• by Wendy Davis , Staff Writer @wendyndavis, December 20, 2024

For years, Google has condemned digital fingerprinting -- a controversial technique that covertly tracks users based on IP addresses, the software installed on their computers and other characteristics of their devices.

“Because fingerprinting is neither transparent nor under the user’s control, it results in tracking that doesn’t respect user choice,” the company said in 2019.

This week, however, Google abruptly changed course. On Wednesday, the company said that starting February 16, it will remove a restriction on device fingerprinting and allow advertisers and publishers to target people based on their IP addresses.

The decision isn't going over well with privacy watchdogs.

“It just shows the depths to which the company has sunk on privacy,” Justin Brookman, director of technology policy for Consumer Reports, says. He adds that Google's Chrome browser lacks a built-in Global Privacy Control -- a mechanism that aims to allow people to reject targeted advertising throughout the web -- and that it abandoned a Privacy Sandbox initiative to deprecate tracking cookies. 

“They know regulators are closing in on unchecked tracking, but Google is doing everything it can to resist and delay the inevitable reckoning,” he says.

The U.K. Information Commissioner's Office separately called Google's new policy “irresponsible.”

“Fingerprinting is not a fair means of tracking users online because it is likely to reduce people’s choice and control over how their information is collected,” Stephen Almond, executive director of regulatory risk at the agency, stated.

He added that the office is “continuing to engage with Google on this U-turn in its position and the departure it represents from our expectation of a privacy-friendly internet.”

Almond also says businesses in the U.K. must comply with the country's data protection law, which requires companies to “give users fair choices over whether to be tracked before using fingerprinting technology, including obtaining consent from their users where necessary.”

A Google spokesperson says the company looks forward to discussing the policy change with the Information Commissioner's Office.

“We know that data signals like IP addresses are already commonly used by others in the industry today, and Google has been using IP responsibly to fight fraud for years,” the spokesperson said.

Google says its new policy is driven by two changes in the industry -- what it claims are “privacy enhancing technologies," and the growth of connected TV.

But neither streaming services nor so-called “privacy enhancing technologies” make device fingerprinting less objectionable. For one thing, device fingerprinting remains difficult -- if not impossible -- for users to control; after all, people can always delete tracking cookies, but can't easily mask their IP addresses.

Also, fingerprinting also remains hidden to most users. In fact, Google Privacy Sandbox still refers to device fingerprinting as “covert tracking.” (Despite Google's new policy, it plans to allow Chrome users who browse the web in incognito mode to mask their IP addresses.)

Fingerprinting is seen as so problematic that in 2015, the influential standards group World Wide Web Consortium, directed by web guru Tim Berners-Lee, called the technique a “blatant violation of the human right to privacy.”

That group argued that tracking can be harmful even when advertisers don't learn users' names.

“The sharing of an opaque fingerprint among a set of unrelated online purchases can provide enough information to enable advertisers to determine that the user of that browser is pregnant -- and hence to target her with pregnancy-specific advertisements even before she has disclosed her pregnancy,” the organization wrote.