
posted by azrael on Tuesday July 22 2014, @07:32AM
from the watching-you-wherever-you-go dept.

A new kind of tracking tool, canvas fingerprinting, is being used to follow visitors to thousands of top websites, from WhiteHouse.gov to YouPorn [Editor's note: YouPorn claim to have removed this now].

First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor's Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user's device a number that uniquely identifies it.

Like other tracking tools, canvas fingerprints are used to build profiles of users based on the websites they visit - profiles that shape which ads, news articles, or other types of content are displayed to them.

The researchers found canvas fingerprinting computer code, primarily written by a company called AddThis, on 5 percent of the top 100,000 websites. Most of the code was on websites that use AddThis' social media sharing tools. Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site PlentyOfFish. A list of all the websites on which researchers found the code is available.

  • (Score: -1, Troll) by Anonymous Coward on Tuesday July 22 2014, @08:01AM

    by Anonymous Coward on Tuesday July 22 2014, @08:01AM (#72189)

    For tracking trolls, totally.

    Nigger nigger nigger suck a cock. Blow a goat, eat a box of wood, pussy face cracker jack.

    • (Score: 2) by Bot on Tuesday July 22 2014, @08:16AM

      by Bot (3902) on Tuesday July 22 2014, @08:16AM (#72192) Journal

      Detected.

      --
      Account abandoned.
      • (Score: 0) by Anonymous Coward on Tuesday July 22 2014, @09:27AM

        by Anonymous Coward on Tuesday July 22 2014, @09:27AM (#72214)

        Ooooooooo a troll detection bot! So easy to write!

        grep -ie 'nig+er'

        And done. So fun!

  • (Score: 2) by Bot on Tuesday July 22 2014, @08:20AM

    by Bot (3902) on Tuesday July 22 2014, @08:20AM (#72194) Journal
    Noscript helps with this kind of problem. It's not the silver bullet, it's more of an arms race between sites and ad/script blockers, but it often still makes a pleasant difference to browse with it enabled.
    --
    Account abandoned.
    • (Score: 3) by zocalo on Tuesday July 22 2014, @08:52AM

      by zocalo (302) on Tuesday July 22 2014, @08:52AM (#72205)
      Yeah, NoScript saves the day yet again. It's actually specifically mentioned in the "How You Can Try to Thwart Canvas Fingerprinting" sidebar to the article, which also brings up a couple of the caveats connected with blocking JavaScript. I suspect that NoScript and AdBlock etc. will be adding more generic functionality re. the use of hidden canvas in upcoming releases to make this less of an issue. Yep, yet another potentially useful web feature already considered hostile because of some marketing scumbags.

      Still, as usual for such invasive tracking, most websites actually deploying it don't actually know the details and rely on the marketeers to run the script, so the simplest way is just to sinkhole their domains at the DNS level. So, it's bye bye "AddThis.com"; all your hosts now resolve to 127.0.0.1 for me. I'm pretty sure I won't miss whatever minor social media convenience your company supposedly brought to the web, and I *know* I'm not going to miss yet another bunch of jerks trying to track me.
      --
      UNIX? They're not even circumcised! Savages!
      • (Score: 3) by WizardFusion on Tuesday July 22 2014, @12:00PM

        by WizardFusion (498) on Tuesday July 22 2014, @12:00PM (#72241) Journal

        I use this (http://winhelp2002.mvps.org/hosts.htm) as well as NoScript and Adblock.
        I also have AdAway on my Android phone, that uses this list and three others to help with advert blocking on that too (root needed).

        • (Score: 4, Informative) by zocalo on Tuesday July 22 2014, @12:48PM

          by zocalo (302) on Tuesday July 22 2014, @12:48PM (#72261)
          Hosts files do have their use, but they are far from a cure-all, despite what the host of that list would have you believe. In particular they cannot block, for instance, "*.somedomain.com" - you have to specify every subdomain individually and they are a nightmare of efficiency. Personally, my hosts file just contains the system defaults, and everything else is done via DNS; I run my own DNSBL for mail blacklisting and sinkholing entire domains is as simple as adding a line referencing my "devnull.zone" file to named.conf:

          zone "somedomain.com" in {type master; file "devnull.zone"; };

          The meat of "devnull.zone" (yes, you can reference the same file for multiple zones in BIND) is:

          * IN A 127.0.0.1

          That means none of my boxes can even talk to any of the listed domains (mostly ad/tracking domains plus other bad actors, but also a few particularly bad TLDs I'm highly unlikely to visit legitimately). As a bonus, since my email server won't accept data from a host/domain that resolves to 127.0.0.1, it also stops an awful lot of spam right at HELO, no SpamAssassin required.

          --
          UNIX? They're not even circumcised! Savages!
          • (Score: 3) by WizardFusion on Tuesday July 22 2014, @03:35PM

            by WizardFusion (498) on Tuesday July 22 2014, @03:35PM (#72311) Journal

            I read somewhere that 0.0.0.0 was better/faster than 127.0.0.1
            Thoughts?

            • (Score: 2) by zocalo on Tuesday July 22 2014, @05:51PM

              by zocalo (302) on Tuesday July 22 2014, @05:51PM (#72380)
              The only circumstance I can imagine one being better/faster than the other would be if the box you were browsing from handled 0.0.0.0 differently to 127.0.0.1 in terms of errors, logging, and so on. For instance, if I tried to connect to a sinkholed site from a box that was also acting as a server, 0.0.0.0 might return a simple failure whereas 127.0.0.1 would connect to the local server and return/log an error; e.g. a 404 in the case of WWW. That handling seems to vary from OS to OS; my Linux boxes all respond to a request on 0.0.0.0 the same way they do to one on 127.0.0.1, whereas my Windows 7 Pro system returns a general failure if I try and ping 0.0.0.0.

              In practice, I don't think you'd notice the difference either way, so it comes down to personal preference. I went with 127.0.0.1 because it's more consistent with the DNSBL setups I have, but network engineers might well prefer 0.0.0.0 since it's commonly used to indicate a null route.
              --
              UNIX? They're not even circumcised! Savages!
              • (Score: 0) by Anonymous Coward on Wednesday July 23 2014, @07:41PM

                by Anonymous Coward on Wednesday July 23 2014, @07:41PM (#72934)

                If you're running a server on localhost:80 for any reason, 0.0.0.0 may be better as it doesn't make your server respond to a bogus request.

          • (Score: 1, Interesting) by Anonymous Coward on Tuesday July 22 2014, @05:34PM

            by Anonymous Coward on Tuesday July 22 2014, @05:34PM (#72364)

            Unfortunately no hostname based system is going to be effective in the face of DNS aliases.

            Consider this:

            foo.com includes a cross-site reference to newrelic.com - easy to block
            foo.com includes a cross-site reference to newrelic.foo.com - very hard to block

            I've already seen big sites use DNS aliasing for their CDNs (although I don't know what benefit there is to using it for benign purposes). They are probably doing it for the trackers.

            I have (a completely unimplemented) idea for protecting against that (and a whole bunch of other privacy attacks):

            Sandbox identifying information based on the URL in the address bar. Cookies, cache and any other identifying information (like spoofed user-agent, spoofed font list, spoofed screen geometry, etc). So in the above example newrelic.foo.com and newrelic.bar.com would see completely separate sets of identifiable data.

    • (Score: 4, Interesting) by BsAtHome on Tuesday July 22 2014, @09:00AM

      by BsAtHome (889) on Tuesday July 22 2014, @09:00AM (#72207)

      NoScript is great for blocking a lot of unwanted stuff. Unfortunately, many websites suck bigtime without scripts.

      I do understand that scripting is a great tool for designing interactive, but the drawbacks are just too great to accept from a privacy perspective. Each time you give them(*) a finger, you end up losing your hand, arm and most other bodily parts in the process. And, unfortunately, there does not seem to be a solution that creates a proper balance between functionality and privacy.

      It makes me wonder what will happen in the future. All of us who limit the invasion with NoScript and AdBlock (and others), will we be scrutinized even more because we do not want to be tracked? It surely must be "suspicious" wanting to be private. What a world we have come to that we actually need to worry about this.

      (*) those who want information at all cost, regardless who

      • (Score: 1, Troll) by Ethanol-fueled on Tuesday July 22 2014, @12:27PM

        by Ethanol-fueled (2792) on Tuesday July 22 2014, @12:27PM (#72251) Homepage

        Yup, defeating online tracking has become so much of a pain in the ass that it's just not worth doing anymore unless you are partaking in illegal activity.

        There's the NoScript shuffle, in which you use a slogging process of elimination to see which elements the page needs and does not need to function, recursively -- first you "add all this page," and then more pop up. Some of the crappier pages like gossip pages need you to "add this page" a good 3 times in a row before those nags go away. Then there's LSOs, user agent string tracking, IP tracking, whatever else, and now this. Good luck running Netflix if you don't allow cookies.

        Fine, I give up. So I watch midget porn on XHamster and recently bought a PC from Newegg, so what.

      • (Score: 2) by lgsoynews on Tuesday July 22 2014, @02:19PM

        by lgsoynews (1235) on Tuesday July 22 2014, @02:19PM (#72285)

        I do understand that scripting is a great tool for designing interactive

        If only scripting was only used for interactive stuff... But, have you noticed that it is more and more frequent that the site does not load AT ALL, without Javascript? You arrive on the homepage and it's entirely blank. Usually without even a "Javascript is necessary bla bla" blurb?

        And that is for no good reason: the sites are usually some sort of blog or basic stuff that could perfectly be static.

        And don't get me started on all those sites that use infinite vertical scrolling or horizontal scrolling & such stuff. In most cases it is pure useless fluff, used because it's all the rage. But the fact that it makes interfaces that are at best clunky, at worst unusable doesn't bother the designer. Let's break the back/forward button, the ability to go a few pages forward, to bookmark or to save the page, yiai. Plus it's SLOW!

        Technically, it's interesting, but because you can create such UIs doesn't mean you should.

        But asking for some common sense and a little understanding of the UI/UX/ergonomy domain is asking too much. Between the clueless boss/customer who likes the shiny (but does not use the site of course), the design & marketing people who want the latest fad & the programmers who are either trapped by the former and/or want to use the latest framework & usually put zero thought in the ergonomy (I don't entirely blame them, it's a job in itself, but still), and you get a perfect mix of cluelessness that explains why most sites are poorly thought out and hard to use.

        This is why I use FF plugins to block everything, and often use addons to modify the CSS (Stylish) & the page itself (Greasemonkey), to make things bearable. At least, on the sites I use the most.

  • (Score: 2) by PinkyGigglebrain on Tuesday July 22 2014, @08:39AM

    by PinkyGigglebrain (4458) on Tuesday July 22 2014, @08:39AM (#72201)

    This is great, now I have more sites I can add to the Hosts file.

    Having No-Script seems to prevent the fingerprint from being generated. When I went to the article and clicked on the example nothing happened until I had no-script allow all the scripts on the page to run. After it generated the fingerprint image I revoked all the permissions and tried again. It didn't work.

    No-Script and Flashblock, really useful plug-ins to have installed.

    --
    "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
    • (Score: 2, Interesting) by len_harms on Tuesday July 22 2014, @01:50PM

      by len_harms (1904) on Tuesday July 22 2014, @01:50PM (#72276) Journal

      Instead of a hosts file you should consider a pac file at a minimum. I see you are already using no-script. I suggest adblock instead of hosts. But if you are dead set against it :)

      http://www.schooner.com/~loverso/no-ads/ [schooner.com]

      I used to use this extensively before I just threw my hands up and used adblock and noscript. It blocks more than ads too (I haven't seen a youtube comment in a year!). It was more flexible than hosts. The problem with hosts files is it is trivial to defeat. *.xyz.com does not work. Just putting xyz.com does not work. Hosts files have 0 concept of the internet hierarchy. They just have a name and an address. It is just a name value pair system with a linear scan lookup. The second problem is the grey sites. Where they serve good and bad stuff. Hosts files deal with that very poorly.

      However, if adblock had not come along I would probably still be using pac files. As they let me custom configure what gets loaded and not. It lets me remove all the limitations that hostfile blocking does.

      2 days ago I turned it all off. By the end of the day I had some form of malware on my box. Cleaned the box and turned it all back on again. I really should know better...

      As for the pac file I recommended it is 'ok'. But it suffers from having a linear search in its code. So the more you add the slower it gets. I had built a log(n) search into it but the group there did not seem very interested in it.
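The post above, like zocalo's BIND sinkhole further up and the Anonymous Coward's DNS-alias example, comes down to one thing a hosts file cannot do: match a whole domain and everything under it. The following is an added example, not len_harms's PAC file and not the no-ads script linked above: a minimal PAC-style FindProxyForURL that sinkholes by domain suffix (so "somedomain.com" covers every subdomain) and looks zones up by binary search, the log(n) replacement for the linear scan the post complains about. The zone list, the blackhole proxy port and the sample hostnames are constructed for the example; the last test case shows the limitation the AC raised, that a first-party alias such as newrelic.foo.com is not caught by any third-party-domain list.

```javascript
// Added example (not from the thread or the no-ads PAC file it links to):
// PAC-style domain sinkhole with suffix matching and O(log n) lookup.

// Constructed blocklist: every name in these zones and below is sinkholed.
// Kept sorted so the binary search below is valid.
const SINKHOLED_ZONES = ["addthis.com", "ligatus.com", "somedomain.com"].sort();

// A PAC file cannot return an address, so blocked requests are pointed at
// a proxy that never answers. 127.0.0.1:3421 is an arbitrary unused port
// chosen for this example.
const BLACKHOLE = "PROXY 127.0.0.1:3421";
const DIRECT = "DIRECT";

// Binary search for an exact zone name in the sorted list: O(log n)
// instead of the linear scan a hosts file or a naive PAC list does.
function zoneListed(name) {
  let lo = 0, hi = SINKHOLED_ZONES.length - 1;
  while (lo <= hi) {
    const mid = (lo + hi) >> 1;
    const z = SINKHOLED_ZONES[mid];
    if (z === name) return true;
    if (z < name) lo = mid + 1; else hi = mid - 1;
  }
  return false;
}

// Walk from the host up through its parents: "a.b.addthis.com" checks
// "a.b.addthis.com", "b.addthis.com", "addthis.com" and "com". One zone
// entry therefore covers "*.addthis.com", which a hosts file cannot express.
function isSinkholed(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (zoneListed(labels.slice(i).join("."))) return true;
  }
  return false;
}

// The entry point a browser calls for every request; host is the bare hostname.
function FindProxyForURL(url, host) {
  return isSinkholed(host) ? BLACKHOLE : DIRECT;
}
```

Because matching is by suffix, adding "somedomain.com" blocks the zone without enumerating subdomains, while "notsomedomain.com" is untouched. What it still cannot do is tell a tracker served from a first-party alias apart from the site itself, which is exactly the hole the DNS-aliasing comment describes.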

    • (Score: 1) by Bill Dimm on Tuesday July 22 2014, @06:32PM

      by Bill Dimm (940) on Tuesday July 22 2014, @06:32PM (#72395)

      No-Script and Flashblock, really useful plug-ins to have installed.

      Is Flashblock considered safe? I've seen at least one article [botcrawl.com] saying that it isn't. I really wish Mozilla would build Flash blocking into the browser (as they used to for Java ages ago) so the massive security hole that is Flash could be used selectively without relying on add-ons (from flaky third parties) that potentially have their own security issues.

      • (Score: 0) by Anonymous Coward on Tuesday July 22 2014, @06:56PM

        by Anonymous Coward on Tuesday July 22 2014, @06:56PM (#72407)

        I think firefox does block flash by default now.

        Any time I go to a page with flash, firefox asks me if I want to enable flash and gives me a "find out more" link to this page:

        https://support.mozilla.org/en-US/kb/why-do-i-have-click-activate-plugins [mozilla.org]

        However, despite the page implying that they only do it for out of date plugins, I have the latest version of flash as verified by:

        https://www.mozilla.org/en-US/plugincheck/ [mozilla.org]

      • (Score: 2) by PinkyGigglebrain on Monday July 28 2014, @08:32AM

        by PinkyGigglebrain (4458) on Monday July 28 2014, @08:32AM (#74559)

        Just read the article, never heard anything about it being any kind of issue.

        All I know is I've been using it for over 5 years on a Linux based system. I installed it using my browser's add-ons manager right from Mozilla's servers. If there is something dodgy about it I would think Mozilla would have pulled it long ago. I've never had any problems with it in all that time and I recommend it as a way of cutting down on wasted bandwidth and slow page load times.

        Of course this is only based on my personal experience and YMMV on a different OS/browser.

        --
        "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
  • (Score: 3, Informative) by Anonymous Coward on Tuesday July 22 2014, @08:51AM

    by Anonymous Coward on Tuesday July 22 2014, @08:51AM (#72204)

    The best protection against this is RequestPolicy. If your browser doesn't even contact the web site in question, they cannot get any information about you, not even your IP.

  • (Score: 3, Interesting) by jcross on Tuesday July 22 2014, @12:28PM

    by jcross (4009) on Tuesday July 22 2014, @12:28PM (#72252)

    I can see how this would produce a unique result for a given rendering stack; the browser version affecting the font layout/rendering code, the OS fonts and font library affecting hinting, the processor affecting floating point calculations, maybe the GPU getting involved as well. But it seems like on a global scale, such configuration combinations wouldn't be that unique. Mobile devices, for example, are made by the millions with the exact same stack. Can someone tell me whether there's more to it? Or is it meant to be used only in combination with other data points?

    • (Score: 2, Informative) by Anonymous Coward on Tuesday July 22 2014, @02:56PM

      by Anonymous Coward on Tuesday July 22 2014, @02:56PM (#72296)

      Well, if you read the articles, you'll find the following:

      But Vasilyev said that the company he was working for at the time decided against using the fingerprint technology. "We collected several million fingerprints but we decided against using them because accuracy was 90 percent," he said, "and many of our customers were on mobile and the fingerprinting doesn't work well on mobile."

      So no, there's not more to it.

  • (Score: 2, Interesting) by idetuxs on Tuesday July 22 2014, @01:30PM

    by idetuxs (2990) on Tuesday July 22 2014, @01:30PM (#72270)

    I remember a couple of weeks ago running TAILS, and the browser (I don't know if it was because of a Tor plugin) detected on some websites the canvas element and blocked it. Amazing.

    The thing is I entered a website I always visit and it detected too. It didn't come from another domain so, how can I check where it really comes from (the code that does that)?
    I'm already reading the paper
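One way to answer the question above, and to see the draw-then-read-back pattern the summary describes in concrete form, is a static check over the scripts a page loads. The following is an added example, not code from the thread or from the Princeton/KU Leuven paper: it flags any script that both draws to a canvas (fillText, fillRect and the like) and exports the pixels (toDataURL, toBlob, getImageData), or that reads the unmasked WebGL renderer string, and reports whether the script came from the page's own site or a third party. It does not execute anything, so it only produces candidates to inspect. Assumptions: the "site" of a host is approximated as its last two labels (no public-suffix list, so "co.uk"-style domains would be misjudged), and the sample page and scripts are constructed for the example, with tracker-cdn.example standing in for any third-party host; none of it is real AddThis code.

```javascript
// Added example (not from the thread or the paper it discusses): static
// detection of canvas-fingerprinting candidates and their origin.

// Drawing calls that put device-specific rendering output on the canvas.
const DRAW_CALLS = /\.(fillText|strokeText|fillRect|arc|bezierCurveTo)\s*\(/;
// Read-back calls that turn the rendered pixels into a value a script can hash.
const READ_CALLS = /\.(toDataURL|toBlob|getImageData)\s*\(/;
// The unmasked WebGL renderer/vendor string is the other canvas-based signal.
const WEBGL_PROBE = /getParameter\s*\(\s*\w+\.UNMASKED_(RENDERER|VENDOR)_WEBGL\s*\)/;

// Registrable domain, approximated as the last two labels (assumption: no
// public-suffix list). This is what makes "newrelic.foo.com" first-party
// to a page on "foo.com", as the DNS-aliasing comment above warns.
function siteOf(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// scripts: [{ src: URL string, or null for an inline script; body: script text }]
// Returns one report per script that matches the fingerprinting pattern.
function findCanvasFingerprinters(pageUrl, scripts) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const findings = [];
  scripts.forEach((s, index) => {
    const draws = DRAW_CALLS.test(s.body);
    const reads = READ_CALLS.test(s.body);
    const webgl = WEBGL_PROBE.test(s.body);
    if (!(draws && reads) && !webgl) return; // drawing alone (a chart) is fine
    const src = s.src ? new URL(s.src, pageUrl) : null; // resolve relative src
    const origin = src ? src.hostname : "inline";
    const party = !src || siteOf(src.hostname) === pageSite ? "first-party" : "third-party";
    findings.push({ index, origin, party, draws, reads, webgl });
  });
  return findings;
}

// Constructed sample page and scripts (not real code from any tracker).
const SAMPLE_PAGE = "https://www.example.com/article";
const SAMPLE_SCRIPTS = [
  { src: "https://s7.tracker-cdn.example/fp.js",
    body: `var c=document.createElement('canvas');var x=c.getContext('2d');
           x.textBaseline='top';x.font="14px 'Arial'";x.fillText('Cwm fjordbank glyphs vext quiz',2,15);
           var fp=c.toDataURL();send(hash(fp));` },
  { src: "/static/chart.js",   // draws but never reads back: a normal chart
    body: `var x=chart.getContext('2d');x.fillRect(0,0,10,10);x.arc(5,5,3,0,6.28);` },
  { src: null,                 // inline WebGL renderer probe on the page itself
    body: `var g=document.createElement('canvas').getContext('webgl');
           var d=g.getExtension('WEBGL_debug_renderer_info');
           report(g.getParameter(d.UNMASKED_RENDERER_WEBGL));` },
  { src: "https://cdn.example.com/app.js",
    body: `document.querySelector('#menu').addEventListener('click', toggle);` },
];

// Runs the check over the constructed page; returns the findings list.
function demo() {
  return findCanvasFingerprinters(SAMPLE_PAGE, SAMPLE_SCRIPTS);
}
```

On the sample page the check reports the third-party fp.js and the inline WebGL probe, and ignores the chart and the menu script. In practice the script list would come from the page's script tags plus whatever those scripts load in turn, which is where a first-party alias or an inline snippet pasted in by a contractor shows up as "first-party" even though the code is somebody else's.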

  • (Score: 3, Interesting) by SpallsHurgenson on Tuesday July 22 2014, @01:50PM

    by SpallsHurgenson (656) on Tuesday July 22 2014, @01:50PM (#72277)

    It is also blocked by anti-tracking tools like Ghostery and DoNotTrackMe, which should be an additional layer of protection every user has in addition to noscript. I expect AdBlock will get around to adding it too, if they haven't already.

    AddThis isn't really that different from other browser fingerprinting methods, which have been in use for nearly a decade, and just as easily blocked. Panopticlick.eff.net is a useful tool in explaining how it works (and how you can protect yourself)

    • (Score: 0) by Anonymous Coward on Thursday July 24 2014, @09:23AM

      by Anonymous Coward on Thursday July 24 2014, @09:23AM (#73185)

      DoNotTrackMe is a sick joke. If they can track you, they will.

  • (Score: 2) by hubie on Tuesday July 22 2014, @02:35PM

    by hubie (1068) Subscriber Badge on Tuesday July 22 2014, @02:35PM (#72290) Journal

    I noticed on the list of sites was noaa.gov. I wonder who the contractor is that built their site, and what other sites they manage. I also wonder whether any of the entities on that list who have their websites outsourced even know code like this is included. It seems like it would be a pretty lucrative side job for companies who do web sites to put all this tracking crap on; however, that is probably the Faustian bargain one makes when they sign up for these "free" web sites (however, NOAA doesn't fall into that category).

    • (Score: 1, Interesting) by Anonymous Coward on Tuesday July 22 2014, @08:11PM

      by Anonymous Coward on Tuesday July 22 2014, @08:11PM (#72457)

      Other than viewable text, I don't find that there's anything there [noaa.gov] worth wasting bandwidth or screen space on.
      One exception: weather.gov/meteograms/ [weather.gov]

      addthis has been on my AdBlock list for years and years---one of the first things added.

      -- gewg_