New user tracking technique used by many top sites

Advertisers really want to track you. Your browsing history is one of the best clues as to what ads you are most likely to see. Perhaps more nefariously, advanced tracking methods can help other entities (like the NSA) know what privacy-oriented web surfers are doing on the web.

A new method of tracking, called canvas fingerprinting, is catching on fast and can jeopardize the privacy of those who think they have taken adequate precautions to disable ad tracking.

What is it?

While the method has been known at least since 2012, when it was described in an academic presentation by Keaton Mowery and Hovav Shacham, it was previously unknown whether and how much it was in use. Work from Belgian researchers and researchers at Princeton sought to quantify the extent and nature of its use “in the wild.”

As reported by ProPublica, the research looked into the 100,000 most visited web sites to see which used canvas fingerprinting. Of those, about 5.5% were using this technology. Interestingly, the vast majority (around 95%) were using a script from AddThis, a company best known for providing webpages with social media sharing buttons.

While social sharing buttons and widgets have been known to contain user tracking technology, users could usually block these fairly easily by configuring their browser to block third-party cookies. Canvas fingerprinting does not require cookies of any kind to be enabled and does not even store anything on the user’s browser.

Canvas fingerprinting works by using JavaScript to prompt the user’s browser to draw an image using HTML5 technology. HTML5 is a newer web standard that has a bevy of uses, including a newer method for rendering images. The fingerprinting script asks the browser to draw an image in the background (invisible to the user) that reveals subtle details about the browser.

Each computer and browser will draw it slightly differently, meaning typical privacy protections do not conceal a person’s identity. Below is a collage of the different canvas fingerprints the researchers discovered in their research.

Who is using it?

According to AddThis, they sometimes aren’t using this information for ad-targeting but rather for internal research and development. On government websites, they assure that no ad-related information is collected. No promises, otherwise. Further, not all sites with AddThis code use canvas fingerprinting.

Some of the headlining websites found with canvas fingerprinting from AddThis include:

  • (see note below, though)
  • PlentyOfFish (
  • Basically every federal agency’s .gov site

See the full list of URLs here.

As pointed out by the Electronic Frontier Foundation, the presence of the AddThis code on the White House’s website probably violates its own privacy policy. YouPorn immediately removed AddThis from their site upon hearing about canvas fingerprinting. The truth is that the majority of the sites using AddThis did not know about canvas fingerprinting and won’t even benefit from the ad information collected by AddThis, since they’re just using the service for the sharing buttons.

Interestingly, AddThis told ProPublica that they’re considering nixing the entire thing. Not because of a sudden surge of ethics, but because it isn’t quite as accurate as they had hoped, especially on mobile devices. For others, especially for surveillance purposes, the degree of accuracy is probably plenty high.

How do you stop it?

To defend yourself, there are some options. First of all, the Tor Browser by default displays a prompt asking your permission before rendering HTML5 canvas content, warning that it may reveal identifying information. Between that and its other privacy features, it is your best bet – and my in-depth review found that it is indeed easy enough to use for novices.

Other options can do an adequate job. EFF’s Privacy Badger browser extension for Firefox and Chrome should take care of AddThis, at the least. Rather than using a list or blacklisting all of a certain type of web element, it detects what sites and cookies are trying to track you or load malicious code and blocks them on an ad hoc basis to keep from unnecessarily breaking the functionality of webpages.

Using the NoScript extension for Firefox or disabling JavaScript on Chrome will also do away with most canvas fingerprinting. However, many sites (including GeekSided) are borderline useless without JavaScript, so you’ll have to manually enable JavaScript for trusted sites (and the third parties that load necessary scripts on these sites). This can get annoying.

Lastly, using AdBlock Edge on Firefox or AdBlock on Chrome along with the EasyPrivacy list should yield good results blocking known canvas fingerprinting scripts (any ad-blocking extension that can use the EasyPrivacy list should work). Being list-based, the third party trying to fingerprint you will have to be known to the developers before it will be blocked. This is perhaps the easiest measure, however, and will keep AddThis scripts away.
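Because list-based blocking only catches scripts that are already known, it helps to see the behaviour itself: a script draws text to a canvas, then reads the pixels back. The following is an added example, not code from the researchers or from any extension named here; the function name `watchCanvas` and the fields of the report object are assumptions made for illustration.

```javascript
// Added example: flag the draw-then-read-back pattern behind canvas fingerprinting.
// watchCanvas and the report shape are hypothetical names for this illustration.
// In a browser, run this before any third-party script (e.g. from a content script):
//   watchCanvas(HTMLCanvasElement.prototype, CanvasRenderingContext2D.prototype, console.warn)
function watchCanvas(canvasProto, ctxProto, report) {
  const drawn = new WeakMap(); // canvas -> strings drawn onto it

  // Record text drawn to a canvas; rendered text is where machines differ subtly.
  for (const name of ['fillText', 'strokeText']) {
    const original = ctxProto[name];
    ctxProto[name] = function (text, ...rest) {
      const list = drawn.get(this.canvas) || [];
      list.push(String(text));
      drawn.set(this.canvas, list);
      return original.call(this, text, ...rest);
    };
  }

  // Reading pixels back is the step that turns a drawing into an identifier.
  const wrapRead = (proto, name, canvasOf) => {
    const original = proto[name];
    proto[name] = function (...args) {
      const canvas = canvasOf(this);
      const texts = drawn.get(canvas);
      if (texts) {
        report({
          api: name,
          texts,
          // A canvas that is not attached to the page is invisible to the user.
          attached: Boolean(canvas.isConnected),
          // In a browser the stack names the script that asked for the pixels.
          stack: new Error().stack,
        });
      }
      return original.apply(this, args);
    };
  };
  wrapRead(canvasProto, 'toDataURL', (c) => c);
  wrapRead(ctxProto, 'getImageData', (ctx) => ctx.canvas);
}
```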

Featured image by William Clifford (Flickr).