On May 25th 2022, an international NGO published an allegation of improper collection of user information and violation of privacy concerning a certain user of Spider AF. The allegation is that user information was improperly collected through the canvas fingerprinting technology used in the ad fraud countermeasure service, Spider AF. However, Spider AF rejects this allegation and confirms that the accusations reported are highly inaccurate.
As a cyber security company, Spider AF takes privacy and security seriously. We are currently conducting further investigations into these allegations alongside continued fact-finding. Additionally, our company’s viewpoint regarding this issue is as follows:
1 About our business
We are a “Digital Advertising Fraud Prevention Business”, and our service “Spider AF” is a tool that detects fraudulent methods of exploiting advertising fees in performance-based ad distribution, such as illegally increasing impressions and ad clicks through automated programs.
The report states that our business is "targeted ad serving," but we do not engage in any such business (i.e., serving advertisements requested by advertisers).
The report also states that there was no response to their request for comment, but no such requests were received by Spider AF.
2 Canvas fingerprinting technology
“Canvas Fingerprinting” is a technology in which the browser operated by a visitor (hereafter, “user”) to a website where a tag is placed draws an image using canvas functionality, and a hash of the generated pixel data is acquired as a “fingerprint” (identifying data). This technology is widely and commonly used by advertisers and in web analysis tools.
With this technology, a user’s browser environment (OS, hardware, browser, etc.) is used to generate a particular hash value (the fingerprint in question). However, there are different levels of fingerprint granularity and not all can be used to identify a specific user.
In other words, the fingerprint, consisting of the hashed data gained from the technology in question, is nothing more than a fixed value computed from the original data by a specific calculation procedure. By itself it is simply meaningless information, with no function beyond identifying, at most, “a user who has the same browser environment.”
Additionally, it can be set with varying degrees of precision. For example, some fingerprints only identify the type of device (e.g. Android or iPhone) or the type of browser used (e.g. Chrome or Firefox), and not all "browser environment characteristics" are necessarily hashed.
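The granularity point in this section can be made concrete with the following added example, which is not Spider AF's code and not part of the original statement. The visitor records, the field names, and the FNV-1a hash are all assumptions chosen for illustration; `render` stands in for the pixel output a canvas draw would produce.

```javascript
// Added illustration; visitor records, field names and the hash are assumptions.
// `render` stands in for the pixel output of a canvas draw on that
// GPU/driver/font stack (constructed values, not real measurements).
const visitors = [
  { device: "iPhone", browser: "Safari", render: "r1" },
  { device: "iPhone", browser: "Safari", render: "r1" },
  { device: "iPhone", browser: "Safari", render: "r2" },
  { device: "Android", browser: "Chrome", render: "r3" },
  { device: "Android", browser: "Chrome", render: "r4" },
  { device: "Android", browser: "Chrome", render: "r3" },
];

// FNV-1a (32-bit): a small non-cryptographic hash used here as a stand-in.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// A fingerprint is a hash over whichever fields are fed into it.
function fingerprint(visitor, fields) {
  return fnv1a(fields.map((f) => `${f}=${visitor[f]}`).join("|"));
}

// Group visitors by fingerprint and report how large the resulting groups are.
function summarize(list, fields) {
  const sets = new Map();
  for (const v of list) {
    const fp = fingerprint(v, fields);
    sets.set(fp, (sets.get(fp) || 0) + 1);
  }
  const sizes = [...sets.values()];
  return {
    distinct: sizes.length,                 // number of different fingerprints
    smallestSet: Math.min(...sizes),        // smallest group sharing one value
    uniqueVisitors: sizes.filter((n) => n === 1).length,
  };
}

const COARSE = ["device", "browser"];           // device/browser type only
const FINE = ["device", "browser", "render"];   // plus rendering differences

console.log("coarse:", summarize(visitors, COARSE));
console.log("fine:  ", summarize(visitors, FINE));
```

With the coarse field set every visitor shares a fingerprint with at least two others; adding the rendering field singles out two of the six, which is why the inputs to the hash matter when a tag is reviewed.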
3 Spider AF’s use of canvas fingerprinting technology
Spider AF uses canvas fingerprinting technology for the sole purpose of ad fraud detection, and its accuracy is limited to a hash of "device/browser type" only. We do not compute a granular fingerprint of the user’s environment and are unable to identify users based on this information. We use canvas fingerprinting to identify a device type rather than a specific user. By obtaining a device type’s fingerprint, we are able to investigate whether an access is authentic or not.
Accesses occurring from browser environments that are not authentic (i.e. spoofed) are often related to fraudulent attempts to abuse a service. For example, by obtaining fingerprints we investigate whether users are disguising their devices, such as when advertisements that are originally delivered only to mobile devices are displayed in a virtual machine environment, and we use other information to determine the likelihood that a particular access is ad fraud on behalf of our customers.
The fingerprints that we obtain are used only for our internal judgment as to whether or not a site’s access is likely to fall under the category of ad fraud, and are not intended to be used for the purpose of ad distribution, nor provided to users of Spider AF or other third parties.
4 Regarding how Spider AF handles personal information gained from canvas fingerprinting technology
The Spider AF user, referenced in the report, had been using our service for some period of time to detect fraudulent advertisements related to services sold in Japan.
The party involved placed Spider AF's tag on the landing page of the service (as of this writing, this tag has already been removed), and the "Canvas Fingerprinting" technology was used to send fingerprints (hash information only limited to "device type") of the visitors to the landing page to our servers.
However, we understand that there is no violation under the relevant law governing personal information or other applicable laws and regulations in Japan with regard to this transaction, and we do not believe it is appropriate to characterize the transaction as unjustified collection of information or invasion of privacy.
In addition, during the said party's use of Spider AF (prior to March 31, 2022), there were no special regulations under relevant laws regarding the acquisition and use of fingerprints (not linked to other personal information), which by themselves do not identify an individual.
Meanwhile, since April 1st of this year, it has been clearly stated in writing, as regards the revised law in question, that regulations governing “personal information” (being information related to an extant person, not being applicable to personally identifiable information, pseudonym processing information, or anonymity processing information) may now potentially apply to fingerprinting as a form of “personal information.”
However, even within the context of the content of said regulations, the “personal information” in question only applies if shared with third parties, being Spider AF’s users or third parties overseas. (Articles 31 and 28 of the same law.)
In summary, as demonstrated above, our company only uses fingerprints internally and does not disclose said fingerprints to third parties, meaning that the regulations put down in writing from April 1st of this year do not apply to the fingerprints used by our company.
It is truly regrettable that the above matter has been reported without sufficient confirmation of the facts. It has caused great concern to the organization involved in the report, Spider AF clients, partners, and all related parties.
We hope that you will continue to use Spider AF with peace of mind, as we are committed to providing our services in compliance with relevant laws and regulations, and in consideration of the privacy of our users, as we work to prevent fraudulent advertising.
END OF STATEMENT
<To get in contact regarding this incident>
Spider Labs, Ltd. Public Relations: Ryan Meegoda
E-mail: pr@spider-labs.com