I've Been Mugged Blog

"Canvas fingerprinting" is the latest technique entities use to identify and track consumers' online habits and movements. I use the word "entities" since both private-sector corporations and public-sector government agencies use the technique in their websites. The BBC described it well:

"This technique forces a web browser to create a hidden image. Subtle differences in the set-up of a computer mean almost every machine will render the image in a different way enabling that device to be identified consistently."

Those subtle differences include the many features that distinguish your computer's configuration from others: clock setting, default font, software installed, operating system brand and version, browser brand and version, and more. Researchers at Princeton University in the United States and at the University of Leuven in Belgium analyzed tracking techniques at 100,000 websites. They announced their findings in a draft report dated July 1, 2014:

"We present the first large-scale studies of three advanced web tracking mechanisms -- canvas fingerprinting, evercookies, and use of cookie syncing" in conjunction with evercookies. Canvas fingerprinting, a recently developed form of browser fingerprinting, has not previously been reported in the wild; our results show that over 5% of the top 100,000 websites employ it... The tracking mechanisms studied in this paper can be differentiated from their conventional counterparts by their potential to circumvent users' tracking preferences, being hard to discover and resilient to removal."

The researchers emphasized the extremely difficulty confronting consumers:

"Canvas fingerprinting uses the browser's Canvas API to draw invisible images and extract a persistent, long-term fingerprint without the user's knowledge. There doesn't appear to be a way to automatically block canvas fingerprinting without false positives that block legitimate functionality; even a partial fix requires a browser source-code patch. Evercookies actively circumvent users' deliberate attempts to start with a fresh profile by abusing different browser storage mechanisms to store removed cookies. Cookie syncing... allows different trackers to share user identifiers with each other. Besides being hard to detect, cookie syncing enables back-end server-to-server data merges hidden from public view."

Why the researchers produced this report:

"Our goal is to improve transparency of web tracking in general and advanced tracking techniques in particular.We hope that our techniques and results will lead to better defenses, increased accountability for companies deploying exotic tracking techniques and an invigorated and informed public and regulatory debate on increasingly persistent tracking techniques."

The researchers concluded the following about consumers' ability to maintain their privacy online:

"Current options for users to mitigate these threats are limited, in part due to the difficulty of distinguishing unwanted tracking from benign behavior. In the long run, a viable approach to online privacy must go beyond add-ons and browser extensions. These technical efforts can be buttressed by regulatory oversight. In addition, privacy-friendly browser vendors who have hitherto attempted to take a neutral stance should consider integrating defenses more deeply into the browser."

ProPublica reported:

"The researchers found canvas fingerprinting computer code, primarily written by a company called AddThis, on 5 percent of the top 100,000 websites. Most of the code was on websites that use AddThis’ social media sharing tools. Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish."

I strongly encourage consumers to read the ProPublica article, since it includes an interview with an executive from AddThis. The article also lists five recommendations consumers can do to minimize the online tracking. However, some of the recommendations require technical knowledge and skills beyond what many consumers have.

One recommendation includes using Chameleon with the Google Chrome browser. A reader, who asked me not to mention their name, shared this opinion:

"... Chameleon, it does not appear to be available for Firefox, and I won't run Chrome because of Google's outrageous privacy policy, which is really a disclosure policy that let's Google do pretty much what it wishes with the personal information that its browser, Chrome, collects... putting Chameleon on Chrome just effectively gives Google a monopoly... as it blocks other domains' fingerprinting while leaving Google's collection techniques in Chrome unmolested."

Is this an over-reaction? Consider... earlier this year, Google changed its policy to reflect its continued scanning of all inbound e-mails from non-Gmail users. About the scanning, a United Kingdom newspaper wrote this headline, "Google: Don't Expect Privacy When Sending to Gmail." A simple online search found this review of Google Chrome privacy. Several news organizations reported in December 2013 about how spy agencies in the U.S. and U.K. use Google's proprietary cookie technology.

Plus, MediaPost reported yesterday:

"Back in March of 2012, Google made international headlines with its controversial decision to revise its privacy policy in a way that allowed it to consolidate information about users. Ever since, a group of consumers have been trying to sue the company for allegedly violating users' privacy. This week, a federal judge ruled that the consumers could proceed with a lawsuit -- but not based on their original claims. Instead, U.S. Magistrate Judge Paul Grewal in San Jose, Calif. said that users could continue with allegations that Google wrongly transfers users' names and contact information to app developers."

So, there seems to be enough happening that some consumers understandably might try to minimize or avoid interactions with any Google products and services.

Several news organizations have reported about the high-profile websites that use canvas fingerprinting, including several porn sites and WhiteHouse.gov. Interested readers can browse this list of websites the researchers found that perform canvas fingerprinting.

I would like to thank the researchers for this report. It is greatly appreciated and very valuable. Consumers need to be informed and the websites (e.g., marketers and advertisers) aren't doing it. Tracking methods need to be disclosed and opt-in based.

During the last 7+ years, this blog has covered stories about several technologies (e.g., cookies, “zombie cookies,” Flash cookies, “zombie e-tags,” super cookies, “zombie databases” on mobile devices, etc.) entities have used to persistently track consumers online without their knowledge nor consent; and circumvent consumers' efforts to maintain privacy online. Proponents usually justify the tracking as needed for consumers interested in seeing relevant, target advertisements online (a/k/a "behavioral advertising). Given this history of repeated privacy abuses, sadly I am not surprised about canvas fingerprinting. Frustrated, yes. Surprised, no.

Many of these tracking technologies have resulted in class-action lawsuits, which has been good because the speed of technological change is far faster than both the laws and legislators’ abilities to understand the emerging technologies. I fear that class-actions, as a protection tool for consumers and/or a method to hold privacy abusers accountable, will be more difficult in the future as many banks, telephone, Internet service providers, consumer electronics, software, nursing, and health care companies have added binding arbitration clauses to agreements with their customers.

This persistent tracking raises other issues. Consumers need new browser features to stop this persistent online tracking, as companies user creative ways to restore browser cookies that users have deleted to maintain privacy online. For consumers, help may be on the way in the form of the Privacy Badger tool from the Electronic Frontier Foundation.

A prior blog post discussed the DuckDuckGo search engine as an alternative to traditional search engines (e.g., Google, Bing, Yahoo) for privacy-conscious users. While there was a discussion on one DuckDuckGo community board about canvas fingerprinting, a DuckDuckGo provided the this explanation:

"We removed the canvas check when we launched our reimagined/redesigned version earlier this year. This is no longer a concern. On the old DuckDuckGo, it's function was to detect if anti-aliasing was turned on, because our old default font (Segoe UI) broke when anti-aliasing was off."

So, the revised DuckDuckGo maintains privacy by design. Consumers can continue using the search engine with confidence for privacy.

Some consumers may conclude that using apps on their mobile devices instead of a web browser is an effective way to avoid the online tracking. Assuming this would be foolish given the Google lawsuit mentioned above. Plus, the unique device ID numbers (UDID) on all mobile devices are simply a very tempting identifier and tracking mechanism. It is one reason why so many apps want access to consumers' entire address books and other files on their mobile devices.

Download the researchers' report, "The Web Never Forgets: Persistent Tracking In The Wild" (Adobe PDF, 903 K bytes).

What are your opinions of the researchers' report? Of canvas fingerprinting? Of AddThis? Of Google? Of the failure of websites to inform consumers of the online tracking methods used? If you operate a blog or website using technologies from known canvas fingerprinters, please share your thoughts and/or whether you continue to use these technologies.

[Correction: an earlier version of this blog post mentioned a possible privacy problem with the DuckDuckGo.com search engine. The revised blog post above includes an explanation from DuckDuckGo about how their search engines maintains privacy and avoids canvas fingerprinting.]