Tons Of Sites, Including WhiteHouse.gov, In Unwitting AddThis Experiment With Tracking Technology That Is Difficult To Block

from the our-post-cookie-era dept

ProPublica has a new story about the rise of “canvas fingerprinting,” a new method of tracking users without using cookies. It’s a method that is apparently quite difficult to block if you’re using anything other than Tor Browser. In short, canvas fingerprinting works by sending some instructions to your browser to draw a hidden image — but does so in a manner making use of some of the unique features of your computer, such that each resulting image is likely to be unique (or nearly unique). The key issue here is that the popular “social sharing” company AddThis, which many sites (note: not ours) use to add “social” buttons to their website, had been experimenting with canvas fingerprinting to identify users even if they don’t use cookies. As ProPublica’s Julia Angwin notes, it’s very difficult to block this kind of thing — and tons of sites make use of AddThis — including WhiteHouse.gov (whose privacy policy does not seem to reveal this, saying it only uses Google Analytics as a third party provider).

The report does note that others who have tried canvas fingerprinting have found that it’s not necessarily accurate enough yet, but the technology appears to keep getting better. Still, AddThis says it’s likely to drop it anyway, because it’s not good enough yet:

AddThis said it rolled out the feature to a small portion of the 13 million websites on which its technology appears, but is considering ending its test soon. “It’s not uniquely identifying enough,” Harris said.

AddThis did not notify the websites on which the code was placed because “we conduct R&D projects in live environments to get the best results from testing,” according to a spokeswoman.

The company also insisted it wasn’t doing anything bad with the tracking, but even if you believe that’s true, how long will it be until others make use of similar fingerprinting for more questionable behavior?

Given the attention this is getting, hopefully browsers will at least roll out features that allow users more notification and control over such practices. Cookies are hardly a perfect solution, but at least users have control over them.
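Canvas fingerprinting scripts typically draw text onto a canvas and then read the pixels back, so that sequence is something a page-side monitor can surface to the user. The following is an added example, not code from the article, ProPublica or AddThis; `installCanvasMonitor`, `runDemo`, `FakeCanvas` and `FakeContext` are hypothetical names, and the "text drawn, then read back" rule is an assumed heuristic rather than a complete detector.

```javascript
// Added example: flag the "draw text, then read the pixels back" sequence.
// In a browser, pass HTMLCanvasElement and CanvasRenderingContext2D.
function installCanvasMonitor(CanvasClass, ContextClass, report) {
  const textByCanvas = new WeakMap(); // canvas -> strings drawn onto it

  // Replace proto[name] with a wrapper that runs `before`, then the original.
  const wrap = (proto, name, before) => {
    const original = proto[name];
    if (typeof original !== 'function') return;
    proto[name] = function (...args) {
      before(this, args);
      return original.apply(this, args);
    };
  };

  const noteText = (ctx, args) => {
    if (!ctx.canvas) return;
    const texts = textByCanvas.get(ctx.canvas) || [];
    texts.push(String(args[0]));
    textByCanvas.set(ctx.canvas, texts);
  };
  wrap(ContextClass.prototype, 'fillText', noteText);
  wrap(ContextClass.prototype, 'strokeText', noteText);

  // Readback APIs: toDataURL lives on the canvas, getImageData on the context.
  const noteRead = (api) => (target) => {
    const canvas = target.canvas || target;
    const texts = textByCanvas.get(canvas);
    if (!texts) return; // no text was drawn: ordinary image export, not flagged
    report({
      api,
      size: `${canvas.width}x${canvas.height}`,
      offscreen: canvas.isConnected === false, // never attached to the page
      text: texts.join(' | '),
    });
  };
  wrap(CanvasClass.prototype, 'toDataURL', noteRead('toDataURL'));
  wrap(ContextClass.prototype, 'getImageData', noteRead('getImageData'));
}

// Constructed stand-ins so the monitor can be exercised outside a browser.
function runDemo() {
  class FakeContext {
    constructor(canvas) { this.canvas = canvas; }
    fillText() {}
    fillRect() {}
    getImageData() { return { data: new Uint8ClampedArray(4) }; }
  }
  class FakeCanvas {
    constructor(width, height, isConnected) {
      Object.assign(this, { width, height, isConnected });
      this.ctx = new FakeContext(this);
    }
    getContext() { return this.ctx; }
    toDataURL() { return 'data:image/png;base64,'; }
  }
  const events = [];
  installCanvasMonitor(FakeCanvas, FakeContext, (e) => events.push(e));

  const probe = new FakeCanvas(300, 60, false); // detached canvas, text, readback
  probe.getContext('2d').fillText('constructed probe text 123', 2, 15);
  probe.toDataURL();

  const chart = new FakeCanvas(640, 480, true); // visible chart, shapes only
  chart.getContext('2d').fillRect(0, 0, 10, 10);
  chart.toDataURL();
  return events;
}
```

In a browser the monitor has to be installed before any third-party script runs, for example from an extension content script or a userscript set to run at document start.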

Companies: addthis


Comments on “Tons Of Sites, Including WhiteHouse.gov, In Unwitting AddThis Experiment With Tracking Technology That Is Difficult To Block”

69 Comments
Ninja (profile) says:

The advertising efforts have reached a level today that people find “creepy” and “scary” (not my words) when they get the picture of how it works, which is not as easy as it seems.

If somebody is actively trying to stay away from the tracking and the advertisement you should just leave it at that. Chances are you will enrage such person and drive them further away from your product if you insist. I’ve given up items I was going to buy with 100% certainty because of such intrusive advertising already, I hate it. And when people get to know how things work they usually want it all blocked too.

Anonymous Coward says:

Re: Here is the scary part

As far as I know the current canvas fingerprinting is very good at uniquely identifying computers. The problem is that the computer’s fingerprint will change over time too, so you may only identify a computer for maybe a month before it gets tagged as another computer. I would expect it to be difficult to predict the degradation of the computer with enough certainty to connect these fingerprints, which is bad for business.

The technologies are virtually impossible to guard against. In the end these kinds of tracking are just something we have to accept in the long run.

Anonymous Coward says:

Re: Re: Here is the scary part

The technologies are virtually impossible to guard against.

Add the following to your hosts file:

127.0.0.1 p.addthis.com
127.0.0.1 s3.addthis.com
127.0.0.1 s7.addthis.com
127.0.0.1 s9.addthis.com
127.0.0.1 su.addthis.com
127.0.0.1 www.addthis.com

Presto, you can’t connect to them, they can’t track you.
Any other virtually impossible problems you need solved?
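A hosts file matches exact hostnames only, so a block list like the one in the comment above silently misses any subdomain that is not listed, and an entry written as a URL or a wildcard blocks nothing. The following audit is an added example and not part of the original comment; `auditHosts`, `checkSample` and the sample hosts text are constructed for illustration, reusing the hostnames the commenter listed.

```javascript
// Added example: audit hosts-file text against the hostnames you expect blocked.
const SINK_ADDRESSES = new Set(['127.0.0.1', '0.0.0.0', '::1', '::']);
// One or more DNS labels (letters, digits, inner hyphens), 253 chars at most.
const LABEL = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
const HOSTNAME_RE = new RegExp(`^(?=.{1,253}$)${LABEL}(?:\\.${LABEL})*$`, 'i');

function whyMalformed(name) {
  if (name.includes('://')) return 'URL with a scheme; hosts entries take bare hostnames';
  if (name.includes('*')) return 'wildcards are not supported; list each subdomain';
  return 'not a valid hostname';
}

function auditHosts(hostsText, wantedHosts) {
  const sunk = new Set(); // hostnames mapped to a loopback/unspecified address
  const malformed = [];
  hostsText.split(/\r?\n/).forEach((raw, index) => {
    const line = raw.replace(/#.*/, '').trim(); // drop comments
    if (!line) return;
    const [address, ...names] = line.split(/\s+/);
    for (const name of names) {
      if (!HOSTNAME_RE.test(name)) {
        malformed.push({ line: index + 1, entry: name, reason: whyMalformed(name) });
      } else if (SINK_ADDRESSES.has(address)) {
        sunk.add(name.toLowerCase());
      }
    }
  });
  return {
    blocked: wantedHosts.filter((h) => sunk.has(h.toLowerCase())),
    missing: wantedHosts.filter((h) => !sunk.has(h.toLowerCase())),
    malformed,
  };
}

// Constructed sample hosts text with typical mistakes.
function checkSample() {
  const hostsText = [
    '# constructed sample, not a real hosts file',
    '127.0.0.1 localhost',
    '127.0.0.1 p.addthis.com s7.addthis.com',
    '0.0.0.0 s9.addthis.com   # also a sink address',
    '127.0.0.1 http://www.addthis.com',
    '127.0.0.1 *.addthis.com',
    '192.0.2.10 su.addthis.com', // resolves elsewhere, so not blocked
  ].join('\n');
  const wanted = ['p.addthis.com', 's3.addthis.com', 's7.addthis.com',
    's9.addthis.com', 'su.addthis.com', 'www.addthis.com'];
  return auditHosts(hostsText, wanted);
}
```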

BSD32x (profile) says:

Re: Re: Re:

Ghostery is proprietary software, though. It is owned by a marketing company, Evidon, and there have been well supported accusations that it in fact is used to help advertisers discover how users are blocking ads – http://lifehacker.com/ad-blocking-extension-ghostery-actually-sells-data-to-a-514417864 http://www.businessinsider.com/evidon-sells-ghostery-data-to-advertisers-2013-6 I would personally recommend Disconnect, which another commenter mentioned, instead, it’s an open source alternative to Ghostery – https://disconnect.me/disconnect

I would also recommend CookieKeeper over Self Destructing Cookies, as it’s been deprecated. https://addons.mozilla.org/en-US/firefox/addon/cookiekeeper/

Anonymous Coward says:

Re: Re: Re:

It does, in fact that is what I do when I use the Konqueror web browser. There are also userscripts for the Greasemonkey add on that can accomplish this. For the average non-technical user, I still think Disconnect is probably the better choice. I still use it with Firefox/Ice Weasel due to all of its other benefits and built in/updated tracker lists.

Anonymous Coward says:

Re: Not too hard to block - yet

That’s exactly right.

After years of enduring pop-ups, pop-unders, in-your-face flash banners and a myriad of other forms of intrusive advertising that got in the way of what I originally went to a website for, I eventually turned to pop-up and ad-blockers and I haven’t looked back. Between those tools and Ghostery, I infrequently see advertising unless I’ve white-listed a site I like well enough where they don’t engage in that type of advertising crap.

John Fenderson (profile) says:

Re: Re: Re: Not too hard to block - yet

Yes, this. I block all ads as much and as hard as I can regardless of what site is using them. Ad networks are not trustworthy, and will track you through any and all means they can.

For more enlightened sites (such as Techdirt) that provide a way to support them by just giving them money, I do that instead. It’s why I’m an “insider” here — I block all the ads, but am willing to pay for the content.

Doug says:

Re: Re: Not too hard to block - yet

Thanks to @RoninOne for pointing out that tools that block tracking cookies won’t work for canvas fingerprinting. I just checked on Privacy Badger, since I recommended it, and it appears that it will work, but I’m just going off what is in their FAQ:

“If as you browse the web, the same source seems to be tracking your browser across different websites, then Privacy Badger springs into action, telling your browser not to load any more content from that source. And when your browser stops loading content from a source, that source can no longer track you. Voila!”

Seems like that would work. However, there is a loophole that may or may not be open:

“In some cases a third-party domain provides some important aspect of a page’s functionality, such as embedded maps, images, or fonts. In those cases Privacy Badger will allow connections to the third party but will screen out its tracking cookies.”

FYI.

any moose cow word says:

I don’t know about this one. The information that a server can get from a user is rather limited without javascript, and javascript can be blocked. The info they can get otherwise might be enough to ID a specific user at an IP address, behind a NAT, but mobile users will change their IP many times a day.

Anonymous Coward says:

Re: Re: Re: Re:

Sure, but NoScript is not available for all browsers. If you’re going to use a more obscure browser, it’s still necessary to edit your hosts file, unfortunately. Greasemonkey is available for WebKit browsers, though, so you’d have to really go out of your way with something like KHTML or NetSurf to absolutely need to do this.

John Fenderson (profile) says:

Re: Re: Re:2 Re:

True, which is why I prefer to block access to known bad sites using the hosts file instead. You can even find preconfigured hosts files that block an extensive number of these sites, so all you have to do is pretty much just copy the file to the right location.

The other advantage to the hosts file is with your mobile devices: if you’re running a rooted Android, you can block all these accesses from it in exactly the same way.

ECA (profile) says:

There is so much

There is so much TRACKING that it takes over 1/2 the net traffic to watch it..
I have been to sites that had so many Tracking cookies that it took 5 minutes to find my way to the site..

I love programming, but SOME of the idiots out there use serial programming, which means you take 1 step at a time..And you can’t PASS a step(cookie) to get to a site. It’s STUPID..
I LOVE the Overlay system they found, they use it OVER videos to FORCE you to watch adverts..

I’ve asked, and been denied, 1 little prog, to put NAMES in the comments of the cookies, of the location I got them..
SO THAT IF I find the cookie that crashed a system, I can TRACK it to the site, and ASK for info, of where it came from…and follow it back..
What do you think would happen, if you KNEW a certain site had LET a cookie infect your system?
What do you think would happen to the advertiser?
HOW about the Cookie maker, that worked for the advertiser?

Anyone seeing a way to track SPAMMERS here?

Anonymous Coward says:

Re: There is so much

“some of the idiots out there use serial programming, which means you take 1 step at a time… and you can’t pass a step (cookie) to get to a site. It’s stupid..”

You do realize that is often on purpose. The website doesn’t want you to be able to view their site unless you accept their cookies.

“I’ve asked, and been denied”

I like your proactive attitude about fighting tracking cookies, but what do you mean you “asked, and have been denied”? Denied by whom?

RoninOne says:

Ghostery

To all the commenters talking about Ghostery or donttrackme, those DO NOT block canvas fingerprinting, they block cookies. AddThis also uses cookies, which those extensions do block, but currently there is nothing that blocks canvas fingerprinting by default. Also to add to the article, they are only about 90% accurate since computers’ settings change often depending on the user.

Michael (profile) says:

Re: Re: Ghostery

Canvas fingerprinting uses the HTML5 canvas element. If your browser displays HTML5, it is going to work regardless of the extensions and blockers you have installed (that’s the point).

Right now, there is a bunch of attention – particularly since AddThis had it turned on for some popular porn sites. It seems likely to me that some of the ad-blockers and tracker companies are actively working on stripping out the canvas tags from the html so this will not function.

You could also use an older browser (IE 8 or earlier, I believe) that does not support HTML5 until someone comes up with a reliable way to block this.

Hi says:

Re: canvas

I’d think that older generations of browsers, pre-HTML5 without Canvas support, would resist that tracking, but then there’s the problem that they’d be subject to some drive-by vulnerabilities that have since been patched.

Maybe an update to the current browsers can include a setting to disable the Canvas resource. That would certainly break many HTML5 effects, but is less limiting than blocking Javascript if you don’t want to be tracked.

Rich Kulawiec (profile) says:

Where are you, Firefox?

Has anyone else noticed that Firefox’s development has regressed to endless self-indulgent tinkering with the UI (which was just fine 16 revisions ago) instead of integrating the VERY necessary defenses provided by add-ons into the core browser? By now, Firefox should long since have folded in AdBlock Plus, NoScript, Ghostery, Beef Taco, HTTPS Everywhere, Calomel SSL Validation, and others. (Not necessarily all in their entirety or current form: but the majority of the functionality should be there.)

It’s absolutely ridiculous that in 2014 the Firefox web browser ships in an undefended state. But I suppose it’s easier to move buttons around and continuously dumb down the interface than it is to actually do the hard work of defending users.

Anonymous Coward says:

Re: Re: Re: Where are you, Firefox?

Sure, but that doesn’t make Mozilla better equipped. Chrome has taken a lot of the pressure off of Google in the negotiations. Now Google have a pretty strong say in how Firefox works if Mozilla want economic support from that direction.

That connection would stop if Google became the target of boycotts, which would be uncomfortable for Mozilla to put it lightly…

Anonymous Coward says:

Re: Where are you, Firefox?

I was a loyal user, but Mozilla kept disappointing over and over again… Ad-laden start page; Australis; upcoming support for DRM. Enough is enough — I ditched it in favour of Palemoon (which I tend to like more than Iceweasel, OS difference notwithstanding).

I think it’s a bit too much to hope that Mozilla will incorporate features found in addons such as NoScript (beyond simple js blocking) or HTTPS Everywhere when they’re trying half-heartedly to comply with Hollywood pressure and possibly full-heartedly to make a Mozilla Chrome.

BSD32x (profile) says:

Re: Re: Where are you, Firefox?

You raise some good points, although I’m not wild about Palemoon’s licensing: http://www.palemoon.org/redist.shtml I think the opportunity is ripe for someone to launch a Kickstarter for a new browser, one that is committed to FOSS principles and under a BSD-style license or the GPL. WebKit has been a good alternative, but the QtWebKit engine and its predecessor KHTML are all but dead. With browsers like Qupzilla and Opera now being built on Google’s Chromium/QtWebEngine framework, the only truly open browser still in development is NetSurf, which just isn’t able to meet the needs of most users right now. Who knows, maybe some enterprising young programmers will seize on the opportunity.

Jason says:

Re: Re: Where are you, Firefox?

I had the very same experience. I switched to Palemoon this spring after another Firefox change and I haven’t looked back. A few minutes of configuration and it was like being back in the happy place you thought was long gone.

I can’t get Adobe’s PDF plugin to work, which is kind of a nuisance, but Palemoon is the browser I’ve been searching for ever since Firefox 14.

Anonymous Coward says:

Firefox extensions (with links!)

I see some folks speculating about various Firefox extensions that may or may not be helpful. For the benefit of readers who are unfamiliar with those extensions:

NoScript causes the browser not to run Javascript on a page until you allow it. You grant permission on a per-serving-domain basis. Using NoScript will break poorly written Web 2.0 sites until you whitelist them. Whitelisting may take several tries as you run down which domains are responsible for the scripts that the page requires for proper functionality. However, since NoScript denies first and permits only on command, it is very effective at killing unwanted scripts.

RequestPolicy causes the browser not to load resources from domains other than the current one, until you permit it. You can grant permissions on a per-source domain, per-destination domain, or per-both basis. Per-destination lets you say that all embeds of YouTube are allowed, regardless of where you find them. Per-source lets you say that Techdirt can always embed a resource, no matter where that resource is hosted. Per-both lets you write rules such as “Techdirt may embed YouTube, but nothing else can embed it under this rule.” (You might have other rules that whitelist YouTube for use on other sites. Once a match permits the embed, then it is allowed even if other permissions fail to match.) As with NoScript, a blank install of RequestPolicy will make some sites look odd or function poorly until you whitelist the domains that serve their supporting resources. In some cases, you may need to whitelist a site once in RequestPolicy to allow its JavaScript to be loaded, then whitelist that same site in NoScript to allow the JavaScript to be run once it has loaded. Although inconvenient, this can be useful, since NoScript only grants permission based on the serving domain, but RequestPolicy can also look at the domain that requested the script. Thus, you could whitelist Google’s copy of jQuery in NoScript, but use RequestPolicy to allow it to load only on selected sites.

AdBlock Plus blocks user-specified resources. By default, it has no blocks, but you can subscribe to community-maintained lists. AdBlock plus could block the AddThis tracker, but would require that you (or someone who maintains a list you use) block the domain(s) that serve the tracker. By contrast, both NoScript and RequestPolicy block everything you have not permitted.

Ghostery

Privacy Badger

BSD32x (profile) says:

Re: Firefox extensions (with links!)

I agree with all of those EXCEPT for Ghostery, given the tone of this article and discussion, I don’t understand why it’s being advocated. It is specifically used by a marketing company to generate revenue by selling data to advertisers, and is allegedly used to help advertisers create more technology that is difficult to block.

Anonymous Coward says:

Re: Re: Firefox extensions (with links!)

Sorry, I do not use Ghostery and did not see the negative remarks about it until after I posted. I provided a link to it for completeness, but if those allegations are accurate, it should be avoided. If I could retract my prior link to it, I would.

BSD32x (profile) says:

Re: Re: Re: Firefox extensions (with links!)

It’s fine, no offense meant on my part. I just want to make sure that information is out there, especially since several commenters before you recommended it.

Ghostery has been getting mentioned on a lot of other news sites I frequent since this story broke, as well. It would not surprise me if they astroturf comments pages to promote it when there are stories like this, since it’s in their financial interest to do so. Let me be clear and say that there is no evidence of that, to the best of my knowledge, that’s just speculation on my part.

HIDE UNDER THE BED says:

Canvas Fingerprinting

Ever since the U.S. & Israeli govts rolled out Stuxnet on the Iranians to screw up their centrifuges (& their nuke program), both countries’ (U.S. & Israel) spy agencies worked on a worse spying tool “Flame”. When they were exposed by Kaspersky, they said they were ‘only’ infecting suspected terrorists in the middle east and no one need worry about it! One of the key features of Flame was that it could make screen shots of any infected computer and it could record every keystroke.
This ‘Canvas Fingerprinting’ sounds like it originated at the N.S.A.
The Nazis at NSA never sleep. Hail to the United Secret Police State of America! Secret police with secret laws and secret punishments.
When Obama said (after Snowden’s revelations -June 7, 2013): “You can’t have 100 percent security and also then have 100 percent privacy and zero inconvenience,”…“We’re going to have to make some choices as a society.”
What he means is: We get 100 percent “security” and zero privacy. That is the choice he and George W. Bush have chosen for the rest of us.

Anonymous Coward says:

Here's a good one!

Q: What do porn websites and the President of the United States of America’s website have in common?

A: Sleazy user tracking.

Q: What’s the difference between porn websites and the President of the United States of America’s website?

A: You don’t have to wait more than a year for a response from a porn website.
