[mdominguez]

I work on fraud prevention for a web company that provides financial services. My last job was the same thing. From the more technical side, not only there's a need to understand business, but to think about hard problems like these.

An IP address is not a good indicator and wouldn't replace fingerprinting. IPs may change over time, there bay me non-static IP addresses from residential connections (so, not only data centers) and today, in our mobile world, change much more frequently than in the past.

IP is just another marker that can be useful, sometimes. Even the subnet may be useful. But unfortunately, for fighting fraud we have to rely on techniques such as a device fingerprinting with the canvas exploit. There's a much simpler approach, though, but it works only on some occasions: a cookie.

So, you just check if the cookie is present and it matches the previous cookie from the same user. Done, the device matches and you're good to go (keep in mind that if someone owns your device and credentials, there's not that much we can currently do - although the behavioural biometrics proponents would have you believe otherwise).

But what if there's no cookie be cause the user logged out or opened their browser using incognito mode, or just changed browsers. In that case, we would have a false positive for the user having and using a new device. Which, from our point of view, highly correlates with fraud. This is industry-wide, from the fraud prev POV and not just some specific business (like, for example, an ecommerce website), at least most of people I have spoken with over the years have mentioned why fingerprinting is really important, and I've seen it first-hand.

So, we don't sell your data. We're not looking to match you with... whatever you can come up with in terms of a fingerprinting-data-matching-nightmare. In most cases, the only people that have the fingerprinted data are from the fraud prevention team. And we generally hate bad players, both from outisde and the inside of the company.

What we wanna do (and, again, this is generally) is try to create a better user experience for our good users. So we may relax some rules if your device is known. Or we may give you access to some features that other users don't have (let's say, a beta for a new service that we start offering).

This works by collecting as much data as possible from the device and then trying to differentiate small changes (let's say, your internal storage free memory in MBs) from big changes that could in fact mean that the user is using a new device.

So, for example, we could force you to go to account verification to login to a new device vs relaxing some rules about login from a good, trusted device for that user.

I'm sure there are exceptions, and that there may be some bad players abusing their fingerprinting capabilities. But at the same time, I'm pretty sure that most people are not OK with using that data with another purposes - even the execs. And even if we did, let's say, track our ads in a way that when you sign up we get an ID related to a particular ad that we ran - we can see that although you're a new user and by extension you have a new device, you still came to our business because we placed an ad. Which we couldn't do another way, and then the UX suffers because of decisions made to deal with that.

What I'm trying to get across with all of this is: fingerprinting is, in fact, very useful for fraud prevention, and I would argue that disabling the Canvas API exploit would affect most, if not all, machine learning models for fraud prev running on production.

EDIT: and, BTW, most companies that are trying to buy data from other companies are trying to get user behavior. What your users are doing in your app, maybe involving their product in some way (i.e. you're Spotify and are trying to get data from Shazam in order to understand user behavior with regards to the type of songs they've shazamed in the past). Again, I'm NOT saying that there may be companies tying data from outside sources that are iffy at best. And at least the more modern companies I've work at, they're not cool with merrily sending data over to another company, even if they pay. It seems like everyone is starting to understand that their data is as important as their intellectual property.

[XCSme]

What if you just use a remote device and change it each time (eg. get a VPS)? If someone really doesn't want to get detected, they will always find ways around it. It's a never-ending race.

[mdominguez]

Yeah, they have to setup a completely different environment every time, or delete all cookies and then change the environment so as to fool the "feature change / new device" model. This can have different consequences depending on the company and how they model user behavior. One could be that the user is treated as a risky user - always having new devices. Another could be that the user is treated as an outlier and nothing more than that - not risky, not safe. And then, maybe if the user has a good previous history, you let them do their thing and see what happens. Maybe you're uncovering new fraudulent behavior or maybe you have new false positive example.

Nevertheless, the amount of users that go to these lenghts to mask themselves in the general population (i.e., all users of a 50m monthly active users app) is so miniscule that's not even a discussion, the opportunity cost is huge vs just focusing on your 99.998% (number I just came up with, not a real metric) of users and understanding their behavior and how to model a "good user". New users have stable device behavior? Well, then that VPS customer is probably gonna be traced frequently. This is how some banks do things as well (not fingerprinting, but transaction monitoring in general).

EDIT: as an aside, I think the most important point to understand about how companies and spaces like the ones I have experience in use fingerprinting is - it gives you outliers and only works as long as you have a nice mass of good users. These users are not trying to game you, so they don't tamper with our fingerprinting. The ones that do tamper are either tech savvy or fraudsters. But if everyone tampered with it... You see where I'm going with that.

[greggman2]

> (let's say, your internal storage free memory in MBs)

How is that determined? I didn't know that was possible

[mdominguez]

This isn't possible in a web context (or it wasn't possible sometime ago last I looked at it). It is possible in a mobile app though.