F5 Distributed Cloud Authentication Intelligence™ Privacy Statement

Published on: 28 September 2021


From a user perspective, being forced to re-authenticate to a website can be a hassle, especially if the user has good password practices, like having a different long, unique password for each website. This increases the likelihood that the user can’t remember the password and must perform a password reset at a critical time, and sometimes users can’t complete the password reset either (for example, because they don’t remember the username either, or can’t remember the answer to a security question). However, meeting user demand for logins to persist for longer can create a risk to the user when they login from a browser that they share with others, like browsers on computers in hotel business centers, common living areas, or certain workplace computers. In those cases, keeping a user logged in may result in exposing that user’s account to the next person to use the same browser. Website operators want to give users the full login sessions they desire, but only when it’s safe to do so. Shape Recognize™ (the “Service”) helps them do that.

The Service works by assessing whether the visitor’s browser is likely to be shared by multiple individuals. If not, the website can keep the visitor logged in for the desired duration. If so, the website operator can require earlier re-authentication. This Privacy Statement applies to the data that the Service uses.

Roles of the Parties

Under the data protection laws of the EU and similar jurisdictions, F5 is a processor of the data about the customer’s users, and the customer is (or acts on behalf of) a controller of such data, to the extent it contains personal data.

Personal Data Collected by the Service

The Service collects data from the browsers and devices of visitors to the customer’s website. We use automated means to collect this data. 

The Service uses the following data:

  • Current IP address of the device that is using the customer’s online property;
  • A collection of technical data about the browser or device, which sometimes may be unique to the browser or device (though Shape cannot determine when that is the case); and
  • Where applicable, a record of whether that the combination of that IP address with that collection of technical data (a “Combination”) is associated more than one account with at least one customer.

Processing of the Personal Data

If a Service customer’s user is visiting the customer’s website from a non-unique Combination, Shape will alert the customer, who can choose to take defensive measures, such as requiring the user to log in again sooner than would normally be the case, especially prior to when the user engages in a logged-in activity that the customer determines should be private to the authentic user (like completing a purchase or reviewing account details).

More Information

To exercise your rights with respect to the customer data that F5 processes when providing the Service to a customer, please contact that customer. For more information about F5’s privacy practices, please see the F5 Privacy Notice.