Canvas fingerprinting is tracking you, and you don’t even know what it is

Canvas fingerprinting?

Popular, heavily trafficked websites are increasingly turning to “canvas fingerprinting” to track your online movements. Canvas fingerprinting is extremely hard to block and hard to detect, and it yields a unique identifier that logs your ’Net history as you jump from site to site without your knowledge, on desktop and mobile devices alike.

Adam Kujawa, the head of intelligence at Malwarebytes, said canvas fingerprinting is a step above cookies and is exceptionally complex.

“Canvas fingerprinting is the act of extracting information from a user’s browser and using it to paint a semi-unique identifiable token. The method requires the use of HTML5, which is a commonly used standard today, being used from making web apps to games,” Kujawa said.

“By utilizing the built-in canvas features of HTML5 and requesting various operations be made, out of the view of the user, by the browser’s instance of HTML5, identifiable information can be extracted.”

Researchers from Belgium’s KU Leuven University and Princeton University here in the States recently released their report on the tracking tool, which comes from a little-known software company in Virginia called AddThis and several other firms, including the Canadian-based dating site Plentyoffish.com.

The AddThis homepage blares: “Get more traffic with beautifully simple website tools.” (Disclosure: VentureBeat used AddThis in the past, although the tool is not in use on our site now.)

According to the researchers, canvas fingerprinting is in use on over 5,000 of the world’s most trafficked websites, including the White House’s site, porn sites, and others. The report’s authors put it this way:

“By crawling the homepages of the top 100,000 sites we found that more than 5.5 percent of the crawled sites include canvas fingerprinting scripts. Although the overwhelming majority (95 percent) of the scripts belong to a single provider (addthis.com), we discovered a total of 20 canvas fingerprinting provider domains, active on 5,542 of the top 100,000 sites.”

You can read the canvas fingerprinting report here. The study is still ongoing.

The shocker for the researchers is this: standard cookies, primarily on desktop, have long tracked your movements, but users can opt out of them with ad-blocking software. Canvas fingerprinting takes that control away from users and is virtually impossible to detect.

Kujawa said canvas fingerprinting identifiers reside in your browser.

“For example, the browser version, operating system and graphics card can be derived from things such as how the font ‘Arial’ is presented in the browser as well as analyzing the object returned by HTML5 when a script requests that a pixel be drawn,” he said.

“Utilizing a script to execute the algorithm from multiple websites can create a new method of tracking users without using cookies.”

Canvas fingerprinting was first reported by the investigative blog ProPublica.com.

This means that with canvas fingerprinting, your browsing history — including your use of social and family networks and your work activity — is being aggregated by deployers of the software.

The end users of that data, according to the researchers, are advertisers, your boss, and insurance companies compiling dossiers on your history, all without your knowledge.

In fact, Adblock and other programs designed to thwart attempts to follow you from website to website don’t traditionally work against canvas fingerprinting, according to Kujawa.

However, Kujawa said canvas fingerprinting does have its flaws and isn’t impervious to those using the right tools to block it.

“While it has been claimed that ad-blocking add-ons for the browser can’t block canvas fingerprinting, it can block the script that executes the fingerprinter process, meaning that without the algorithm working to determine the token, the user won’t be tracked,” he said.
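As an added illustration, not code from the article, AddThis, or Malwarebytes, the following JavaScript shows the defender-side hook that Kujawa’s point relies on: wrapping the canvas read-back APIs so the sequence a fingerprinting script needs (render text, then read the pixels of a canvas the page never displays) is flagged before a token is produced. The `makeFakeWindow` stand-in and `simulateReadback` are constructed here for offline use; in a browser you would pass `window` instead.

```javascript
// Added example (not from the article, AddThis or Malwarebytes): hook the
// canvas APIs a fingerprinting script relies on, as a privacy tool would.
function installCanvasReadbackDetector(win) {
  const events = [];               // one record per pixel read-back
  const ctxProto = win.CanvasRenderingContext2D.prototype;
  const canvasProto = win.HTMLCanvasElement.prototype;
  const textDrawn = new WeakSet(); // canvases that have had text rendered on them
  const origFillText = ctxProto.fillText;
  ctxProto.fillText = function (...args) {
    textDrawn.add(this.canvas);
    return origFillText.apply(this, args);
  };
  // Heuristic: text rendered, then pixels read back from a canvas that was never
  // attached to the page, is the fingerprinting sequence the article describes.
  const record = (canvas, api) => {
    const ev = { api, textDrawn: textDrawn.has(canvas), attached: !!canvas.isConnected };
    ev.suspicious = ev.textDrawn && !ev.attached;
    events.push(ev);
  };
  const origToDataURL = canvasProto.toDataURL;
  canvasProto.toDataURL = function (...args) {
    record(this, "toDataURL");
    return origToDataURL.apply(this, args);
  };
  const origGetImageData = ctxProto.getImageData;
  ctxProto.getImageData = function (...args) {
    record(this.canvas, "getImageData");
    return origGetImageData.apply(this, args);
  };
  return events;
}

// Constructed stand-in (hypothetical) for the browser's canvas objects so the
// detector runs offline; in a real page you would pass `window` instead.
function makeFakeWindow() {
  function HTMLCanvasElement() { this.isConnected = false; }
  function CanvasRenderingContext2D(canvas) { this.canvas = canvas; }
  HTMLCanvasElement.prototype.getContext = function () { return new CanvasRenderingContext2D(this); };
  HTMLCanvasElement.prototype.toDataURL = () => "data:image/png;base64,CONSTRUCTED";
  CanvasRenderingContext2D.prototype.fillText = () => {};
  CanvasRenderingContext2D.prototype.getImageData = () => ({ data: new Uint8ClampedArray(4) });
  return { HTMLCanvasElement, CanvasRenderingContext2D };
}

// Replay the fingerprinting sequence against the stand-in; `attached` shows that
// an ordinary on-screen canvas doing the same read-back is not flagged.
function simulateReadback(win, attached) {
  const events = installCanvasReadbackDetector(win);
  const canvas = new win.HTMLCanvasElement();
  canvas.isConnected = attached;
  canvas.getContext("2d").fillText("Cwm fjordbank glyphs vext quiz", 2, 2);
  canvas.toDataURL();            // the read-back the detector watches for
  return events;
}
```

A real extension would act on a `suspicious` event by blocking the read-back or returning a canvas without the rendered text, which is the script-level block Kujawa refers to.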

Incredibly, AddThis chief Richard Harris told ProPublica that accrued data was for “internal research and development” purposes and that canvas fingerprinting was more or less an experiment whose time would soon end.

I asked an AddThis spokesperson to put me in touch with the AddThis chief executive, and the firm did not respond by press time.

While Google, Twitter, and analytic outfits are able to track users with cookies on their desktops, they can’t on mobile, which instead relies primarily on PIs (Personal Identifiers) to follow what sites you’re visiting. Canvas fingerprinting, without your knowledge, follows you across multiple devices.

With no opt-out switch, and no ad-blocking software on your machine that can reliably stop the tracking, the amount of data AddThis is collecting is vast. And that’s exactly the kind of data sought by advertisers, insurance companies, or mortgage brokers sizing you up as potential clients, or by law enforcement.

Canvas fingerprinting is here to stay, Kujawa said, and will likely evolve into a more comprehensive technology as its flaws are analyzed and ironed out.

“Because of these issues, canvas fingerprinting in its current state might not be adopted as widely as a lot of folks believe; however, the initial research into the technology will no doubt spawn additional development in new ways to track users,” Kujawa said.

3 comments
Marcus Greenwood

Canvas fingerprinting can only detect your computer configuration. The only difference between this and looking at your browser identifier is that FP can also detect the graphics card type. This is no big deal despite all the coverage it is getting.