July 24, 2014

UPDATED: New Online Tracking Tool Said To Be Nearly Impossible To Block

redOrbit Staff & Wire Reports - Your Universe Online

UPDATE: July 24, 2014 - Clarification and updates provided by a representative of AddThis

Five percent of the world’s top 100,000 websites are using a previously undetected cookie-like online tracking mechanism that is embedded in “share” buttons – and researchers from Princeton University and Belgium’s KU Leuven University report that it is next to impossible to block using conventional computer privacy tools.

According to the authors, their paper is the first large-scale investigation of a mechanism known as canvas fingerprinting. It is also the first study to confirm that the technique, which uses scripts to write an invisible string of text on the browser’s canvas in order to access personal information, is currently being used on actual websites.

As the KU Leuven University team members explained in a statement, canvas fingerprinting software uses one script to instruct the browser to print an invisible string of text on the canvas, and then uses a second to instruct the browser to read back data that contains information about the user’s browser type, graphics card, system font and more.

“Because this grouping of data is highly likely to be unique for each user, it can be reliably associated to individual users, like a fingerprint,” they explained. “Once a website has determined a device’s fingerprint, it can easily recognize the user on subsequent site visits, much in the same way cookies do. But while unwanted cookies can be flagged or blocked to enhance a user’s online privacy, there is no available solution for doing so with fingerprints.”
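The write-then-read sequence described above can be logged from the page's side. The following is an added example, not code from the researchers or from any company named in this article: it wraps the canvas text-drawing and read-back calls and reports a read-back only when text was drawn on the same canvas first. The names `instrumentCanvas`, `FakeCanvas`, `FakeContext2D` and `demo` are hypothetical, and the Fake classes are constructed stand-ins so the logic runs outside a browser.

```javascript
// Added example: flags the "write text, then read back" pattern on a canvas.
// In a browser, pass HTMLCanvasElement.prototype and
// CanvasRenderingContext2D.prototype; the Fake* classes below are constructed
// stand-ins so the logic runs offline in Node.
function instrumentCanvas(canvasProto, ctxProto, report) {
  const textWritten = new WeakMap(); // canvas -> strings drawn on it

  for (const name of ['fillText', 'strokeText']) {
    const original = ctxProto[name];
    ctxProto[name] = function (text, ...rest) {
      const seen = textWritten.get(this.canvas) || [];
      seen.push(String(text));
      textWritten.set(this.canvas, seen);
      return original.call(this, text, ...rest);
    };
  }

  // Read-back calls only matter if text was drawn on the same canvas first.
  const wrapRead = (proto, name, canvasOf) => {
    const original = proto[name];
    proto[name] = function (...args) {
      const seen = textWritten.get(canvasOf(this));
      if (seen) report({ api: name, text: seen.slice() });
      return original.apply(this, args);
    };
  };
  wrapRead(canvasProto, 'toDataURL', (c) => c);
  wrapRead(ctxProto, 'getImageData', (ctx) => ctx.canvas);
}

// Constructed stand-ins for the browser canvas API (no real rendering).
class FakeContext2D {
  constructor(canvas) { this.canvas = canvas; }
  fillText() {}
  strokeText() {}
  getImageData() { return { data: new Uint8ClampedArray(4) }; }
}
class FakeCanvas {
  getContext() { return new FakeContext2D(this); }
  toDataURL() { return 'data:image/png;base64,'; }
}

function demo() {
  const events = [];
  instrumentCanvas(FakeCanvas.prototype, FakeContext2D.prototype, (e) => events.push(e));
  new FakeCanvas().toDataURL();                 // plain read: not reported
  const canvas = new FakeCanvas();
  canvas.getContext('2d').fillText('constructed sample string', 2, 15);
  canvas.toDataURL();                           // read after text: reported
  return events;
}
```

The wrapper only records and reports; it does not alter what the read-back call returns.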

Reports published by claimed that, while there was more than one type of canvas fingerprinting, the most commonly used type of software was “developed by AddThis” and used on popular websites such as, CBS and YouPorn. In addition, the website cited “an AddThis spokesperson” as claiming that those other pages were not informed when the tracking technology was put in place.

However, an AddThis spokesperson has informed that the company “does not develop canvas fingerprinting software,” and that its canvas fingerprinting technology was part of “an internal R&D test that was run during the first half of this year. It has since ended. All data from the test was for R&D purposes only. It was not used and will never be used for ad targeting and personalization.”

“The testing was done in complete compliance with industry standards and AddThis’s own TOS and privacy policy,” the representative said in an email. Similarly, in a July 23 blog post, Vice President of Product Rich LaBarca said that after the completion of the R&D test, the code in question was disabled and “was never used for personalization or targeted advertising.”

“We use cookies to power our anonymous personalization and audience technology with non-personally-identifiable (PII) information. We don’t identify individuals. This is a core philosophy we take to heart and we honor user opt-out preferences any time we act on our data,” he continued.

“Being the largest provider of website tools on the Internet, we have responsibilities to our publishers and their visitors,” LaBarca concluded. “We adhere to industry standards, and have an opt-out process that complies with our membership in the NAI and the DAA. We honored our opt-out policy during this test, and the data was only used for internal research.”

AddThis is one of many companies searching for alternatives to cookies in the wake of European Union laws enacted in May 2012, requiring explicit consent before cookies can be created on a computer. That legislation, explained Matthew Sparkes, Deputy Head of Technology with The Telegraph, was designed to help protect the privacy of less tech-savvy men and women.

However, it came with an unexpected side-effect, creating a race to find a replacement for cookies – which brings us back to the controversy surrounding canvas fingerprinting. In addition to “circumventing EU legislation,” Sparkes said that the technique “also manages to elude most other methods of staying private. Incognito or private modes commonly provided by browsers will not prevent it, nor will advert-blocking software. And there is no special setting in your browser that will turn it off. There are some ways to stop it, but they are laborious and not for those afraid of tinkering with their computers.”

The new Princeton/KU Leuven paper also covers two other types of tracking technology: evercookies (a JavaScript API that produces extremely persistent cookies in a web browser) and cookie syncing (the process of mapping user identities across different computer systems). The researchers call these three techniques part of “an ongoing arms race against privacy,” said Information Week’s Thomas Claburn.

“Online advertising companies want to understand consumer behavior online and they gain this understanding by building interest profiles based on the websites individuals visit. But when people clear the cookie files that websites place on their computers or block them, advertisers may be left in the dark about who is seeing their ads,” Claburn added. “To preclude this possibility – which makes advertising less effective and less profitable – online advertising companies have been experimenting with more reliable ways to get information about website visitors.”