Device Fingerprinting: Don't Throw the Baby Under the Bus

by George Peabody

Every PC and mobile device has a nearly unique configuration - one that can be scanned by service providers like Kount and iovation to create a unique device fingerprint. Device fingerprinting looks at the IP address, browser version and configuration, operating system, patch levels, and scores of other signals that combine to form a profile that’s unique to the device: the device fingerprint.

Device fingerprinting is improving, and for some merchants hugely improving, the problem of online payments fraud. Leading financial institutions are using this technique to allow, or prevent, access to online banking accounts. It is among the tools, for example, used by Bank of America to authenticate the device its accountholders use to access their online banking service. Many e-commerce retailers use it, among many other tools, to drive down card-not-present fraud rates. In effect, the fingerprint of the PC or phone making the payment becomes a unique identifier.

Unfortunately, device fingerprinting is also being used by online advertisers and marketers. This is raising the ire of privacy advocates and federal regulators and the specter of device fingerprinting’s elimination as a fraud and risk management tool. More than one baby’s been thrown out with the bath water.

Privacy and Consumer Control
The Wall Street Journal’s 2010 series on data security and privacy explored the extent to which an online user’s behavioral data is used by marketers and advertisers. And, in no small measure due to the Wall Street Journal series, awareness of the downside risks of device fingerprinting technology has grown.

The ability of device fingerprinting technology to track a unique device across connections, browser, and software updates is remarkable. And, when used for advertising and marketing purposes, it is considered by privacy advocates to be a breach of privacy. Privacy guidelines from the Federal Trade Commission envision a do not track browser setting similar to the do not call list that so effectively managed the telemarketing industry’s robo-dialing assault on dinnertime. Several bills have been introduced to Congress and a Senate version is under development.

Device fingerprinting is a powerful tool for payment security. The risk with this legislative effort is that this useful tool is outlawed because of its misapplication by the online advertising and marketing industry. Online privacy is very likely to be high on the congressional agenda for 2011 – partly because of its high PR value. It will be important for payment security experts to provide guidance to the FTC and legislators to keep this potent tool in the security kit.