
The trend: Device fingerprinting has once again come under the spotlight.

A few days from now, on February 16, Google will relax its restrictions on the use of fingerprinting as a means for ad targeting and user tracking across a wide range of devices. Their December 2024 announcement reignited debates about privacy, security and the role of passive device identification in digital advertising. It’s a radical reversal from 2019, when Google announced it would block fingerprinting for its lack of transparency. But with this recent change of heart, Google now refers to fingerprinting as a technology designed to make it easier for advertisers to reach audiences across the open Internet and to harness the hyper-growth of connected TV (CTV) programmatic advertising.

Google justifies its about-face by suggesting that advances in privacy-enhancing technologies (PETs) make it possible to protect audience data—including IP addresses and device fingerprints—in ways that are more sophisticated than they were in the past.

In this issue of Symitri’s Private Eye, we’ll take a closer look at some of the industry’s debate and reaction on the subject, and we’ll share our own opinion and insights. We encourage you to join the conversation HERE.

Featured article

“Are PETs Enough to Mitigate the Privacy Risks of Device Fingerprinting?”
by Allison Schiff, January 16, 2025

Published on AdExchanger, this article unpacks the implications of Google’s decision and explores whether PETs can address the inherent risks of fingerprinting.

Expert opinions are reasonably consistent on the subject:

  • Arielle Garcia, Check My Ads: Raises concerns about the permanence of fingerprinting and argues that it undermines user choice.
  • Julie Rooney, OpenX: Acknowledges the strides made by PETs but warns about risks when more data changes hands.
  • Cillian Kieran, Ethyca: Describes PETs as protective but insufficient to address transparency and consent issues inherent to fingerprinting.

 

How Symitri thinks about fingerprints.

Prism, Symitri’s real-time, performance-optimized data collaboration platform, is compatible with multiple commercial identity systems, including IDs that utilize hashed email (HEM) and those built from device fingerprints. David Kohl, Symitri’s cofounder, provides a nuanced perspective on the challenges associated with device fingerprinting and why keeping these IDs behind the firewall can mitigate a lot of the risk. He also explains why “privacy” and “fingerprinting” often seem at odds. 

“No one should be surprised when privacy professionals express a visceral negative reaction to the concept of fingerprinting,” said Kohl. “It’s entirely reasonable to be concerned.”

  1. Fingerprinting happens in the background. Capturing a device signature is passive. Consumers typically don’t know it’s happening and usually can’t do anything to stop it before the fingerprint has been created.
  2. Fingerprints are forever. Above-board commercial ID vendors provide consumers with tools to opt out, but almost no one outside of the experts in our industry even knows the names of these vendors or how to activate such a choice. For everyone else, a fingerprint is essentially a permanent ID tied to the device for its entire lifespan. Unless you get a new device, your ID doesn’t change.
  3. You can’t put the genie back in the bottle. Once a fingerprint is introduced into the digital supply chain, there is no reliable way to take it back. The fingerprint and the attributes attached to it become part of an ecosystem that’s notoriously opaque and complex. Opting out has little to no practical effect.
 

Although PETs can obscure fingerprints, Kohl emphasizes their limitations. “While PETs can obfuscate fingerprints through encryption, ephemeral tokens, and other means, the challenge is this: for these IDs to have value in digital advertising, multiple parties need access to the keys. This effectively cancels out any upstream PET-enabled protections.”

Despite these risks, Kohl warns “not to throw out the baby with the bathwater.” Device fingerprints serve an important commercial purpose. “The lion’s share of the open Internet remains unauthenticated,” said Kohl, “which means that, absent a third-party browser cookie or mobile device ID, deterministic addressability and measurement are simply impossible.” To put this commercial challenge into perspective:

  • Apple’s Safari browser, which does not support third-party cookies, accounts for 31% of the U.S. browser market. Firefox adds another 4%, meaning that 35% of the U.S. web is unreachable and unmeasurable.
  • For in-app advertising, Apple mobile devices hold a 58% market share in the U.S.
  • Since Apple introduced App Tracking Transparency (ATT) in 2021, 56% of U.S. Apple mobile device owners have entirely opted out of third-party tracking.
  • The remaining 44% selectively opts in.
 

There’s clearly a tension that requires advertisers and publishers to balance the business benefit of addressability and measurement, the underlying economic value of each party’s customer data and intelligence, and the importance of privacy—both in the face of regulation and in the context of consumer trust.

Kohl cautions that fingerprints aren’t the only identifiers raising privacy concerns. “Fingerprints often get a bad rap because they’re created in the background. But it’s equally reasonable to have the same concerns about email-based IDs,” Kohl explains.

While email-based identifiers typically start with explicit user consent, Kohl argues that they face similar risks. “The initial data exchange between the consumer and the first-party advertiser or publisher is explicit. But once an email address is shared, the IDs created around it are just as permanent—and subject to the same ‘spray-and-pray’ data leakage risks as fingerprints.”

Kohl underscores Symitri’s philosophy of keeping data securely locked between the consumer and the first-party entity they trust. Kohl explains, “Our guiding principle is simple: what advertisers and publishers put in, stays in. The buck stops with us.”

In practical terms, Symitri’s approach to data protection ensures:

  • Controlled data usage. When clients activate a device fingerprint or any other identifier through Prism, that data and its attributes remain locked between the consumer and the first party.
  • Privacy-first activation. Prism enables real-time addressable advertising using anonymous deal IDs that never include individual identity data. The approach ensures privacy and control.
  • Instant opt-outs. If a consumer opts out, the effect is immediate. There’s no risk of downstream data leakage.
 

Symitri’s position is clear: “We treat all IDs of any kind with the same uncompromising promise of privacy, all while supporting the commercial needs of open-internet advertisers and publishers. It’s our opinion that these types of protections dramatically reduce the risks associated with permanent IDs, whether based on fingerprints, emails or otherwise.”

As the industry grapples with the evolving landscape of identity and privacy, the debate over fingerprinting underscores a broader truth: no identifier—whether fingerprint-based, email-derived, or otherwise—is without risk. The key lies not in avoiding identifiers altogether but in implementing strong, enforceable protections that preserve consumer trust while enabling addressability, measurement and performance across the digital ad ecosystem. 

At Symitri, we believe that privacy and performance are not mutually exclusive. By keeping identity and consumer attribute data locked behind the firewall, we’re proving that advertisers and publishers don’t need to sacrifice security for scale and performance. As Google’s policy shift reignites the debate over digital identity, one thing remains clear: solutions that prioritize transparency, consent and control will define the future of responsible digital advertising.

Dive deeper:

“Does Google’s U-Turn on Fingerprinting ‘Open New Opportunities’ Or Is It Irresponsible?”

    • Published: January 13, 2025
    • Source: AdExchanger

“How Google’s Pivot on Digital Fingerprinting Will Enable Better Cross-Device Measurement”

    • Published: January 9, 2025
    • Source: eMarketer

“Google Policy Update Faces ICO Scrutiny for Fingerprinting”

    • Published: December 20, 2024
    • Source: AdTechRadar

“Biggest Privacy Erosion in 10 Years? On Google’s Policy Change Towards Fingerprinting”

    • Published: December 20, 2024
    • Source: Lukasz Olejnik’s Blog