They will probably not disappear, but their use will decrease considerably: cookies, these small files used to identify a user and record their navigation, are one of the essential links of targeted advertising on the Internet, and both concentrate l attention of regulators, Internet browser publishers and privacy advocates. But cookies are not the only tool that spies on users' browsing. Another technology, relatively well known, allows in many cases to assign a unique identifier to a user, to follow his online activity: “fingerprinting”, or fingerprinting.
This practice starts from a simple observation: the vast majority of Internet users use, to surf the Web, a terminal which has certain characteristics: its operating system, the resolution of its screen, the type of browser and its version number … By crossing these different parameters, we can arrive at an “imprint” which has a good chance of being unique as long as we multiply the measurement points; millions of French internet users use a Chrome browser from a Windows PC, but there is possibly only one that uses Chrome on a Windows 8 PC, with a screen resolution of 1024 x 768 pixels, and has installed five specific extensions on his browser.
In theory, a spy who measures all these parameters could therefore identify the Internet user reliably, like a merchant who would take a photograph of all the people passing by his shop window. But these techniques, which sometimes also use very sophisticated tools, are far from perfect. Several studies involving a few hundred thousand Internet users showed that it was possible to identify more than 80% of Internet users in this way; but another carried out on two million users on a commercial site, concluded that only one third of the fingerprints were unique.
A lack of reliability
“Two factors mainly explain these differences”, estimates Pierre Laperdrix, CNRS researcher within the Spirals project-team, common to Inria and the CRISTAL laboratory, and creator of the site amiunique.org, which allows you to check the footprint of your browser. “First, the larger the user base, the more statistically likely you are to have identical fingerprints. And previous studies were generally conducted on specific sites, which could introduce a form of bias with an overrepresentation of users on Linux, for example. ”
This lack of reliability, compared to cookies, means that fingerprinting has never imposed itself on advertisers. Large-scale studies on the most visited sites in the world show that less than 4% of sites use this technique, which also has legitimate security uses, for example to identify automated machines or check if a user uses well his usual machine to connect to the site of his bank.
“Today, fingerprinting is not efficient enough to be able to identify a user with certainty in a unique way. If you want to apply it in an advertising system, with a potential user base of a billion people, it is not possible “, says Mr. Laperdrix. “Furthermore, the current advertising ecosystem is very dependent on the real-time-bidding [enchères en temps réel]. This system needs to be able to identify the person very quickly. However, fingerprinting requires long tests, with much longer information collection times than when using cookies. “
For its part, the advertising industry seems to be thinking about a systemic solution but still very vague
Despite everything, some browsers, like Firefox or Brave, have already started to technically limit the possibilities of “fingerprinting”, anticipating a possible development of these techniques, more insidious than cookies since, in the absence file on his machine, it is more difficult for the user to know what information is collected.
For its part, the advertising industry seems to be thinking about a systemic solution but still very vague. The Internet Advertising Bureau (IAB), the main professional organization for online advertising, announced on February 11 that it is working on a “Rearc project”, a vast technical project aimed at establishing a “Unique and encrypted identifier system” who “Will respect privacy” Internet users while allowing to continue to offer targeted advertising. No technical details on this project, still in the state of reflection, have been communicated; “If we succeed, it will be an evolution comparable to the first step on the Moon”, conceded Jason White, member of the board of directors of the IAB.