Dusting for device fingerprints

BlueCava can identify specific Internet-connected devices and how they're used. Is this the future of tracking?

In a previous Strata Week post, I wrote about BlueCava, an Orange County, Calif.-based company that has patented a way of identifying the unique fingerprint of any electronic device connected to the Internet. Last October, they closed a $5 million round of series-A funding led by Mark Cuban.

Recently, BlueCava announced the formation of an advisory board, which includes executives from Facebook, MasterCard, HP, FirstData, Bill to Mobile, and Merchant Warehouse. I caught up with CEO David L. Norris to discuss device identification, reputation technology, online fraud, and consumer privacy.

Our interview follows.


Tell me a bit more about what BlueCava does and how it works.

David Norris: BlueCava provides a platform that enables businesses to identify devices that are coming to their website. First, we identify the device and then we provide additional information about the device that would be useful to our customers in making decisions about how to interact with that device. One application is finding fraud. Another interesting area is social networking sites: a site may choose not to allow certain users to participate if they have a history of trollish behavior.

As we identify devices, we build information about each device. One of the things we can tell about a device is if it’s a shared computer being used by multiple users. We can also determine the specific level of use — whether it’s a household computer in the kitchen with a handful of users or an Internet cafe computer with hundreds of users.

It sounds like BlueCava is largely used to identify negative behavior. Can the technology also be used to identify devices or users with a positive history?

David Norris: In some ways it’s better to identify a good device rather than the bad ones — it’s much harder to mimic or fake a “clean” machine that has no history. So we’ve taken on the task of identifying a broad set of devices. This year, we’ll identify more than 1 billion devices.

From there, among the partnerships we’ve signed up, we’re going to assign direct financial benefits to those with a positive history, such as discounts and rewards. We’ll be announcing further details soon. For site managers, if you have a historical reputation that’s good, there’s an opportunity to reduce some of the costs associated with interacting with you, like performing extensive background checks. So they can afford to pass some of those savings on to users who merit it.

What about the privacy issues associated with device identification?

David Norris: We do not collect any personal information. We don’t collect Social Security numbers or email addresses. We identify devices and we characterize a device’s behavior. For devices with GPS receivers built in, we collect information at a ZIP-code level, not a granular level. That would be a violation of privacy.

We’ve also implemented what the FTC is calling “do not track,” so users can either opt out or set their preferences when it comes to online marketing.

There’s a difference between being identified and being tracked: if you turn tracking off, we can still identify a device but we don’t keep track of which websites it’s been to.

Since no system is perfect, what are the remedies available to users whose devices or histories are misidentified?

David Norris: If a question comes up about a particular device, the user can go to the merchant or site owner, who can then escalate the issue in a review queue. It becomes a human process at that point.

So BlueCava is not making direct recommendations about user accounts?

David Norris: We’re very careful not to position ourselves as a fraud solution. We are a tech company that can be part of an existing fraud solution, but device identification is only part of the story. We’re gathering information that’s already available and has been used for years by other companies. What we’re doing differently is using it in a unique way.

Imagine that you’re a store owner, and one day someone walks into your store and then walks out. The next day, they walk in again, and you recognize them. You’d do that naturally based on hair color, eye color, the shape of their face, etc. And you could recognize them even if they were wearing a different shirt, because you know that their shirt can change but their face won’t. We do the same thing with devices. Our technology is adaptive, and allows for change to occur. But it’s up to each individual client how to use that information.

Some users may find this kind of device identification intimidating because it seems like “magical spying.” What would you say to them?

David Norris: Cookies used to seem magical too. But then people got used to the idea of them.

Our technology, I believe, will replace cookies eventually. It just observes your machine instead of reaching into it and dropping something there.

Device identification is an improvement over cookies in part because if you choose to opt out, you’re opted out and that’s it. If you opt out using cookies, the system actually drops an opt-out cookie on your machine — if you clear your cookies, then you’re opted back in! Also, you have to opt out on multiple browsers. From a device identification standpoint, it’s much cleaner: you opt out once and it’s done.

This interview was edited and condensed.


  • Alex Tolley

    Does anyone still need reminding that if you use “fingerprinting”, e.g. biometric data, criminals will just appropriate the source of the fingerprint?

    What this will mean for devices is more device theft. Like cell phones. I suppose that is better than having your thumb hacked off…

    As for identifying “clean” devices, haven’t we been here before with Microsoft Windows? Change the components of your desktop and your OS shuts down and requires a call to tech support to get running again. Very popular with the buyer.

    Plus ca change…

  • http://logicalextremes.com Logical Extremes

    This practice is completely unacceptable. Opaque accumulation of unique device fingerprint dossiers with no data access or opt out by end users. This kind of technology should be opt in only by banks or other entities that truly need highly secure fraud solutions. There will be class action privacy lawsuits against these companies, if not direct legislation against these practices. I doubt the practice is highlighted in the privacy policies of most of the companies that use the tech. This is an unwarranted intrusion into the rights of netizens to surf the web anonymously. Disgusting.