Online Privacy: How a Button Found on Many Web Pages Might Be Very Hazardous to Your Online Privacy
Update: Privacy tools worth knowing about and using (all free) including:
block a variety of tracking scripts, cookies, etc. including the canvas fingerprinting script from AddThis discussed below. We highly recommend your awareness and use of these tools. While these tools can assist in enhancing your online privacy, they are NOT a total and simple solution to the problem. Awareness and vigilance are still 100% essential.
Here’s the official announcement with details about new Internet privacy research. It looks at how at least one company is utilizing a “share” button that is currently found on many websites to track your online movement without your consent. This might not be all that new, but what’s different is that, unlike cookies and other tracking methods, this method, called canvas fingerprinting, is extremely difficult to block without the user having to make some major changes to their online behavior. In fact, the authors of the research go as far as to say, “there is no available solution for doing so with fingerprints.”
We’ve also included a link at the bottom of the post to an excellent article about canvas fingerprinting from ProPublica that includes comments from the CEO of the company named in the research.
From KU Leuven University in Belgium:
1 in 18 of the world’s top 100,000 websites track users without their consent using a previously undetected cookie-like tracking mechanism embedded in ‘share’ buttons. A new study by researchers at KU Leuven and Princeton University provides the first large-scale investigation of the mechanism and is the first to confirm its use on actual websites.
The mechanism, called “canvas fingerprinting”, uses special scripts – the coded instructions that tell your browser how to render a website – to exploit the browser’s so-called ‘canvas’, a browser functionality that can be used to draw images and text.
When a user visits a website with canvas fingerprinting software, a first script tells the user’s browser to print an invisible string of text on the browser’s canvas. Another script then instructs the browser to read back data about the pixels in the (invisibly) rendered image.
These data contain important information about the user’s browser type, graphics card, system fonts and even display properties. Because this grouping of data is highly likely to be unique for each user, it can be reliably associated to individual users, like a fingerprint.
Once a website has determined a device’s fingerprint, it can easily recognize the user on subsequent site visits, much in the same way cookies do.
But while unwanted cookies can be flagged or blocked to enhance a user’s online privacy, there is no available solution for doing so with fingerprints.
In this study, the researchers used automated ‘crawlers’ to scan the world’s top 100,000 websites for canvas fingerprinting scripts. They found canvas fingerprinting scripts on 5,542 of the internet’s top 100,000 websites, a prevalence of 5.5 percent.
Surprisingly, the researchers traced 95 percent of canvas fingerprinting scripts back to a single company: AddThis. AddThis is the world’s largest content sharing platform and provides free website plugins such as share buttons, follow buttons and content recommendation features. The company reaches an estimated 97.2% of Internet users in the United States and receives 103 billion page views each month.
Can users protect themselves against canvas fingerprinting? Acar and his colleagues studied the effect of ad-industry opt-out tools offered by the Network Advertising Initiative (NAI) and the European Interactive Digital Advertising Alliance. No websites included in the opt-lists stopped collecting canvas fingerprints after activating the opt-out option. At present, only one browser, Tor, can prevent canvas fingerprinting scripts, but this added security comes with major trade-offs in performance, functionality and content availability.
Many websites, including sensitive sites such as health and government websites, unknowingly contain canvas fingerprinting – by using one of AddThis’ free plug-ins for example.
Read the Complete Study: The Web Never Forgets (via KU Leuven)
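The write-then-read-back sequence described in the release is also the pattern a crawler or site owner can look for when auditing third-party scripts. The following is an added example, not code from the study or from this post: it flags scripts that draw text on a canvas and then read the pixels back. The call-log format, the script URLs, and the size and image-format thresholds are assumptions made for illustration.

```javascript
// Added example. Constructed sample: canvas API calls recorded by an
// instrumented browser during one page load. The record format and all
// script URLs are hypothetical.
const SAMPLE_CALLS = [
  { script: "https://widgets.example/share.js", api: "fillText", text: "Sample 123 !@#" },
  { script: "https://widgets.example/share.js", api: "toDataURL", width: 300, height: 150, type: "image/png" },
  { script: "https://charts.example/plot.js", api: "fillText", text: "Q3 revenue" },
  { script: "https://photo.example/thumb.js", api: "toDataURL", width: 64, height: 64, type: "image/jpeg" },
  { script: "https://tiny.example/icon.js", api: "fillText", text: "ok" },
  { script: "https://tiny.example/icon.js", api: "getImageData", width: 4, height: 4 },
];

const TEXT_WRITES = new Set(["fillText", "strokeText"]);
const READBACKS = new Set(["toDataURL", "getImageData"]);
// Assumed thresholds for this example: tiny canvases and lossy exports carry
// too little pixel detail to tell devices apart, so they are not counted.
const MIN_AREA = 16 * 16;
const LOSSY_TYPES = new Set(["image/jpeg"]);

function isUsableReadback(call) {
  if (!READBACKS.has(call.api)) return false;
  if (call.api === "toDataURL" && LOSSY_TYPES.has(call.type)) return false;
  return call.width * call.height >= MIN_AREA;
}

// Returns the script URLs that drew text and later read the pixels back.
function findCanvasFingerprinters(calls) {
  const state = new Map(); // script URL -> { wroteText, readBack }
  for (const call of calls) {
    const s = state.get(call.script) || { wroteText: false, readBack: false };
    if (TEXT_WRITES.has(call.api)) s.wroteText = true;
    // Order matters: only a read that follows a text write can capture it.
    if (s.wroteText && isUsableReadback(call)) s.readBack = true;
    state.set(call.script, s);
  }
  return [...state]
    .filter(([, s]) => s.readBack)
    .map(([url]) => url)
    .sort();
}

console.log(findCanvasFingerprinters(SAMPLE_CALLS));
```

A flagged script is a candidate for manual review rather than a verdict, since some legitimate scripts also draw text and export the canvas.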
See Also: Meet the Online Tracking Device That is Virtually Impossible to Block
Rich Harris, chief executive of AddThis, said that the company began testing canvas fingerprinting earlier this year as a possible way to replace “cookies,” the traditional way that users are tracked, via text files installed on their computers. “We’re looking for a cookie alternative,” Harris said in an interview. Harris said the company considered the privacy implications of canvas fingerprinting before launching the test, but decided “this is well within the rules and regulations and laws and policies that we have.” He added that the company has only used the data collected from canvas fingerprints for internal research and development. The company won’t use the data for ad targeting or personalization if users install the AddThis opt-out cookie on their computers, he said.
The article includes a section titled, “How You Can Try to Thwart Canvas Fingerprinting”
Read the Complete Article
About Gary Price
Gary Price (email@example.com) is a librarian, writer, consultant, and frequent conference speaker based in the Washington D.C. metro area. He earned his MLIS degree from Wayne State University in Detroit. Price has won several awards including the SLA Innovations in Technology Award and Alumnus of the Year from the Wayne St. University Library and Information Science Program. From 2006-2009 he was Director of Online Information Services at Ask.com. Gary is also the co-founder of infoDJ an innovation research consultancy supporting corporate product and business model teams with just-in-time fact and insight finding.