A new, invisible web tracking tool bypasses the protections privacy-conscious web users rely on (including browser privacy settings, do-not-track instructions, or tools such as AdBlock Plus) and is already being used by thousands of sites – without visitors being aware, as reported by Pro Publica.
A single company which uses the ‘fingerprinting’ technique, touted as a replacement for cookies for advertisers, uses its scripts in thousands of sites including Whitehouse.gov – and reaches 97.2% of the internet-using population in the U.S., according to Comscore.
The technique, known as “canvas fingerprinting” covertly requires browsers to “draw” a short message (the user does not see this, and is not made aware of it) – and subtle differences in the way machines render the text make it easy to identify the machine, even if the user is employing cutting-edge online privacy tools, Network World reports.
The unique code can then be used to track users across sites to serve adverts, even if the user employs online privacy tools to prevent this.
Princeton University researchers found that the technique, which works in “a fraction of a second without user’s awareness” was not only theoretically possible – but already in use on more than 5% of the 100,000 sites under test.
“By crawling the homepages of the top 100,000 sites we found that more than 5.5% of the crawled sites include canvas fingerprinting scripts,” the researchers write. “Although the overwhelming majority (95%) of the scripts belong to a single provider (addthis.com), we discovered a total of 20 canvas fingerprinting provider domains, active on 5542 of the top 100,000 sites.”
“Our evaluation of the defensive techniques used by privacy-aware users finds that there exist subtle pitfalls such as failing to clear state on multiple browsers at once in which a single lapse in judgement can shatter privacy defenses,” the Princeton researchers write in an upcoming paper entitled The Web Never Forgets.
Many of the sites employing “canvas fingerprinting” were using scripts from a single provider – AddThis, which began testing the scripts in January 2014, according to the researchers. But AddThis is not alone – sites such as dating service PlentyOfFish also employ the technology.
The researchers suggest that by correlating this information with identifying information provided by cookies, advertising companies are actually “advancing technology beyond the scientific literature.”
AddThis in particular employs techniques more advanced than those detailed in previous scientific papers.
“By requesting a non-existent font, the test tries to employ the browser’s default fallback font. This may be used to distinguish between different browsers and operating systems,” the researchers write. “This has serious implications for any web user wishing to avoid being tracked – and to avoid “personalised” adverts. Even sophisticated users face great difficulties in evading tracking techniques”
“According to a recent ComScore report, AddThis solutions”reaches 97.2% of the total Internet population in the UnitedStates and get 103 billion monthly page views,” the researchers write.
Blocking canvas fingerprinting is not easy, the researchers admit – there are solutions, but these involve radical changes to the browsing experience.
The privacy focused browser Tor offers a function which notifies users when a script requests a canvas fingerprint – but as Pro Publica warns, this can be slow.
Author Rob Waugh, We Live Security