Last month I received a number of fun and friendly birthday wishes on Facebook. Though this was a sweet and kind gesture by each of the well-wishers, I felt guilty. That’s because … it was not my birthday! Facebook thinks my birthday is June 22, 1910, but the day, the month, and the year are all wrong.
So you may wonder: Why would I intentionally lie about my birthday on Facebook?
About 15 years ago, I attended a conference held by a prominent market research firm. The purpose of the event was to present, discuss and evaluate various strategies and tactics in the new field of Internet marketing. Along with the other conference attendees, I came to learn what works — and what doesn’t — for promoting products and services on the Internet.
The key question on everyone’s mind was “what will motivate a visitor to provide information on a website contact form?”
Back in those days, the hot marketing research topic was the consolidation and cross-correlation of disparate databases — with the aim of compiling an in-depth profile for specific individuals. If, for example, you can combine driver’s license data with major retail store data, the result is often to increase the total information for any individuals that are found in both databases. Going further to connect this information to web browser cookies (that track a visitor’s pathway through a website) can often provide key insight into potential buyer behavior.
By the end of the conference, I came to this realization: if these new mechanisms can uncover visitor identities and pathways through the website, who cares if a visitor completes the form?
Of course, that insight was not on the list of goals for the conference! Today, the question is even more laughable to me. Why? Although the forms technically give the organization behind the website permission to contact a particular web visitor, an astute organization will already know the identity of the visitor and will already have influence on the interactions of that visitor — through the duration of the visit.
How is this possible?
Today we have device fingerprints. Websites collect information about a remote computing device for the purpose of identification. A device fingerprint is a distinctive set of identifying data collected from a specific remote computing device. This fingerprint is useful for full or partial identification of individual users and/or devices even when browser cookies are disabled.
Effectively, this means that any device you use to access the Internet has a unique profile. The profile consists of a combination of the following:
All of these items, taken together, identify the browser configuration. What’s more, this identity also forms a unique profile for you as a user. At first glance, this might be difficult to believe. With billions of Internet users, how could this combination of seemingly common items form a unique identity for you? The Electronic Frontier Foundation (EFF) provides an answer through the results of its ongoing research project, Panopticlick. On their website, you can see for yourself by testing your own browser.
Here are some of the surprising results from testing my Chrome browser:
Within our dataset of several hundred thousand visitors, only one in 227348.5 browsers have the same fingerprint as yours. Currently, we estimate that your browser has a fingerprint that conveys 17.79 bits of identifying information.
Just as it is unlikely that two individuals have the same fingerprints on their hands, it turns out that any particular browser will also have an individual fingerprint. This is how you can be uniquely identified. To achieve this browser/user identification, nothing additional is loaded onto your device — no cookies, no scripts, no additional data.
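As an added illustration (not part of the original article and not the EFF's Panopticlick code), the following shows how "one in N browsers" converts to "bits of identifying information", and how attributes that are each shared by half the crowd combine into a unique fingerprint. The visitor table and the attribute names `userAgent`, `screen`, `timezone` and `fonts` are constructed assumptions.

```javascript
// Added example: constructed data, not Panopticlick's dataset or code.
// Each row is one visitor's browser, reduced to four assumed attributes.
const visitors = [
  { id: 0, userAgent: "A", screen: "1920x1080", timezone: "UTC-8", fonts: "set1" },
  { id: 1, userAgent: "A", screen: "1920x1080", timezone: "UTC-5", fonts: "set2" },
  { id: 2, userAgent: "A", screen: "1366x768",  timezone: "UTC-8", fonts: "set2" },
  { id: 3, userAgent: "A", screen: "1366x768",  timezone: "UTC-5", fonts: "set1" },
  { id: 4, userAgent: "B", screen: "1920x1080", timezone: "UTC-8", fonts: "set2" },
  { id: 5, userAgent: "B", screen: "1920x1080", timezone: "UTC-5", fonts: "set1" },
  { id: 6, userAgent: "B", screen: "1366x768",  timezone: "UTC-8", fonts: "set1" },
  { id: 7, userAgent: "B", screen: "1366x768",  timezone: "UTC-5", fonts: "set2" },
];

// "One in N browsers share this fingerprint" expressed as bits: log2(N).
function bitsFromOneIn(n) {
  return Math.log2(n);
}

// Count the browsers that agree with `target` on every key, then report the
// anonymity-set size and the identifying information that represents.
function identifiability(dataset, target, keys) {
  const matches = dataset.filter(v => keys.every(k => v[k] === target[k])).length;
  const oneIn = dataset.length / matches;
  return { matches, oneIn, bits: bitsFromOneIn(oneIn) };
}

// Add attributes one at a time to watch the anonymity set shrink.
function cumulative(dataset, target, keys) {
  return keys.map((_, i) => {
    const used = keys.slice(0, i + 1);
    return { used: used.join("+"), ...identifiability(dataset, target, used) };
  });
}

const me = visitors[0];
const keys = ["userAgent", "screen", "timezone", "fonts"];
for (const k of keys) {
  console.log(k, "alone:", identifiability(visitors, me, [k]).bits, "bit(s)");
}
for (const row of cumulative(visitors, me, keys)) {
  console.log(row.used, "->", row.matches, "match(es),", row.bits, "bits");
}
// The figure quoted above: one in 227348.5 browsers.
console.log("Panopticlick result:", bitsFromOneIn(227348.5).toFixed(2), "bits");
```

Each attribute on its own leaves the sample browser hidden among half the visitors, yet three attributes together already single it out.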
Of course, most web visitors assume that any website they visit is tracking them, and some users will take great pains to protect their anonymity. Such users will employ Tor to conceal their location and usage from any site that performs network surveillance or traffic analysis.
Another tactic is to use anonymous search engines like DuckDuckGo. These engines don’t store your search history or track you in and out of private browsing mode. Such users believe they achieve anonymity when they enable “private browsing” or “incognito mode”. However, these modes merely prevent other users of your computer from examining your search history. Any website that you visit is still able to identify and track you, because you still have the same device fingerprint.
For the user that wants to maintain privacy, this is extra work. While some of it may be helpful, there is a parallel solution that might be more effective.
It can be difficult to track you online if your profile cannot be cross-correlated among the marketing databases. So, you can make it your goal to avoid providing any of the keys that would permit linking or correlating your record in one database with a record in another database.
You could begin by keeping all of your information separate. In the U.S., for example, only the Social Security Administration, the Internal Revenue Service, and your employer should have your social security number. Only the entity issuing driver’s licenses, or officers of the law, should have your driver’s license number. When registering your information in online forms, you could use your middle name, your initials, or the name of your pet — instead of your first name. For any photograph, you could substitute a profile picture, not a full facial shot. Or you could wear sunglasses. You could supply one of your alternate email addresses. A major disadvantage of this approach is tracking what particular information you supplied to each website.
Here’s an intriguing fact about birthdays: marketing companies do not target anyone with an age of 90 years or greater. That’s because someone of that age is typically not a buyer; a caretaker is making the purchasing decisions. So when I set my year of birth to be 1910, that made me 107 years old. No company wants to waste its time selling products or services to me.
Your attempts to sow misinformation with all these databases will result in confusion. Companies that perform the data scrubbing and cross-correlations cannot be certain that Buffy Wellens is the same person as Chris Wellens. They will be unable to correlate and combine the records because they cannot verify a match. Our misinformation rebellion is somewhat successful, as we do our part to wreck the cross-correlation and pollute these databases.
There is one problem. If, at any point, you link your actual name and contact information to the digital fingerprint of one of your devices, your identity is exposed! This event is likely to occur when you use any of the resources within an online realm. Online realms include the Google ecosystem, the Facebook ecosystem, the Apple ecosystem, and some others. For example, if you log in to Gmail, visit YouTube, search with Google, visit Google Maps, store photos on Google Photos, store files on Google Drive, purchase products on Google Shopping, then your identity will be known to Google.
Even if you take great pains to give Google false information (normally a violation of the Terms of Service), they will still target you. That’s because you are known to them as Mr. Fake Name who searches, uploads pictures, gets directions, and purchases particular items. Google machine learning algorithms will continue to make informed guesses about other things that would interest Mr. Fake Name — and will use the profile it develops to make presentations to you in other contexts. This occurs not only in the commercial realm; machine learning algorithms can also work to influence your political views, censor specific information, and present filtered news to you.
Another noteworthy concern: when you visit a website that gives you the option to log in with your Facebook or Google credentials, such logins are supplementing and enhancing your digital fingerprint and identity profile. What seems like a convenience to you is also giving consent to more data collection about you and your behavior.
As it stands today, the digital fingerprinting experts are way ahead of the ability of any web visitor to fight back. However, there’s a great opportunity here for a software entrepreneur to create a mechanism for generating random device fingerprints each time you use your browser. The randomized device fingerprint would present a different screen resolution, color palette, IP address, et cetera — a fingerprint that is quite different from the specification of your device. As of this writing (July 2017), no such products exist to protect you.
It’s important to realize that engaging in such efforts to pollute the databases is a violation of the terms of service — for most organizations. Facebook, for example, requires that you truthfully supply correct information, and they reserve the right to terminate your usage of their system. However, if the web user enables “Do Not Track” and such companies ignore it, then a strong argument can be made that the Terms of Service do not apply due to the failure to establish a contract.
I see myself as a pioneer engaging in civil disobedience, or “Facebook nullification”. With eyes wide open, I’m prepared to accept the consequences. At the same time, I realize that wielding a fake birthday against the power of device fingerprinting is probably a losing proposition. Like Hamlet, I raise arms against a sea of troubles and — by opposing them — hope to bring an end to them.
But wait. What about all those people who wish me a happy birthday? Well, Facebook now allows its users to set the date of birth to “private”. This means that no announcement will go out on my fake birthday. It’s a small comfort to me that at least one problem is solved.