Tons Of Sites, Including WhiteHouse.gov, In Unwitting AddThis Experiment With Tracking Technology That Is Difficult To Block
from the our-post-cookie-era dept
ProPublica has a new story about the rise of "canvas fingerprinting," a new method of tracking users without using cookies. It's a method that is apparently quite difficult to block if you're using anything other than Tor Browser. In short, canvas fingerprinting works by sending some instructions to your browser to draw a hidden image (text and shapes rendered onto an HTML5 canvas element) and then reading the rendered pixels back. How those pixels come out depends on the particular combination of graphics hardware, drivers, installed fonts and anti-aliasing on your machine, so each resulting image is likely to be unique (or nearly unique), and a hash of it serves as an identifier that survives clearing cookies.

The key issue here is that the popular "social sharing" company AddThis, which many sites (note: not ours) use to add "social" buttons to their websites, had been experimenting with canvas fingerprinting to identify users even if they don't use cookies. As ProPublica's Julia Angwin notes, it's very difficult to block this kind of thing, and tons of sites make use of AddThis, including WhiteHouse.gov (whose privacy policy does not seem to reveal this, saying it only uses Google Analytics as a third-party provider).

The report does note that others who have tried canvas fingerprinting have found that it's not necessarily accurate enough yet, but the technology appears to keep getting better. Still, AddThis says it's likely to drop it anyway, because it's not good enough yet:
AddThis said it rolled out the feature to a small portion of the 13 million websites on which its technology appears, but is considering ending its test soon. “It’s not uniquely identifying enough,” Harris said.

AddThis did not notify the websites on which the code was placed because “we conduct R&D projects in live environments to get the best results from testing,” according to a spokeswoman.

The company also insisted it wasn't doing anything bad with the tracking, but even if you believe that's true, how long will it be until others make use of similar fingerprinting for more questionable behavior?
Given the attention this is getting, hopefully browsers will at least roll out features that give users more notice of, and control over, such practices. Cookies are hardly a perfect solution, but at least users have control over them.
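To make the mechanism concrete, here is an added example of a canvas fingerprint in JavaScript. It is not AddThis's script and not code from the ProPublica story; the probe drawing, the FNV-1a hash, and the fake canvas (a constructed stand-in so the example also runs outside a browser) are this example's own inventions. In a browser you would pass browserCanvasFactory; the canvas is never attached to the page, so the user sees nothing.

```javascript
// Added example (not AddThis's code, not from the article): a minimal canvas
// fingerprint of the kind the story describes. drawProbe, fnv1a32,
// canvasFingerprint and the fake canvas are this example's own names.

// Draw the probe: text in a named font, overlapping colours and a blended
// circle. Font rasterisation, sub-pixel anti-aliasing and compositing all
// depend on the OS, GPU, driver and installed fonts, which is where the
// machine-specific variation comes from.
function drawProbe(canvas) {
  const ctx = canvas.getContext("2d");
  const text = "Cwm fjordbank glyphs vext quiz, \u{1F600}"; // pangram plus an emoji
  ctx.textBaseline = "top";
  ctx.font = "14px 'Arial'";
  ctx.fillStyle = "#f60";
  ctx.fillRect(125, 1, 62, 20);
  ctx.fillStyle = "#069";
  ctx.fillText(text, 2, 15);
  ctx.fillStyle = "rgba(102, 204, 0, 0.7)";
  ctx.fillText(text, 4, 17);
  ctx.globalCompositeOperation = "multiply";
  ctx.fillStyle = "rgb(255, 0, 255)";
  ctx.beginPath();
  ctx.arc(50, 50, 50, 0, Math.PI * 2, true);
  ctx.closePath();
  ctx.fill();
  return canvas;
}

// 32-bit FNV-1a over the exported image. Any stable hash would do; the point
// is to turn a few kilobytes of PNG into a short identifier.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// createCanvas(width, height) returns anything with getContext/toDataURL.
// The canvas is never attached to the document, so nothing is visible.
function canvasFingerprint(createCanvas) {
  const canvas = createCanvas(220, 30);
  drawProbe(canvas);
  return fnv1a32(canvas.toDataURL());
}

// What a real tracker would pass in when running inside a page.
function browserCanvasFactory(width, height) {
  const c = document.createElement("canvas");
  c.width = width;
  c.height = height;
  return c;
}

// Constructed stand-in so the example also runs outside a browser: it records
// the drawing calls and folds a `profile` string (playing the role of the GPU,
// driver and font stack) into the "exported image".
function fakeCanvasFactory(profile) {
  return (width, height) => {
    const ops = [];
    const ctx = new Proxy({}, {
      get: (_, name) => (...args) => { ops.push(`${String(name)}(${args.join(",")})`); },
      set: (_, name, value) => { ops.push(`${String(name)}=${value}`); return true; },
    });
    return {
      width,
      height,
      getContext: () => ctx,
      toDataURL: () => `data:image/png;fake,${profile};${width}x${height};${ops.join(";")}`,
    };
  };
}

if (typeof document === "undefined") {
  // Two "machines" running the same script get different, stable identifiers.
  console.log("machine A:", canvasFingerprint(fakeCanvasFactory("intel-hd4000/win7/cleartype")));
  console.log("machine B:", canvasFingerprint(fakeCanvasFactory("nvidia-gtx660/linux/freetype")));
} else {
  console.log("this browser:", canvasFingerprint(browserCanvasFactory));
}
```

Two things follow from the code: there is no cookie to delete, because nothing is stored on the client at all; the identifier is recomputed on every visit from how the machine renders. And AddThis's complaint that it is "not uniquely identifying enough" is plausible: two machines with the same OS, browser, GPU and fonts render the probe identically and get the same hash.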
Filed Under: canvas fingerprinting, cookies, tracking, whitehouse, whitehouse.gov
Companies: addthis
Reader Comments
If somebody is actively trying to stay away from tracking and advertisements, you should just leave it at that. Chances are you will enrage such a person and drive them further away from your product if you insist. I've given up items I was going to buy with 100% certainty because of such intrusive advertising already; I hate it. And when people get to know how things work, they usually want it all blocked too.
Here is the scary part
They didn't say they didn't want to track and identify people; they said it wasn't "good enough".
Re: Here is the scary part
The technologies are virtually impossible to guard against. In the end, this kind of tracking is just something we have to accept in the long run.
Re: Re: Here is the scary part
That sounds like a challenge to me. Techies, 'hackers', and other people who enjoy fiddling around with code and computers love challenges, the harder the better.
Re: Re: Re: Re: Here is the scary part
Similarly, switching your system around so it looks like someone else's could make this kind of tracking very confusing for the tracker.
Re: Re: Re: Re: Here is the scary part
So you plug in an old flash drive, and/or whatever, then unplug it the next time, etc...
What next? We have 'burner' phones; are we going to have 'burner' PCs now???
Re: Re: Here is the scary part
# hosts file: /etc/hosts on Linux and OS X, %SystemRoot%\System32\drivers\etc\hosts on Windows
127.0.0.1 p.addthis.com
127.0.0.1 s3.addthis.com
127.0.0.1 s7.addthis.com
127.0.0.1 s9.addthis.com
127.0.0.1 su.addthis.com
127.0.0.1 www.addthis.com
Presto, you can't connect to them, they can't track you.
Any other virtually impossible problems you need solved?
Re: Re: Re: Re: Here is the scary part
For example: 127.0.0.1 *.addthis.com
Re: Re: Re: Re: Here is the scary part
Is this technique JavaScript-based? If so, of course NoScript would take care of it as well.
Re: Re:
I would also recommend CookieKeeper over Self Destructing Cookies, as it's been deprecated. https://addons.mozilla.org/en-US/firefox/addon/cookiekeeper/
Not too hard to block - yet
Blocking trackers is the same good idea as blocking ads, because the industries behind ads/trackers do not police themselves well enough to have earned our trust.
Re: Not too hard to block - yet
After years of enduring pop-ups, pop-unders, in-your-face Flash banners and a myriad of other forms of intrusive advertising that got in the way of what I originally went to a website for, I eventually turned to pop-up and ad-blockers and I haven't looked back. Between those tools and Ghostery, I infrequently see advertising unless I've whitelisted a site I like well enough and that doesn't engage in that type of advertising crap.
Re: Re: Re: Not too hard to block - yet
For more enlightened sites (such as Techdirt) that provide a way to support them by just giving them money, I do that instead. It's why I'm an "insider" here -- I block all the ads, but am willing to pay for the content.
Re: Re: Not too hard to block - yet
"If as you browse the web, the same source seems to be tracking your browser across different websites, then Privacy Badger springs into action, telling your browser not to load any more content from that source. And when your browser stops loading content from a source, that source can no longer track you. Voila!"
Seems like that would work. However, there is a loophole that may or may not be open:
"In some cases a third-party domain provides some important aspect of a page's functionality, such as embedded maps, images, or fonts. In those cases Privacy Badger will allow connections to the third party but will screen out its tracking cookies."
FYI.
The "trick" is managing to get unique enough without tripping warnings to the users and giving the game away. Which thankfully no one seems to have cracked yet. At least not publicly.
Re: Re: Re: Re:
The other advantage to the hosts file is with your mobile devices: if you're running a rooted Android, you can block all these accesses from it in exactly the same way.
There is so much
I have been to sites that had so many tracking cookies that it took 5 minutes to find my way to the site..
I love programming, but SOME of the idiots out there use serial programming, which means you take 1 step at a time.. And you can't PASS a step (cookie) to get to a site. It's STUPID..
I LOVE the overlay system they found; they use it OVER videos to FORCE you to watch adverts..
I've asked, and been denied, 1 little prog to put NAMES in the comments of the cookies, of the location I got them from..
SO THAT IF I find the cookie that crashed a system, I can TRACK it to the site, and ASK for info on where it came from... and follow it back..
What do you think would happen if you KNEW a certain site had LET a cookie infect your system?
What do you think would happen to the advertiser?
HOW about the cookie maker that worked for the advertiser?
Anyone seeing a way to track SPAMMERS here?
Re: There is so much
I like your proactive attitude about fighting tracking cookies, but what do you mean you "asked, and have been denied"? Denied by whom?
Ghostery
Re: Re: Ghostery
Right now, there is a bunch of attention - particularly since AddThis had it turned on for some popular porn sites. It seems likely to me that some of the ad-blockers and tracker companies are actively working on stripping out the canvas tags from the HTML so this will not function.
You could also use an older browser (IE 8 or earlier, I believe) that does not support HTML5 until someone comes up with a reliable way to block this.
Re: Ghostery
Of course, the problem is that this ends up being potentially disruptive, as now the AddThis widget doesn't display at all.
Re: Re: Ghostery
So, double bonus.
Re: canvas
Maybe an update to the current browsers can include a setting to disable the Canvas resource. That would certainly break many HTML5 effects, but is less limiting than blocking Javascript if you don't want to be tracked.
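One way to build the canvas off switch the comment above asks for, as an added example that is not from the commenter, from any browser vendor or from any extension: a script that wraps the canvas read-back methods a fingerprinter needs, denies them by default (returning a blank image instead of the real pixels), and records which caller asked. installCanvasGuard, defaultHooks and the hook shape are this example's own names; HTMLCanvasElement, CanvasRenderingContext2D, toDataURL, getImageData and confirm are the real browser APIs.

```javascript
// Added example, not from the comment above and not from any browser or
// extension: a user-space "canvas off switch" that wraps the read-back calls
// a fingerprinter needs and logs who made them.

// 1x1 transparent PNG handed back in place of the real pixels.
const BLANK_PNG =
  "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=";

// The calls that turn drawn pixels into data a script can read. Drawing itself
// stays allowed, so visible canvases keep working; only reading back is gated.
function defaultHooks() {
  const hooks = [];
  if (typeof HTMLCanvasElement !== "undefined") {
    hooks.push({
      target: HTMLCanvasElement.prototype,
      method: "toDataURL",
      blank: () => BLANK_PNG,
    });
  }
  if (typeof CanvasRenderingContext2D !== "undefined") {
    hooks.push({
      target: CanvasRenderingContext2D.prototype,
      method: "getImageData",
      // Keep the ImageData shape the caller expects, but zero the pixels.
      blank: (original, self, args) => {
        const img = original.apply(self, args);
        img.data.fill(0);
        return img;
      },
    });
  }
  return hooks;
}

// Best-effort identification of the script that asked for the pixels.
// Stack layout is engine-specific; the offset below matches V8 (Chrome, Node):
// frame 0 is the message, then callerFrame, then the guarded wrapper, then the caller.
function callerFrame() {
  const frames = (new Error().stack || "").split("\n");
  return (frames[3] || "").trim() || "<unknown>";
}

// decide(entry) returns true to let the real call through. Default: never.
// In a page an interactive version would be: decide: () => confirm("Allow canvas read-back?")
function installCanvasGuard({ hooks = defaultHooks(), decide = () => false, log = [] } = {}) {
  for (const { target, method, blank } of hooks) {
    const original = target[method];
    if (typeof original !== "function") continue;
    target[method] = function guarded(...args) {
      const entry = { method, when: new Date().toISOString(), caller: callerFrame() };
      entry.allowed = Boolean(decide(entry));
      log.push(entry);
      return entry.allowed ? original.apply(this, args) : blank(original, this, args);
    };
  }
  return log;
}

if (typeof HTMLCanvasElement !== "undefined") {
  // In a page: install before any page script runs, inspect the log later.
  window.canvasGuardLog = installCanvasGuard();
}
```

Run it as a user script or an extension content script that executes before page scripts. The caveat a practitioner needs: a wrapper living in the page's JavaScript realm is not a security boundary. A page can create an iframe and pull a pristine HTMLCanvasElement.prototype.toDataURL out of that frame's window, so the guard must be installed in every frame before any page script runs, and a real kill switch belongs in the browser itself, which is what Tor Browser does.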
Where are you, Firefox?
It's absolutely ridiculous that in 2014 the Firefox web browser ships in an undefended state. But I suppose it's easier to move buttons around and continuously dumb down the interface than it is to actually do the hard work of defending users.
Re: Where are you, Firefox?
Some things in Firefox that would be safer for the user are off or unconfigured by default. For example Do Not Track is not active by default.
I suspect (of course I have no proof) it's because Google prefers it that way.
Re: Re: Where are you, Firefox?
A business is only there to make money... once the money making stops... guess what? No more business!
Re: Re: Re: Where are you, Firefox?
That connection would stop if Google became the target of boycotts, which would be uncomfortable for Mozilla, to put it lightly...
Re: Where are you, Firefox?
I think it's a bit too much to hope that Mozilla will incorporate features found in addons such as NoScript (beyond simple JS blocking) or HTTPS Everywhere when they're trying half-heartedly to comply with Hollywood pressure and possibly full-heartedly to make a Mozilla Chrome.
Re: Re: Where are you, Firefox?
I can't get Adobe's PDF plugin to work, which is kind of a nuisance, but Palemoon is the browser I've been searching for ever since Firefox 14.
disconnect.me
WHEN?!
Work the logistics out... I bet the first browser to produce this would get near-instant majority market share.
Firefox extensions (with links!)
NoScript causes the browser not to run Javascript on a page until you allow it. You grant permission on a per-serving-domain basis. Using NoScript will break poorly written Web 2.0 sites until you whitelist them. Whitelisting may take several tries as you run down which domains are responsible for the scripts that the page requires for proper functionality. However, since NoScript denies first and permits only on command, it is very effective at killing unwanted scripts.
RequestPolicy causes the browser not to load resources from domains other than the current one, until you permit it. You can grant permissions on a per-source domain, per-destination domain, or per-both basis. Per-destination lets you say that all embeds of YouTube are allowed, regardless of where you find them. Per-source lets you say that Techdirt can always embed a resource, no matter where that resource is hosted. Per-both lets you write rules such as "Techdirt may embed YouTube, but nothing else can embed it under this rule." (You might have other rules that whitelist YouTube for use on other sites. Once a match permits the embed, then it is allowed even if other permissions fail to match.) As with NoScript, a blank install of RequestPolicy will make some sites look odd or function poorly until you whitelist the domains that serve their supporting resources. In some cases, you may need to whitelist a site once in RequestPolicy to allow its JavaScript to be loaded, then whitelist that same site in NoScript to allow the JavaScript to be run once it has loaded. Although inconvenient, this can be useful, since NoScript only grants permission based on the serving domain, but RequestPolicy can also look at the domain that requested the script. Thus, you could whitelist Google's copy of jQuery in NoScript, but use RequestPolicy to allow it to load only on selected sites.
AdBlock Plus blocks user-specified resources. By default, it has no blocks, but you can subscribe to community-maintained lists. AdBlock Plus could block the AddThis tracker, but would require that you (or someone who maintains a list you use) block the domain(s) that serve the tracker. By contrast, both NoScript and RequestPolicy block everything you have not permitted.
Ghostery
Privacy Badger
Re: Re: Re: Firefox extensions (with links!)
Ghostery has been getting mentioned on a lot of other news sites I frequent since this story broke, as well. It would not surprise me if they astroturf comments pages to promote it when there are stories like this, since it's in their financial interest to do so. Let me be clear and say that there is no evidence of that, to the best of my knowledge, that's just speculation on my part.
Canvas Fingerprinting
This 'Canvas Fingerprinting' sounds like it originated at the N.S.A.
The Nazis at NSA never sleep. Hail to the United Secret Police State of America! Secret police with secret laws and secret punishments.
When Obama said (after Snowden's revelations -June 7, 2013): “You can’t have 100 percent security and also then have 100 percent privacy and zero inconvenience,”...“We’re going to have to make some choices as a society.”
What he means is: We get 100 percent "security" and zero privacy. That is the choice he and George W. Bush have chosen for the rest of us.
Here's a good one!
A: Sleazy user tracking.
Q: What's the difference between porn websites and the President of the United States of America's website?
A: You don't have to wait more than a year for a response from a porn website.
https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/?src=ss
https://addons.mozilla.org/en-US/firefox/addon/disconnect/?src=ss
https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/?src=ss
https://addons.mozilla.org/en-US/firefox/addon/foundstone-html5-local-storage/?src=ss
And turn off geo tracking in Firefox:
In the URL bar, type about:config
Type geo.enabled
Double click on the geo.enabled preference to toggle it to false
Location-Aware Browsing is now disabled