Some of the Web’s top sites are tracking their users’ browsing habits through a new technique that can’t be thwarted by standard privacy software, a recent study found.
As ProPublica reported, the technique is called “canvas fingerprinting.” Users’ digital signatures are created when a website secretly asks their browsers to render a captcha-like image based on the unique specifications of their computer, such as their graphics card and font library. “Different systems produce different output, and thus different fingerprints,” the researchers who first developed the technique wrote in 2012.
These markers can then help track a user’s behavior on the Web. Any site incorporating the fingerprinting code can extract a visitor’s print and then query what other sites captured the same one. In some cases, this browsing data is then used by sites to target advertising based on their visitors’ Web history.
Princeton computer scientist Christian Eubank, who co-authored a new examination of canvas fingerprinting, equates a computer’s unique specifications with a human’s handwriting. “I could ask a person to write a phrase, and every person would write it differently,” he tells Newsweek.
Much of the canvas fingerprinting software was placed on websites by AddThis, a company that makes web sharing tools. According to the company, the code was put on sites for testing purposes and is not actively collecting data. What makes these fingerprints particularly nefarious to privacy advocates is that they are generated without users’ permission, and they work even if cookies have been turned off. AddThis's CEO told ProPublica that the company was looking at the technique as a “cookie alternative.”
According to the Princeton study, more than 5 percent of the 100,000 most-visited websites (as ranked by Alexa) now use canvas fingerprinting. Among them are a slew of pornographic sites (one, You Porn, was apparently unaware it was collecting fingerprints and removed the code after the ProPublica article was published.) The list also contains 41 educational sites, such as those for the City University of New York; the University of California, Davis; and the Brookings Institute. Media sites, like those for the New York Daily News and Newsweek, were also on the list. (Newsweek uses the technology through to prevent users from thwarting the site’s paywall.)
Eubank points out that canvas fingerprinting is a “widely undocumented” tracking tool. It was conceived just two years ago and has yet to become commonly known among Internet users. As such, he says, “a lot of the sites aren’t exactly aware” that they are collecting fingerprints when they incorporate services that use the code into their web pages.
“The techniques they’re using are more sophisticated than we even expected,” he adds.
Correction: An earlier version of this article misidentified AddThis as a company that sells canvas fingerprinting software. The company develops web sharing tools.