How Web Sites Might Know If Your Computer Has a Bad Reputation

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

I don't have much patience for tech vendors with names that begin with lower-case letters. It's like the guy who named it couldn't be bothered to hit the shift key. I mean, if the company is that lackadaisical, is innovation even in its vocabulary? Such was my thinking when I encountered an online fraud and abuse prevention outfit that calls itself iovation.


What Portland, Ore.-based iovation does is capture identification data from the computers that access the Web sites of its subscribers, and creates a "device print" that identifies that particular computer. It then logs that device print in a shared database of all the data collected from all the computers that access the Web sites of all of its subscribers. If a particular computer is used to engage in fraudulent or abusive activity, it's flagged accordingly and a "device reputation" history is created. For a credit card company that's trying to mitigate fraud, or a social media site that wants to screen out abusive people, being able to identify a device that has a sullied reputation is a beautiful thing.


Any one of your financial services providers, your favorite gambling site, or your casual gaming destination of choice may well be an iovation subscriber. If it is, every time you go to that site, iovation automatically tries to identify your computer. Last week I spoke with Scott Waddell, iovation's vice president of technology, and this is how he explained the process:

For those customers that have a native application, such as a video game client, we can integrate a native library into that client. Then you have native code access to the device, and you can collect all kinds of attributes from the device: hard drive serial number; depending on the operating system, you might have a specific device serial number provided by the OS; MAC [Media Access Control] address from network cards; and so on. You can also store the equivalent of cookies on the hard drive for later retrieval. That's the strongest case.

A lot of customers don't have a native client, so they're looking at a Web-only integration. In that case we are constrained, just as everyone else is, by the browser sandbox in terms of the kinds of things you collect. So you no longer have access to things like the MAC address from the network card, but anything you can collect through the browser from a Web-analytics standpoint -- which still includes things like the operating system, cookies, Flash-stored objects, all of the usual suspects that are involved from the ad companies and the Web trends-type companies -- are the same kinds of things that we collect. When those are collected, they come back in real time during the transaction, and we look for a match on all of those collected attributes.


If that creeps you out, it probably shouldn't. There is no personally identifiable information collected by iovation-just a bunch of numbers associated with various attributes of your computer. On the other hand, if you're engaging in fraudulent or abusive activity online, you have reason to be bummed, because the Web site will find out if your computer has a naughty reputation.


Personally, I think what iovation is doing is pretty cool. After speaking with Waddell, I'm even willing to overlook the stupid lower-case name. If there's one thing that company's not, it's lackadaisical.