Why Cross-Device Tracking May Put Company Data at Risk


By Aaron Hightower October 27, 2017

Cross-device tracking—like those ads that follow you from Amazon to Facebook, from your computer to your smartphone—could cause major headaches for HR and IT professionals tasked with keeping data secure.

Employees who visit websites that track their online surfing habits across their computer and smartphone may be inadvertently leaving their work devices vulnerable to hacking.

Cross-device tracking is a huge, yet little-known, security flaw. It's a method of collecting online information from various devices and linking it to a single user—without the user's knowledge.

Companies use the information to create a user profile that could include sensitive personal and workplace information, which could leave organizations susceptible to a security breach.

"When you think of security breaches…companies [using cross-device tracking] can collect lots and lots of information—basically whole profiles about individuals can be set up," said Alja Poler De Zwart, an associate in Brussels for the San Francisco-based law firm Morrison Foerster, speaking during a recent webinar.

Cross-device tracking does not leave a digital footprint, added Julie O'Neill, a partner in Boston for Morrison Foerster, so detection is virtually impossible.

So, too, is controlling it.




"The biggest threat on multiple-device usage is mainly from an employee using a personal device to complete work-related tasks, assuming the appropriate safeguards are already in place," said Anthony Dagostino, global head of cyber risk in New York City for the London-based advisory firm Willis Towers Watson, in an interview with SHRM Online.

For example, "e-mailing a work-related file and opening it on a personal device can be a big point of exposure for an organization. Employees using personal devices to complete work tasks are now exposing their organization," he said.

How It Works

There are two types of cross-device tracking: deterministic and probabilistic identification.

Deterministic identification tracks a single user from the information the user gives voluntarily on different devices, such as login information, passwords and answers to security questions. For example, if a user logs into Facebook from his or her smartphone and laptop using the same login information, Facebook can link those devices together as having the same user.

Probabilistic identification collects information from the unique configurations of the devices. Compiling operating systems, apps, IP addresses and plugin details creates a unique fingerprint that connects these devices and makes it highly probable that they are used by the same person. It is this type of tracking that allows ads to appear on a laptop that match a search that a user may have done earlier on his or her smartphone.

Both tracking methods work like cookies—small files that are stored on a user's computer by a browser to customize a website for the user's future visits. But, unlike cookies, cross-device tracking cannot be erased or disabled after a web browser is closed.
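
The difference between the two identification types described above can be seen in a short sketch. This is an added example, not code from the article or from any real tracking product; the device records are constructed, and the attribute weights and the 0.4 threshold are assumptions chosen for illustration.

```python
from itertools import combinations

# Constructed sample observations (not real data): attributes a tracker could
# see per device. "login" is None when the user never signed in on that device.
OBSERVATIONS = [
    {"device": "work-laptop", "login": "u1@example.com", "os": "Windows 10",
     "ips": {"203.0.113.7", "198.51.100.4"}, "apps": {"chrome", "slack", "zoom"}},
    {"device": "personal-phone", "login": "u1@example.com", "os": "Android 8",
     "ips": {"203.0.113.7"}, "apps": {"chrome", "slack", "maps"}},
    {"device": "home-tablet", "login": None, "os": "Android 8",
     "ips": {"203.0.113.7"}, "apps": {"chrome", "maps", "zoom"}},
    {"device": "stranger-laptop", "login": "u2@example.com", "os": "macOS 10.13",
     "ips": {"192.0.2.55"}, "apps": {"safari", "mail"}},
]

def jaccard(a, b):
    """Overlap of two sets: 0.0 means nothing shared, 1.0 means identical."""
    return len(a & b) / len(a | b) if a | b else 0.0

def deterministic_links(obs):
    """Device pairs linked because the user gave the same login on both."""
    return {frozenset((a["device"], b["device"]))
            for a, b in combinations(obs, 2)
            if a["login"] and a["login"] == b["login"]}

def probabilistic_score(a, b):
    """Similarity of network and configuration attributes (weights are assumptions)."""
    return round(0.6 * jaccard(a["ips"], b["ips"])
                 + 0.3 * jaccard(a["apps"], b["apps"])
                 + 0.1 * (a["os"] == b["os"]), 3)

def probabilistic_links(obs, threshold=0.4):
    """Device pairs whose similarity score meets the (assumed) threshold."""
    return {frozenset((a["device"], b["device"])): probabilistic_score(a, b)
            for a, b in combinations(obs, 2)
            if probabilistic_score(a, b) >= threshold}
```

In this sample the tablet was never logged in, yet it is still tied to the work laptop through the shared home IP address and overlapping apps, which is why signing out or clearing cookies on one device does not break the link.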

The Solution

"One of the most critical areas in cybersecurity is endpoint security and the mobile device is one of the most exposed endpoints for an organization, so it's important for HR and information security professionals to be orchestrated in their approach to managing the risk, not just through technology but through their people as well," Dagostino said.

The European Union (EU), where cross-device tracking is more pervasive, will be updating its cybersecurity regulations, according to De Zwart. Two new laws regulating the collection of data from users will go into effect May 25, 2018: The General Data Protection Regulation (GDPR) and the ePrivacy Regulation.

The GDPR will give people control over their personal data by requiring user consent to engage cross-device tracking, unifying all EU regulations of data protection and making it easier for non-EU companies to comply. Companies that violate the new laws will face stiff penalties.

Although there isn't a unilateral privacy law in the U.S., the Federal Trade Commission (FTC) has given recommendations to companies that use cross-device tracking:

  • Provide notice of cross-device activity.
  • Have reasonable security in place to protect data.
  • Be careful about representation that "personal data" is not used.
  • Be clear about the scope of opt-outs.
  • Honor opt-outs.
  • Obtain opt-in consent for the collection of sensitive data.

The Digital Advertising Alliance (DAA) is an independent U.S. nonprofit organization led by advertising and marketing trade associations. Its DAA Application of Self-Regulatory Principles of Transparency and Control guidance recommends, among other things, that users be provided with notice and the choice to opt out when their browsing activity on one device may be used to deliver ads to them on another device.

Experts say it's best to combat this problem on the company level by training employees.

"The best approach is a multifaceted approach managing cyberrisk through three risk lenses: people, technology and capital," said Dagostino. "The people risk should be addressed through continual training of employees, awareness programs to foster a cyber-savvy work environment, and having a strong mobile device and computer usage policy in the code of conduct or terms of employment."


Aaron Hightower is a freelance writer in Detroit.
