Close to 1.5 percent of the Internet's top websites track users without their knowledge or consent, even when visitors have enabled their browser's Do Not Track option, according to an academic research paper that raises new questions and concerns about online privacy.
Device fingerprinting serves many legitimate purposes, including mitigating the impact of denial-of-service attacks, preventing fraud, protecting against account hijacking, and curbing content scraping, bots, and other automated nuisances. But fingerprinting also has a darker side. For one, few websites that include fingerprinting code in their pages disclose the practice in their terms of service. For another, marketing companies advertise their ability to use fingerprinting to identify user behavior across websites and devices. That suggests device fingerprinting may be used much the way tracking cookies are used to follow people as they browse from site to site, even though fingerprinting isn't covered by most laws governing cookies and websites' Do Not Track policies. And unlike user profiling that relies on "stateful" browser cookies that are usually easy to delete from hard drives, most end users have no idea that their computers are being fingerprinted, and they have few recourses to prevent the practice.