Is it bad if I use fingerprinting to track anonymous users so that I can provide them with a great UX without requiring them to give me all their personal details? Or should I only use cookies, that the user might delete? I don't see an issue with either for this purpose.
Imagine you sat one of you users down, and explained the details of how your fingerpriting system worked.
You explain that their browser has all kinds of little, subtle leaks of information about what software they're using, what operating system they're using, whether it's up to date, what hardware they're running, whether they're in a public space or an office or a home, which city they're in, what ISP they use, how they've configured their monitor and screen, what settings they set in their browser, what language they use at home, etc etc
You explain that you can collect all this information without them knowing you were doing it, without them really being able to stop you if they wanted to, and that you can collate it into an identifier that lets you know every time they visit your site even if they don't tell you themselves in some way, and with no way to ask you to stop.
And you explain that you do this for them, to make their experience of your site better for them, and harder for them to accidentally break.
How do you think they'd respond?
To be clear, I'm not asking this as some rhetorical trick. There absolutely are users who wouldn't care in the least, and who might even see you as really clever for doing it.
But that's how you can know if it's bad or not. If you think your users would be creeped out or otherwise troubled by it, or might feel like you've invaded their privacy or their right to control their own experience in their own browser, then you already know it's bad. If you think they wouldn't mind, then -- and only then -- maybe it's not.
I think that's a solid model to use, however, I would argue that its safe to assume that: ** There absolutely are users who wouldn't care in the least, and who might even see you as really clever for doing it.** Makes up >= 95% of recurrent anonymous users by default.
You should be using a cookie for this purpose, you could in fact just store the ui settings directly in the cookie.
It becomes tracking once you say “I have an ID in a cookie, and I’m going to look up the settings for that ID in my own giant DB”.
What you’re suggesting - using fingerprinting - is the worst. It’s not reliable nor robust, it implicitly requires tracking (you have to record the fingerprint<=>setting db and look it up), and user cannot opt out of it nor trivially change state at will, etc.
There is fundamentally no legitimate reason to ever use fingerprinting over the actual explicit mechanisms for persistent storage.
Facebook, Apple and Google use people faces to track them. Governments use public cameras to track people. Google and Facebook also use other kind of tracking people.
But somehow it's immoral for average Joe to track not people but browsers.
Um, as far as I know apple does not use faces to track people.
I'm not sure about google, but my experience with the folk working their make me suspect that even they would not start correlating faces across accounts/users (though I suspect they aren't as careful as apple to avoid that information being visible to them).
But more to the point you're saying "if entity X tracks people it's immoral for anyone else to not track people" rather than "it's immoral for entity X to track people", which is some kind of gross mental gymnastics, and applies to pretty much anything: "if person X gets away with assault, then I should also get away with assault", etc
