People using the word “fingerprinting” instead of probabilistic identifiers do so because they wish to make others believe a crime is taking place. Nothing illegal is taking place when data that might be used to form a probabilistic identifier is made available to others. A crime is only taking place if that data is used to make a decision that impacts someone.
The debate is draining, creating a “tax” on businesses.
Collectively we need to stop using the word “fingerprinting” in 2025 and focus on good data practices, enforcement, and challenging the Big Tech privacy narrative including use of the word “fingerprinting”.
Identifiers and Identity - Guess Who?
Data such as the User-Agent (UA), User-Agent Client-Hints (UACH), Type Allocation Code (TAC), made available in network protocols or via client-side APIs is used by 51Degrees to identify the make and model of the device, OS and browser or application name and version, and details of identified crawlers, spiders, and bots.
Data like the IP address can be used to identify an inaccurate geographic location or network provider.
Such information is not analogous to hats, glasses, beards, and eye colour in the children’s game Guess Who as some might claim. Nothing in this information provides the identity of a person.
It’s impossible from this information to be able to identify Bernard, Philippe, Lucas, or any person. Nothing in the data conveys the person’s identity.
It might be possible with the right legal basis to narrow down a probable web browser or application at a specific point in time for the purposes of making a likely decision about someone. If such processing is applied a probabilistic identifier becomes the result.
Privacy Laws
In Europe, permission must be obtained before certain data can be stored on a device (ePrivacy) and a lawful basis for personal data use needs to be established (GDPR).
Data like UA, UACH, TAC, and IP are not covered by ePrivacy because no data is being stored on the device.
Data that has no impact on a person or does not relate to a person is excluded from GDPR. It is simply not personal data.
Data that might be used to form a probabilistic identifier which is then used to make a decision that impacts a person only becomes personal data when it is used for that purpose.
An Example
Deciding on the advert to show using a probabilistic identifier which is used to join together browsing or application activity over time would likely mean the resulting probabilistic identifier is personal data and is covered by GDPR requiring permission from the person using the web browser or application.
Such a decisions might be showing an advert for lawn mowers because the probabilistic identifier has been previously associated with someone visiting garden centre web sites.
Another decision could be choosing not to show an advert for health care insurance because the probabilistic identifier is associated with visits to web sites related to chronic illness.
Using the same raw data for optimization, fraud prevention, preventing too many adverts from the same advertisers being shown over a period of time, or analytics is out of scope for GDPR.
Probabilistic identifiers are safe to use when there is no impact on people, or the right legal basis is established. No crimes are taking place.
Simple
Controllers of personal data, typically the web site operator or the application provider, do need to establish the right legal basis for any personal data use. There are two options.
- To avoid ambiguity explicitly restrict the use of UA, UACH, TAC, and IP in their agreements with their suppliers so that the data can not be used to form a probabilistic identifier which impacts people or might be used to identify them. Add a sentence explaining this into their privacy policy to make it crystal clear.
- Where a probabilistic identifier is being created and used to impact a person either directly or by suppliers then use a consent dialogue to gain permission. Include the suppliers client services policy where applicable in the privacy policy.
It’s really that simple.
Big Tech’s Role
We do not ban the use of stones because they might be used to hit people over the head. Whilst there is free will in the world there will always be bad people. We need to increase the incentives not to commit crimes by increasing the risk of being caught.
By observing how the web site or application varies it becomes possible to determine if a probabilistic identifier is being used. AI is particularly well suited for this task given sufficient data. Where there is an impact on people, and consent has not been provided where the relevant law requires it, then authorities can be informed so that they can enforce the law.
Browser vendors like Apple and Google could meaningfully improve privacy by providing evidence to regulators. Instead, they adopt the dystopian position of restricting interoperability due to the ever-possible risk of harm argument that just doesn’t stand up.
It is for that reason 51Degrees is a founding member of Movement for an Open Web (MOW) and taking a lead on genuinely improving privacy, including within Apple and Google. We fully support MOWs Data Governance and Accountability position.