Yesterday, ProPublica reported on new research by a team at KU Leuven and Princeton on canvas fingerprinting. One of the most intrusive users of the technology is a company called AddThis, who are employing it in “shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.” Canvas fingerprinting allows sites to get even more identifying information than we had previously warned about with our Panopticlick fingerprinting experiment. 

Canvas fingerprinting exploits the fact that different browsers have slightly different algorithms, parameters, and hardware for turning text into pictures on your screen (or more specifically, into an HTML 5 canvas object that the tracker can read1). According to the research by Gunes Acar, et al., AddThis draws a hidden image containing the unusual phrase “Cwm fjordbank glyphs vext quiz” and observed the way the pixels would turn out differently on different systems. This builds on a fingerprinting technique that was first presented by Keaton Mowery and Hovav Shacham in 2012.  

While YouPorn quickly removed AddThis after the report was published, the White House website still contains AddThis code.  Some White House pages obviously include the AddThis button, such as the White House Blog, and a link to the AddThis privacy policy.

Other pages, like the White House’s own Privacy Policy, load javascript from AddThis, but do not otherwise indicate that AddThis is present. To pick the most ironic example, if you go to the page for the White House policy for third-party cookies, it loads the “addthis_widget.js.” This script, in turn, references “core143.js,” which has a “canvas” function and the tell-tale “Cwm fjordbank glyphs vext quiz” phrase.

The White House cookie policy notes that, “as of April 18, 2014, content or functionality from the following third parties may be present on some WhiteHouse.gov pages,” listing AddThis.  While it does not identify which pages, we have yet to find one without AddThis, whether open or hidden.

On the same page that is loading the AddThis scripts, the White House third-party cookie policy makes a promise: “We do not knowingly use third-party tools that place a multi-session cookie prior to the user interacting with the tool.” There is no indication that the White House knew about this function before yesterday's report.

Nevertheless, the canvas fingerprint goes against the White House policy. It may not be a traditional cookie, but it fills the same function as a multi-session cookie, allowing the tracking of unique computers across the web. While the AddThis privacy policy does not mention the canvas fingerprint by that name, it notes that it sometimes places “web beacons” on pages, which would load prior to the user interacting with the AddThis button.

The main distinction is that the canvas fingerprint can’t be blocked by cookie management techniques, or erased with your other cookies. This is inconsistent with the White House’s promise that “Visitors can control aspects of website measurement and customization technologies used on WhiteHouse.gov.” The website’s How To instructions are no help, because they are limited to traditional cookies and flash cookies.  AddThis’ opt out is no more helpful, as it only prevents targeting, not tracking: “The opt-out cookie tells us not to use your information for delivering relevant online advertisements.”

The White House is far from alone. According to the researchers, over 5,000 sites include the canvas fingerprinting, with the vast majority from AddThis.

What You Can Do to Protect Yourself From Canvas

Fortunately, some solutions are available. You can block trackers like AddThis using an algorithmic tool such as EFF’s Privacy Badger, or a list-based one like Disconnect. Or if you're a fairly knowledgeable user and are willing to do some extra work, you can use a manually controlled script blocker such as No Script to only run JavaScript from domains you trust.

Updated 7/23: Added additional citation to research by Keaton Mowery and Hovav Shacham.

• 1. HTML 5 canvas fingerprinting should not be confused with the type of supercookie that can be created by force-caching images and then using the HTML5 Canvas to read them back, as demonstrated by the evercookie project