Canvas Fingerprinting: a web-tracking technique that's nearly impossible to block

[Himanshu Arora]

Researchers at Princeton and Belgium's KU Leuven have found a new, extremely persistent type of web-tracking technique that's being used on around 5% of the top 1000 sites on the Internet, including Whitehouse.gov, YouPorn, and more. Dubbed Canvas Fingerprinting, the technique is nearly impossible to block, which means you cannot prevent it by blocking cookies, invoking Do Not Track, and using anti-tracking tools such as AdBlock Plus.

The technique works by instructing the visitor’s web browser to draw a hidden image. Since each computer renders the image in a different way (see Device fingerprint), that drawing is used to assign the device a uniquely identifying number that allows trackers keep an eye on your browsing activity.

Researchers claim that the most widely used fingerprinting software belongs to a company called AddThis, which started testing the web-tracking technique earlier this year, rolling out the feature to a small portion of the 13 million websites on which its technology appears.

“We’re looking for a cookie alternative”, said Rich Harris, chief executive of AddThis, adding that the company uses the collected data for internal research and development.

A company spokeswoman said that they do not use any of the data collected from government websites, but gave no such assurances about other websites. The company, however, claims that the collected data will not be used for ad targeting if users install the AddThis opt-out cookie.

It is still unclear just how capable or effective the technology is, but AddThis says that the company may wind things down soon as the results are "not uniquely identifying enough".

Permalink to story.

https://www.techspot.com/news/57504-canvas-fingerprinting-a-web-tracking-technique-thats-nearly-impossible-to-block.html

 

[Guest]

So the image is rendered virtually or stored on the server itself? Obviously blocking images would prevent it, unless they're using the term loosely and it is another type of file. Of course if that was the case it could likely be blocked by identifying that file type. Now I'm very interested in how to circumvent this. Going to do research!!

 

[Guest]

NoScript prevents it. Simple enough.

 

[Guest]

Actually a better solution is Privacy Badger by EFF for Firefox and Chrome. It blocks third party cookies and scripts from tracking you. While not 100%, it should be quite effective in preventing this type of tracking since it uses a script to force your browser to draw the image.

 

[Guest]

I think you don't understand what is meant by the image rendering.
It is not really an jpeg image but a calculation done by the client (iphone, pc, mac, galaxy tab,...) which results in a vector drawing.
This calculation is done in an unique way on each device, what I personally don't believe. Anyway researchers say it works. So each device can be tracked on an unique way.

This technique is analogue to tracking by gyroscopes and compass in mobile devices. Apparently it is possible to discover small calibration differences in those sensors between the same lets say iphone type.

Privacy is history... Unless you disable scripting ans use a typewriter.

 

[Guest]

Isn't it ironic that all these tracking companies say if you just put a cookie on your system we will not track you. So by putting a uniquely identified file will stop you from being tracked, ya right....

 

[wiyosaya]

So the last paragraph says that they are considering winding things down because the results are "not uniquely identifying enough." Either that is the truth, which I suspect, or the real answer is that the tech is classified and they cannot say how effective it is.

 

[Guest]

Just generated ID's on two different work computers and I got the exact same ID. So who knows how accurate it really is...