Let's not cry wolf too soon
Nice write-up, I see the KUL folks are at it again with their peers at Princeton and as I read their initial paper about fingerprinting some months ago, I'm happy to see there's a follow-up with stuff we've been facing for a while.
The comment by David R. Carr is an important one from a legal perspective and something I've been struggling with as well following this new write-up: is something being installed on the user's device or not? From what I had understood so far, digital fingerprinting as explained by the Electronic Frontier Foundation through their Panopticlick tool https://panopticlick.eff.org/, only pinged some data related to the browser used to uniquely identify a device. In the analytics sector, we've been doing this for a while to circumvent certain browsers or settings blocking cookies. So typically, a unique ID would be attributed using these browser features and some server-side data like IP. It's not ideal and far from accurate but helps to identify returning visitors. So far, this did not install anything on the user's machine. It seems that with canvas fingerprinting we might be talking about something else and if something is indeed placed on the device, then according to EU legislation (the infamous Cookie Directive), this needs to be declared.
DNT is another issue altogether and a more US-based approach to online tracking. I have some clients who are exploring this as it's up to them to decide whether or not they want to respect DNT. Typically the header sends a DNT=1 variable but the website using the tracking technology can choose to respect this request or not. So while it's interesting for the user to have this blanket set-up from a browser perspective (as opposed to having to opt out for every website), it's still not bulletproof as it doesn't mean the other side of the equation actually respects the header. Most analytics tools have some kind of way of working with this and typically Tealium, one of the major tag management solutions, actually has 2 options: to first track and report on the header request and then actually block the setting of the cookie if indeed the DNT header is set to 1.
So this brings it back to the responsibility of the website or digital property owner to respect the user's wishes for less privacy-invasive technology. For now, the stance has been to hide behind "oh but we don't collect personal information or PII" but as the Californian Privacy Protection Act (CalOPPA) requires website owners to declare how they respond to DNT, we have more and more clients looking into the issue of being compliant without losing too much data. It's interesting to see how the US-based DNT principles partially overlap with the EU Cookie Directive.
And this boils down to understanding what your tracking technology is doing exactly in terms of data flows. More often than not, a website owner has no idea what exactly happens behind the scenes, let alone the terms and conditions of certain tracking tools. So I've seen companies being slapped on the wrist by data protection agencies because of a Flash file firing LSO objects. I've also seen analytics tools having to settle lawsuits for ETags.
Digital property owners need to start thinking about what is acceptable in terms of tracking and about where their company might be liable. Imagine an analytics vendor suffers a data breach (Adobe ran into some trouble a couple of months ago) and the company using their analytics tools did not respect the Terms and Conditions, they will be badly positioned in court. Analytics vendors need to become more transparent so that we can find a balance that works for both users and website owners. Same goes for mobile with tools like MyPermissions, showing you what is being collected. We are getting there, slowly but surely, but it's indeed not an ideal equilibrium as deviation from best practices can always be defended by the "oh but we had no idea" stance, certainly for companies whose initial business is data.