
A New Form of Online Tracking: Canvas Fingerprinting

Posted by Unknown Lamer
from the subverting-features-for-evil-and-profit dept.
New submitter bnortman (922608) was the first to write in with word of "a new research paper discussing a new form of user fingerprinting and tracking for the web using the HTML 5 <canvas>." globaljustin adds more from an article at Pro Publica: Canvas fingerprinting works by instructing the visitor's Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user's device a number that uniquely identifies it. ... The researchers found canvas fingerprinting computer code ... on 5 percent of the top 100,000 websites. Most of the code was on websites that use the AddThis social media sharing tools. Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish. ... Rich Harris, chief executive of AddThis, said that the company began testing canvas fingerprinting earlier this year as a possible way to replace cookies ...
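The detection side of the technique the summary describes, as an added example that is not code from the article, the paper or any commenter: a hook that watches for the draw-text-then-read-back pattern on a canvas the page never shows. The heuristic is my own simplification (an assumption, not the paper's exact criteria), and fakeCanvas() is a constructed stand-in so the file runs outside a browser.

```javascript
// Defender-side hook (assumption: heuristic simplified from the paper): a read-back is
// flagged when text with many distinct characters was drawn on a canvas of at least
// 16x16 px that was never attached to the page. In a browser you would wrap
// HTMLCanvasElement.prototype.toDataURL and CanvasRenderingContext2D.prototype.fillText
// and strokeText the same way; here a constructed fake canvas stands in for them.
const MIN_SIZE = 16;      // smaller canvases carry too little rendering variance
const MIN_DISTINCT = 10;  // fingerprinters draw pangram-like strings, charts draw labels
function classifyReadback(canvas, drawnChars) {
  const bigEnough = canvas.width >= MIN_SIZE && canvas.height >= MIN_SIZE;
  const hidden = !canvas.isConnected;  // never inserted into the DOM, so no one saw it
  const suspicious = bigEnough && drawnChars.size >= MIN_DISTINCT && hidden;
  return { suspicious, hidden, distinctChars: drawnChars.size,
           width: canvas.width, height: canvas.height };
}
// Wrap the text-drawing and read-back methods of one canvas; report() sees each verdict.
function instrumentCanvas(canvas, report) {
  const drawn = new Set();  // distinct characters written with fillText/strokeText
  const ctx = canvas.getContext('2d');
  for (const method of ['fillText', 'strokeText']) {
    const original = ctx[method];
    ctx[method] = function (text, ...rest) {
      for (const ch of String(text)) drawn.add(ch);
      return original.call(this, text, ...rest);
    };
  }
  const originalToDataURL = canvas.toDataURL;
  canvas.toDataURL = function (...args) {
    report(classifyReadback(canvas, drawn));  // verdict is recorded before the data leaves
    return originalToDataURL.apply(this, args);
  };
  return canvas;
}
// Constructed stand-in for an HTMLCanvasElement with a 2D context; nothing is rendered.
function fakeCanvas(width, height, isConnected) {
  const ctx = { fillText() {}, strokeText() {} };
  return { width, height, isConnected, getContext: () => ctx,
           toDataURL: () => 'data:image/png;base64,AAAA' };
}
// Two read-backs: a hidden pangram canvas (tracker pattern) and a visible chart label.
function demo() {
  const reports = [];
  const tracker = instrumentCanvas(fakeCanvas(220, 30, false), r => reports.push(r));
  tracker.getContext('2d').fillText('Cwm fjordbank glyphs vext quiz', 2, 15);
  tracker.toDataURL();
  const chart = instrumentCanvas(fakeCanvas(400, 300, true), r => reports.push(r));
  chart.getContext('2d').fillText('Q3', 10, 10);
  chart.toDataURL();
  return reports;
}
```

Only the first read-back is flagged: the chart canvas is visible and draws too few distinct characters to look like a fingerprinting probe.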
  • Privacy Badger (Score:5, Informative)

    by cmdr_tofu (826352) on Tuesday July 22, 2014 @08:15AM (#47506695) Homepage

    I guess this is probably the best place to plug privacy badger https://www.eff.org/privacybad... [eff.org] (although I'm not sure if it would defeat this... noscript + privacy badger?)

    I just learned about privacy badger 2 days ago at HOPE.

  • Re:Privacy Badger (Score:4, Informative)

    by just_another_sean (919159) on Tuesday July 22, 2014 @08:30AM (#47506787) Homepage Journal

    Yes, Privacy Badger is a great tool. It's a little tedious when loading content from CDNs, can make pages look pretty bad unless you let a little tracking in... So I also keep my privacy set to delete everything when I close the browser. I also follow the guidelines here [debian.org] (scroll down to the Web Browser section). It's Debian specific but easily translated to whatever Mozilla-based browsing experience you're using.

    As mentioned in the HowTo you can check your "fingerprint" here: https://panopticlick.eff.org/ [eff.org].

    And all that said, I have no idea at the moment if any of the above defeats the technique from TFA.

  • Re:Identical devices (Score:5, Informative)

    by RKThoadan (89437) on Tuesday July 22, 2014 @08:31AM (#47506795)

    It looks like the technical details would be found in this link: http://cseweb.ucsd.edu/~hovav/... [ucsd.edu]

    In that first article the CEO of AddThis says that "It's not uniquely identifying enough" and the guy who originally developed it says it's only 90% accurate.

  • by justthinkit (954982) <floyd@just-think-it.com> on Tuesday July 22, 2014 @08:34AM (#47506817) Homepage Journal
    There are a number of other sites that are hosting the code. Check the summary link to see what they are.

    Since the sites using this exploit are sorted by Alexa rank, I gave up looking after a while, but here are "the biggies":
    127.0.0.1 addthis.com
    127.0.0.1 ligatus.com
    127.0.0.1 cloudfront.net
    127.0.0.1 vcmedia.vn
    127.0.0.1 cloudflare.com
    127.0.0.1 kitcode.net
    127.0.0.1 pof.com
    127.0.0.1 shorte.st
    127.0.0.1 ringier.cz
    127.0.0.1 insnw.net
    127.0.0.1 domainsigma.com

    Not sure how seriously this would break things, but some are hosting the exploit on Amazon's cloud: 127.0.0.1 amazonaws.com
  • Re:So (Score:5, Informative)

    by Crayon Kid (700279) on Tuesday July 22, 2014 @09:01AM (#47507013)

    Use the RequestPolicy [mozilla.org] addon in Firefox. It's a whitelist for allowing certain sites to load resources (of any kind) from other sites. If the pairing between the site you're on and another site is not explicitly added to RequestPolicy, nothing gets loaded (the request is not even made to begin with). It covers JS, CSS, images, anything.

    IMO it's a more practical approach than NoScript, although not as ultra-secure.

    In case you're wondering what's the difference between RequestPolicy and Ghostery:

    • Ghostery is a blacklist, not a whitelist (blocks only the things in the list, allows anything else). Blacklists are usually a bad idea in security.
    • With RequestPolicy you control the list, with Ghostery someone else does.
    • Ghostery has a lot of extra fluff, RP has only what's needed.
  • by Dan East (318230) on Tuesday July 22, 2014 @09:16AM (#47507099) Homepage Journal

    The research paper discusses two entirely different things: Canvas fingerprinting, and "Evercookies & Respawning", which are two entirely different things. Canvas fingerprinting is just another method of trying to determine which browser the user is running, by looking at differences in the way the canvas renders text and the like. "fingerprinting doesn’t work well on mobile" because of the homogeneous nature of mobile devices - 90% of iOS devices are running version 7.1, for example, so they are all using the same web browser version and rendering code, thus they are going to draw canvas fingerprints exactly the same. Nothing in the research article says anything about canvas fingerprinting being used to track people.

    Now the other topic "Evercookies & Respawning" is about tracking users. That is using multiple storage vectors to try and keep users from deleting cookies. For example, using tiny hidden Flash apps which have their own caching, actual cookies, HTML5 persistent storage, embedding unique identifiers directly in the HTML so when the cached page is pulled up the identifier is once again active.

    So at this point canvas fingerprinting isn't about tracking, but browser identification. The leap to "A New Form of Online Tracking: Canvas Fingerprinting", as described in the Pro Publica article:

    A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.

    First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.

    Well that's completely wrong - the bold text should read "this type of tracking, called Evercookies & Respawning". The persistent tracking has nothing to do with the canvas fingerprinting. It's mainly due to Flash (which also explains why it too is ineffective on mobile devices).

  • Re: So (Score:1, Informative)

    by Anonymous Coward on Tuesday July 22, 2014 @09:42AM (#47507283)

    echo '0.0.0.0 addthis.com' | sudo tee /etc/hosts

    also works.

  • Re: So (Score:2, Informative)

    by Anonymous Coward on Tuesday July 22, 2014 @10:14AM (#47507537)

    echo '0.0.0.0 addthis.com' | sudo tee /etc/hosts

    also works.

    That'll overwrite the whole file.

    echo '0.0.0.0 addthis.com' | sudo tee -a /etc/hosts

    will append.
