Tracking is also possible without cookies

Every Internet-capable device has a network address, also called an IP address, which can be used to identify the owner of the device. In addition to the network address, there are a number of other ways to identify a visitor to a website. Taken together, they form a fingerprint that is capable of uniquely identifying and tracking a user even without cookies.

Many people think that if no cookies are used, data protection is guaranteed. This is not true at all. Even without cookies and even without knowing a user’s network address, the user can be identified. The key word is digital fingerprint. The term browser fingerprint, i.e. the fingerprint of the user system, plays a decisive role here. Here you can see your digital fingerprint, which was determined when you visited this page.

This is your browser fingerprint (excerpt):

  • Language
  • Platform
  • Screen resolution
  • Color depth
  • Time zone
  • Touch screen support
  • Browser Plugins
  • Browser
  • Cookies

Your digital fingerprint has just been detected, in real time, when you accessed this page. It corresponds (minus a few pieces of information) to what Google & Co. get from you every time you open a web page that uses, for example, Google Maps or Google Fonts. These tools are mentioned only as examples. In reality this applies to all tools, files, scripts, images, maps and videos that are loaded from the server of a so-called third party.

This information is transferred from you to the website every time you visit it. In addition to this, your fingerprint consists of other data not listed above:

  • Exact address of the visited website
  • Exact time of the visit
  • Your IP address
  • Technical settings of your browser
  • If applicable: installed fonts

Below is an additional option for browser fingerprinting, which allows personal identification even from anonymized data.

The following graphic shows why a nearly unique identification and thus tracking of a user is possible at any time without cookies, but with browser information.

(Figure: Tracking even without cookies.)

With the help of the browser information, which is shown rudimentarily in the image, you can be identified as a unique user with a high degree of probability.

Browser Tracking Test

The service is provided by a third-party provider. Here is an example result.

(Figure: Panopticlick browser tracking test result.)

More details about the result, such as the browser fingerprint, can be accessed. It is surprising how much information each web page request reveals about you. The information on the right side is blurred to avoid giving away sensitive information. Take the test yourself and see the real information your browser reveals about you.

Users are almost uniquely identifiable

The browser fingerprint shows a large amount of data; computer scientists speak of bits. A bit is a unit of information, that is, a statement about you as a user. According to Panopticlick, the above browser fingerprint contains 16.8 bits of information. For comparison, if you refine the method of data analysis, you get 5000 data points, as the Cambridge Analytica case shows.
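To make the bit figure concrete, the following added example (not code from this page or from Panopticlick) computes how many bits each browser attribute contributes and what a total such as 16.8 bits means as "one in N browsers". The visitor counts are constructed for illustration, and summing the attributes assumes they are independent.

```javascript
// Constructed sample (not measured data): how many of 1,000,000 hypothetical
// visitors showed each attribute value.
const POPULATION = 1_000_000;
const SEEN = {
  language: { "de-DE": 62_500, "en-US": 500_000 },
  timezone: { "Europe/Berlin": 125_000, "America/New_York": 250_000 },
  screen: { "1920x1080x24": 250_000, "2560x1440x30": 15_625 },
  touch: { "false": 500_000, "true": 500_000 },
};

// Surprisal of one observed value in bits: -log2(share of visitors with it).
function surprisalBits(attribute, value) {
  const count = (SEEN[attribute] || {})[String(value)];
  // A value never seen before is at most "one in the whole population".
  if (!count) return Math.log2(POPULATION);
  return -Math.log2(count / POPULATION);
}

// Per-attribute contributions, most identifying attribute first.
function rankAttributes(fingerprint) {
  return Object.entries(fingerprint)
    .map(([attribute, value]) => ({ attribute, bits: surprisalBits(attribute, value) }))
    .sort((a, b) => b.bits - a.bits);
}

// Total bits under the assumption that attributes are independent. Correlation
// (e.g. language and time zone) shifts the real figure, so treat it as an estimate.
function fingerprintBits(fingerprint) {
  return rankAttributes(fingerprint).reduce((sum, entry) => sum + entry.bits, 0);
}

// n bits single out one browser among roughly 2^n.
function oneIn(bits) {
  return Math.round(2 ** bits);
}

// Constructed visitor using attributes from the list above.
const visitor = {
  language: "de-DE",
  timezone: "Europe/Berlin",
  screen: "1920x1080x24",
  touch: false,
};
console.log(rankAttributes(visitor));
console.log(fingerprintBits(visitor), "bits, one in", oneIn(fingerprintBits(visitor)));
console.log("16.8 bits: one in", oneIn(16.8));
```

A site operator can use the ranking to see which attribute a third-party request exposes most strongly.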

The network address is sent along by the browser every time a web page is requested. This is necessary so that the remote server knows where to send the response (the view of the web page) back to. With the help of the IP address you can at least roughly check who is behind it.

Reverse Lookup

If your computer is in a company network with its own network address, then the company name can be found out with some certainty. This may require additional tools, such as this one: Determine company via IP address. In this respect, the processing of a network address for the purpose of identifying a person is not permissible without the person’s consent. Since it is not known in advance whether an address leads to a person or a company, the question of permissibility in the B2B area rarely arises.

Apart from that, the IP address of website visitors may and even must be stored to prevent hacker attacks and denial of service attacks. You just have to understand that data collection is different from data use. In fact, the use of collected data is allowed only within narrow limits, as the example with the prevention of hacker attacks shows.

Deanonymizing anonymized data

Even if individual data records have been completely anonymized, it is still possible to determine the person behind them if a few different data records on a user are known. The scientist Yves-Alexandre de Montjoye, together with others, showed that only a few data records are sufficient to assign them to a person, even if the data records were completely anonymized. There is a contribution by de Montjoye to the 36th Chaos Communication Congress (36C3).

There is a demo for this, but it only works for the USA and the UK. The gist is that four data points can be enough to identify a person. So, if you have anonymized movement data from 1.5 million drivers, four location data points about a driver are enough to assign the person to it. Even methods like Diffix, which put noise on data, can be circumvented. Only the effort required for deanonymization then increases by a few percentage points. Further information on the method can be found in an article in the journal Nature.
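Before releasing "anonymized" records, this risk can be measured. The following added example (not code from the cited research) computes the share of p-point combinations that match exactly one trace in a dataset, often called unicity; the four traces and the "place@hour" point format are constructed for illustration.

```javascript
// Constructed, pseudonymized movement traces: id -> list of "place@hour" points.
const TRACES = {
  u1: ["A@08", "B@09", "C@12", "D@18"],
  u2: ["A@08", "B@09", "C@12", "E@18"],
  u3: ["A@08", "B@09", "F@12", "D@18"],
  u4: ["A@08", "G@09", "C@12", "D@18"],
};

// All k-element subsets of a list.
function combinations(items, k) {
  if (k === 0) return [[]];
  if (items.length < k) return [];
  const [head, ...rest] = items;
  return [
    ...combinations(rest, k - 1).map((combo) => [head, ...combo]),
    ...combinations(rest, k),
  ];
}

// Number of traces that contain every one of the known points.
function matchingTraces(traces, known) {
  return Object.values(traces).filter((trace) =>
    known.every((point) => trace.includes(point))
  ).length;
}

// Unicity: share of all p-point subsets, taken over every trace, that match
// exactly one trace. 1.0 means any p known points single out one record.
function unicity(traces, p) {
  let unique = 0;
  let total = 0;
  for (const trace of Object.values(traces)) {
    for (const known of combinations(trace, p)) {
      total += 1;
      if (matchingTraces(traces, known) === 1) unique += 1;
    }
  }
  return total === 0 ? 0 : unique / total;
}

for (const p of [1, 2, 3, 4]) {
  console.log(`p=${p}: unicity ${unicity(TRACES, p)}`);
}
```

Even though the traces overlap heavily, unicity climbs with every additional known point, which is why removing names alone does not anonymize such data.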

A number of conclusions can be drawn from the consequences of the digital fingerprint of every user on the Internet:

  1. Companies like Google and Facebook, but also XING, collect a great deal of data about Internet users and try to monetize it.
  2. Monopolies emerge.
  3. This user tracking is easier to do with cookies than without them, but almost as easy to do without them. The database only has to be large enough, i.e. the number of user interactions that can be tracked.
  4. Almost all tools, scripts and videos from larger third-party providers are illegal if they are included without prior user consent.

The recommendations for websites are:

  1. Don’t use tracking tools like Google Analytics, Adobe Analytics, Facebook Pixel. Reach for alternatives like Matomo (Piwik) or eTracker. If you have a WordPress website, use WP Statistics or eTracker, as there is a good plugin for these tools.
  2. Stop embedding YouTube videos on your website. Host the videos locally or link to the videos only. When linking, you can use a thumbnail image as long as you have the copyrights to the video.
  3. Do not use social media plugins such as those from Facebook, Twitter, Instagram, LinkedIn or XING. If you would like to do so, then use a so-called two-click solution. This allows the user to agree to the privacy policy before loading the plugin.

In general, make sure not to load any critical scripts, tools, plugins or videos before the user has agreed. Because this is technically demanding, we strongly advise the alternatives mentioned.
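A two-click solution can be as small as the following added sketch (not code from this page or from any plugin vendor). The function name `twoClickEmbed`, the `data-embed-*` attributes and the placeholder markup are hypothetical.

```javascript
// Replaces a third-party embed with a local placeholder. The third-party
// server is contacted only after the visitor clicks the button.
function twoClickEmbed(doc, container, { src, provider, policyUrl }) {
  const notice = doc.createElement("p");
  notice.textContent =
    `Loading this content sends your IP address and browser data to ${provider}.`;

  const policy = doc.createElement("a");
  policy.href = policyUrl;
  policy.textContent = `Privacy policy of ${provider}`;

  const button = doc.createElement("button");
  button.type = "button";
  button.textContent = `Agree and load content from ${provider}`;
  button.addEventListener("click", () => {
    const frame = doc.createElement("iframe");
    frame.referrerPolicy = "no-referrer"; // do not pass on the visited page URL
    frame.src = src; // the first request to the third party happens here
    container.replaceChildren(frame);
  });

  // Until the click, the page contains only first-party elements.
  container.replaceChildren(notice, policy, button);
  return button;
}

// In a browser: upgrade every placeholder such as
// <div data-embed-src="..." data-embed-provider="..." data-embed-policy="..."></div>
// (the data-embed-* attribute names are hypothetical).
if (typeof document !== "undefined") {
  for (const el of document.querySelectorAll("[data-embed-src]")) {
    twoClickEmbed(document, el, {
      src: el.dataset.embedSrc,
      provider: el.dataset.embedProvider,
      policyUrl: el.dataset.embedPolicy,
    });
  }
}
```

The placeholder markup must not contain an `iframe`, `script` or `img` pointing at the provider, otherwise the browser sends the request before any click.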
