Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
At the end of December, just before the holidays, Google has announced a policy change which caused both cheers and jeers.
Starting February 16, Google said it will no longer ban fingerprinting for companies using its advertising products.
Oh, how times have changed.
From not at all to good
A fingerprint identifies a device by combining multiple signals into one digital ID: screen size, browser type, OS type, battery level, language settings, screen resolution, keyboard attachments, IP address and hundreds of other data.
In 2019, Justin Schuh, Google’s Director of Chrome Engineering, it’s called a fingerprint “opaque” technique and highlighted Google’s plans to “more aggressively” block it.
“Unlike cookies, users cannot delete their fingerprints,” Schuh wrote at the time, “and therefore cannot control how their data is collected. We think this undermines user choice and is wrong.”
Fast forward to now, not “unlike a cookie” – actually, just like cookies – Google makes an unexpected turn. (Yes, yes, I know, some of you provided for the cancellation of the suspension of third-party cookiesbut I was still surprised; sue me 😭)
A Google spokesperson explained the company’s AdExchanger fingerprint change this way: “We’ve updated our platform policies to reflect new privacy-enhancing technologies that reduce risks and support the emergence of new channels like connected TV.”
In other words, instead of a blanket ban on companies using IP addresses (a key ingredient in any device’s fingerprint) for ad targeting and measurement, Google will be less strict about it, as long as the data is handled safely and securely.
‘Possibilities’
Advertisers and ad groups are predictably happy with Google’s turn around fingerprinting.
- Jon Halvorson, global SVP of consumer experience and digital commerce at Mondelēz: “This update opens up more opportunities for the ecosystem in an increasingly fragmented and growing space, while respecting customer privacy.”
- Leigh Freund, president and CEO of the Network Advertising Initiative: “This update will open up new opportunities to help us responsibly enable private protective measurement across devices.”
- And Tony Katsur, CEO of the IAB Tech Lab: “This update provides opportunities for the ad ecosystem to deliver better user experiences while reducing privacy risks.”
I sense a theme here.
Privacy advocates, meanwhile, are a mix of horrified and cynically unsurprised. And privacy lawyers are pragmatic as usual.
Google’s policy change doesn’t change reality, said Daniel Rosenzweig, founder of boutique law firm DBR Data Privacy Solutions.
“While allowing IP-based ad targeting seems to signal a shift from previous approaches, the legal foundations haven’t changed much in my opinion,” Rosenzweig said. “Most privacy laws still classify identifiers used to fingerprint a device, such as an IP address, as personal data.”
The Information Commissioner’s Office, the UK’s data protection authority, put an even finer point on it.
On December 19, the day after Google notified customers of its fingerprint update, ICO’s executive director of regulatory risk, Stephen Almond, published a post calling the change “irresponsible” and warning companies that they are “not free to use fingerprints as they wish”.
“Like all advertising technology,” Almond writes, fingerprinting “must be legal and transparently set up — and if it’s not, the ICO will act.”
Small print
Which begs the question: Is there any way to apply fingerprinting “legally and transparently” at all?
“Theoretically, yes,” said Cillian Kieran, chief executive and co-founder of privacy compliance startup Ethyca. But “in practice it is almost impossible.”
And therein lies the problem.
One of the main problems with fingerprinting from a privacy perspective is that people can’t find out it’s happening, let alone opt out.
It’s a little difficult to achieve transparency and trust “when the underlying technology is designed to work behind the scenes,” Kieran said.
“Fingerprinting is based on opacity; it’s about silent data collection without the user being aware of it,” he said. “Making that process transparent would require a radical rethinking of how it’s applied and what the day-to-day user experience is like.”
But the problem with fingerprinting may be even simpler than that, according to Arielle Garcia, COO of Check My Ads, which is that it’s a loophole to maintain the status quo of online data collection and ad tracking.
Because if there is transparency and consent, who needs fingerprinting?
“If and when people are consciously willing to be tracked, fingerprinting and other probabilistic methods are basically irrelevant,” Garcia said. “This in itself is a workaround for offering and respecting informed choice.”
🙏 Thanks for reading – especially at the end of the first full week at work after the holidays. This will be me in a few hours. I’m bummed, but I love getting feedback. As always, feel free to contact me at [email protected] with any comments, suggestions, hot shots or cat videos.
