Commentary

Supercookies, Digital Fingerprinting Undermine Trust In Web, W3C Says

The influential standards group World Wide Web Consortium, directed by Web guru Tim Berners-Lee, has come out strongly against digital fingerprinting, “supercookies,” and other forms of online tracking that are difficult for users to control.

“Tracking users' activity without their consent or knowledge is ... a blatant violation of the human right to privacy,” the W3C's Technical Architecture Group said today in a written finding about what it calls “unsanctioned tracking.”

The Technical Architecture Group -- made up of Lee and eight other experts -- warns that “unsanctioned tracking” might “undermine user trust in the Web itself.”

Examples of unsanctioned technologies include digital fingerprinting (which involves tracking users based on the characteristics of their devices) and “supercookies” (technology that lets companies recreate data after users delete their more traditional cookies).

One of the major concerns identified by the W3C -- and other privacy advocates -- is that users lack the tools to prevent tracking via digital fingerprints and supercookies.

By contrast, users can block or delete traditional cookies, effectively preventing their Web-surfing history from being seen by ad networks and other third parties.

Many ad companies argue that online tracking doesn't pose a privacy threat because it's “anonymous”: companies are not collecting users' names, addresses, phone numbers or other so-called personally identifiable information. (Privacy advocates have long disputed that idea, partly because people can be identified based on data that appears to be anonymous -- like a series of search engine queries.)

The W3C's Technical Architecture Group clearly feels that even “anonymous” tracking can be problematic.

“Unsanctioned tracking can be harmful even if non-identifying data is shared,” the group writes. “The sharing of an opaque fingerprint among a set of unrelated online purchases can provide enough information to enable advertisers to determine that the user of that browser is pregnant -- and hence to target her with pregnancy-specific advertisements even before she has disclosed her pregnancy,” the W3C writes.

The W3C's report comes at a time when the online ad industry appears increasingly interested in using non-cookie technology for tracking. Just two months ago, the self-regulatory group Network Advertising Initiative issued guidance aimed at enabling ad networks to track people with techniques like digital fingerprinting, without violating the group's privacy standards.

The NAI's recent guidance requires ad companies to disclose their use of “non-cookie technology,” in order to inform consumers that rejecting third-party cookies won't necessarily block tracking and ad targeting. (The NAI's longstanding privacy rules require ad companies to inform consumers about behavioral advertising -- regardless of tracking technology -- and allow them to opt out of receiving ads targeted based on Web activity.)

The W3C clearly doesn't agree that the self-regulatory group's guidance will go far enough to protect Web users' privacy. Instead, the W3C is calling on browser developers to create tools that potentially could help users defeat fingerprinting efforts.

The group ends its critique by urging policy makers “to be aware that unsanctioned tracking may introduce privacy, security and consumer protection concerns within their jurisdiction, and to consider appropriate action.”

Next story loading loading..