1

A site I'm working on tracks users before they sign up or log in to determine things like which pages drive the most users to sign up for the service, etc.

Currently we make use of a browser fingerprinting library. We fingerprint the browser, save the result in a cookie, and use this cookie to uniquely determine users. However, many browsers end up computing the same fingerprint as other browsers. eg. We see a lot of the same fingerprint from Safari on an iPad, even though it's distinct iPads.

We only use the fingerprint on our own first-party site, so I'm thinking that perhaps fingerprinting wasn't even the correct approach to begin with. I'm thinking of switching to a system where the server hands out unique tokens to each client. The client would store the received token as a cookie in place of the old fingerprint, and if it already has one of these server-side created tokens, then it ignores the new one, or maybe doesn't request it in the first place.

Does this plan make sense? Am I overlooking anything obvious?

I'm aware that inclined users can read though our client side code and change the values of their cookies to mess with us. I'm not worried about that small percentage of users, this is to get a broad picture of what's going on with the site.

Improve this question
1
  • Do you have a suspicion that you missed something? Commented Jan 3, 2020 at 21:05

2 Answers 2

Reset to default
3

Your plan makes sense. It is essentially how traffic tracking tokens for advertisers work. The ad embeds a tracking cookie with a unique identifier, and if you click on the ad the identifier shows the ad server that they have a positive click-through.

If your site is a Single Page App (SPA), then you can essentially perform the same thing without using cookies. Just store the tracking ID as a JavaScript variable, and present it with every request. You can use a custom header like X-Tracking-Id to send the information so the server side can grab it and log it.

Biggest caveat is legal

In many locales, there are increased stringency on what you can and cannot legally do. I recommend looking at the user privacy laws for where your users live. For example, the United Kingdom's privacy laws are more strict than the United States' privacy laws.

Improve this answer
1

Yes, you miss privacy and privacy protecting technology:

In other words, you intend to use a technology that will soon be useless: once you'll seemingly have only a couple of apparent browser configurations around, your tracking will be useless if not misleading.

To the technical aspects your legal department would anyway have to add legal considerations: fingerprinting requires user consent under GDPR, since it is a collection of data that could allow you to identify an individual, and retroactively determine the users interests if he/she registers before he/she registered and given consent.

Finally, marketing should also have a word to say, since some browsers like FireFox warns users of fingerprinting attempts, which may not give the most transparent image of your web site, if you didn't inform your users -- registered or not -- on beforehand.

Disclaimer: nothing above is a legal advice. For legal advice, please consult a lawyer or a qualified legal expert in your jurisdiction.

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.