Tons Of Sites, Including WhiteHouse.gov, In Unwitting AddThis Experiment With Tracking Technology That Is Difficult To Block

from the our-post-cookie-era dept

Tue, Jul 22nd 2014 3:42am — Mike Masnick

ProPublica has a new story about the rise of "canvas fingerprinting," a new method of tracking users without using cookies. It's a method that is apparently quite difficult to block if you're using anything other than Tor Browser. In short, canvas fingerprinting works by sending some instructions to your browser to draw a hidden image -- but does so in a manner making use of some of the unique features of your computer, such that each resulting image is likely to be unique (or nearly unique). The key issue here is that the popular "social sharing" company AddThis, which many sites (note: not ours) use to add "social" buttons to their website, had been experimenting with canvas fingerprinting to identify users even if they don't use cookies. As ProPublica's Julia Angwin notes, it's very difficult to block this kind of thing -- and tons of sites make use of AddThis -- including WhiteHouse.gov (whose privacy policy does not seem to reveal this, saying it only uses Google Analytics as a third party provider).

The report does note that others who have tried canvas fingerprinting have found that it's not necessarily accurate enough yet, but the technology appears to keep getting better. Still, AddThis says it's likely to drop it anyway, because it's not good enough yet:

AddThis said it rolled out the feature to a small portion of the 13 million websites on which its technology appears, but is considering ending its test soon. “It’s not uniquely identifying enough,” Harris said.

AddThis did not notify the websites on which the code was placed because “we conduct R&D projects in live environments to get the best results from testing,” according to a spokeswoman.

The company also insisted it wasn't doing anything bad with the tracking, but even if you believe that's true, how long will it be until others make use of similar fingerprinting for more questionable behavior.

Given the attention this is getting, hopefully browsers will at least role out features that allow users more notification and control over such practices. Cookies are hardly a perfect solution, but at least users have control over them.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: canvas fingerprinting, cookies, tracking, whitehouse, whitehouse.gov
Companies: addthis

69 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Ninja (profile), 22 Jul 2014 @ 3:45am

The advertising efforts have reached a level today that people find "creepy" and "scary" (not my words) when they get the picture of how it works, which is not as easy as it seems.

If somebody is actively trying to stay away from the tracking and the advertisement you should just let it at that. Chances are you will enrage such person and drive them further away from your product if you insist. I've gave up items I was going to buy with 100% certainty because of such intrusive advertising already, I hate it. And when people get to know how things work they usually want it all blocked too.
[ link to this | view in chronology ]
Anonymous Coward, 22 Jul 2014 @ 3:57am

Here is the scary part
“It’s not uniquely identifying enough,”

They didn't say they didn't want to track and identify people, they said it wasn't "good enough".
[ link to this | view in chronology ]
- Anonymous Coward, 22 Jul 2014 @ 5:07am
  
  Re: Here is the scary part
  As far as I know the current canvas fingerprinting is very good at uniquely identifying computers. The problem is that the computers fingerprint will change over time too, so you may only identify a computer for maybe a month before it gets tagged as another computer. I would expect it to be difficult to predict the degradation of the computer with enough certainty to connect these fingerprints, which is bad for business.
  
  The technologies are virtually impossible to guard against. In the end these kinds of tracking is just something we have to accept in the long run.
  [ link to this | view in chronology ]
  - That One Guy (profile), 22 Jul 2014 @ 5:15am
    
    Re: Re: Here is the scary part
    The technologies are virtually impossible to guard against.
    
    That sounds like a challenge to me. Techies, 'hackers', and other people who enjoy fiddling around with code and computers love challenges, the harder the better.
    [ link to this | view in chronology ]
    - Anonymous Coward, 22 Jul 2014 @ 5:33am
      
      Re: Re: Re: Here is the scary part
      One interesting thing to do would be run a script that continuously changes characteristics used in defining the "fingerprint".
      [ link to this | view in chronology ]
      - Anonymous Coward, 22 Jul 2014 @ 6:30am
        
        Re: Re: Re: Re: Here is the scary part
        I've always wanted to find the time to make a plugin that swaps tracking cookies with other people rather than just blanking them.
        
        Similar thing to switch your system around so it looks like someone else could make this kind of tracking very confusing for the tracker.
        [ link to this | view in chronology ]
      - art guerrilla (profile), 22 Jul 2014 @ 7:40am
        
        Re: Re: Re: Re: Here is the scary part
        yes, plug in a peripheral that you never use, but does it change the 'fingerprint' ? presumably so...
        so you plug in an old flashdrive, and/or whatever, then unplug it the next time, etc...
        
        what next ? we have 'burner' phones, are we going to 'burner' pc's now ? ? ?
        [ link to this | view in chronology ]
  - Anonymous Coward, 22 Jul 2014 @ 9:46am
    
    Re: Re: Here is the scary part
    The technologies are virtually impossible to guard against.
    Add the following to your hosts file:
    
    127.0.0.1 p.addthis.com
    127.0.0.1 s3.addthis.com
    127.0.0.1 s7.addthis.com
    127.0.0.1 s9.addthis.com
    127.0.0.1 su.addthis.com
    127.0.0.1 www.addthis.com
    
    Presto, you can't connect to them, they can't track you.
    Any other virtually impossible problems you need solved?
    [ link to this | view in chronology ]
    - Ninja (profile), 22 Jul 2014 @ 10:37am
      
      Re: Re: Re: Here is the scary part
      That considering they don't add more. Still, ABP should block loading of anything from these, no?
      [ link to this | view in chronology ]
      - Anonymous Coward, 22 Jul 2014 @ 12:37pm
        
        Re: Re: Re: Re: Here is the scary part
        The root of all the evilz is Microshits refusal to allow for wildcard usage in the hosts file.
        
        For example: 127.0.0.1 *.addthis.com
        [ link to this | view in chronology ]
        
        Rekrul, 22 Jul 2014 @ 1:02pm
        
        Re: Re: Re: Re: Re: Here is the scary part
        Do other operating systems allow wildcards in the hosts file?
        [ link to this | view in chronology ]
        
        John Fenderson (profile), 22 Jul 2014 @ 1:53pm
        
        Re: Re: Re: Re: Re: Re: Here is the scary part
        Yes
        [ link to this | view in chronology ]
      - nasch (profile), 22 Jul 2014 @ 2:15pm
        
        Re: Re: Re: Re: Here is the scary part
        Still, ABP should block loading of anything from these, no?
        
        Is this technique javascript based? If so of course NoScript would take care of it as well.
        [ link to this | view in chronology ]
Anonymous Coward, 22 Jul 2014 @ 3:59am

Maybe something like RequestPolicy could help by blocking external elements (i.e. the AddThis beacon) other than from the actual domain you're visiting (e.g. Whitehouse.gov).
[ link to this | view in chronology ]
- Anonymous Coward, 22 Jul 2014 @ 5:50am
  
  Re:
  I use NoScript...would it work the same concept ? Because I can't use RequestPolicy, using NS and it at the same time + disconnect + ghostery + autodestructing cookies is one hell of a headache.
  [ link to this | view in chronology ]
  - BSD32x (profile), 22 Jul 2014 @ 6:44am
    
    Re: Re:
    Ghostery is proprietary software, though. It is owned by a marketing company, Evidon, and there have been well supported accusations that it in fact is used to help advertisers discover how users are blocking ads - http://lifehacker.com/ad-blocking-extension-ghostery-actually-sells-data-to-a-514417864 http://www.businessinsider.com/evidon-sells-ghostery-data-to-advertisers-2013-6 I would personally recommend Disconnect, which another commenter mentioned, instead, it's an open source alternative to Ghostery - https://disconnect.me/disconnect
    
    I would also recommend CookieKeeper over Self Destructing Cookies, as it's been deprecated. https://addons.mozilla.org/en-US/firefox/addon/cookiekeeper/
    [ link to this | view in chronology ]
- John Fenderson (profile), 22 Jul 2014 @ 9:07am
  
  Re:
  I believe that NoScript can accomplish what you want here, but it would be easier and more targeted to just disable accesses to the AddThis servers using your hosts file.
  [ link to this | view in chronology ]
  - Anonymous Coward, 22 Jul 2014 @ 9:12am
    
    Re: Re:
    It does, in fact that is what I do when I use the Konqueror web browser. There are also userscripts for the Greasemonkey add on that can accomplish this. For the average non-technical user, I still think Disconnect is probably the better choice. I still use it with Firefox/Ice Weasel due to all of its other benefits and built in/updated tracker lists.
    [ link to this | view in chronology ]
NoahVail (profile), 22 Jul 2014 @ 4:05am

Not too hard to block - yet
Ghostery blocks AddThis effortlessly.

Blocking trackers is the same good idea as blocking ads
because the industries behind ads/trackers
do not police themselves well enough to have earned our trust.
[ link to this | view in chronology ]
- Bt Garner (profile), 22 Jul 2014 @ 4:14am
  
  Re: Not too hard to block - yet
  DoNotTrackMe also blocks AddThis by default.
  [ link to this | view in chronology ]
- Anonymous Coward, 22 Jul 2014 @ 5:36am
  
  Re: Not too hard to block - yet
  That's exactly right.
  
  After years of enduring pop-ups, pup-unders, in-your-face flash banners and a myriad of other forms of intrusive advertising that got in the way of what I originally went to a website for, I eventually turned to pop-up and ad-blockers and I haven't looked back. Between those tools and Ghostery, I infrequently see advertising unless I've white-listed a site a like well enough where they don't engage in that type of advertising crap.
  [ link to this | view in chronology ]
  - art guerrilla (profile), 22 Jul 2014 @ 7:44am
    
    Re: Re: Not too hard to block - yet
    yep, as much as there are some sites (like techdirt) where i would *like* to support them by allowing ads (I NEVER LOOK AT); i am INFINITELY more interested in stopping as much crap from being forced on me as possible...
    [ link to this | view in chronology ]
    - John Fenderson (profile), 22 Jul 2014 @ 9:10am
      
      Re: Re: Re: Not too hard to block - yet
      Yes, this. I block all ads as much and as hard as I can regardless of what site is using them. Ad networks are not trustworthy, and will track you through any and all means they can.
      
      For more enlightened sites (such as Techdirt) that provide a way to support them by just giving them money, I do that instead. It's why I'm an "insider" here -- I block all the ads, but am willing to pay for the content.
      [ link to this | view in chronology ]
- Doug (profile), 22 Jul 2014 @ 6:14am
  
  Re: Not too hard to block - yet
  Privacy Badger also blocks this.
  [ link to this | view in chronology ]
  - Doug (profile), 22 Jul 2014 @ 6:22am
    
    Re: Re: Not too hard to block - yet
    Thanks to @RoninOne for pointing out that tools that block tracking cookies won't work for canvas fingerprinting. I just checked on Privacy Badger, since I recommended it, and it appears that it will work, but I'm just going off what is in their FAQ:
    
    "If as you browse the web, the same source seems to be tracking your browser across different websites, then Privacy Badger springs into action, telling your browser not to load any more content from that source. And when your browser stops loading content from a source, that source can no longer track you. Voila!"
    
    Seems like that would work. However, there is a loophole that may or may not be open:
    
    "In some cases a third-party domain provides some important aspect of a page's functionality, such as embedded maps, images, or fonts. In those cases Privacy Badger will allow connections to the third party but will screen out its tracking cookies."
    
    FYI.
    [ link to this | view in chronology ]
Anonymous Coward, 22 Jul 2014 @ 4:18am

Presumably trying to do a similar thing to panopticlick ( https://panopticlick.eff.org/ ) from a few years ago.

The "trick" is managing to get unique enough with out tripping warnings to the users and giving the game away. Which thankfully no one seems to have cracked yet. At least not publicly.
[ link to this | view in chronology ]
- Anonymous Coward, 22 Jul 2014 @ 5:07am
  
  Re:
  Nice link, thanks,.
  [ link to this | view in chronology ]
any moose cow word, 22 Jul 2014 @ 4:19am

I don't know about this one. The information that a server can get from a user is rather limited without javascript, and javascript can be blocked. The info they can get otherwise might be enough to ID a specific user at an IP address, behind a NAT, but mobile users will change their IP many times a day.
[ link to this | view in chronology ]
- Anonymous Coward, 22 Jul 2014 @ 4:28am
  
  Re:
  Also with mobiles the in-ability to install plugins means that just about every single mobile browser is identical to every other one of the same type even if javascript is enabled.
  [ link to this | view in chronology ]
- NoahVail (profile), 22 Jul 2014 @ 4:31am
  
  Re:
  Blocking javascript is hard compared to blocking trackers because so many sites become broken without js.
  [ link to this | view in chronology ]
  - Anonymous Coward, 22 Jul 2014 @ 4:51am
    
    Re: Re:
    Then avoid those sites - simple.
    [ link to this | view in chronology ]
  - Anonymous Coward, 22 Jul 2014 @ 6:11am
    
    Re: Re:
    It's not so hard to learn NoScript and what to allow for 99% of sites to work, yes even thedailyshow.com, usually allowing, the namesake js, the comedynetwork js and the CDN js and you got it.
    [ link to this | view in chronology ]
  - John85851 (profile), 22 Jul 2014 @ 6:44am
    
    Re: Re:
    And that's exactly what's wrong with "Web 2.0" websites: if you block javascript because you don't want any nasties, then the site may not work, but if you enable javascript to get the site to work, then you're enabling all the trackers and other code.
    [ link to this | view in chronology ]
  - John Fenderson (profile), 22 Jul 2014 @ 9:13am
    
    Re: Re:
    It's not as hard as all that, really. I use NoScript and disable Javascript through it. Since I can enable specific bits of Javascript on a page on-demand and as needed, this blocking has never prevented me from using a website.
    [ link to this | view in chronology ]
    - Anonymous Coward, 22 Jul 2014 @ 9:19am
      
      Re: Re: Re:
      Sure, but NoScript is not available for all browsers. If you're going to use a more obscure browser, it's still necessary to edit your hosts file, unfortunately. Greasemonkey is available for WebKit browsers, though, so you'd have to really go out of your way with something like KHTML or NetSurf to absolutely need to do this.
      [ link to this | view in chronology ]
      - John Fenderson (profile), 22 Jul 2014 @ 9:55am
        
        Re: Re: Re: Re:
        True, which is why I prefer to block access to known bad sites using the hosts file instead. You can even find preconfigured hosts files that block an extensive number of these sites, so all you have to do is pretty much just copy the file to the right location.
        
        The other advantage to the hosts file is with your mobile devices: if you're running a rooted Android, you can block all these accesses from it in exactly the same way.
        [ link to this | view in chronology ]
ECA (profile), 22 Jul 2014 @ 4:37am

There is so much
There is so much TRACKING that it takes over 1/2 the net traffic to watch it..
I have been to sites that had so many Tracking cookies that it took 5 minutes to find my way to the site..

I love programming, but SOME of the idiots out there use serial programming, Which means you take 1 step at a time..And you cant PASS a step(cookie) to get to a site. Its STUPID..
I LOVE the Overlay system they found, they use it OVEr video's to FORCE you to watch adverts..

Iv asked, and been denied, 1 little prog, to put NAMES in the comments of the cookies, of the location I got them..
SO THAT IF' I find the cookie that crashed a system, I can TRACK it tot he site, and ASK for info, of where it came from...and follow it back..
What do you think would happen, if you KNEW a certain site had LET a cookie infect your system?
What do you think would happen to the advertiser?
HOW about the Cookie maker, that worked for the advertiser?

Anyone seeing a way to track SPAMMERS here?
[ link to this | view in chronology ]
- Anonymous Coward, 22 Jul 2014 @ 6:25am
  
  Re: There is so much
  "some of the idiots out there use serial programming, which means you take 1 step at a time... and you can't pass a step (cookie) to get to a site. It's stupid.."
  You do realize that is often on purpose. The website doesn't want you to be able to view their site unless you accept their cookies.
  
  "I've asked, and been denied"
  I like your proactive attitude about fighting tracking cookies, but what do you mean you "asked, and have been denied"? Denied by whom?
  [ link to this | view in chronology ]
  - ECA (profile), 22 Jul 2014 @ 10:11pm
    
    Re: Re: There is so much
    Sent a request for an addon from mozilla to add comments to cookies, listing the location is came from
    [ link to this | view in chronology ]
Anonymous Coward, 22 Jul 2014 @ 4:54am

Considering the data caps some have to deal with, one might think these websites would not use data heavy advertising techniques .... awwww, who am I kidding - they don't give a shit about you, lolololol.
[ link to this | view in chronology ]
RoninOne, 22 Jul 2014 @ 5:31am

Ghostery
To all the commenters talking about Ghostery or donttrackme, those DO NOT block canvas fingerprinting, they block cookies. AddThis also uses cookies, which those extensions do block, but currently there is nothing that blocks canvas fingerprinting by default. Also to add to the article, they are only about 90% accurate since computers settings change often depending on the user.
[ link to this | view in chronology ]
- Anonymous Coward, 22 Jul 2014 @ 5:35am
  
  Re: Ghostery
  Does this fingerprint approach rely upon javascript?
  [ link to this | view in chronology ]
  - Michael, 22 Jul 2014 @ 6:30am
    
    Re: Re: Ghostery
    Canvass fingerprinting uses the HTML5 canvass element. If your browser displays HTML5, it is going to work regardless of the extensions and blockers you have installed (that's the point).
    
    Right now, there is a bunch of attention - particularly since AddThis had it turned on for some popular porn sites. It seems likely to me that some of the ad-blockers and tracker companies are actively working on stripping out the canvass tags from the html so this will not function.
    
    You could also use an older browser (IE 8 or earlier, I believe) that does not support HTML5 until someone comes up with a reliable way to block this.
    [ link to this | view in chronology ]
    - Anonymous Coward, 22 Jul 2014 @ 8:02am
      
      Re: Re: Re: Ghostery
      It would seem the AddThis fingerprint would actually have to be relayed at some point. Hosts file?
      [ link to this | view in chronology ]
- Nicholas Weaver (profile), 22 Jul 2014 @ 6:30am
  
  Re: Ghostery
  Ghostery does block stuff like this, because it blocks the widget from loading at all.
  
  Of course, the problem is that ends up being potentially disruptive, as now the AddThis widget doesn't display at all.
  [ link to this | view in chronology ]
  - nasch (profile), 22 Jul 2014 @ 2:20pm
    
    Re: Re: Ghostery
    Of course, the problem is that ends up being potentially disruptive, as now the AddThis widget doesn't display at all.
    
    So, double bonus.
    [ link to this | view in chronology ]
- Hi, 22 Jul 2014 @ 7:45am
  
  Re: canvas
  I'd think that older generations of browsers, pre-HTML5 without Canvas support, would resist that tracking, but then there's the problem that they'd be subject to some drive-by vulnerabilities that have since been patched.
  
  Maybe an update to the current browsers can include a setting to disable the Canvas resource. That would certainly break many HTML5 effects, but is less limiting than blocking Javascript if you don't want to be tracked.
  [ link to this | view in chronology ]
- dvjhs, 23 Jul 2014 @ 1:57am
  
  Re: Ghostery
  TOR Browser blocks
  [ link to this | view in chronology ]
Rich Kulawiec, 22 Jul 2014 @ 6:01am

Where are you, Firefox?
Has anyone else noticed that Firefox's development has regressed to endless self-indulgent tinkering with the UI (which was just fine 16 revisions ago) instead of integrating the VERY necessary defenses provided by add-ons into the core browser? By now, Firefox should long since have folded in AdBlock Plus, NoScript, Ghostery, Beef Taco, HTTPS Everywhere, Calomel SSL Validation, and others. (Not necessarily all in their entirety or current form: but the majority of the functionality should be there.)

It's absolutely ridiculous that in 2014 the Firefox web browser ships in an undefended state. But I suppose it's easy to move buttons around and continuously dumb down the interface than it is to actually do the hard work of defending users.
[ link to this | view in chronology ]
- Anonymous Coward, 22 Jul 2014 @ 6:19am
  
  Re: Where are you, Firefox?
  Taking out the status bar was fucking dumb, so many good addons go there and only there, thankfully I found status4ever or something like that. it was the only way to access my rutorrent icon.
  [ link to this | view in chronology ]
  - Anonymous Coward, 22 Jul 2014 @ 6:21am
    
    Re: Re: Where are you, Firefox?
    also elite proxy switcher, need it in case I rebooted and didn't create my ssh tunnel to my server yet as one of many examples.
    [ link to this | view in chronology ]
- velox (profile), 22 Jul 2014 @ 6:34am
  
  Re: Where are you, Firefox?
  Mozilla is dependent on the Google money that supports them.
  
  Some things in Firefox that would be safer for the user are off or unconfigured by default. For example Do Not Track is not active by default.
  I suspect (of course I have no proof) it's because Google prefers it that way.
  [ link to this | view in chronology ]
  - Anonymous Coward, 22 Jul 2014 @ 6:44am
    
    Re: Re: Where are you, Firefox?
    google is a business... treat it just like that no matter what they say and you will never be caught off guard.
    
    A business is only there to make money... once the money making stops... guess what? No more business!
    [ link to this | view in chronology ]
    - Anonymous Coward, 23 Jul 2014 @ 2:55am
      
      Re: Re: Re: Where are you, Firefox?
      Sure, but that doesn't make Mozilla better equipped. Chrome has taken a lot of the pressure off of Google in the negotiations. Now Google have a pretty strong say in how Firefox works if Mozilla want economic support from that direction.
      
      That connection would stop if Google became the target of boycuts, which would be uncomfortable for Mozilla to put it lightly...
      [ link to this | view in chronology ]
- Anonymous Coward, 22 Jul 2014 @ 8:28am
  
  Re: Where are you, Firefox?
  I was a loyal user, but Mozilla kept disappointing over and over again... Ad-laden start page; Australis; upcoming support for DRM. Enough is enough -- I ditched it in favour of Palemoon (which I tend to like more than Iceweasel, OS difference notwithstanding).
  
  I think it's a bit too much to hope that Mozilla will incorporate features found in addons such NoScript (beyond simple js blocking) or HTTPS Everywhere when they're trying half-heartedly to comply with Hollywood pressure and possibly full-heartedly to make a Mozilla Chrome.
  [ link to this | view in chronology ]
  - BSD32x (profile), 22 Jul 2014 @ 8:40am
    
    Re: Re: Where are you, Firefox?
    You raise some good points, although I'm not wild about Palemoon's licensing: http://www.palemoon.org/redist.shtml I think the opportunity is ripe for someone to launch a Kickstarter for a new browser, one that is committed to FOSS principles and under a BSD-style license or the GPL. WebKit has been a good alternative, but the QtWebKit engine and its predecessor KHTML are all but dead. With browsers like Qupzilla and Opera now being built on Google's Chromium/QtWebEngine framework, the only truly open browser still in development is NetSurf, which just isn't able to meet the needs of most users right now. Who knows, maybe some enterprising young programmers will seize on the opportunity.
    [ link to this | view in chronology ]
  - Jason, 22 Jul 2014 @ 8:44am
    
    Re: Re: Where are you, Firefox?
    I had the very same experience. I switched to Palemoon this spring after another Firefox change and I haven't looked back. A few minutes of configuration and it was like being back in the happy place you thought was long gone.
    
    I can't get Adobe's PDF plugin to work, which is kind of a nuisance, but Palemoon is the browser I've been searching for ever since Firefox 14.
    [ link to this | view in chronology ]
Anonymous Coward, 22 Jul 2014 @ 6:11am

disconnect.me
I'm not sure if disconnect.me protects against this.
[ link to this | view in chronology ]
- BSD32x (profile), 22 Jul 2014 @ 7:07am
  
  Re: disconnect.me
  It does, and it is open source unlike Ghostery. They wrote a blog post last night about this very issue, actually. https://blog.disconnect.me/disconnect-blocks-new-tracking-device-that-makes-your-computer-draw-a-uni que-image
  [ link to this | view in chronology ]
Anonymous Coward, 22 Jul 2014 @ 6:42am

WHEN?!
Can I have a browser that will RANDOMLY spew proper looking but actual shit to people asking for my info?

Work the logistic out... I bet the first browser to produce this would get near instant majority market share.
[ link to this | view in chronology ]
Anonymous Coward, 22 Jul 2014 @ 6:58am

Firefox extensions (with links!)
I see some folks speculating about various Firefox extensions that may or may not be helpful. For the benefit of readers who are unfamiliar with those extensions:

NoScript causes the browser not to run Javascript on a page until you allow it. You grant permission on a per-serving-domain basis. Using NoScript will break poorly written Web 2.0 sites until you whitelist them. Whitelisting may take several tries as you run down which domains are responsible for the scripts that the page requires for proper functionality. However, since NoScript denies first and permits only on command, it is very effective at killing unwanted scripts.

RequestPolicy causes the browser not to load resources from domains other than the current one, until you permit it. You can grant permissions on a per-source domain, per-destination domain, or per-both basis. Per-destination lets you say that all embeds of YouTube are allowed, regardless of where you find them. Per-source lets you say that Techdirt can always embed a resource, no matter where that resource is hosted. Per-both lets you write rules such as "Techdirt may embed YouTube, but nothing else can embed it under this rule." (You might have other rules that whitelist YouTube for use on other sites. Once a match permits the embed, then it is allowed even if other permissions fail to match.) As with NoScript, a blank install of RequestPolicy will make some sites look odd or function poorly until you whitelist the domains that serve their supporting resources. In some cases, you may need to whitelist a site once in RequestPolicy to allow its JavaScript to be loaded, then whitelist that same site in NoScript to allow the JavaScript to be run once it has loaded. Although inconvenient, this can be useful, since NoScript only grants permission based on the serving domain, but RequestPolicy can also look at the domain that requested the script. Thus, you could whitelist Google's copy of jQuery in NoScript, but use RequestPolicy to allow it to load only on selected sites.

AdBlock Plus blocks user-specified resources. By default, it has no blocks, but you can subscribe to community-maintained lists. AdBlock plus could block the AddThis tracker, but would require that you (or someone who maintains a list you use) block the domain(s) that serve the tracker. By contrast, both NoScript and RequestPolicy block everything you have not permitted.

Ghostery

Privacy Badger
[ link to this | view in chronology ]
- BSD32x (profile), 22 Jul 2014 @ 7:03am
  
  Re: Firefox extensions (with links!)
  I agree with all of those EXCEPT for Ghostery, given the tone of this article and discussion, I don't understand why it's being advocated. It is specifically used by a marketing company to generate revenue by selling data to advertisers, and is allegedly used to help advertisers create more technology that is difficult to block.
  [ link to this | view in chronology ]
  - Anonymous Coward, 22 Jul 2014 @ 7:25am
    
    Re: Re: Firefox extensions (with links!)
    Sorry, I do not use Ghostery and did not see the negative remarks about it until after I posted. I provided a link to it for completeness, but if those allegations are accurate, it should be avoided. If I could retract my prior link to it, I would.
    [ link to this | view in chronology ]
    - BSD32x (profile), 22 Jul 2014 @ 7:31am
      
      Re: Re: Re: Firefox extensions (with links!)
      It's fine, no offense meant on my part. I just want to make sure that information is out there, especially since several commenters before you recommenhded it.
      
      Ghostery has been getting mentioned on a lot of other news sites I frequent since this story broke, as well. It would not surprise me if they astroturf comments pages to promote it when there are stories like this, since it's in their financial interest to do so. Let me be clear and say that there is no evidence of that, to the best of my knowledge, that's just speculation on my part.
      [ link to this | view in chronology ]
HIDE UNDER THE BED, 22 Jul 2014 @ 7:27am

Canvas Fingerprinting
Ever since the U.S. & Israeli govts rolled out Stuxnet on the Iranians to screw up their centerfuges (& their nuke program), both countries (U.S. & Israel) spy agencies worked on a worse spying tool "Flame". When they were exposed by Kaspersky, they tried said they were 'only' infecting suspected terrorists in the middle east and no one need worry about it! One of the key features of Flame, was that it could make screen shots of any infected computer and it could record every keystroke.
This 'Canvas Fingerprinting' sounds like it originated at the N.S.A.
The Nazis at NSA never sleep. Hail to the United Secret Police State of America! Secret police with secret laws and secret punishments.
When Obama said (after Snowden's revelations -June 7, 2013): “You can’t have 100 percent security and also then have 100 percent privacy and zero inconvenience,”...“We’re going to have to make some choices as a society.”
What he means is: We get 100 percent "security" and zero privacy. That is the choice he and George W. Bush have chosen for the rest of us.
[ link to this | view in chronology ]
Anonymous Coward, 22 Jul 2014 @ 7:44am

Here's a good one!
Q: What do porn websites and the President of the United States of America's website have in common?

A: Sleazy user tracking.

Q: What's the difference between porn websites and the President of the United States of America's website?

A: You don't have to wait more than a year for a response from a porn website.
[ link to this | view in chronology ]
Eli the Bearded, 22 Jul 2014 @ 3:55pm

Try it yourself
The site http://www.browserleaks.com/ has a demo of the canvas fingerprinting method. I emailed the Panopticlick suggestion address about a month ago asking them to update the site with tests like the canvas one from browserleaks.
[ link to this | view in chronology ]
Anonymous Coward, 22 Jul 2014 @ 8:05pm

I'm a little late to the party but I've been using Disconnect , BetterPrivacy (for flash cookie deletion) , noscript, and xforwardforheader (careful it may break a site or 3 )+ useragent switcher (stick with something in the gecko family if using fx).
[ link to this | view in chronology ]
Anonymous Coward, 22 Jul 2014 @ 8:13pm

https://addons.mozilla.org/en-US/firefox/addon/x-forwarded-for-header/?src=search

https://addons.mozi lla.org/en-US/firefox/addon/betterprivacy/?src=ss

https://addons.mozilla.org/en-US/firefox/addon/disc onnect/?src=ss

https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/?src=ss

https://addo ns.mozilla.org/en-US/firefox/addon/foundstone-html5-local-storage/?src=ss

and turnoff geo tracking in fx
In the URL bar, type about:config
Type geo.enabled
Double click on the geo.enabled preference
Location-Aware Browsing is now disabled
[ link to this | view in chronology ]