Yesterday, ProPublica reported on new research by a team at KU Leuven and Princeton on canvas fingerprinting. One of the most intrusive users of the technology is a company called AddThis, which is employing it in “shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.” Canvas fingerprinting allows sites to get even more identifying information than we had previously warned about with our Panopticlick fingerprinting experiment.
Canvas fingerprinting exploits the fact that different browsers have slightly different algorithms, parameters, and hardware for turning text into pictures on your screen (or more specifically, into an HTML5 canvas object that the tracker can read [1]). According to the research by Gunes Acar, et al., AddThis draws a hidden image containing the unusual phrase “Cwm fjordbank glyphs vext quiz” and observes the way the pixels turn out differently on different systems. This builds on a fingerprinting technique that was first presented by Keaton Mowery and Hovav Shacham in 2012.
The main distinction is that the canvas fingerprint can’t be blocked by cookie management techniques, or erased with your other cookies. This is inconsistent with the White House’s promise that “Visitors can control aspects of website measurement and customization technologies used on WhiteHouse.gov.” The website’s How To instructions are no help, because they are limited to traditional cookies and Flash cookies. AddThis’ opt-out is no more helpful, as it only prevents targeting, not tracking: “The opt-out cookie tells us not to use your information for delivering relevant online advertisements.”
The White House is far from alone. According to the researchers, over 5,000 sites include canvas fingerprinting, with the vast majority from AddThis.
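The draw-text-then-read-back pattern described above can be observed from inside the page. The following is an added example, not code from the researchers or from AddThis: it wraps the standard canvas text and readback methods and reports any canvas that is read after text was drawn into it. The heuristic, the function names and the stub classes are assumptions for illustration; in a browser you would pass `HTMLCanvasElement.prototype` and `CanvasRenderingContext2D.prototype`.

```javascript
// Added example: report canvases that have text drawn into them and are then
// read back. The heuristic is an assumption, not the researchers' exact method.
function instrumentCanvas(canvasProto, ctxProto, report) {
  const textDrawn = new WeakMap(); // canvas -> strings drawn into it
  for (const name of ['fillText', 'strokeText']) {
    const original = ctxProto[name];
    ctxProto[name] = function (text, ...rest) {
      const seen = textDrawn.get(this.canvas) || [];
      seen.push(String(text));
      textDrawn.set(this.canvas, seen);
      return original.call(this, text, ...rest);
    };
  }
  // Wrap a readback method; canvasOf maps `this` to the canvas being read.
  const wrapRead = (proto, name, canvasOf) => {
    const original = proto[name];
    proto[name] = function (...args) {
      const seen = textDrawn.get(canvasOf(this));
      if (seen) report({ api: name, text: seen.slice() });
      return original.apply(this, args);
    };
  };
  wrapRead(canvasProto, 'toDataURL', c => c);
  wrapRead(ctxProto, 'getImageData', ctx => ctx.canvas);
}

// Constructed stand-ins for the browser classes so the example runs offline.
function demo() {
  class StubContext {
    constructor(canvas) { this.canvas = canvas; }
    fillText() {}
    strokeText() {}
    fillRect() {}
    getImageData() { return { data: new Uint8ClampedArray(4) }; }
  }
  class StubCanvas {
    getContext() { return new StubContext(this); }
    toDataURL() { return 'data:image/png;base64,'; }
  }
  const reports = [];
  instrumentCanvas(StubCanvas.prototype, StubContext.prototype, r => reports.push(r));
  const chart = new StubCanvas();           // shapes only, then export: no report
  chart.getContext('2d').fillRect(0, 0, 10, 10);
  chart.toDataURL();
  const probe = new StubCanvas();           // text drawn, then read back: reported
  probe.getContext('2d').fillText('Cwm fjordbank glyphs vext quiz', 2, 15);
  probe.toDataURL();
  return reports;
}
```

A report is a signal to investigate, not proof of tracking: legitimate pages also draw text into a canvas and export it.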
What You Can Do to Protect Yourself From Canvas
Updated 7/23: Added additional citation to research by Keaton Mowery and Hovav Shacham.
[1] HTML5 canvas fingerprinting should not be confused with the type of supercookie that can be created by force-caching images and then using the HTML5 Canvas to read them back, as demonstrated by the evercookie project.