RSA 2009: Benefits and dangers of device fingerprinting

by Shaun Nichols

24 Apr 2009

Device fingerprinting is the practice of giving all end user systems a unique signature

Security experts and privacy advocates weighed the merits of device fingerprinting on Thursday.

The RSA conference panel discussed current and emerging forms of the practice, which involves identifying each device used to access an account with a unique tag or signature.

With each device assigned its own 'fingerprint', administrators can then be instantly alerted to potential fraud.

For some companies, the practice is already paying big dividends. Wachovia Bank online customer protection specialist Chris Mathes said: "Device fingerprinting gives us a very powerful tool to look at devices as they are coming in. If I have already identified a device as being owned by a bad guy, I can decide whether or not I even want to let them in the front door."

The practice is not, however, without its critics. Electronic Frontier Foundation civil liberties director Jennifer Granick warned that the information banks gather from the digital fingerprints could be used for more than just security.

"The question is what kind of privacy protection is there, and the answer is very little," said Granick.

"One thing we really do not want is for this information to be shared with affiliates who do advertising or marketing, because then you have the same problem we have with cookies, but much worse."

While the situation appears to put security and privacy at odds, there may be a system that can allow for a compromise.

41st Parameter founder and chief executive Ori Eisen suggested that banks look to adopt so-called 'tagless' fingerprinting, which uses components such as JavaScript and system profiling rather than simpler cookie or IP tracking 'tag' components.

Eisen said that not only could the tagless system be far more accurate and reliable than tag systems, but the collected data would also be less likely to raise privacy concerns.

"What we are going to ask is 300 questions that you could ask about the vendor's APIs, but none of it is personally identifiable information, I would never know who is on the other end."
