As rules on cookies tracking become stricter, new web tracking techniques have cropped up, including a new ‘canvas fingerprinting’ tool that’s almost impossible for users to block… for now.
According to a new report by ProPublica, at least five percent of the internet’s top 100,000 websites are using ‘canvas fingerprinting’, which essentially takes a ‘fingerprint’ of a user’s computer via its web browser.
The software is nearly impossible to block using conventional privacy tools, ProPublica reports.
The findings come from a forthcoming paper authored by researchers at Princeton University and Belgium’s KU Leuven University.
The technique was invented in 2012 by researchers at the University of California, San Diego, and has already been developed into commercial products by companies.
There is more than one type of ‘canvas fingerprinting’ tool available, but they most widely used publisher of the software is AddThis, reportedly used on popular websites such as Whitehouse.gov, online dating site PlentyOfFish, CBS, and even YouPorn.
View a full list here: https://securehomes.esat.kuleuven.be/~gacar/sticky/index.html
“This is an advanced tracking mechanism that misuses browser features to enable the circumvention of users’ tracking preferences. We hope that our results will lead to better defences, increase accountability for companies deploying sticky tracking techniques and an invigorated and informed public and regulatory debate on increasingly resilient tracking techniques,” says Gunes Acar, the study’s lead author.
How it works
The tool asks a user’s browser to draw a small image on their screen when they visit a website.
Certain unique characteristics of their browser and computer mean that this image is drawn in an near-unique way that can be used to identify the user.
The image is analysed, converted into a number and sent back to a third party.
All of the website visits with a matching number can then be grouped together to create a profile of what that unique user looks at and when.
As well as circumventing EU legislation, this technique also manages to evade most other methods of staying private.
Incognito or private modes commonly provided by browsers will not prevent it, nor will advert-blocking software.
The tool can be circumvented via the TOR network or via the Chamelon browser – but both require technical expertise to set up.
Industry backlash?
After ProPublica’s original article was published, a YouPorn spokesperson said the website was unaware the app was tracking users and has removed AddThis functionality.
A YouPorn.com spokesperson told ProPublica that the site was “completely unaware that AddThis contained a tracking software that had the potential to jeopardize the privacy of our users.”
AddThis chief executive Rich Harris stressed that the company does not use canvas fingerprinting for anything other than ad targeting and personalisation, and that users can stop their data from being used for advertising or marketing by installing a specific opt-out cookie on their computers.
A YouPorn.com spokesperson told ProPublica that the site was “completely unaware that AddThis contained a tracking software that had the potential to jeopardize the privacy of our users.” It has removed all AddThis technology from its site.