Linked by Thom Holwerda on Tue 22nd Jul 2014 08:49 UTC
Internet & Networking

A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.

First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor's Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user's device a number that uniquely identifies it.

Advertising companies will become increasingly... 'Creative' to find some way of tracking us that circumvents known laws and technological barriers. However, I doubt you have to worry about the small fish - worry about what the biggest internet advertising company in the world has cooking in its labs.

Thread beginning with comment 592855
Noscript blocks this
by oskeladden on Tue 22nd Jul 2014 09:55 UTC
oskeladden
Member since:
2009-08-05

It isn't 'virtually impossible' to block. Noscript can be set to block canvas requests even when you have Javascript enabled, and has had this capacity for ages. By the standards of tracking technologies, this makes canvas fingerprinting relatively easy to block.

I agree that your typical web surfer has probably never heard of Noscript, but that doesn't mean it's hard to block - it just means most people won't block it even though it isn't particularly hard.

Reply Score: 9

RE: Noscript blocks this
by avgalen on Tue 22nd Jul 2014 11:09 in reply to "Noscript blocks this"
avgalen Member since:
2010-09-23

<programmer>
I don't get this trick. Basically it is asking to gather some browser info and draw some things on a canvas with all available fonts to generate a hash of the resulting drawing. Wouldn't it work with just requesting that same browser info and the list of available fonts without doing the canvas drawing?
</programmer>

Also: Bad trackers!

Reply Parent Score: 5

RE[2]: Noscript blocks this
by ssokolow on Tue 22nd Jul 2014 11:26 in reply to "RE: Noscript blocks this"
ssokolow Member since:
2010-01-21

I don't get this trick. Basically it is asking to gather some browser info and draw some things on a canvas with all available fonts to generate a hash of the resulting drawing. Wouldn't it work with just requesting that same browser info and the list of available fonts without doing the canvas drawing?

Outside canvas, they already have various mechanisms in place to prevent that sort of thing elsewhere so it's possible that you need the canvas to bypass those protections.

For example, I know for a fact that, to prevent CSS history sniffing, :visited styles can't affect page layout and getComputedStyle() always returns the un-visited styling data for them:

https://blog.mozilla.org/security/2010/03/31/plugging-the-css-histor...

...and WebGL imposes cross-domain restrictions on textures because shaders could be used to poke holes in cross-domain security otherwise:

http://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl...

It wouldn't surprise me if this resulted in browsers restricting <canvas> to only fonts that the site explicitly sent to the user's computer plus some default font or set of fonts that's bundled with the browser to ensure it's consistent across all installs.

(After all, you've already got easier ways to determine which browser the user is running, so that'd take the list of available fonts out of the entropy pool and, if you've ever dropped by Panopticlick with Javascript enabled, they're quite a significant contributor.)

Edited 2014-07-22 11:35 UTC

Reply Parent Score: 5

RE[2]: Noscript blocks this
by Alfman on Tue 22nd Jul 2014 11:30 in reply to "RE: Noscript blocks this"
Alfman Member since:
2011-01-28

avgalen,

I don't get this trick. Basically it is asking to gather some browser info and draw some things on a canvas with all available fonts to generate a hash of the resulting drawing. Wouldn't it work with just requesting that same browser info and the list of available fonts without doing the canvas drawing?
I think you are right, but the canvas method gives you another method to get the font information.

Contrary to what's claimed earlier in the article ("the images can be used to assign each user's device a number that uniquely identifies it."), AddThis actually says the opposite:

AddThis said it rolled out the feature to a small portion of the 13 million websites on which its technology appears, but is considering ending its test soon. “It’s not uniquely identifying enough,” Harris said.

Reply Parent Score: 4

RE[2]: Noscript blocks this
by stestagg on Tue 22nd Jul 2014 12:50 in reply to "RE: Noscript blocks this"
stestagg Member since:
2006-06-03

It's not just the fonts that are rendered, it's /how/ they're rendered. Each graphics card/driver renders/composes fonts slightly differently, and canvas is usually GPU rendered.

By comparing the differences, it's fairly easy to identify the same user.

Reply Parent Score: 7

RE[2]: Noscript blocks this
by Hiev on Tue 22nd Jul 2014 13:11 in reply to "RE: Noscript blocks this"
Hiev Member since:
2005-09-27

Blocking JavaScript to avoid creating the canvas may not be enough; there are still ways to draw without it.

http://cssdeck.com/labs/mona-lisa-with-pure-css

Edited 2014-07-22 13:13 UTC

Reply Parent Score: 4

RE: Noscript blocks this
by Alfman on Tue 22nd Jul 2014 11:17 in reply to "Noscript blocks this"
Alfman Member since:
2011-01-28

oskeladden,

+1

AddThis is no more "impossible to block" than any other tracker. Google Analytics is far more pervasive and privacy-leaking IMHO, and GA is used here on OSNews.


NoScript isn't very user friendly, IMHO. Normal users can use Ghostery, which is as user friendly as AdBlock but will block trackers that don't display ads, including "AddThis" as pertains to the article.

https://www.ghostery.com/en/apps/addthis


Device fingerprints rely on the fact that every computer is slightly different: Each contains different fonts, different software, different clock settings and other distinctive features. Computers automatically broadcast some of their attributes when they connect to another computer over the Internet.


Maybe this could be added to the EFF's Panopticlick to gather more information, but I'd be surprised if canvas rendering didn't correlate very highly with existing bits of entropy (like OS+browser versions and font list).

https://panopticlick.eff.org/

Reply Parent Score: 5

RE[2]: Noscript blocks this
by BushLin on Thu 24th Jul 2014 14:03 in reply to "RE: Noscript blocks this"
BushLin Member since:
2011-01-26

Ghostery does nothing about ajax.googleapis.com and the referrers / fingerprinting they collect. The developers have been notified and queried about it; their responses have varied between dismissive, rude and arrogant.

Needless to say I have not trusted Ghostery for some time, even if you ignore the buy out by a marketing company.

Reply Parent Score: 3