Saturday, July 26, 2014

'Canvas fingerprinting' tracking is sneaky but easy to halt

A method for tracking users across the Internet called "canvas fingerprinting" is simple to stop, but average Internet users may not know how to do it.

A research paper concluded that code used for canvas fingerprinting had been in use earlier this year on 5,000 or so popular websites, unknown to most. Most but not all the sites observed used a content-sharing widget from the company AddThis.

The researchers, from KU Lueven in Belgium and Princeton University, described how companies are looking for new ways to track users in order to deliver targeted advertising and move away from cookies, which can be easily deleted or blocked.

"The cookie is dead," wrote Rob Shavell, a cofounder of Abine, a company that develops privacy tools, via email. Advertising and data collection businesses need to evidence that their targeting is working for paying clients, he wrote, but most users are unaware of how they're being tracked in new ways.

Following media coverage, AddThis admitted it ran a five-month test using canvas fingerprinting within its widget but said the canvas fingerprinting code was disabled earlier this month. Acknowledging privacy concerns, the company said it would provide more information on such tracking tests before starting one.

It worked like this: When a browser loaded the AddThis widget, JavaScript that enabled canvas fingerprinting was sent. The script used a capability in modern Web browsers called the canvas API that allows access to the computer's graphics chip, which is intended for use with games or other interactive content.

An invisible image was sent to the browser, which rendered it and sent data back to the server. That data can then be used to create a "fingerprint" of the computer, which could be useful for identifying the computer and serving targeted advertisements.

But of several emerging tracking methods, canvas fingerprinting isn't the greatest: it's not terribly accurate, and can be blocked.

Canvas fingerprinting may work best on smaller websites with stable communities, wrote Wladimir Palant, creator of AdBlock Plus browser extension, in a blog post. But it is less effective on a larger scale.

"As soon as you start talking about millions of users (e.g. if you want to track users across multiple websites) it is just too likely that different users will have exactly the same configuration and won't be distinguishable by means of canvas fingerprinting," he wrote.

Widgets such as AddThis can be entirely blocked with tools such as AdBlock Plus or DoNotTrackMe from Abine, both extensions that can block web trackers.

DoNotTrackMe, for example, can spot a browser making a request to AddThis for content and block it, meaning AddThis couldn't transmit JavaScript for canvas fingerprinting, wrote Andrew Sudbury, CTO and cofounder of Abine, via email.

AdBlock Plus can also block these kinds of JavaScript requests, but not by default, wrote Ben Williams, public relations manager for AdBlock Plus, in an email.

The extension is intended to be used with a series of filters, or lists, that enable certain kinds of blocking. Williams wrote that a user would need to install the EasyPrivacy filter. The AddThis widget would be blocked, along with any other JavaScript, he wrote.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


View the original article here

No comments:

Post a Comment