A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.
First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.
Advertising companies will become increasingly… ‘Creative’ to find some way of tracking us that circumvents known laws and technological barriers. However, I doubt you have to worry about the small fish – worry about what the biggest internet advertising company in the world has cooking in its labs.
It isn’t ‘virtually impossible’ to block. Noscript can be set to block canvas requests even when you have Javascript enabled, and has had this capacity for ages. By the standards of tracking technologies, this makes canvas fingerprinting relatively easy to block.
I agree that your typical web surfer has probably never heard of Noscript, but that doesn’t mean it’s hard to block – it just means most people won’t block it even though it isn’t particularly hard.
<programmer>
I don’t get this trick. Basically it is asking to gather some browser info and draw some things on a canvas with all available fonts to generate a hash of the resulting drawing. Wouldn’t it work with just requesting that same browser info and the list of available fonts without doing the canvas drawing?
</programmer>
Also: Bad trackers!
Outside canvas, they already have various mechanisms in place to prevent that sort of thing elsewhere so it’s possible that you need the canvas to bypass those protections.
For example, I know for a fact that, to prevent CSS history sniffing, :visited styles can’t affect page layout and getComputedStyle() always returns the un-visited styling data for them:
https://blog.mozilla.org/security/2010/03/31/plugging-the-css-histor…
…and WebGL imposes cross-domain restrictions on textures because shaders could be used to poke holes in cross-domain security otherwise:
http://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl…
It wouldn’t surprise me if this resulted in browsers restricting <canvas> to only fonts that the site explicitly sent to the user’s computer plus some default font or set of fonts that’s bundled with the browser to ensure it’s consistent across all installs.
(After all, you’ve already got easier ways to determine which browser the user is running, so that’d take the list of available fonts out of the entropy pool and, if you’ve ever dropped by Panopticlick with Javascript enabled, they’re quite a significant contributor.)
Edited 2014-07-22 11:35 UTC
avgalen,
I think you are right, but the canvas method gives you another method to get the font information.
To the contrary of what’s claimed earlier in the article “the images can be used to assign each user’s device a number that uniquely identifies it.”, AddThis actually says the opposite:
It’s not just the fonts that are rendered, it’s /how/ they’re rendered. Each graphics card/driver renders/composes fonts slightly differently, and canvas is usually GPU rendered.
By comparing the differences, it’s fairly easy to identify the same user
How would my off-the-shelf HP PC be any different from any other that Future Shop sold that week? Not everyone goes out and buys a unique combination of GPU/CPU/whatever else impacts the rendering.
It might also depend on your browser version, your graphics card driver version and other software components.
And then you can add other signals like the list of extensions you have installed, your geolocation and so on. Every signal makes you a little bit more unique.
I guess I can just see why this is possibly being abandoned. People who frequent OSAlert probably vary wildly for combinations of software and hardware, but we represent a small pool of users. The masses of homogeneous Apple (and other desktop mass market manufacturers) hardware paired with a lot of people who simply use what’s installed by default to shop on ebay, browse facebook, or watch youtube (amongst other video providers *ahem*) I just can’t see this being THAT useful.
If geotagging is the only variable identifying my MacbookPro from every other MacbookPro, then just use the geotagging and ignore the extra stuff.
For reference, here’s the original paper: http://cseweb.ucsd.edu/~hovav/dist/canvas.pdf
Basically, on its own, it’s not enough to uniquely identify you, but as part of a set of detection techniques, it massively helps to narrow down the set of people you /might/ be.
Blocking javascript to avoid creating the canvas may not be enough, there are still ways to draw w/o it.
http://cssdeck.com/labs/mona-lisa-with-pure-css
Edited 2014-07-22 13:13 UTC
It’s not just drawing the image, it’s then reading the image back and hashing it. So the CSS trick will only work if you have access to the JS APIs for grabbing the rendered result as a bitmap.
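The point made in the comment above, that the fingerprint depends on reading the canvas back, shown from the blocking side as an added example that is not part of the original thread. The function name `guardCanvas`, the `isAllowed` policy callback and the `Stub*` classes are assumptions made for illustration; in a browser the real `HTMLCanvasElement.prototype` and `CanvasRenderingContext2D.prototype` would be passed instead of the stubs.

```javascript
// Added example. The Stub* classes are constructed stand-ins for the DOM
// classes so the block also runs under Node, which has no DOM.
const drewText = new WeakSet();          // canvases that had text drawn on them

function guardCanvas(canvasProto, ctxProto, isAllowed, log) {
  // Remember which canvases receive text: text rendering is what varies per device.
  for (const name of ['fillText', 'strokeText']) {
    const original = ctxProto[name];
    ctxProto[name] = function (...args) {
      drewText.add(this.canvas);
      return original.apply(this, args);
    };
  }
  // Readback is the step the fingerprint cannot do without, so gate it.
  const gate = (proto, name, canvasOf, placeholder) => {
    const original = proto[name];
    proto[name] = function (...args) {
      const canvas = canvasOf(this);
      const allowed = isAllowed(name, canvas);
      log.push({ api: name, textDrawn: drewText.has(canvas), allowed });
      // Denied callers get a constant placeholder, identical on every device.
      return allowed ? original.apply(this, args) : placeholder(...args);
    };
  };
  gate(canvasProto, 'toDataURL', (c) => c, () => 'data:,');
  gate(ctxProto, 'getImageData', (ctx) => ctx.canvas,
    (x, y, w, h) => ({ width: w, height: h, data: new Uint8ClampedArray(w * h * 4) }));
}

// Constructed stand-ins for the DOM classes (sample data, not real rendering).
class StubContext {
  constructor(canvas) { this.canvas = canvas; }
  fillText(text) { this.canvas.pixels += text; }
  strokeText(text) { this.canvas.pixels += text; }
  getImageData(x, y, w, h) {
    return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4).fill(7) };
  }
}
class StubCanvas {
  constructor() { this.pixels = 'gpu-specific:'; }
  getContext() { return new StubContext(this); }
  toDataURL() { return 'data:image/png;base64,' + this.pixels; }
}

// Deny readback, then run the draw-then-read sequence described in the thread.
function demo() {
  const log = [];
  guardCanvas(StubCanvas.prototype, StubContext.prototype, () => false, log);
  const canvas = new StubCanvas();
  canvas.getContext('2d').fillText('sample text', 2, 15);
  return { url: canvas.toDataURL(), log };
}
```

The log entry with `textDrawn: true` followed by a readback call is the pattern worth alerting on; `toBlob` can be gated the same way.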
oskeladden,
+1
Addthis is no more “impossible to block” than any other trackers. Google analytics is far more pervasive and privacy leaking IMHO, and GA is used here on osnews.
Noscript isn’t very user friendly, IMHO. Normal users can use ghostery, which is as user friendly as adblock but will block trackers that don’t display ads, including “addthis” as pertains to the article.
https://www.ghostery.com/en/apps/addthis
Maybe this could be added to the eff’s panopticlick to gather more information, but I’d be surprised if canvas rendering didn’t correlate very highly to existing bits of entropy (like OS+browser versions and font list).
https://panopticlick.eff.org/
Ghostery does nothing about ajax.googleapis.com and the referrers / fingerprinting they collect, the developers have been notified and queried about it; their responses have varied from dismissive, rude and arrogant.
Needless to say I have not trusted Ghostery for some time, even if you ignore the buy out by a marketing company.
BushLin,
That’s true, but so far I haven’t found any better alternatives that I’d feel comfortable installing for non-savvy users. For such users, ghostery provides a fairly comprehensive (though not 100% as you point out) database of tracking scripts. And it even removes scripts in such a way that page dependencies are not broken. This gives normal users a much better balance of privacy and functionality than they’d get with no-script without lots of fiddling around.
Still, I agree with you, ghostery should be better, if you know of any superior alternatives that are also maintenance free, then I’d like to hear about them.
I’m afraid I struggle for recommendations for even the most tech savvy of users these days.
I’ve heard reputable people recommend NoScript and Adblock as all you need but these only stop the content from displaying or scripts from running, you still end up downloading most content which means you still send referrers and fingerprints to all the marketeers but with the false feeling of privacy.
For anyone looking to remove leakage I’d recommend pulling out your network cable before first launch or after installing an upgrade so you don’t connect to Google amongst others.
Install add-ons locally after downloading elsewhere, disabling “safe-browsing” which shows twice in options>security as ‘block reported…’, disable search suggestions and remove the search box, show a blank page at startup, disable all the options in “data choices”, have your cookies and cache automatically deleted on exit and if you must run flash, disable everything in its config tool.
in about:config set:
extensions.blocklist.enabled false
extensions.getAddons.cache.enabled false
extensions.update.enabled false
Restore ability to disable add-on compatibility checks:
https://addons.mozilla.org/en-US/firefox/addon/checkcompatibility/
Only manually allow 3rd party content using RequestPolicy, this is the best cure I’ve found for NoScript’s shortcomings.
https://addons.mozilla.org/en-US/firefox/addon/requestpolicy/
Noscript but with CSS and ABE disabled (CSS is covered by RequestPolicy and ABE is a leak), also disable “display release notes on updates”
https://addons.mozilla.org/en-US/firefox/addon/noscript/
Disallow 3rd party referrers by default with refcontrol
https://addons.mozilla.org/en-US/firefox/addon/refcontrol/
I’m sure there’s something else I’ve forgotten but the best solution is to monitor the traffic out of your system and see if you’re happy.
Still, it doesn’t seem very suitable for non-savvy users… Other thing is, vast majority of them don’t care I think.
I don’t go to YouPorn anymore.
Obligatory:
http://dilbert.com/2014-07-15/
Two questions after reading the linked article and skimming one or two others:
If the AddThis widgets are blocked, does that block the canvas drawing function as well? (I always block those stupid icons.)
Wouldn’t every computer of the same model create the same canvas picture? Or are there more factors than just hardware?
It’s the same model/graphics driver AND OS that’s needed to create the same fingerprint.
This PDF has some lists of what Graphics cards create the same output: http://cseweb.ucsd.edu/~hovav/dist/canvas.pdf
The article near the end basically says that everyone is abandoning this because it isn’t unique enough.. So does it matter?
Firefox build in the Tor Browser Bundle blocks it with an option to respond: accept, never for this site or not now.
Is this it?
https://imgur.com/LYPehZ1
whitehouse.gov gives this warning.
youporn.com doesn’t.
https://panopticlick.eff.org/
See how unique your browser is, without any crazy canvas tricks – just stuff learned from standard browser probing.
I appear to have a unique footprint, and I think it is because I run at a weird resolution, since I’m visually impaired. So it seems like they’re going to track me no matter what, which I guess is alright. I mean, if I were viewing child porn or trying to start a revolution in some third world shithole, I might be concerned. As it is, my web surfing habits are actually quite uneventful, and if I wanted to view something very private, I guess I’d change resolutions and use another browser in private mode.
Your uneventful habits might be interesting to someone now or in 5 years. I mean, you don’t get to decide what’s interesting for ad & marketing companies. Maybe the fact that you stick to 3 technology-related websites *is* interesting: would you consider replacing your mouse with a bluetooth one? Here’s a brand new Logitech model that’s been good with people with < 800×600 resolution. Plus, you visited a medical site 2 months ago, you might want to look at this herbal drink for 2.99…
As long as it’s not interesting to people in black suits and ties who’ll want to lock me up for some reason, I’m good. They invented adblock for a reason. Hell, I’d probably stick out more to the NSA and their ilk if I tried to block EVERYTHING, like others on this site do. As in, ‘this guy is trying to surf anonymously… he must have something to hide. Let’s keep an eye on him.’ As it is, I’ll just blend in, like millions of other people.
Edited 2014-07-23 18:02 UTC
Fascinating, and worse than I expected. With Javascript enabled, I was told:
With Javascript disabled (my usual configuration), I was told:
Which I guess means I’m one of eight visitors to their website with my configuration.
I usually have my browser deliver a random user-agent, which should also throw fingerprinting off a bit. But this, now, is an example of tracking that really is very hard to fight.
The thing I’m appalled with is why AddThis feels the need to experiment with tracking code to begin with.
Those social sharing plugins should only do what they’re intended to do which is to show social sharing buttons. Anything beyond that including tracking users habits should be forbidden. This applies to ShareThis and AddToAny.
I think we should migrate from these single vendor plugins and switch to open sourced self-hosted plugins:
http://www.enthropia.com/labs/share/
http://expando.github.io/
Edited 2014-07-23 00:45 UTC
A free browser plug-in ported extensively to almost all known platforms was for sure not developed for free or for charity… so the most obvious assumption is that the developer is profiting in some way from his user base.
There is only one (and not perfect) way to avoid being part of some strange (and often shady) business model that you are unaware of being part of: using open source plug-ins.
I put together a browser fingerprinting script to test just how unique the canvas rendering actually is compared to other fingerprinting techniques.
If you don’t mind your browser being fingerprinted, please visit this URL, it will extract lots of information using JavaScript, including the canvas technique and various browser structure enumerations.
http://hypercone.com/fingerprint/
After fingerprinting you should be forwarded to a results page where all the collected information for your own browser is displayed, including your browser’s canvas & canvas hash.
I hope to study the number of unique canvas renderings per browser&user agent and hopefully publish the conclusions. All I need from everyone is lots of sample data… so try it with as many browsers/devices as possible! And if you have any other ideas for this, just let me know.
I had a go on my company IE9 on Windows 7.
Actually it breaks in xxxDoCanvas(data) on
var c = canvas.getContext('2d');
This is because IE defaults to Quirks mode, which doesn’t have the getContext() method.
In the F12 debugger, when I changed it to IE 9 Standards mode, it worked.
To enable standards mode I believe you need:
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
pysiak,
Done! I did not try XP+IE9.
I added a link to the fingerprinting JS source if anyone is interested. In addition to many of the fingerprint methods used in panopticlick, there are some other unconventional tests in there too, like clock drift and overflow exceptions.
I was thinking of installing more browsers in a VM, but I wonder if running IE/FF/chrome/etc from a VM would make a difference with the canvas?
I’m not sure how much we can do before the osnews comments are closed, but I will try to at least summarize the findings before then. Hey Thom, osnews needs a sister site for ongoing collaboration projects between osnews members.
So, what are the findings?
For anyone who’s interested, I’ve posted some more fingerprint queries and browser details:
http://hypercone.com/fingerprint