Thousands of Sites Found Tracking Users Through Practically Unblockable ‘Fingerprint’ Mechanism

The rise of sophisticated new online tracking mechanisms, including one known as ‘canvas fingerprinting’ that’s been infiltrating the Internet, could soon raise the ire of privacy conscious users.

A recent study, a collaborative effort between researchers at Princeton University and researchers from KU Leuven in Belgium, warns of the relatively new and mostly unblockable mechanism, pointing out that while previously unseen, over five percent of the top 100,000 websites now feature it.

The researchers unveiled their work in a paper “The Web Never Forgets: Persistent Tracking Mechanisms in the Wild” (.PDF) that made its way online this week.

The method – first theorized back in 2012 (.PDF) by researchers at the University of California, San Diego – uses browsers’ Canvas API to draw invisible images and pulls what the paper calls a “long-term fingerprint” of the user. At the time, researchers warned that an attacker could use it to “exploit the subtle difference in the rendering of the same text to extract a consistent fingerprint that can easily be obtained in a fraction of a second without user’s awareness.”

While the concept has been established for two years now, this is the first time examples of it have been discovered being used on websites.

With the mechanism, a script has the browser's Canvas API render a string of letters and numbers into a canvas. The exact pixels that come out depend on several variables: the computer's operating system, font library, graphics card, etc. The script then reads the pixel data back and turns it into a hash; this hash is the fingerprint.

The site then uses that fingerprint to recognize users on their return visit, similar to how cookies work. Unlike cookies and other tracking mechanisms however, the researchers caution that canvas fingerprinting can directly subvert users’ wishes not to be tracked as it inherently resists removal.

In their study the researchers found that the lion's share of sites running canvas fingerprinting scripts are using technology from a single web-tracking company, AddThis. Ninety-five percent of the sites the researchers found with "canvas fingerprinting," or 1 in every 18, were running code by the Virginia-based company that specializes in social media sharing tools.

Among the sites the researchers combed, a slew of popular ones, including CBS, cheezburger.com, Starbucks.com, barstoolsports.com and even whitehouse.gov, run canvas fingerprinting scripts on their homepages, according to the researchers.

Other sites running the fingerprinting code include ones using technology from the German digital marketer Ligatus and the Canada-based dating site PlentyofFish.

A complete list of the nearly 6,000 sites the researchers dug up can be found here.

Rich Harris, AddThis’ Chief Executive, acknowledged in interviews with both ProPublica and Mashable this week that the company first began using the mechanism as a way to get away from cookies, previously considered to be industry standard when it comes to tracking users online.

“We’re looking for a cookie alternative,” Harris said, adding that the company only deployed the mechanism in a small handful of the 13 million websites it comes rolled up in.

Harris admits that the company has to date used the data it gathered only for research and development, and that, for what it's worth, it is considering ending the test soon.

Defending the company’s choice to use canvas fingerprinting, Harris claims its activity is “well within the rules and regulations and laws and policies that we have.”

Legal nitpicking aside, concerned users can always opt out of having the information AddThis tracks sent to advertisers, but that hasn't stopped the researchers from stressing the clear advantage the company could have when it comes to tracking its users.

“By collecting fingerprints from millions of users and correlating this with cookie based identification, the popular third party trackers such as AddThis are in the best position to both measure how identifying browser features are and develop methods for monitoring and matching changing fingerprints,” the researchers warned.

The paper also spends time discussing cookie syncing and the Evercookie, a persistent JavaScript API, first introduced back in 2010, that produces extremely stubborn cookies.

As far as canvas fingerprinting is concerned, on the whole, it looks like there's little users can do to thwart the new technology. Save for a recent campaign by Mozilla to enumerate plugins, most browser manufacturers do not have a built-in defense against the mechanism.

Chameleon, a Tor-like Chrome browser extension, is working on protecting against canvas fingerprinting, but since it’s still in pre-alpha, developer-only mode, its creators can’t yet promise complete defense.

Meanwhile, plugins like AdBlock Plus and Ghostery can block third-party content but can’t stop fingerprints from being extracted.

The researchers claim the only way to successfully protect against canvas fingerprinting would be to use the Tor Browser, which, as of June, returns an empty image from the API when a script asks to read the canvas back.
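The mechanism described earlier (draw text, read the pixels back, hash them) and the Tor Browser defense described here can be seen together in one piece of code. The following is an added example, not code from the article, the paper, or any browser or extension it names: a content-script-style guard that wraps the Canvas API's drawing and read-back methods, flags a read that looks like a fingerprint, and hands back an empty image instead. The detection heuristics (text drawn in a canvas that is never attached to the page and never listens for input) are assumptions chosen for this example, not the paper's classifier, and the `FakeCanvas`/`FakeContext` classes are constructed stand-ins so the code runs outside a browser.

```javascript
"use strict";

// Per-canvas bookkeeping consulted by the heuristics below.
const canvasState = new WeakMap();

function stateFor(canvas) {
  let s = canvasState.get(canvas);
  if (!s) {
    s = { textChars: 0, colours: new Set(), listeners: 0 };
    canvasState.set(canvas, s);
  }
  return s;
}

// Heuristics assumed for this example: a fingerprinting script draws a string
// of text (often in more than one colour) into a canvas that is never attached
// to the page and never receives user input, then reads the pixels back.
function looksLikeFingerprint(canvas) {
  const s = stateFor(canvas);
  const drewText = s.textChars >= 10 || s.colours.size >= 2;
  const hidden = !canvas.isConnected;
  return drewText && hidden && s.listeners === 0;
}

// Wrap the drawing and read-back methods on the given prototypes. In a browser
// content script you would pass HTMLCanvasElement.prototype and
// CanvasRenderingContext2D.prototype, plus a createBlankCanvas that does
// document.createElement("canvas") and sets width/height.
function installCanvasGuard({ canvasProto, contextProto, createBlankCanvas, onDetect }) {
  const origFillText = contextProto.fillText;
  const origGetImageData = contextProto.getImageData;
  const origToDataURL = canvasProto.toDataURL;
  const origAddListener = canvasProto.addEventListener;

  contextProto.fillText = function (text, ...rest) {
    const s = stateFor(this.canvas);
    s.textChars += String(text).length;
    s.colours.add(String(this.fillStyle));
    return origFillText.call(this, text, ...rest);
  };

  canvasProto.addEventListener = function (...args) {
    stateFor(this).listeners += 1;
    return origAddListener.apply(this, args);
  };

  canvasProto.toDataURL = function (...args) {
    if (looksLikeFingerprint(this)) {
      onDetect({ method: "toDataURL", width: this.width, height: this.height });
      // Return the encoding of an untouched canvas of the same size: the
      // "empty image" behaviour the article attributes to Tor Browser.
      return origToDataURL.apply(createBlankCanvas(this.width, this.height), args);
    }
    return origToDataURL.apply(this, args);
  };

  contextProto.getImageData = function (x, y, w, h, ...rest) {
    if (looksLikeFingerprint(this.canvas)) {
      onDetect({ method: "getImageData", width: w, height: h });
      // All-zero RGBA buffer; in a real browser use `new ImageData(w, h)`.
      return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4) };
    }
    return origGetImageData.call(this, x, y, w, h, ...rest);
  };
}

// Constructed stand-ins for the DOM objects so the guard runs under Node.
class FakeContext {
  constructor(canvas) { this.canvas = canvas; this.fillStyle = "#000000"; this.ops = []; }
  fillText(text) { this.ops.push(`${this.fillStyle}:${text}`); }
  getImageData(x, y, w, h) {
    return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4).fill(200) };
  }
}
class FakeCanvas {
  constructor(width, height, isConnected) {
    this.width = width; this.height = height; this.isConnected = isConnected;
    this.ctx = new FakeContext(this);
  }
  getContext() { return this.ctx; }
  addEventListener() {}
  // Encodes what was drawn, standing in for a real PNG data URL.
  toDataURL() { return `data:image/png;fake,${this.ctx.ops.join("|")}`; }
}

const detections = [];
installCanvasGuard({
  canvasProto: FakeCanvas.prototype,
  contextProto: FakeContext.prototype,
  createBlankCanvas: (w, h) => new FakeCanvas(w, h, false),
  onDetect: (d) => detections.push(d),
});

// Scenario 1 (constructed): an offscreen canvas, text in two colours, read back
// as a data URL. This is the pattern the article describes.
function runFingerprintScenario() {
  const before = detections.length;
  const c = new FakeCanvas(300, 50, false);
  const ctx = c.getContext("2d");
  ctx.fillStyle = "#f60"; ctx.fillText("Cwm fjordbank glyphs", 2, 2);
  ctx.fillStyle = "#069"; ctx.fillText("vext quiz", 4, 17);
  return { dataUrl: c.toDataURL(), detected: detections.length - before };
}

// Scenario 2 (constructed): a visible canvas that handles clicks and draws a
// short label, as a drawing tool might. Its pixel read must pass untouched.
function runLegitScenario() {
  const before = detections.length;
  const c = new FakeCanvas(300, 50, true);
  c.addEventListener("click", () => {});
  const ctx = c.getContext("2d");
  ctx.fillText("Score: 10", 2, 2);
  return { firstByte: ctx.getImageData(0, 0, 2, 2).data[0], detected: detections.length - before };
}

console.log(runFingerprintScenario(), runLegitScenario());
```

The fingerprint scenario gets back the blank canvas's encoding and one detection is logged; the legitimate scenario reads its real pixels with no detection. Real content does hit these heuristics sometimes (a chart rendered offscreen and exported, for instance), which is the same trade-off the article notes for Privacy Badger: blocking by behaviour alone risks breaking sites, so a shipping extension would pair the heuristic with a per-site allow list or a prompt.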

The discovery should no doubt make another hurdle for those truly concerned about their privacy online.

But on the other side of the coin, there continues to be no shortage of new privacy tools flooding the internet. The Electronic Frontier Foundation, following the one year anniversary of the Edward Snowden debacle last month, circulated a handful of such tools, including the aforementioned Tor, HTTPS Everywhere, TextSecure, and others.

A similar new tool, the EFF's Privacy Badger browser extension designed to mitigate online tracking via social media, was also launched this week. Kurt Opsahl, part of the EFF's Privacy Badger team, acknowledged Tuesday that the tool detects AddThis cookies and blocks JavaScript, but if a site were running just a canvas fingerprinting script, without cookies, it would be more difficult to detect.

“Privacy Badger is an algorithmic program,” Opsahl said, “[on AddThis sites] it will show the cookie from AddThis.com and block the tracker, which has the effect of the canvas being drawn.”
