Canvas fingerprinting/photomontage by Frank C. Müller
In Canada’s Globe & Mail, Shane Dingman recently reported on a whole new generation of super snooper privacy busters. The one grabbing the most ink is canvas fingerprinting:
Canvas fingerprinting, which can command your browser to draw a unique identifier and then log your online behaviour, is nearly impossible to detect, does not fall under “do not track” voluntary systems and evades most conventional ad-blocking software.
Security researchers at Belgium’s KU Leuven University and Princeton released a study Tuesday (link and abstract below) reporting that at least 5,542 of the top 100,000 sites use CF, mainly through AddThis, a Virginia-based online advertising firm that controls 95% of the business, according to Information Week.
Eleven identified instances of fingerprinting used software created by such providers as Ligatus and Admicro but 9 of the enterprising snoop groups had built their own software (which shows that it isn’t prohibitively difficult).
Why are firms doing this? Because Internet users evade browser cookies like Google’s DoubleClick (which pays sites to host the tracking software) either by blocking or clearing them.
The justification for cookies is that they help pay for Internet use by showing you products you might actually want. If you visit dog lovers’ sites, offers for doggy stuff follow you back to your Inbox as surely as a homeless dog might follow you home. (Or not, if you blocked or erased the cookies.)
Two other new supersnoop technologies are evercookies and cookie syncing (“an ongoing arms race against privacy,” as the Leuven–Princeton researchers put it.) Evercookies are harder to block or erase than the usual browser cookies and cookie synching shares your data with other domains.
AddThis claims canvas fringerprinting was just an experiment. Translation: We have to be sure it works before we invest tens of millions.
Some firms may have been using the technology without senior execs even knowing. Metro, one of Canada’s biggest grocery chains, has been using it since 2013 but has now stopped, according to Montreal’s La Presse,
“We were not aware of and it was done without notifying us. So we will not expose our users to a new method that, in our opinion, violates our policy on privacy, “said Geneviève Grégoire, spokesman for Metro.
(It seemed like such a great idea down in the tech pub.)
There are services such as Disconnect that can block current versions of canvas fingerprinting. Co-founder Casey Oppenheim notes,
The Internet economy relies on the advertising economy, and I don’t want that to change, but we can’t sacrifice transparency along the way. The way it is now, people don’t understand there is an exchange for your privacy.
Yes indeed, a vast market where we are all for sale as potential customers. And, as Howard Solomon warns at IT World Canada, worse is to come if “companies merge databases containing the browsing histories of users.” Which they could do if the companies themselves merged…
The study authors call for more regulatory intervention. Trust me, I’m not allergic to regulation. But I am not a fan during the early stages of a new problem like this. That’s principally because it is quite easy for the wrong legislation to be passed before the problem is clearly understood, and all likely options fairly considered. We then find ourselves publicly funding and enforcing an approach that doesn’t work and creates unrelated problems – but now has a solid base of backers who are invested in it simply because it is their system.
For example, there could be an apparently innocuous exception in the legislation, allowing data to be collected for the purposes of “health” or “crime prevention,” only to morph into a domestic espionage enterprise that rivals Cuba or China. Put another way, very few people set out to build a monster. Frankenstein was an exception; in fact, that’s why he became famous, not just because what he built was a monster (nothing new there)! Privacy policies that work will need to be as carefully crafted as the snoopware itself.
Facepalm: Facebook experiments on its users (Part II) Does the sheer size of the study mean anything, as Big Data enthusiasts claim?
This vid explains why it is difficult to track a canvas fingerprint with current technology:
We present the first large-scale studies of three advanced web tracking mechanisms canvas fingerprinting, evercookies and use of cookie syncing” in conjunction with evercookies. Canvas fingerprinting, a recently developed form of browser fingerprinting, has not previously been reported in the wild; our results show that over 5% of the top 100,000 websites employ it. We then present the first automated study of evercookies and respawning and the discovery of a new evercookie vector, IndexedDB. Turning to cookie syncing, we present novel techniques for detection and analysing ID flows and we quantify the amplication of privacy-intrusive tracking practices due to cookie syncing.
Our evaluation of the defensive techniques used by privacy-aware users nds that there exist subtle pitfalls such as failing to clear state on multiple browsers at once in which a single lapse in judgement can shatter privacy defenses. This suggests that even sophisticated users face great diffculties in evading tracking techniques.
Denyse O’Leary is a Canadian journalist, author, and blogger.