Device fingerprinting, the ability to create a uniqueprofile of each Internet-connected digital device, is a leadingfraud prevention tool for e-commerce merchants. It will also have arole to play in the coming mobile commerce world.
The technology is also becoming a hot topic among privacyadvocates and the Federal Trade Commission. The Wall StreetJournal’s excellent series on online security and privacy haspicked up on the topic, too.
The FTC’s just released draft document, ProtectingConsumer Privacy in an Era of Rapid Change, is designedto provide a framework for business and policymakers makingdecisions on proper use of tracking data. That tracking data, inits myriad forms, is at the heart of the $23 billion US onlineadvertising business. It is also the lightening rod for publicdiscussion over the use of what is, despite its potential for abuseon the marketing side, an extremely powerful tool in the fraudprevention tool chest.
The FTC’s recommendations include a strong “do not track”capability that is made available to consumers as well as cleardisclosures about use of private information. It’s laudable stuffwith multiple implications.
A number of device fingerprinting firms exist. One, BlueCava, claims to have profiled over 200 million devices and is ontrack to fingerprint 1 billion by the end of 2011. Blue Cava is allabout providing its resources to the online advertising industry.While a number of these firms began operations as security andfraud mitigation aids to financial institutions and others, devicefingerprinting vendors are hoping to find a richer economic vein inthe world of targeted online advertising. That could be tip toeingalong a very thin privacy line.
These firms must be careful. Studies have demonstratedit’s possible to identity an individual through inferencetechniques based on even a handful of online signals. Given that adevice fingerprint may call on hundreds of individualcharacteristics, the ability to identity an individual by name isthere. That means strict data segregation is required and that willbe challenging to accomplish.
Earlier this year, I conducted payment security researchwith the leading e-commerce merchants and largest onlineproperties. The vast majority viewed data-driven decisioning as thefoundation for their fraud management programs. A majority of fraudand risk managers were enthusiastic users of device fingerprintingas an effective fraud mitigation tool.
In my discussions with privacy advocate the ElectronicFrontier Foundation, there are no issues with the use of devicefingerprinting for securing e-commerce and payment. But sellingthis data for advertising and marketing crosses the privacyRubicon.
The danger in the current discussion is that a powerfulfraud prevention tool could be weakened or eliminated if theindustry gets it wrong. If the FTC finds its best practicesuggestions are ignored or fumbled by those who profit from devicefingerprinting, then federal mandates may be in order and those,while excellent for airline safety, may leave a lot to be desiredin a fast changing technology landscape.
There are advantages for consumers from all of that onlineadvertising. No small portion of that $23 billion funds thedevelopment of “free content.” Advertisers will be less anxious tofund that model if the effectiveness of their campaigns isdiminished. There’s no doubt that the advertising system needsimprovement. Privacy abuses are real.
The payments industry, including all e-commerce merchants,has to make a vigorous case that data analytics, including deviceinformation, is the major bulwark against online fraud and cannotbe weakened if we hope to expand electronic transactions whilekeeping the fraudsters under control.