back to article NEW, SINISTER web tracking tech fingerprints your computer by making it draw

A new, persistent web-tracking technology developed has been used to track web users across many of the world's most popular websites, including those of the White House and even wholesale smut platform YouPorn. The canvas fingerprinting technique was described in 2012 by University of California researchers (PDF) as a means …

  1. cracked

    As with Goonalytics, scripts must be run.

    Sad that Active Content is too dangerous for many developers to use, sadder that more and more sites are requiring it in order to function.

    The Alexa thing has always looked like any other mass tracking system - does one still have to install the toolbar widget? - so its difficult to be surprised to read it is trying to find a revenue stream amongst the lovely data it will have collected (over lord knows how many years it is now?)

    What a bland, corporate-controlled, mucky place the free-web has become :-(

    1. h4rm0ny

      >>"As with Goonalytics, scripts must be run."

      I've occasionally blocked googleanalytics at the router level. I found about a third of the sites I visited became unusable as they were waiting on googleanalytics to respond.

      1. Anonymous Coward
        Anonymous Coward

        Googleanalytics

        I've never allowed this and I've never found a site which caused problems for me.

      2. Charles 9 Silver badge

        And others outright kick you out because they've installed ad-blocker-blockers. And most of them that do host exclusive content, so it's either bend over or go without.

    2. Anonymous Coward
      Unhappy

      What a bland, corporate-controlled, mucky place the free-web has become :-(

      I remember the good old days when it was just a mucky place.

  2. cbars

    ...Sigh

    Just that

  3. Mage Silver badge

    Blocking

    Install Noscript

    go addthis.com (any page)

    now on Noscript you can block addthis.com permanently

    Bottom feeding scum?

    1. AMBxx Silver badge

      Re: Blocking

      Addthis is already blocked on Ghostery, I'm glad to say.

      1. obrien

        Re: Ghostery

        Yep, I had just checked and see the same.

    2. John Gamble

      Re: Blocking

      Install Noscript

      go addthis.com (any page)

      now on Noscript you can block addthis.com permanently

      Blocking in NoScript is the default. You don't have to do anything (beyond not make bad default choices) to block addthis.com.

      You do have to be careful as a long-time user to be sure that you didn't allow it in the past.

      [checks NoScript "allow" list in my browser...]

      [oops...]

      [removes it from the list.]

  4. Extra spicey vindaloo
    Facepalm

    and Ghostery tells me,

    theRegister.co.uk has 10 trackers on the page.

    Datapoint media

    doubleclick

    facebook connect

    google analytics

    google+ platform

    linkedin widgets

    outbrain

    reddit

    stumbleupon widgets

    twitter button

    Seems you are missing the addThis tracker for a full set?

    1. The Wegie

      Re: and Ghostery tells me,

      El Reg are amateurs compared to the Grauniad. 18 trackers on one page!

      Ironically, the page on which Ghostery was reporting was devoted to an Edward Snowden article...

      1. CommanderGalaxian
        Black Helicopters

        Re: and Ghostery tells me,

        "Ironically, the page on which Ghostery was reporting was devoted to an Edward Snowden article..."

        No irony there at all. Whoever reads that page ends up on a list. And then gets tracked wherever else they go on the web.

    2. Anonymous Coward
      Anonymous Coward

      Re: and Ghostery tells me,

      Scroll to the bottom and their are 50% of your items listed, the social media ones.

      1. John Tserkezis

        Re: and Ghostery tells me,

        I use the adblock plus element hiding addon, which makes it easy to add particular sections of pages to the block list. Great for removing the sections that say I *MUST* do something with twatter, farcebook instahack and whoever.

        Too bad Urban Dictionary only takes submissions from Farcebook or gmail now.

        1. Fatman

          Re: and Ghostery tells me,

          Excellent!!!

          ANOTHER satisfied user of AdBlock+'s Element Hider!!!

          One fabulous way to make those plastered with crap ads sites usable!

      2. Irongut

        Re: and Ghostery tells me,

        What items at the bottom of the page? He said he's using Ghostery therefore they don't show up. :)

    3. Anonymous Coward
      Anonymous Coward

      Re: and Ghostery tells me,

      If you are looking for pain, try reason.com

    4. Jorgegt60
      Happy

      Re: and Ghostery tells me,

      Mmmmm, interesting. Why so much concern over these tools? Aren't they simply letting the website owner who's using the site?

      Why would The Register have them if they were so bad?

      Just new to all this so apologies for the questions.

      1. gazthejourno (Written by Reg staff)

        Re: Re: and Ghostery tells me,

        We're actually slurping all this data so we can build a digital copy of everyone's first-born children and sell them to narco-traffickers, because EVIL CORPORATION.

  5. Buzzword

    On porn?

    Why on earth would you want an AddThis box on a porn site? Who in their right mind is going to watch a strictly NSFW video, then use their handy buttons to share it on YouTwitFace? It's an accident waiting to happen.

    1. James 100

      Re: On porn?

      I think there are quite a few adult Twitter accounts out there (I've seen a few) which might post that sort of stuff. Definitely not something I'd want popping up on anything you have family connected to you on, though...

      1. SoaG

        Re: On porn?

        If anyone you know IRL even knows you have a Twitter account, much less your user name, you're doing it wrong.

    2. L05ER

      Re: On porn?

      *GooTwitFace

      Because contextually aware.

  6. Caesarius
    Unhappy

    The nature of the internet

    I have always said:

    The internet is the best of anarchy, and the worst of anarchy.

    and

    There is always the trade-off between security and facility.

    Over recent years (a relative term that encompasses more and more as I grow older), internet banking etc. has tried to make the internet look organised and safe, so Joe Public is even less inclined to listen to me.

    And another saying:

    Eyore was an optimist

  7. BlueGreen

    for the umpteenth time, disable scripting

    then enable it selectively if at all. Ditto cookies & flash. How often do people have to be done over before they wake up? Do they ever?

    (curiously, I'd put the addthis domain in my squid blocklist quite a while back with the comment "# not quite sure what this is but don't want it.")

  8. ElReg!comments!Pierre

    Oldies but goodies

    I find The Proxomitron is quite a handy way to get rid of all this crap. That, or browsing from a JS-free browser. Of course nowadays many pages are almost entirely written in multi-Mb JS even the ones which could (and should) be a simple 1-Kb HTML form...

    1. skeptical i
      Thumb Down

      Re: Oldies but goodies

      Ayuh ... what should be a simple "Find ______________ and search by [ ] name [ ] parcel/ case ID" form (text box + radio selector) form on almost any public information site is a raft of pages and pages of who- knows- what. Some sites that were designed a while ago are still fairly simple, lean, and fast, while many newer ones seem to have used the latest canned bullshit from the "Need to build a website? Have no HTML skills? Have we got the product for YOU!" snake oil sales vermin who get a kickback on whatever click-through and/or other tracking bullshit is buried in the aforementioned who- knows- what. Hangin's too good for 'em.

  9. Anonymous Coward
    Anonymous Coward

    Description...

    Is there a better description of how this works anywhere?

    1. Google

      Re: Description...

      https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf

      The crucial bit the article is missing is on page two of the pdf - a text string will be rendered differently in each browser.

      1. Buzzword

        Re: Description...

        Presumably the fingerprint won't differ between the same make & model of computer or tablet? There are millions of identical iPads and MacBooks. Some of the more popular models from Dell / Asus / Lenovo must sell in the hundreds of thousands, at least. I don't see how canvas fingerprinting could uniquely identify them.

        1. davidp231

          Re: Description...

          MAC address for the WLAN. They're unique.

      2. Anonymous Coward
        Anonymous Coward

        Re: Description...

        Thanks. The interesting bit is :

        "The same text can be rendered in different ways on different computers depending on the operating system, font library, graphics card, graphics driver and the browser. This may be due to the differences in font rasterization such as anti-aliasing, hinting or sub-pixel smoothing, differences in system fonts, API implementations or even the physical display. In order to maximize the diversity of outcomes, the adversary may draw as many different letters as possible to the canvas."

      3. linkbox8

        Re: Description...

        Here's the text from that PDF:

        "Canvas fingerprinting is a type of browser or device fingerprinting technique that was first presented in a paper by Mowery and Shacham in 2012. The authors found that by using the Canvas API of modern browsers, an adversary can exploit the subtle differences in the rendering of the same text to extract a consistent fingerprint that can easily be obtained in a fraction of a second without user's awareness.

        "The same text can be rendered in different ways on different computers depending on the operating system, font library, graphics card, graphics driver and the browser. This may be due to the differences in font rasterization such as anti-aliasing, hinting or sub-pixel smoothing, differences in system fonts, API implementations or even the physical display. In order to maximize the diversity of outcomes, the adversary may draw as many different letters as possible to the canvas."

      4. Havin_it

        Re: Description...

        Thanks for the clarification.

        This is the bit that gets me. Sure, you have a laundry list of "high-entropy properties" (browser, list of plugins, OS, font settings, screen, GPU) but I find it hard to believe there isn't still a pretty high collision rate. I mean, any laptop of the same model in the hands of Average Joe who doesn't change defaults is likely to give the same hash, surely?

        Plus, when the range of "entropy" (read:uniqueness) sources is that great, the odds of one of them being changed and thereby changing the hash must be pretty high too, right? (I guess these two points are slightly contradictory, but both still carry some weight I think.)

        I'm just about certain I'm missing something, feel free to enlighten me ;)

        1. Charlie Clark Silver badge

          Re: Description...

          @Havin_It

          Sure, but factor out all those who don't have extensive script-blocking and your target size is much, much smaller.

          1. Havin_it

            @Charlie Clark Re: Description...

            Charlie, do you mean that to exclude those with "extensive script-blocking" will reduce the target size?

            If so, I'm not convinced that will make it "much, much smaller", because:

            1. Those who ad-block, script-block etc are still a very small minority, I suspect. Be careful you are not voicing the prejudice of our profession!

            2. Such people (myself included) may have given up on JS-blocking due to the effort involved in unblocking the many sites that won't function without JS. That leaves us armed to the teeth with other addons that do everything short of blocking JS to protect privacy, which may just be enough of a climbdown to make us vulnerable.

            1. Charlie Clark Silver badge

              Re: @Charlie Clark Description...

              Charlie, do you mean that to exclude those with "extensive script-blocking" will reduce the target size?

              No, I said and meant the opposite: most people don't run script-blockers and are thus easy to track using the standard methods.

              Personally, I'm quite happy with Ghostery's blocking of the third party crap (all adslingers and trackers by default) but I'm under no illusion that I'm not trackable.

        2. David Pollard

          Re: Description... Panopticlick

          Here from the EFF is a test site. "How unique - and trackable - is your browser?"

          https://panopticlick.eff.org/

          1. cbars

            Re: Description... Panopticlick

            "Your browser fingerprint appears to be unique among the 4,329,759 tested so far."

            Most of that seems to be down to my plugins and fonts. So I use an unusual configuration based on the fact I have installed 3 plugins, and am on my work laptop... crap

    2. Michael Wojcik Silver badge

      Re: Description...

      It's a standard side-channel attack, relying on rendering differences among individual browsers. As the linked paper by Acar et al (which is only 16 pages long and easy reading) notes, things like browser type and version, installed fonts, graphics hardware, and OS settings affect the rendering at the pixel level.

      So you put a script on your page that creates a Canvas object, draws some text in it, converts the resulting bitmap into Base64-encoded data, and hashes that Base64-encoded string. That hash is the fingerprint. In practice the collision rate is low enough that it is a strong contribution toward a unique client identifier.

      Section 3 of the Acar paper has some additional details. It's mostly about how they detected canvas fingerprinting, but the list of fingerprinting text strings in Table 1 is interesting, for example.

      Like any side-channel attack, the only real defenses are blocking all related channels (so basically anything a script can use to query browser state) or whitening (adding noise to the data). Browser fingerprinting is an arms race and there's no reason to think the bad guys aren't going to continue to stay ahead.

      But eventually we'll all move to IPv6 and every machine will be globally, uniquely, directly addressable, and none of that will matter.

  10. Anonymous Coward
    Anonymous Coward

    Have a play

    http://www.browserleaks.com/canvas

  11. Alistair
    Coat

    Hmmm

    Type out the hostname and mac address of the primary nic.

    Likely unique string on the device. Generate the string from that..... Yeah, it would likely be fairly unique.

    NoScipt for ages here... on all browsers.

  12. Ashton Black

    Ghostery for me too. Phew.

  13. Crazy Operations Guy

    An improvement to NoScript

    I wish NoScript had the ability to have domain-specific white lists. What I mean is that I would like to allow Facebook's scripts when I'm on Facebook.com, but disallow them when I'm shopping for stuff on Amazon, or vice-versa.

    1. Adam van Amstel

      Re: An improvement to NoScript

      Have you considered using Request Policy in addition to NoScript to control usage of cross-site requests by the websites you visit?

      https://addons.mozilla.org/en-US/firefox/addon/requestpolicy/

      I've been using this with Firefox for over a year now (very effectively) to reduce snooping from the likes of Facebook et al whilst browsing other sites.

  14. Joe 48

    If target Ads 'apparently' enhance my internet experience

    Why aren't they all simply adverts for more porn?!?!

  15. bXzNGk8QquB3ocO1fr

    deny addthis all access

    I have AddThis blocked through Little Snitch and Ghostery. I use the TOR browser, which detects and allows the choice to deny or allow canvas accesses. If anyone has another suggestion for blocking AddThis, I'd appreciate hearing about it.

  16. janimal
    Black Helicopters

    I now do most of my browsing in a VM, running Linux, using FF & no-script and accessing the net via VPN with a frequently changed, usually foreign, exit point.

    "you ain't seen me right..."

    1. Anonymous Coward
      Anonymous Coward

      They can probably STILL see you. They'll detect you're in a VM and use an escalation exploit to determine the actual machine, they use exploits specifically for Linux, use a trusted domain or simply block the exclusive must-have content until you allow the pertinent domain. Oh, and they can sniff out your VPN exit points, even if they're foreign (and if they can't, then SOMEONE ELSE is sniffing you). Remember, they have ways to beat TOR.

      1. janimal

        and then all they'll see is some generic porn and lots of cat videos :/

  17. Technological Viking
    Trollface

    Just Opt Out

    Hello, fine citizen. Please opt out of our service if you do not want to use it. We will place a cookie on your machine that would get cleared out whenever you delete other cookies. You don't do something so foolish as to clear your cookies, though, right? That's for people that don't want stupid tracking enabled on them. So to opt out of our tracking, please use this cookie.

    Thank you for visiting our webpage, Robert Blackman of Arlington Virginia with IP address 72.131.60.243 from Comcast Cable! Please say "hi" to your Facebook friends Charles LeBlanc and Ricky Chavez for us!

  18. Anonymous Coward
    Anonymous Coward

    AdBlock

    Just subscribe to the Privacy / Tracking / AntiSocial filter lists. No "like" buttons, no GA, no AddThis... it's beautiful.

  19. Graham Cobb Silver badge

    Surely this is illegal under Computer Abuse and Data Protection laws?

    If I have set Do Not Track, and I disable or regularly delete Cookies then I am making an unambiguous statement that I do not permit tracking. Any company trying to workround that (whether using canvas, or flash cookies, or anything else) is then abusing their access to my computer. I have not given permission for that. The deliberate action is illegal, whatever the technology. They are, of course, welcome to deny me access to their website if they wish -- but they are not permitted to hack me.

    Many companies claim that creating URLs which are not published links and which leak information is illegal hacking of their website by users. If that is the case, then mis-using browser features to track me when I have explicitly refused permission is also illegal hacking.

    Why haven't the data protection authorities made a clear statement that any sort of web tracking not based on cookies is illegal and that companies will be prosecuted under data protection laws.

    1. Rob Carriere

      Re: Surely this is illegal under Computer Abuse and Data Protection laws?

      I'm guessing that would depend on your jurisdiction.

      The Dutch anti-tracking law, for example, specifically states that it is the act of tracking that is being legislated, not any specific technology used for that purpose. So as far as I understand it, you'd be perfectly welcome to use these techniques instead of cookies as long as you only use them for purposes for which cookies would be allowed (that is, to implement essential functionality of the site, such as login; to gather anonymized usage statistics of the site; or to do anything else for which I have given explicit and informed consent.)

  20. Anonymous Coward
    Anonymous Coward

    no trak

    work to be a gh05t, use a bootable usb,use several OS systems randomly,jump hot spots,Mac spoof......DELETE!!!!!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021