Privacy Information: Cookieless Identification and Tracking of Devices

This blog post is entirely written by Christina Catenacci, BA, LLB, LLM, for First Reference Talks. Christina is currently pursuing a PhD at the University of Western Ontario with a focus on privacy law.

On August 21, 2017, the Office of the Privacy Commissioner of Canada released an informative piece regarding cookieless identification and tracking of devices. Interestingly, there is a new technique called “fingerprinting”, which can enable website operators, advertising companies, and other organizations to track users – even when they clear their cookies. The document explains the implications and what people can do to protect their privacy interests.

In a nutshell, any device and web browser can be fingerprinted to record information that is unique to the user. For instance, some unique characteristics that can be recorded include: plug-ins installed in the web browser; fonts installed on the device; Internet Protocol (IP) addresses of the device (even when a Virtual Private Network (VPN) is utilized); and other technical information involving the web browser details, system files of the device, flash cookies on the device, and graphics rendering particulars for 2D and 3D.

What does this mean?

Regardless of whether a user has tried to block cookies, companies that fingerprint a device or web browser can ultimately identify the user, correlate browsing activities within and across browsing sessions, and track the user.

How does this work?

When a user visits a website, browser information combined with the IP address can uniquely identify the device; this occurs without the user even knowing because all of this takes place on the server without sending any extra commands or instructions to the web browser. Moreover, cross device connections, also known as “probabilistic matching”, can enable statistical connections between devices.

There is more

Websites can purposely track users with extra tools to determine characteristics that uniquely identify the computer (such as serial numbers for hard drives). In fact, “canvas fingerprinting” involves running specific code on a user’s computer and drawing a hidden line of text or graphics that captures variations in processing on the device. These variations are then converted into digital tokens that uniquely identify the device and that are subsequently shared with third parties to track activities such as website browsing. This more active form of fingerprinting is easier to detect because it is necessary to have actual code running on the computer.
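
The paragraph above notes that active fingerprinting is easier to detect because code has to run on the device. As an added example (not part of the Privacy Commissioner's document or of this post), the following JavaScript wraps the canvas drawing and readback methods and reports when text is drawn on a canvas and its pixels are then read back. `watchCanvas`, `FakeCanvas` and `FakeContext` are hypothetical names, and the two fake classes are constructed stand-ins so the script runs outside a browser.

```javascript
// Added example: flag the "draw text, then read the pixels back" canvas pattern.
// watchCanvas is a hypothetical helper name, not an existing API.
function watchCanvas(ctxProto, canvasProto, report) {
  const drew = new WeakSet();               // canvases that had text drawn on them
  const wrap = (proto, name, before) => {
    const original = proto[name];
    proto[name] = function (...args) {
      before(this);                         // observe, then defer to the real method
      return original.apply(this, args);
    };
  };
  // Drawing calls: remember which canvas received text.
  for (const name of ["fillText", "strokeText"]) {
    wrap(ctxProto, name, (ctx) => drew.add(ctx.canvas));
  }
  // Readback calls: report only when text was drawn on the same canvas first.
  wrap(canvasProto, "toDataURL", (canvas) => {
    if (drew.has(canvas)) report({ api: "toDataURL", canvas });
  });
  wrap(ctxProto, "getImageData", (ctx) => {
    if (drew.has(ctx.canvas)) report({ api: "getImageData", canvas: ctx.canvas });
  });
}

function demo() {
  // Constructed stand-ins for the browser's canvas classes (assumption: only the
  // methods used here are modelled).
  class FakeContext {
    constructor(canvas) { this.canvas = canvas; }
    fillText() {}
    strokeText() {}
    getImageData() { return { data: new Uint8ClampedArray(4) }; }
  }
  class FakeCanvas {
    getContext() { return this.ctx || (this.ctx = new FakeContext(this)); }
    toDataURL() { return "data:image/png;base64,"; }
  }
  const hits = [];
  watchCanvas(FakeContext.prototype, FakeCanvas.prototype, (h) => hits.push(h.api));
  const plain = new FakeCanvas();           // readback with no text drawn: ignored
  plain.toDataURL();
  const probe = new FakeCanvas();           // text drawn, then pixels read back
  probe.getContext("2d").fillText("sample text", 2, 2);
  probe.toDataURL();
  probe.getContext("2d").getImageData(0, 0, 1, 1);
  return hits;
}
console.log(demo());
```

In a browser, the same function can be given `CanvasRenderingContext2D.prototype` and `HTMLCanvasElement.prototype` before any page script runs.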

Here is something interesting – some cookies have special qualities. A “flash cookie” can include the same information as HTTP cookies so, even if a user deletes a website’s HTTP cookies, revisiting the website can cause the cookies to be re-created with the original tracking information in the deleted HTTP cookies. What’s more, a “super cookie” enables possible re-identification of a device using storage locations in a user’s web browser to save information about the user. This is so even in cases where the user has attempted to delete cookies or browsing history. One thing the user can do is deliberately clear the specific cache locations in the browser.

Some may become alarmed when they read this information, especially when they discover that cookieless tracking is becoming more common. The concerning thing is that users believe they are in control when they delete or block HTTP cookies. Even more disturbing, many companies typically do not explain their fingerprinting procedures in their privacy policies.

What does this mean for employers?

It is important to be aware of what is taking place and appreciate the understandable concern regarding privacy. One lesson that can be gleaned from this information is that it is important to have updated privacy policies and to be as transparent as possible when it comes to what activities are taking place in the workplace (and with customers). In the employment context, it is important for employers to be clear with their employees about existing privacy policies, train the employees on the policies, and consistently enforce those policies.


  1. One thing your post doesn’t address is what people can do, if anything, to safeguard against their privacy being breached given what you’re saying in the article?

  2. Can this identification and tracking be done even if Tor is used?

  3. If Tor is used and all JavaScript and extensions (Flash etc.) are blocked, then no, I don’t think that these techniques would work.

    The concern would be going to an incognito session in an attempt to isolate cookies then your identity could still be mapped to your previous browsing sessions.