Share button may share your browsing history, too

Jul 22, 2014
An exact replica of the image rendered by a real-world canvas fingerprinting script. The script uses a so-called ‘perfect pangram’, “Cwm fjordbank glyphs vext quiz”, which contains all the letters of the English alphabet. This maximizes the diversity of the image outcomes with the shortest possible string.

One in 18 of the world's top 100,000 websites track users without their consent using a previously undetected cookie-like tracking mechanism embedded in 'share' buttons. A new study by researchers at KU Leuven and Princeton University provides the first large-scale investigation of the mechanism and is the first to confirm its use on actual websites.

The mechanism, called "canvas fingerprinting", uses special scripts – the coded instructions that tell your browser how to render a website – to exploit the browser's so-called 'canvas', a browser functionality that can be used to draw images and render text.

When a user visits a website encoded with canvas fingerprinting software, a first script tells the user's browser to print an invisible string of text on the browser's canvas. Another script then instructs the browser to read back data about the pixels in the (invisibly) rendered image.

These data contain important information about the user's browser type, graphics card, system fonts and even display properties. Because this grouping of data is highly likely to be unique for each user, it can be reliably associated with individual users, like a fingerprint.

Cookies

Once a website has determined a device's fingerprint, it can easily recognize the user on subsequent site visits, much in the same way cookies do.

But while unwanted cookies can be flagged or blocked to enhance a user's online privacy, there is no available solution for doing so with fingerprints.

In this study, the researchers used automated 'crawlers' to scan the world's top 100,000 websites for canvas fingerprinting scripts. They found canvas fingerprinting scripts on 5,542 of the internet's top 100,000 websites, a prevalence of 5.5 percent.
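
The write-then-read-back sequence described above is also what a crawler can look for. The following is an added example, not code from the study or from any website: it records canvas calls per script and flags scripts that draw text and then read the pixels back. The stub canvas, the script URLs and the thresholds (16-pixel minimum side, 10 distinct characters, JPEG reads ignored) are assumptions made for illustration.

```javascript
// Constructed stand-in for a browser canvas so the example runs under Node.
function makeStubCanvas(width, height) {
  const ctx = { fillText() {}, strokeText() {} };
  return { width, height, getContext: () => ctx, toDataURL: () => 'data:,' };
}

// Record every method call made through `target`, tagged with the calling script.
function instrument(target, scriptUrl, log) {
  return new Proxy(target, {
    get(obj, prop) {
      const value = obj[prop];
      if (typeof value !== 'function') return value;
      return (...args) => {
        const result = value.apply(obj, args);
        log.push({ scriptUrl, method: prop, args, width: obj.width, height: obj.height });
        return prop === 'getContext' ? instrument(result, scriptUrl, log) : result;
      };
    },
  });
}

// Flag scripts that draw text and afterwards read it back (thresholds are assumed).
function flagFingerprinters(log, minSide = 16, minChars = 10) {
  const state = new Map();
  for (const call of log) {
    const s = state.get(call.scriptUrl) || { wroteText: false, readBack: false };
    if (call.method === 'fillText' || call.method === 'strokeText') {
      if (new Set(String(call.args[0])).size >= minChars) s.wroteText = true;
    } else if (call.method === 'toDataURL') {
      const lossy = /jpe?g/i.test(String(call.args[0] || ''));
      if (s.wroteText && !lossy && Math.min(call.width, call.height) >= minSide) s.readBack = true;
    }
    state.set(call.scriptUrl, s);
  }
  return [...state].filter(([, s]) => s.readBack).map(([url]) => url);
}

function demo() { // constructed page load: only the first script matches the pattern
  const log = [];
  const a = instrument(makeStubCanvas(300, 60), 'https://widget.example/share.js', log);
  a.getContext('2d').fillText('Cwm fjordbank glyphs vext quiz', 2, 15);
  a.toDataURL();
  const b = instrument(makeStubCanvas(400, 300), 'https://site.example/chart.js', log);
  b.getContext('2d').fillText('Monthly visits', 10, 20); // label drawn, never read back
  const c = instrument(makeStubCanvas(200, 200), 'https://site.example/export.js', log);
  c.getContext('2d').fillText('Caption for export', 0, 20);
  c.toDataURL('image/jpeg'); // lossy export, ignored by the heuristic
  return flagFingerprinters(log);
}
```

In a real crawl the recorder would wrap the browser's own canvas objects instead of the stub.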

Previous studies on related browser fingerprinting techniques reported a prevalence of 0.4 percent and 1.5 percent, respectively, although they are not directly comparable to the current study since they measured different types of fingerprinting techniques.

While researchers demonstrated the feasibility of canvas fingerprinting as a tracking mechanism in 2012, this is the first time it has been observed on real websites and traced back to specific provider domains. Analyses of the real-world scripts reveal that fingerprinters are going beyond the techniques known by the academic research community.

AddThis

Surprisingly, the researchers traced 95 percent of canvas fingerprinting scripts back to a single company: AddThis. AddThis is the world's largest content sharing platform and provides free plugins such as share buttons, follow buttons and content recommendation features. The company reaches an estimated 97.2% of Internet users in the United States and receives 103 billion page views each month.

Can users protect themselves against canvas fingerprinting? Acar and his colleagues studied the effect of ad-industry opt-out tools offered by the Network Advertising Initiative (NAI) and the European Interactive Digital Advertising Alliance. No websites included in the opt-lists stopped collecting canvas fingerprints after activating the opt-out option.

At present, only one browser, Tor, can prevent canvas fingerprinting scripts, but this added security comes with major trade-offs in performance, functionality and content availability.

Many websites, including sensitive sites such as health and government websites, unknowingly contain canvas fingerprinting – by using one of AddThis' free plug-ins for example.

The researchers are concerned by the growing prevalence of fingerprinting, says Gunes Acar, the first author of the study: "This is an advanced tracking mechanism that misuses browser features to enable the circumvention of ' tracking preferences. We hope that our results will lead to better defenses, increase accountability for companies deploying sticky tracking techniques and an invigorated and informed public and regulatory debate on increasingly resilient tracking techniques."

More information: securehomes.esat.kuleuven.be/~… ersistent/index.html

User comments : 3

Nik_2213
5 / 5 (1) Jul 22, 2014
Okay, Google, here's your chance to do something wonderful, and immunise Chrome against such...

antialias_physorg
5 / 5 (2) Jul 23, 2014
Just read the paper which you can view here:
https://securehom...gets.pdf

Canvas fingerprinting, evercookies and cookie syncing...scary stuff. (And the list of things they haven't looked at looks even scarier). Coupled with the inability for even tech savvy users to block these it's high time that tracking of any sort be made illegal (invasion of privacy).

I don't let companies look into my fridge to send me ads targeted to what type of milk I drink - so why should I let companies track my browsing habits?

Google, here's your chance to do something wonderful, and immunise Chrome against such

After installing Ghostery I was actually surprised that Google sites don't use tracking cookies (they may use other methods of which I am unaware). Physorg uses quite a spread, though.

gwrede
5 / 5 (1) Jul 23, 2014
After installing Ghostery I was actually surprised that Google sites don't use tracking cookies (they may use other methods of which I am unaware). Physorg uses quite a spread, though.
Google knows enough about you already. Plus, they don't want to come off as too greedy about your privacy.