
Cre8asiteforums Internet Marketing
and Conversion Web Design


Visitor Identification


#1 iamlost



Posted 15 December 2011 - 04:39 PM

An article in Search Marketing Land ( :)) by Daniel Waisberg, UK On Cookie Compliance: Website Owners “Must Try Harder”, 15-December-2011, is well worth reading even for those of us not in the UK/EU. While the 'cookie' provisions being discussed are only a tiny part of quite an encompassing digital electronic regulatory framework, they have an inordinate importance to many webdevs.

One of the web's biggest hurdles is that HTTP is a stateless protocol - it has no memory. A common solution is a session id, the identifier portion given to the visitor known colloquially as a cookie. One drawback of this method is that it is an 'active' tracker: the server (website) originates the communication and the client (visitor) either accepts or declines. Many sites, especially in ecommerce, are functionally unusable if the cookie is refused.

So I thought I'd write about something a little different: visitor fingerprinting. Not biometric fingerprinting but device/browser fingerprinting. Why? Because it is an alternative or backup to cookies.

As with most things on the web, browser fingerprinting is not new and only those utilising the process know whether it is improved. Why? Because unlike cookies there is little or no (depending on methodology) recognised communication between the server and the browser.

There are two main classes of remote visitor device fingerprinting that can be utilised by a website:
* passive: observation and analysis of communication traffic with the browser/device.
* semi-passive: after the browser initiates communication the server then interacts.
The third class, active, requires that the server initiate the connection; most sites would rather opt to serve a cookie, as active fingerprinting can be identified and may contravene local regulation/law.

What data points can be used to differentiate devices?
---TCP/IP implementation.
---OS configuration.
Note: even the presence of 'scrubbers' is of value as an identifier.
---browser identification via web retrieval flow analysis
Note: flow analysis can identify browsers even when set to 'another' user agent.
---clock timing skew.
---browser plug-ins, versions, mime types.
---system fonts.
---firewall, router identification and configuration.
---wireless settings
---screen resolution
and many more. To operate, devices, be they hardware or software, need to communicate, to share specifications. Basic passive fingerprinting from several years ago could differentiate ~8-bytes (64 bits) of identifying data, sufficient to uniquely identify over 80% of visitors.

Granted, this is far short of what is functionally necessary for an ecommerce shopping cart. :D However, unsubstantiated reports suggest current passive, semi-passive combination methodologies are closer to 98%. Even if true and released publicly, still short of cookie performance.

However, fingerprinting is totally invisible and long lived (short of significant upgrade or replacement. Note: 'significant' is a moving target as statistical analysis can increasingly look past device changes if IP remains static or vice versa). Certainly sufficiently robust for remarketing, definitely valuable for non-ecommerce sites, and a reasonably reliable failover/extension for ecommerce businesses.

So, when the cookie crumbles, know that all is not lost in the fight to induce memory onto a stateless web.
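
An added example, not part of the original post: one way to measure how identifying a set of observable attributes is, by hashing them into a 64-bit fingerprint and grouping a constructed sample of visitors into anonymity sets. The attribute names, sample values and function names are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

# Constructed sample of attributes a server can observe; not real visitor data.
VISITORS = [
    {"ua": "Firefox/8.0", "screen": "1280x800", "tz": "-300", "fonts": "Arial,Verdana"},
    {"ua": "Firefox/8.0", "screen": "1280x800", "tz": "-300", "fonts": "Arial,Verdana,Calibri"},
    {"ua": "Firefox/8.0", "screen": "1920x1080", "tz": "0", "fonts": "Arial,Verdana"},
    {"ua": "Chrome/16.0", "screen": "1280x800", "tz": "-300", "fonts": "Arial,Verdana"},
    {"ua": "Chrome/16.0", "screen": "1280x800", "tz": "-300", "fonts": "Arial,Verdana"},
    {"ua": "MSIE 9.0", "screen": "1366x768", "tz": "60", "fonts": "Arial,Tahoma"},
    {"ua": "MSIE 9.0", "screen": "1366x768", "tz": "60", "fonts": "Arial,Tahoma"},
    {"ua": "MSIE 9.0", "screen": "1366x768", "tz": "0", "fonts": "Arial,Tahoma"},
]

def fingerprint(visitor, keys):
    """Hash the chosen attributes into a fixed 64-bit identifier (16 hex chars)."""
    material = "\x1f".join(f"{k}={visitor[k]}" for k in sorted(keys))
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def anonymity_sets(visitors, keys):
    """Count how many visitors in the sample share each fingerprint."""
    return Counter(fingerprint(v, keys) for v in visitors)

def unique_fraction(visitors, keys):
    """Share of visitors whose fingerprint nobody else in the sample has."""
    sets = anonymity_sets(visitors, keys)
    return sum(1 for n in sets.values() if n == 1) / len(visitors)

def surprisal_bits(visitor, visitors, keys):
    """Identifying information in bits: -log2(share of sample with this fingerprint)."""
    sets = anonymity_sets(visitors, keys)
    return -math.log2(sets[fingerprint(visitor, keys)] / len(visitors))

if __name__ == "__main__":
    # Each extra attribute splits the anonymity sets further.
    for keys in (["ua"], ["ua", "screen"], ["ua", "screen", "tz"],
                 ["ua", "screen", "tz", "fonts"]):
        print(keys, unique_fraction(VISITORS, keys))
```

The user agent alone singles out nobody in this sample, while the four attributes together make half of the visitors unique; surprisal measured this way is bounded by the sample size, so a small sample understates how identifying an attribute set is.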
