disable Safari users' DNT setting, citing a “fingerprinting risk” resulting from the addition of a single bit of entropy, was clearly aligned with the industry's broader efforts to downplay DNT. This move was questionable given the limited impact a single additional bit would have on making fingerprinting a viable commercial tracking method.

Enter the CCPA

Now, Apple faces a new challenge. In December 2023, the California Privacy Protection Board endorsed proposals to amend the CCPA, arguably the most significant recent U.S. state privacy law. The proposed amendments mandate browser companies to implement a "universal opt-out mechanism" or signal, and requiring companies tracking Californian residents to honor it. 

Companies will be encouraged to respond to this signal in a "frictionless manner",  which avoids intrusive "pop-up" banners while transparently indicating the users current opt-in status, akin to the approach  pioneered by the Baycloud Consent Management Platform.

One such signal, the Sec-GPC header ("GPC"), a simplified version of the W3C developed DNT (DNT:1 - Do-Not-Track preference expression) signal, will probably end up specified in the legal text. While this is designed not to be directly applicable in Europe the "frictionless manner" concept could be adopted there with minor rule changes to help stop European residents being bombarded with unnecessary cookie consent requests.

The Conundrum

But how will Apple explain a Safari implementation of GPC, with its similar insertion of a 1 bit "fingerprinting risk", while continuing to refuse to implement DNT?

DNT is supported by European law going back to 2009, even recently having been featured in German court rulings. Obviously the DNT "wrecking amendment" AB370 has no relevance in Europe.

Meanwile, while they deliberate, we are proud to announce our own implementation of the CCPA amendments.

Our Baycloud solution can be implemented for any Californian website, any other US or Canadian jurisdiction, or globally by automaticaly determining the relevant compliance requirements via the visitor's IP Source address. It ensures sites using it will respect all current and future universal opt-out mechanisms, including DNT:1 and GPC.

Check out our other blog posts