23 July 2014 | 3,846 views

Clear Your Cookies? You Can’t Escape Canvas Fingerprinting


So tracking is getting even trickier. It seems canvas fingerprinting would work in any browser that supports HTML5, and it is pretty hard to stop as a user because it relies on a basic feature (a website instructing your browser to draw an image using canvas).

And it turns out every single browser will draw the image slightly differently, so they can track you regardless of your cookie/privacy settings by asking your browser to redraw the image and then, I assume, quickly scanning a database of image checksums for a match.
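
The draw-then-read-back sequence described above is also what makes the technique detectable. As an added example (not from the original article or the researchers' code), this JavaScript scans a recorded trace of canvas API calls and flags scripts that draw text and then read the pixels back losslessly. The trace format, the example URLs and the 16-pixel threshold are assumptions made for illustration.

```javascript
// Added example: detect the draw-then-read-back pattern in a recorded trace of
// canvas API calls. Trace format, URLs and thresholds are assumptions.
const MIN_SIDE = 16; // assumed: smaller canvases/reads carry too little detail
const TEXT_APIS = new Set(['fillText', 'strokeText']);

// True when a call reads canvas pixels back in a form precise enough to hash.
function isIdentifyingRead(ev) {
  if (ev.width < MIN_SIDE || ev.height < MIN_SIDE) return false;
  if (ev.api === 'toDataURL') {
    const mime = String(ev.args[0] || 'image/png').toLowerCase();
    return mime !== 'image/jpeg'; // assumed: lossy export is ordinary image saving
  }
  if (ev.api === 'getImageData') {
    const [, , w, h] = ev.args; // getImageData(sx, sy, sw, sh)
    return w >= MIN_SIDE && h >= MIN_SIDE;
  }
  return false;
}

// Returns the sorted URLs of scripts that drew text on a canvas and later
// read that same canvas back.
function findFingerprinters(trace) {
  const textDrawn = new Set(); // "script|canvas" pairs that have drawn text
  const flagged = new Set();
  for (const ev of trace) {
    const key = `${ev.script}|${ev.canvas}`;
    if (TEXT_APIS.has(ev.api)) textDrawn.add(key);
    else if (textDrawn.has(key) && isIdentifyingRead(ev)) flagged.add(ev.script);
  }
  return [...flagged].sort();
}

// Constructed sample trace (not captured from any real site).
const call = (script, canvas, width, height, api, args) =>
  ({ script: `https://${script}`, canvas, width, height, api, args });
const SAMPLE_TRACE = [
  call('widgets.example/share.js', 'c1', 300, 150, 'fillText', ['sample text 123', 2, 15]),
  call('widgets.example/share.js', 'c1', 300, 150, 'toDataURL', []), // flagged
  call('cdn.example/chart.js', 'c2', 640, 480, 'fillText', ['Q3 revenue', 10, 20]),
  call('cdn.example/chart.js', 'c2', 640, 480, 'fillRect', [0, 0, 50, 80]), // never read
  call('cdn.example/thumb.js', 'c3', 200, 200, 'fillText', ['watermark', 5, 190]),
  call('cdn.example/thumb.js', 'c3', 200, 200, 'toDataURL', ['image/jpeg', 0.8]), // lossy
  call('cdn.example/feature-test.js', 'c4', 300, 150, 'fillText', ['\u263a', 0, 0]),
  call('cdn.example/feature-test.js', 'c4', 300, 150, 'getImageData', [0, 0, 1, 1]), // 1x1
];

console.log(findFingerprinters(SAMPLE_TRACE));
```

Because the check keys on API behaviour rather than on the script's origin, it applies equally to a script served from the visited site's own domain.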

Canvas Fingerprinting

It wouldn’t exactly tie to your identity (unless you did it on a site that requires/supports login) but it would tie your usage together across sites, especially any sites using AddThis (which I could never stand).

A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.

The type of tracking, called canvas fingerprinting, works by instructing the visitor’s web browser to draw a hidden image, and was first documented in an upcoming paper by researchers at Princeton University and KU Leuven University in Belgium. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.

Like other tracking tools, canvas fingerprints are used to build profiles of users based on the websites they visit — profiles that shape which ads, news articles or other types of content are displayed to them.

But fingerprints are unusually hard to block: They can’t be prevented by using standard web browser privacy settings or using anti-tracking tools

The researchers found canvas fingerprinting computer code, primarily written by a company called AddThis, on 5% of the top 100,000 websites. Most of the code was on websites that use AddThis’ social media sharing tools. Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish. (A list of all the websites on which researchers found the code is here).

A lot of sites use AddThis, so a lot of users are being tracked; the article/research states 5% of the top 100,000 websites, so at least 5000 high-traffic sites are capturing user data in this rather underhanded way.

I can foresee a lot of people removing AddThis from their sites if this news gets any kind of traction.

You can find a list of the sites with the fingerprinting code here – Sites with canvas fingerprinting scripts

Rich Harris, chief executive of AddThis, said that the company began testing canvas fingerprinting earlier this year as a possible way to replace “cookies,” the traditional way that users are tracked, via text files installed on their computers.

“We’re looking for a cookie alternative,” Harris said in an interview.

Harris said the company considered the privacy implications of canvas fingerprinting before launching the test, but decided “this is well within the rules and regulations and laws and policies that we have.”

He added that the company has only used the data collected from canvas fingerprints for internal research and development. The company won’t use the data for ad targeting or personalization if users install the AddThis opt-out cookie on their computers, he said.

Arvind Narayanan, the computer science professor who led the Princeton research team, countered that forcing users to take AddThis at its word about how their data will be used is “not the best privacy assurance.”

It’s all pretty shady, but honestly we have to assume people are doing this type of stuff because one of the most valuable things you can create from the Internet is user data. Especially usage/consumption patterns: even if it doesn’t tie to specific humans, the data itself is very valuable to people making marketing decisions based on it.

Plus whatever AddThis is doing isn’t regulated in any way, so they can say they are gonna stop/change but just continue on anyway. If you wear a Tinfoil hat, you are probably already using Tor Browser anyway – so good for you.

The full paper is also available here – The Web Never Forgets [PDF]

Source: Mashable




6 Responses to “Clear Your Cookies? You Can’t Escape Canvas Fingerprinting”

  1. Jim 24 July 2014 at 7:57 pm Permalink

    Easy fix for AddThis (and a lot of others): Ghostery https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij

    • Darknet 24 July 2014 at 11:12 pm Permalink

      Yah it blocks AddThis (As in the cookies) but it DOES NOT block canvas fingerprinting (which this article is about..).

  2. fracbak 25 July 2014 at 9:11 am Permalink

    Many ways to block it:

    https://github.com/gorhill/httpswitchboard/wiki/About-these-%22%E2%80%98virtually-impossible%E2%80%99-to-block%22-fingerprinting-tools

    • Darknet 25 July 2014 at 8:11 pm Permalink

      Erm, that’s not many ways – that’s one way (mentioned above) which causes various site degradations – blocking JavaScript and/or the origin domains. What if the JavaScript is moved off onto the domain you are accessing, rather than a 3rd party domain like addthis.com? And would one of my non-technical colleagues or relatives be able to do that? No.

  3. Phil 28 July 2014 at 8:02 am Permalink

    So, wouldn’t this allow tracking of TOR users? If the TOR browser bundle (or any browser used by other TOR users) is fingerprinted, it would allow tracking of a user within the TOR network. Won’t link sessions inside TOR to anything outside, but still allows tracking of what sites a TOR user visits within a session, and potentially across sessions.

    • Darknet 28 July 2014 at 6:57 pm Permalink

      Tor users yes, Tor Browser users no, as mentioned in the paper “The team found the Tor Browser to be the only software to successfully protect against canvas fingerprinting. This browser returns an empty image from all the canvas functions that can be used to read image data”.