Canvas fingerprinting and privacy

July 30, 2014 |

Pro publica has run a number of very important stories on internet privacy, in particular regarding on line tracking such as Why Online Tracking Is Getting Creepier, and It’s Complicated: Facebook’s History of Tracking You and Privacy Tools: How to Block Online Tracking.

Pro publica’s story Meet the Online Tracking Device That is Virtually Impossible to Block has caused something of a stir given the concerns about tracking tools.  As the article notes it has prompted at least one site to remove the program.

It provides:

Update: After this article was published, YouPorn contacted us to say it had removed AddThis technology from its website, saying that the website was “completely unaware that AddThis contained a tracking software that had the potential to jeopardize the privacy of our users.” A spokeswoman for the German digital marketer Ligatus also said that is no longer running its test of canvas fingerprinting, and that it has no plans to use it in the future.

…….

A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.

First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.

Like other tracking tools, canvas fingerprints are used to build profiles of users based on the websites they visit — profiles that shape which ads, news articles, or other types of content are displayed to them.

But fingerprints are unusually hard to block: They can’t be prevented by using standard Web browser privacy settings or using anti-tracking tools such as AdBlock Plus.

The researchers found canvas fingerprinting computer code, primarily written by a company called AddThis, on 5 percent of the top 100,000 websites. Most of the code was on websites that use AddThis’ social media sharing tools. Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish. (A list of all the websites on which researchers found the code is here).

Rich Harris, chief executive of AddThis, said that the company began testing canvas fingerprinting earlier this year as a possible way to replace “cookies,” the traditional way that users are tracked, via text files installed on their computers.

“We’re looking for a cookie alternative,” Harris said in an interview.

Harris said the company considered the privacy implications of canvas fingerprinting before launching the test, but decided “this is well within the rules and regulations and laws and policies that we have.”

He added that the company has only used the data collected from canvas fingerprints for internal research and development. The company won’t use the data for ad targeting or personalization if users install the AddThis opt-out cookie on their computers, he said.

Arvind Narayanan, the computer science professor who led the Princeton research team, countered that forcing users to take AddThis at its word about how their data will be used, is “not the best privacy assurance.”

Device fingerprints rely on the fact that every computer is slightly different: Each contains different fonts, different software, different clock settings and other distinctive features. Computers automatically broadcast some of their attributes when they connect to another computer over the Internet.

Tracking companies have long sought to use those differences to uniquely identify devices for online advertising purposes, particularly as Web users are increasingly using ad-blocking software and deleting cookies.

In May 2012, researchers at the University of California, San Diego, noticed that a Web programming feature called “canvas” could allow for a new type of fingerprint — by pulling in different attributes than a typical device fingerprint.

How You Can Try to Thwart Canvas Fingerprinting

  • Use the Tor browser (Warning: can be slow)
  • Block JavaScript from loading in your browser (Warning: breaks a lot of web sites)
  • Use NoScript browser extension to block JavaScript from known fingerprinters such as AddThis (Warning: requires a lot of research and decision-making)
  • Use a browser extension that blocks JavaScript from known ad tracking companies such as AddThis. Extensions include Disconnect or AdBlockPlus browser extension with the EasyPrivacy filter installed. (Warning: Only blocks known ad tracking companies; other websites could still employ canvas fingerprinting)
  • Try the experimental browser extension Chameleon that is designed to block fingerprinting (Warning: only recommended for tech-savvy users at this point)
  • Install opt-out cookies from known fingerprinters such as AddThis (Warning: fingerprint will likely still be collected, companies simply pledge not to use the data for ad targeting or personalization)

In June, the Tor Project added a feature to its privacy-protecting Web browser to notify users when a website attempts to use the canvas feature and sends a blank canvas image. But other Web browsers did not add notifications for canvas fingerprinting.

A year later, Russian programmer Valentin Vasilyev noticed the study and added a canvas feature to freely available fingerprint code that he had posted on the Internet. The code was immediately popular.

But Vasilyev said that the company he was working for at the time decided against using the fingerprint technology. “We collected several million fingerprints but we decided against using them because accuracy was 90 percent,” he said, “and many of our customers were on mobile and the fingerprinting doesn’t work well on mobile.”

Vasilyev added that he wasn’t worried about the privacy concerns of fingerprinting. “The fingerprint itself is a number which in no way is related to a personality,” he said.

AddThis improved upon Vasilyev’s code by adding new tests and using the canvas to draw a pangram “Cwm fjordbank glyphs vext quiz” — a sentence that uses every letter of the alphabet at least once. This allows the company to capture slight variations in how each letter is displayed.

AddThis said it rolled out the feature to a small portion of the 13 million websites on which its technology appears, but is considering ending its test soon. “It’s not uniquely identifying enough,” Harris said.

AddThis did not notify the websites on which the code was placed because “we conduct R&D projects in live environments to get the best results from testing,” according to a spokeswoman.

She added that the company does not use any of the data it collects — whether from canvas fingerprints or traditional cookie-based tracking — from government websites including WhiteHouse.gov for ad targeting or personalization.

The company offered no such assurances about data it routinely collects from visitors to other sites, such as YouPorn.com. YouPorn.com did not respond to inquiries from ProPublica about whether it was aware of AddThis’ test of canvas fingerprinting on its website.

This has prompted a response from Slate who suggests that canvas fingerprinting may not be effective. But as both articles make clear that the individual is most likely going to have to take some steps to thwart the program.  Why should they?

The Slate article provides:

Cookies have been around since the ’90s Internet, so it’s not surprising that after all these years there’s a new game in town. But it’s concerning that the new tracking apparatus, canvas fingerprinting, was called “virtually impossible to block” by ProPublica’s Julia Angwin. And now the Internet is responding.  

 Canvas fingerprinting uses a script to render an extra and invisible part of a webpage along with the regular site you’re looking for. The extra piece is there specifically to evaluate minor things about your computer that your system reveals in the process of loading the site. They’re little things like which browser you’re using and which version of it you’re running, but when enough of them are put together, says Angwin, they can turn into a unique profile or fingerprint, and then companies can use this identifier to track your browsing.

A service called AddThis is primarily responsible for the advent of canvas fingerprinting, and according to ProPublica, certain high-traffic sites—even WhiteHouse.gov—use AddThis. Many of them probably didn’t even really know what AddThis did before the ProPublica story. Since publication of the piece, YouPorn, another big site that used AddThis, has already said that it has discontinued using the tracking service. And the Electronic Frontier Foundation points out that AddThis’s functionality violates the White House’s own cookie-related privacy policy.

But maybe it’s not even worth fighting canvas fingerprinting. Internet filtering company AdBlock Plus, which was mentioned in the ProPublica article, posted a blog post by lead developer Wladimir Palant on Wednesday that argues that canvas fingerprinting is doomed to fail because sheer volume of users should stymie the approach. He explains that canvas fingerprinting uses available information about users’ graphics drivers, browsers, operating systems, and other parameters to identify them on different sites based on their system’s unique combination of attributes. But he notes that even if a tracker looks at tons of criteria, it’s pretty likely that groups of people will have the same combinations. Palant says,

All this taken into account, my guess is that canvas fingerprinting can work to identify users on smaller websites with a fairly stable community. However, as soon as you start talking about millions of users (e.g. if you want to track users across multiple websites), it is just too likely that different users will have exactly the same configuration and won’t be distinguishable by means of canvas fingerprinting.

Palant also cites problems with canvas fingerprinting that the ProPublica article itself brings up, like the fact that canvas fingerprinting doesn’t work so well for tracking mobile users. Even AddThis is skeptical  continuing to use the approach. But if that doesn’t satisfy your concerns about canvas fingerprinting, Palant suggests using AddBlock Plus (naturally) and its EasyPrivacy filter list as a way of ensuring anonymity. The Electronic Frontier Foundation says that its Privacy Badger plugin can also help you go off the canvas fingerprinting grid.

Angwin says that Palant isn’t quite getting the point. “I don’t think you should dismiss every threat just because it doesn’t seem effective,” she said. If companies are tracking you, it’s worthwhile to know how, and what you can do about it, instead of passively allowing it. But Angwin says she is heartened by the large response to her piece. “It reminded me that people still do care about this stuff,” she said.

One Response to “Canvas fingerprinting and privacy”

  1. Canvas fingerprinting and privacy | Australian Law Blogs

    […] Canvas fingerprinting and privacy […]

Leave a Reply