Canvas fingerprinting: new feature, same old story



By now you’ve probably heard about Canvas fingerprinting. In a nutshell, this whole story is about analytics and advertising companies abusing a new feature to try to track your browsing behavior, in a way that is harder to stop.

The good news is that DoNotTrackMe has always blocked AddThis, the US company known to have been doing this. In the end, as Internet technologies evolve to be increasingly rich user experiences, the potential for abuse also increases. Individual users are increasingly hard-pressed to stop this kind of tracking on their own.

Let’s dig into what Canvas Fingerprinting actually is…

What is Canvas Fingerprinting?

Canvas fingerprinting is a tracking technique that abuses a new feature in the latest version of the hypertext mark-up language (HTML5) that makes up website content. This technique works by asking your web browser to draw a picture in a hidden window. It then looks at the picture for the unique differences in how it was drawn, and uses them to identify your computer so it can track you across different websites and visits.

In this case, the tracking code draws a set of words (that you can’t see), looks at the words it just drew, and then records the small differences in how the words look due to your specific computer setup. The drawings from different browsers and computers will be slightly different. Just like a fingerprint, this set of small differences helps uniquely identify your web browser, hence “Canvas Fingerprinting”.

Unlike cookies, Canvas fingerprinting doesn’t store things on your computer. Instead, it sends this fingerprint back home to tracking servers, where it is stored. Then, the next time that you visit a website that is using AddThis tracking technology, the same thing happens: your browser draws a picture and sends your fingerprint back to its tracking servers. This way they can track you as you browse from website to website. They’ve got your digital fingerprints on file.

There is some evidence that Canvas elements can even be used to identify what video hardware you have in your computer. (Here’s a great site with more details.)
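The draw-then-read-back behavior described above is also what makes this kind of tracking detectable. The following is an added example, not part of the original post and not DNTMe's code: it scans a log of canvas API calls and flags scripts that draw text on a canvas and then read the pixels back from that same canvas. The log format, the two thresholds and the script URLs are assumptions constructed for illustration.

```javascript
// Added example: flag scripts whose canvas usage matches "draw text, then read it back".
const DRAW_TEXT = new Set(["fillText", "strokeText"]);
const READ_BACK = new Set(["toDataURL", "getImageData"]);
const MIN_SIDE = 16;  // assumed threshold: ignore canvases smaller than 16x16 px
const MIN_CHARS = 10; // assumed threshold: at least 10 distinct characters drawn

// calls: canvas API calls in the order they happened, each shaped as
// { script, canvasId, width, height, method, text? } (hypothetical format).
function flagFingerprintingScripts(calls) {
  const drawn = new Map(); // "script|canvasId" -> Set of characters drawn so far
  const flagged = new Set();
  for (const c of calls) {
    const key = `${c.script}|${c.canvasId}`;
    if (DRAW_TEXT.has(c.method)) {
      if (!drawn.has(key)) drawn.set(key, new Set());
      for (const ch of c.text || "") drawn.get(key).add(ch);
    } else if (READ_BACK.has(c.method)) {
      // Only a read-back that follows text drawing on the same canvas counts.
      const chars = drawn.get(key);
      const bigEnough = c.width >= MIN_SIDE && c.height >= MIN_SIDE;
      if (bigEnough && chars && chars.size >= MIN_CHARS) flagged.add(c.script);
    }
  }
  return [...flagged].sort();
}

// Constructed sample log; every URL is a placeholder.
const SAMPLE_CALLS = [
  // Chart library: draws labels but never reads pixels back.
  { script: "https://charts.example/lib.js", canvasId: 1, width: 600, height: 300, method: "fillText", text: "Revenue 2014" },
  // Image editor: exports pixels but drew no text.
  { script: "https://editor.example/app.js", canvasId: 2, width: 800, height: 600, method: "drawImage" },
  { script: "https://editor.example/app.js", canvasId: 2, width: 800, height: 600, method: "toDataURL" },
  // Tracker pattern: text drawn, then the same canvas is read back.
  { script: "https://tracker.example/t.js", canvasId: 3, width: 300, height: 60, method: "fillText", text: "Sample pangram text 123" },
  { script: "https://tracker.example/t.js", canvasId: 3, width: 300, height: 60, method: "toDataURL" },
  // Feature test on a 1x1 canvas: too small to carry a useful fingerprint.
  { script: "https://site.example/detect.js", canvasId: 4, width: 1, height: 1, method: "fillText", text: "abcdefghijkl" },
  { script: "https://site.example/detect.js", canvasId: 4, width: 1, height: 1, method: "getImageData" },
];

console.log(flagFingerprintingScripts(SAMPLE_CALLS));
```

In a real browser, a log like this would come from wrapping those canvas methods before any page script runs; here the log is supplied directly so the check runs anywhere.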

DoNotTrackMe already blocks Canvas Fingerprinting by AddThis

DNTMe by default blocks tracking by AddThis and it is just one of the many tracking companies blocked by DNTMe. When DNTMe blocks a tracking company, it stops your browser from loading their tracking code. This means they can’t use or write cookies, or do other things like Canvas fingerprinting.

So when you visit a website using AddThis, their fingerprinting code never gets loaded or run on your computer. They don’t get to take your Canvas Fingerprint and they don’t get to look you up in their fingerprint database.

This is a good thing because, according to Julia Angwin (reporting for ProPublica): “The researchers found canvas fingerprinting computer code, primarily written by a company called AddThis, on 5 percent of the top 100,000 websites.”

Why is Canvas now in HTML – what’s it for?

The Canvas feature that was added in HTML5 was intended to give websites a better way to draw things on the fly. This would make it easier and more efficient to have graphics for games, charts, graphs and other visual objects in webpages. However, as with most technologies, the capabilities this feature adds to the browser can lead (and have led) to unintended uses.

Unintended consequences and intentional abuse

We’ve seen this story before, where some capability of the web gets abused to track users. Examples include 1-pixel images, the cookie overload, invisible iframes, storage of Flash objects and now Canvas fingerprinting. In each of these cases companies are directly trying to profit by using a feature in a way that was not anticipated or expected. While that’s innovation, what sets these “innovations” apart is that they route around the user’s ability to control their web experience and whether they are being tracked.

Each case is the same old story, tracking company X wants more information about a user:

  • Want to know if somebody has opened your email? Stick a tiny invisible picture in it!
  • Want to know what websites a user is visiting? Stick an invisible iframe in the webpage and load up on the cookies!
  • Somebody’s cleaning out their cookies? Stick the cookie values on their computer with Flash so they won’t be deleted!
  • Somebody’s blocking cookies and doesn’t have Flash? Use canvas to fingerprint them instead!

Quotes from the AddThis CEO show this clearly (again, thanks to Julia Angwin for ProPublica): “We’re looking for a cookie alternative” – Rich Harris, CEO of AddThis

But don’t fear, as Rich is sure that “this is well within the rules and regulations and laws and policies that we have.”

After all, all you’d have to do to block this (according to AddThis) is install a cookie from AddThis on your computer, not remove it when you remove other cookies, and hope that their voluntary self-regulatory rules work to protect your privacy. (Spoiler alert: We’ve already seen that they don’t with several other tracking companies.)

Tracking companies have consistently shown a capability and a desire to overcome what little control most users have over their online privacy. The normal browser features, such as clearing cookies, simply do not work effectively to stop online tracking anymore. Companies like AddThis have moved beyond relying on cookies. Other features like private browser mode can help, but they are designed to keep your browsing activity off of your own computer, not to stop online tracking companies. This is why there need to be companies like Abine, working on the side of the user and creating their own innovations to protect users’ online privacy instead of seeking additional ways to track them.

4 Replies to “Canvas fingerprinting: new feature, same old story”

  1. Doug says:

    Awesome! Thanks for helping us fight back!

  2. Penny Kanefield says:

    Not sure I understand it all, but happy I have you to help. Will reread again, when I have more time. Thank you.

  3. John says:

    From an article on the Eset website [WeLiveSecurity pages], this canvas fingerprinting requires the surfer to be using a browser which supports web page designers’ interest in using JavaScript, rather than HTML, to shove “content” at surfers. Another reason to disable JavaScript whenever possible?
