NEW, SINISTER web tracking tech fingerprints your computer by making it draw

A new, persistent web-tracking technology developed has been used to track web users across many of the world's most popular websites, including those of the White House and even wholesale smut platform YouPorn. The canvas fingerprinting technique was described in 2012 by University of California researchers (PDF) as a means …

  1. cracked

    As with Goonalytics, scripts must be run.

    Sad that Active Content is too dangerous for many developers to use, sadder that more and more sites are requiring it in order to function.

    The Alexa thing has always looked like any other mass tracking system - does one still have to install the toolbar widget? - so it's difficult to be surprised to read it is trying to find a revenue stream amongst the lovely data it will have collected (over lord knows how many years it is now?)

    What a bland, corporate-controlled, mucky place the free-web has become :-(

    1. h4rm0ny

      >>"As with Goonalytics, scripts must be run."

      I've occasionally blocked googleanalytics at the router level. I found about a third of the sites I visited became unusable as they were waiting on googleanalytics to respond.

      1. Anonymous Coward

        Googleanalytics

        I've never allowed this and I've never found a site which caused problems for me.

      2. Charles 9

        And others outright kick you out because they've installed ad-blocker-blockers. And most of them that do host exclusive content, so it's either bend over or go without.

    2. Anonymous Coward
      Unhappy

      What a bland, corporate-controlled, mucky place the free-web has become :-(

      I remember the good old days when it was just a mucky place.

  2. cbars Bronze badge

    ...Sigh

    Just that

  3. Mage Silver badge

    Blocking

    Install NoScript

    go to addthis.com (any page)

    now in NoScript you can block addthis.com permanently

    Bottom feeding scum?

    1. AMBxx Silver badge

      Re: Blocking

      Addthis is already blocked on Ghostery, I'm glad to say.

      1. obrien

        Re: Ghostery

        Yep, I just checked and I see the same.

    2. John Gamble

      Re: Blocking

      Install NoScript

      go to addthis.com (any page)

      now in NoScript you can block addthis.com permanently

      Blocking in NoScript is the default. You don't have to do anything (beyond not make bad default choices) to block addthis.com.

      You do have to be careful as a long-time user to be sure that you didn't allow it in the past.

      [checks NoScript "allow" list in my browser...]

      [oops...]

      [removes it from the list.]

  4. Extra spicey vindaloo
    Facepalm

    and Ghostery tells me,

    theRegister.co.uk has 10 trackers on the page.

    Datapoint media

    doubleclick

    facebook connect

    google analytics

    google+ platform

    linkedin widgets

    outbrain

    reddit

    stumbleupon widgets

    twitter button

    Seems you are missing the addThis tracker for a full set?

    1. The Wegie

      Re: and Ghostery tells me,

      El Reg are amateurs compared to the Grauniad. 18 trackers on one page!

      Ironically, the page on which Ghostery was reporting was devoted to an Edward Snowden article...

      1. CommanderGalaxian
        Black Helicopters

        Re: and Ghostery tells me,

        "Ironically, the page on which Ghostery was reporting was devoted to an Edward Snowden article..."

        No irony there at all. Whoever reads that page ends up on a list. And then gets tracked wherever else they go on the web.

    2. Anonymous Coward

      Re: and Ghostery tells me,

      Scroll to the bottom and there are 50% of your items listed, the social media ones.

      1. John Tserkezis

        Re: and Ghostery tells me,

        I use the adblock plus element hiding addon, which makes it easy to add particular sections of pages to the block list. Great for removing the sections that say I *MUST* do something with twatter, farcebook instahack and whoever.

        Too bad Urban Dictionary only takes submissions from Farcebook or gmail now.

        1. Fatman

          Re: and Ghostery tells me,

          Excellent!!!

          ANOTHER satisfied user of AdBlock+'s Element Hider!!!

          One fabulous way to make those plastered with crap ads sites usable!

      2. Irongut

        Re: and Ghostery tells me,

        What items at the bottom of the page? He said he's using Ghostery therefore they don't show up. :)

    3. Anonymous Coward

      Re: and Ghostery tells me,

      If you are looking for pain, try reason.com

    4. Jorgegt60
      Happy

      Re: and Ghostery tells me,

      Mmmmm, interesting. Why so much concern over these tools? Aren't they simply letting the website owner know who's using the site?

      Why would The Register have them if they were so bad?

      Just new to all this so apologies for the questions.

      1. gazthejourno (Written by Reg staff)

        Re: Re: and Ghostery tells me,

        We're actually slurping all this data so we can build a digital copy of everyone's first-born children and sell them to narco-traffickers, because EVIL CORPORATION.

  5. Buzzword

    On porn?

    Why on earth would you want an AddThis box on a porn site? Who in their right mind is going to watch a strictly NSFW video, then use their handy buttons to share it on YouTwitFace? It's an accident waiting to happen.

    1. James 100

      Re: On porn?

      I think there are quite a few adult Twitter accounts out there (I've seen a few) which might post that sort of stuff. Definitely not something I'd want popping up on anything you have family connected to you on, though...

      1. SoaG

        Re: On porn?

        If anyone you know IRL even knows you have a Twitter account, much less your user name, you're doing it wrong.

    2. L05ER

      Re: On porn?

      *GooTwitFace

      Because contextually aware.

  6. Caesarius
    Unhappy

    The nature of the internet

    I have always said:

    The internet is the best of anarchy, and the worst of anarchy.

    and

    There is always the trade-off between security and facility.

    Over recent years (a relative term that encompasses more and more as I grow older), internet banking etc. has tried to make the internet look organised and safe, so Joe Public is even less inclined to listen to me.

    And another saying:

    Eeyore was an optimist

  7. BlueGreen

    for the umpteenth time, disable scripting

    then enable it selectively if at all. Ditto cookies & flash. How often do people have to be done over before they wake up? Do they ever?

    (curiously, I'd put the addthis domain in my squid blocklist quite a while back with the comment "# not quite sure what this is but don't want it.")

  8. ElReg!comments!Pierre

    Oldies but goodies

    I find The Proxomitron is quite a handy way to get rid of all this crap. That, or browsing from a JS-free browser. Of course nowadays many pages are almost entirely written in multi-Mb JS even the ones which could (and should) be a simple 1-Kb HTML form...

    1. skeptical i
      Thumb Down

      Re: Oldies but goodies

      Ayuh ... what should be a simple "Find ______________ and search by [ ] name [ ] parcel/ case ID" form (text box + radio selector) form on almost any public information site is a raft of pages and pages of who- knows- what. Some sites that were designed a while ago are still fairly simple, lean, and fast, while many newer ones seem to have used the latest canned bullshit from the "Need to build a website? Have no HTML skills? Have we got the product for YOU!" snake oil sales vermin who get a kickback on whatever click-through and/or other tracking bullshit is buried in the aforementioned who- knows- what. Hangin's too good for 'em.

  9. Anonymous Coward

    Description...

    Is there a better description of how this works anywhere?

    1. Google

      Re: Description...

      https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf

      The crucial bit the article is missing is on page two of the pdf - a text string will be rendered differently in each browser.

      1. Buzzword

        Re: Description...

        Presumably the fingerprint won't differ between the same make & model of computer or tablet? There are millions of identical iPads and MacBooks. Some of the more popular models from Dell / Asus / Lenovo must sell in the hundreds of thousands, at least. I don't see how canvas fingerprinting could uniquely identify them.

        1. davidp231

          Re: Description...

          MAC address for the WLAN. They're unique.

      2. Anonymous Coward

        Re: Description...

        Thanks. The interesting bit is :

        "The same text can be rendered in different ways on different computers depending on the operating system, font library, graphics card, graphics driver and the browser. This may be due to the differences in font rasterization such as anti-aliasing, hinting or sub-pixel smoothing, differences in system fonts, API implementations or even the physical display. In order to maximize the diversity of outcomes, the adversary may draw as many different letters as possible to the canvas."

      3. linkbox8

        Re: Description...

        Here's the text from that PDF:

        "Canvas fingerprinting is a type of browser or device fingerprinting technique that was first presented in a paper by Mowery and Shacham in 2012. The authors found that by using the Canvas API of modern browsers, an adversary can exploit the subtle differences in the rendering of the same text to extract a consistent fingerprint that can easily be obtained in a fraction of a second without user's awareness.

        "The same text can be rendered in different ways on different computers depending on the operating system, font library, graphics card, graphics driver and the browser. This may be due to the differences in font rasterization such as anti-aliasing, hinting or sub-pixel smoothing, differences in system fonts, API implementations or even the physical display. In order to maximize the diversity of outcomes, the adversary may draw as many different letters as possible to the canvas."

      4. Havin_it

        Re: Description...

        Thanks for the clarification.

        This is the bit that gets me. Sure, you have a laundry list of "high-entropy properties" (browser, list of plugins, OS, font settings, screen, GPU) but I find it hard to believe there isn't still a pretty high collision rate. I mean, any laptop of the same model in the hands of Average Joe who doesn't change defaults is likely to give the same hash, surely?

        Plus, when the range of "entropy" (read:uniqueness) sources is that great, the odds of one of them being changed and thereby changing the hash must be pretty high too, right? (I guess these two points are slightly contradictory, but both still carry some weight I think.)

        I'm just about certain I'm missing something, feel free to enlighten me ;)

        1. Charlie Clark Silver badge

          Re: Description...

          @Havin_It

          Sure, but factor out all those who don't have extensive script-blocking and your target size is much, much smaller.

          1. Havin_it

            @Charlie Clark Re: Description...

            Charlie, do you mean that to exclude those with "extensive script-blocking" will reduce the target size?

            If so, I'm not convinced that will make it "much, much smaller", because:

            1. Those who ad-block, script-block etc are still a very small minority, I suspect. Be careful you are not voicing the prejudice of our profession!

            2. Such people (myself included) may have given up on JS-blocking due to the effort involved in unblocking the many sites that won't function without JS. That leaves us armed to the teeth with other addons that do everything short of blocking JS to protect privacy, which may just be enough of a climbdown to make us vulnerable.

            1. Charlie Clark Silver badge

              Re: @Charlie Clark Description...

              Charlie, do you mean that to exclude those with "extensive script-blocking" will reduce the target size?

              No, I said and meant the opposite: most people don't run script-blockers and are thus easy to track using the standard methods.

              Personally, I'm quite happy with Ghostery's blocking of the third party crap (all adslingers and trackers by default) but I'm under no illusion that I'm not trackable.

        2. David Pollard

          Re: Description... Panopticlick

          Here from the EFF is a test site. "How unique - and trackable - is your browser?"

          https://panopticlick.eff.org/

          1. cbars Bronze badge

            Re: Description... Panopticlick

            "Your browser fingerprint appears to be unique among the 4,329,759 tested so far."

            Most of that seems to be down to my plugins and fonts. So I use an unusual configuration based on the fact I have installed 3 plugins, and am on my work laptop... crap

    2. Michael Wojcik Silver badge

      Re: Description...

      It's a standard side-channel attack, relying on rendering differences among individual browsers. As the linked paper by Acar et al. (which is only 16 pages long and easy reading) notes, things like browser type and version, installed fonts, graphics hardware, and OS settings affect the rendering at the pixel level.

      So you put a script on your page that creates a Canvas object, draws some text in it, converts the resulting bitmap into Base64-encoded data, and hashes that Base64-encoded string. That hash is the fingerprint. In practice the collision rate is low enough that it is a strong contribution toward a unique client identifier.

      Section 3 of the Acar paper has some additional details. It's mostly about how they detected canvas fingerprinting, but the list of fingerprinting text strings in Table 1 is interesting, for example.

      Like any side-channel attack, the only real defenses are blocking all related channels (so basically anything a script can use to query browser state) or whitening (adding noise to the data). Browser fingerprinting is an arms race and there's no reason to think the bad guys aren't going to continue to stay ahead.

      But eventually we'll all move to IPv6 and every machine will be globally, uniquely, directly addressable, and none of that will matter.

  10. Anonymous Coward

    Have a play

    http://www.browserleaks.com/canvas

  11. Alistair
    Coat

    Hmmm

    Type out the hostname and MAC address of the primary NIC.

    Likely unique string on the device. Generate the string from that..... Yeah, it would likely be fairly unique.

    NoScript for ages here... on all browsers.

  12. Ashton Black

    Ghostery for me too. Phew.

  13. Crazy Operations Guy

    An improvement to NoScript

    I wish NoScript had the ability to have domain-specific white lists. What I mean is that I would like to allow Facebook's scripts when I'm on Facebook.com, but disallow them when I'm shopping for stuff on Amazon, or vice-versa.

    1. Adam van Amstel

      Re: An improvement to NoScript

      Have you considered using Request Policy in addition to NoScript to control usage of cross-site requests by the websites you visit?

      https://addons.mozilla.org/en-US/firefox/addon/requestpolicy/

      I've been using this with Firefox for over a year now (very effectively) to reduce snooping from the likes of Facebook et al whilst browsing other sites.

  14. Joe 48

    If target Ads 'apparently' enhance my internet experience

    Why aren't they all simply adverts for more porn?!?!

  15. bXzNGk8QquB3ocO1fr

    deny addthis all access

    I have AddThis blocked through Little Snitch and Ghostery. I use the TOR browser, which detects and allows the choice to deny or allow canvas accesses. If anyone has another suggestion for blocking AddThis, I'd appreciate hearing about it.

  16. janimal
    Black Helicopters

    I now do most of my browsing in a VM, running Linux, using FF & no-script and accessing the net via VPN with a frequently changed, usually foreign, exit point.

    "you ain't seen me right..."

    1. Anonymous Coward

      They can probably STILL see you. They'll detect you're in a VM and use an escalation exploit to determine the actual machine, they use exploits specifically for Linux, use a trusted domain or simply block the exclusive must-have content until you allow the pertinent domain. Oh, and they can sniff out your VPN exit points, even if they're foreign (and if they can't, then SOMEONE ELSE is sniffing you). Remember, they have ways to beat TOR.

      1. janimal

        and then all they'll see is some generic porn and lots of cat videos :/

  17. Technological Viking
    Trollface

    Just Opt Out

    Hello, fine citizen. Please opt out of our service if you do not want to use it. We will place a cookie on your machine that would get cleared out whenever you delete other cookies. You don't do something so foolish as to clear your cookies, though, right? That's for people that don't want stupid tracking enabled on them. So to opt out of our tracking, please use this cookie.

    Thank you for visiting our webpage, Robert Blackman of Arlington Virginia with IP address 72.131.60.243 from Comcast Cable! Please say "hi" to your Facebook friends Charles LeBlanc and Ricky Chavez for us!

  18. Anonymous Coward

    AdBlock

    Just subscribe to the Privacy / Tracking / AntiSocial filter lists. No "like" buttons, no GA, no AddThis... it's beautiful.

  19. Graham Cobb Silver badge

    Surely this is illegal under Computer Abuse and Data Protection laws?

    If I have set Do Not Track, and I disable or regularly delete Cookies then I am making an unambiguous statement that I do not permit tracking. Any company trying to work around that (whether using canvas, or flash cookies, or anything else) is then abusing their access to my computer. I have not given permission for that. The deliberate action is illegal, whatever the technology. They are, of course, welcome to deny me access to their website if they wish -- but they are not permitted to hack me.

    Many companies claim that creating URLs which are not published links and which leak information is illegal hacking of their website by users. If that is the case, then mis-using browser features to track me when I have explicitly refused permission is also illegal hacking.

    Why haven't the data protection authorities made a clear statement that any sort of web tracking not based on cookies is illegal and that companies will be prosecuted under data protection laws?

    1. Rob Carriere

      Re: Surely this is illegal under Computer Abuse and Data Protection laws?

      I'm guessing that would depend on your jurisdiction.

      The Dutch anti-tracking law, for example, specifically states that it is the act of tracking that is being legislated, not any specific technology used for that purpose. So as far as I understand it, you'd be perfectly welcome to use these techniques instead of cookies as long as you only use them for purposes for which cookies would be allowed (that is, to implement essential functionality of the site, such as login; to gather anonymized usage statistics of the site; or to do anything else for which I have given explicit and informed consent.)

  20. Anonymous Coward

    no trak

    work to be a gh05t, use a bootable USB, use several OS systems randomly, jump hot spots, MAC spoof... DELETE!!!!!
