Tons Of Sites, Including WhiteHouse.gov, In Unwitting AddThis Experiment With Tracking Technology That Is Difficult To Block
from the our-post-cookie-era dept
ProPublica has a new story about the rise of “canvas fingerprinting,” a new method of tracking users without using cookies. It’s a method that is apparently quite difficult to block if you’re using anything other than Tor Browser. In short, canvas fingerprinting works by sending some instructions to your browser to draw a hidden image — but does so in a manner making use of some of the unique features of your computer, such that each resulting image is likely to be unique (or nearly unique). The key issue here is that the popular “social sharing” company AddThis, which many sites (note: not ours) use to add “social” buttons to their website, had been experimenting with canvas fingerprinting to identify users even if they don’t use cookies. As ProPublica’s Julia Angwin notes, it’s very difficult to block this kind of thing — and tons of sites make use of AddThis — including WhiteHouse.gov (whose privacy policy does not seem to reveal this, saying it only uses Google Analytics as a third party provider).
The report does note that others who have tried canvas fingerprinting have found that it’s not necessarily accurate enough yet, but the technology appears to keep getting better. Still, AddThis says it’s likely to drop it anyway, because it’s not good enough yet:
AddThis said it rolled out the feature to a small portion of the 13 million websites on which its technology appears, but is considering ending its test soon. “It’s not uniquely identifying enough,” Harris said.
AddThis did not notify the websites on which the code was placed because “we conduct R&D projects in live environments to get the best results from testing,” according to a spokeswoman.
The company also insisted it wasn’t doing anything bad with the tracking, but even if you believe that’s true, how long will it be until others make use of similar fingerprinting for more questionable behavior?
Given the attention this is getting, hopefully browsers will at least roll out features that give users more notification of and control over such practices. Cookies are hardly a perfect solution, but at least users have control over them.
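Added here as an illustration, not code from the article, ProPublica or AddThis: a browser-side guard over the canvas read-back calls a fingerprinting script has to make after drawing its hidden image, in the spirit of the “disable the Canvas resource” setting readers ask for below. The `makeFakeDom` stand-in and its `gpuByte` value are constructed for this example; in a real page the guard would be installed on `HTMLCanvasElement.prototype` and `CanvasRenderingContext2D.prototype` before any page script runs (for instance from an extension content script), which is an assumption of mine, not something the page describes.

```javascript
// Defensive guard for the canvas read-back APIs (toDataURL, toBlob, getImageData):
// drawing is left alone; pixel exports are logged ("detect") or replaced ("block").

// Constant returned in "block" mode: a 1x1 transparent PNG as a data URL, so every
// visitor exports identical bytes and there is nothing to fingerprint.
const BLANK_PNG =
  "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ" +
  "AAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==";

// In a browser pass HTMLCanvasElement.prototype and CanvasRenderingContext2D.prototype;
// the constructed stand-ins further down are used here so the code runs in Node.
function installCanvasGuard(canvasProto, ctxProto, options = {}) {
  const mode = options.mode === "block" ? "block" : "detect";
  const log = options.log || (() => {});
  const events = []; // one entry per intercepted read-back

  function record(api, canvas) {
    const evt = { api, width: canvas.width, height: canvas.height, blocked: mode === "block",
                  stack: new Error().stack }; // the stack shows which script asked for pixels
    events.push(evt);
    log(evt);
    return evt;
  }

  function wrap(proto, name, blankResult) {
    const original = proto[name];
    if (typeof original !== "function") return;
    proto[name] = function guarded(...args) {
      const canvas = this.canvas || this; // a 2D context points back at its canvas
      if (record(name, canvas).blocked) return blankResult(args);
      return original.apply(this, args);
    };
  }

  wrap(canvasProto, "toDataURL", () => BLANK_PNG);
  wrap(canvasProto, "toBlob", (args) => { if (typeof args[0] === "function") args[0](null); });
  wrap(ctxProto, "getImageData", (args) => ({
    width: args[2], height: args[3], data: new Uint8ClampedArray(args[2] * args[3] * 4), // zero pixels
  }));
  return { mode, events };
}

// Constructed stand-in for the DOM so the guard can be exercised in Node. The
// "gpuByte" models the per-machine rendering differences a tracker relies on.
function makeFakeDom() {
  class Ctx {
    constructor(canvas) { this.canvas = canvas; }
    fillText() {}
    getImageData(x, y, w, h) {
      return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4).fill(this.canvas.gpuByte) };
    }
  }
  class Canvas {
    constructor(gpuByte) { this.width = 220; this.height = 30; this.gpuByte = gpuByte; }
    getContext() { return new Ctx(this); }
    toDataURL() { return "data:image/png;base64,render-" + this.gpuByte; }
  }
  return { Canvas, Ctx };
}

// Two visitors draw the same hidden text; report whether a tracker could tell
// them apart from what it reads back, and how many read-backs the guard saw.
function demo(mode) {
  const { Canvas, Ctx } = makeFakeDom();
  const guard = installCanvasGuard(Canvas.prototype, Ctx.prototype, { mode });
  const visitors = [new Canvas(17), new Canvas(42)];
  const urls = visitors.map((c) => { c.getContext("2d").fillText("hidden tracker text", 2, 2); return c.toDataURL(); });
  const firstPixel = visitors.map((c) => c.getContext("2d").getImageData(0, 0, 2, 1).data[0]);
  const distinguishable = urls[0] !== urls[1] || firstPixel[0] !== firstPixel[1];
  return { distinguishable, readbacks: guard.events.length };
}

console.log(demo("detect")); // { distinguishable: true, readbacks: 4 }
console.log(demo("block"));  // { distinguishable: false, readbacks: 4 }
```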
Filed Under: canvas fingerprinting, cookies, tracking, whitehouse, whitehouse.gov
Companies: addthis
Comments on “Tons Of Sites, Including WhiteHouse.gov, In Unwitting AddThis Experiment With Tracking Technology That Is Difficult To Block”
The advertising efforts have reached a level today that people find “creepy” and “scary” (not my words) when they get the picture of how it works, which is not as easy as it seems.
If somebody is actively trying to stay away from tracking and advertising, you should just leave it at that. Chances are you will enrage such a person and drive them further away from your product if you insist. I’ve given up items I was going to buy with 100% certainty because of such intrusive advertising already, I hate it. And when people get to know how things work they usually want it all blocked too.
Here is the scary part
“It’s not uniquely identifying enough,”
They didn’t say they didn’t want to track and identify people, they said it wasn’t “good enough”.
Re: Here is the scary part
As far as I know the current canvas fingerprinting is very good at uniquely identifying computers. The problem is that the computer’s fingerprint will change over time too, so you may only identify a computer for maybe a month before it gets tagged as another computer. I would expect it to be difficult to predict the degradation of the computer with enough certainty to connect these fingerprints, which is bad for business.
The technologies are virtually impossible to guard against. In the end this kind of tracking is just something we have to accept in the long run.
Re: Re: Here is the scary part
The technologies are virtually impossible to guard against.
That sounds like a challenge to me. Techies, ‘hackers’, and other people who enjoy fiddling around with code and computers love challenges, the harder the better.
Re: Re: Re: Here is the scary part
One interesting thing to do would be run a script that continuously changes characteristics used in defining the “fingerprint”.
Re: Re: Re:2 Here is the scary part
I’ve always wanted to find the time to make a plugin that swaps tracking cookies with other people rather than just blanking them.
Similar thing to switch your system around so it looks like someone else could make this kind of tracking very confusing for the tracker.
Re: Re: Re:2 Here is the scary part
Yes, plug in a peripheral that you never use, but does it change the ‘fingerprint’? Presumably so…
So you plug in an old flash drive, and/or whatever, then unplug it the next time, etc…
What next? We have ‘burner’ phones, are we going to have ‘burner’ PCs now???
Re: Re: Here is the scary part
Add the following to your hosts file:
127.0.0.1 p.addthis.com
127.0.0.1 s3.addthis.com
127.0.0.1 s7.addthis.com
127.0.0.1 s9.addthis.com
127.0.0.1 su.addthis.com
127.0.0.1 www.addthis.com
Presto, you can’t connect to them, they can’t track you.
Any other virtually impossible problems you need solved?
Re: Re: Re: Here is the scary part
That is, considering they don’t add more. Still, ABP should block loading of anything from these, no?
Re: Re: Re:2 Here is the scary part
The root of all the evilz is Microshit’s refusal to allow for wildcard usage in the hosts file.
For example: 127.0.0.1 *.addthis.com
Re: Re: Re:3 Here is the scary part
Do other operating systems allow wildcards in the hosts file?
Re: Re: Re:4 Here is the scary part
Yes
Re: Re: Re:2 Here is the scary part
Still, ABP should block loading of anything from these, no?
Is this technique javascript based? If so of course NoScript would take care of it as well.
Maybe something like RequestPolicy could help by blocking external elements (i.e. the AddThis beacon) other than from the actual domain you’re visiting (e.g. Whitehouse.gov).
Re: Re:
I use NoScript… would it work on the same concept? Because I can’t use RequestPolicy; using NS and it at the same time + Disconnect + Ghostery + self-destructing cookies is one hell of a headache.
Re: Re: Re:
Ghostery is proprietary software, though. It is owned by a marketing company, Evidon, and there have been well supported accusations that it in fact is used to help advertisers discover how users are blocking ads: http://lifehacker.com/ad-blocking-extension-ghostery-actually-sells-data-to-a-514417864 and http://www.businessinsider.com/evidon-sells-ghostery-data-to-advertisers-2013-6. I would personally recommend Disconnect, which another commenter mentioned, instead; it’s an open source alternative to Ghostery: https://disconnect.me/disconnect
I would also recommend CookieKeeper over Self-Destructing Cookies, as it’s been deprecated: https://addons.mozilla.org/en-US/firefox/addon/cookiekeeper/
Re: Re:
I believe that NoScript can accomplish what you want here, but it would be easier and more targeted to just disable accesses to the AddThis servers using your hosts file.
Re: Re: Re:
It does; in fact that is what I do when I use the Konqueror web browser. There are also userscripts for the Greasemonkey add-on that can accomplish this. For the average non-technical user, I still think Disconnect is probably the better choice. I still use it with Firefox/Iceweasel due to all of its other benefits and built-in/updated tracker lists.
Not too hard to block - yet
Ghostery blocks AddThis effortlessly.
Blocking trackers is the same good idea as blocking ads
because the industries behind ads/trackers
do not police themselves well enough to have earned our trust.
Re: Not too hard to block - yet
DoNotTrackMe also blocks AddThis by default.
Re: Not too hard to block - yet
That’s exactly right.
After years of enduring pop-ups, pop-unders, in-your-face Flash banners and a myriad of other forms of intrusive advertising that got in the way of what I originally went to a website for, I eventually turned to pop-up and ad-blockers and I haven’t looked back. Between those tools and Ghostery, I infrequently see advertising unless I’ve white-listed a site I like well enough and where they don’t engage in that type of advertising crap.
Re: Re: Not too hard to block - yet
Yep, as much as there are some sites (like Techdirt) where I would like to support them by allowing ads (I NEVER LOOK AT); I am INFINITELY more interested in stopping as much crap from being forced on me as possible…
Re: Re: Re: Not too hard to block - yet
Yes, this. I block all ads as much and as hard as I can regardless of what site is using them. Ad networks are not trustworthy, and will track you through any and all means they can.
For more enlightened sites (such as Techdirt) that provide a way to support them by just giving them money, I do that instead. It’s why I’m an “insider” here — I block all the ads, but am willing to pay for the content.
Re: Not too hard to block - yet
Privacy Badger also blocks this.
Re: Re: Not too hard to block - yet
Thanks to @RoninOne for pointing out that tools that block tracking cookies won’t work for canvas fingerprinting. I just checked on Privacy Badger, since I recommended it, and it appears that it will work, but I’m just going off what is in their FAQ:
“If as you browse the web, the same source seems to be tracking your browser across different websites, then Privacy Badger springs into action, telling your browser not to load any more content from that source. And when your browser stops loading content from a source, that source can no longer track you. Voila!”
Seems like that would work. However, there is a loophole that may or may not be open:
“In some cases a third-party domain provides some important aspect of a page’s functionality, such as embedded maps, images, or fonts. In those cases Privacy Badger will allow connections to the third party but will screen out its tracking cookies.”
FYI.
Presumably trying to do a similar thing to panopticlick ( https://panopticlick.eff.org/ ) from a few years ago.
The “trick” is managing to get unique enough with out tripping warnings to the users and giving the game away. Which thankfully no one seems to have cracked yet. At least not publicly.
Re: Re:
Nice link, thanks.
I don’t know about this one. The information that a server can get from a user is rather limited without javascript, and javascript can be blocked. The info they can get otherwise might be enough to ID a specific user at an IP address, behind a NAT, but mobile users will change their IP many times a day.
Re: Re:
Also, with mobiles the inability to install plugins means that just about every single mobile browser is identical to every other one of the same type even if JavaScript is enabled.
Re: Re:
Blocking javascript is hard compared to blocking trackers because so many sites become broken without js.
Re: Re: Re:
Then avoid those sites – simple.
Re: Re: Re:
It’s not so hard to learn NoScript and what to allow for 99% of sites to work, yes even thedailyshow.com: usually allowing the namesake js, the comedynetwork js and the CDN js, and you’ve got it.
Re: Re: Re:
And that’s exactly what’s wrong with “Web 2.0” websites: if you block javascript because you don’t want any nasties, then the site may not work, but if you enable javascript to get the site to work, then you’re enabling all the trackers and other code.
Re: Re: Re:
It’s not as hard as all that, really. I use NoScript and disable Javascript through it. Since I can enable specific bits of Javascript on a page on-demand and as needed, this blocking has never prevented me from using a website.
Re: Re: Re: Re:
Sure, but NoScript is not available for all browsers. If you’re going to use a more obscure browser, it’s still necessary to edit your hosts file, unfortunately. Greasemonkey is available for WebKit browsers, though, so you’d have to really go out of your way with something like KHTML or NetSurf to absolutely need to do this.
Re: Re: Re:2 Re:
True, which is why I prefer to block access to known bad sites using the hosts file instead. You can even find preconfigured hosts files that block an extensive number of these sites, so all you have to do is pretty much just copy the file to the right location.
The other advantage to the hosts file is with your mobile devices: if you’re running a rooted Android, you can block all these accesses from it in exactly the same way.
There is so much
There is so much TRACKING that it takes over 1/2 the net traffic to watch it..
I have been to sites that had so many Tracking cookies that it took 5 minutes to find my way to the site..
I love programming, but SOME of the idiots out there use serial programming, which means you take 1 step at a time.. And you can’t PASS a step (cookie) to get to a site. It’s STUPID..
I LOVE the overlay system they found, they use it OVER videos to FORCE you to watch adverts..
I’ve asked, and been denied, 1 little prog, to put NAMES in the comments of the cookies, of the location I got them..
SO THAT IF I find the cookie that crashed a system, I can TRACK it to the site, and ASK for info, of where it came from… and follow it back..
What do you think would happen, if you KNEW a certain site had LET a cookie infect your system?
What do you think would happen to the advertiser?
HOW about the Cookie maker, that worked for the advertiser?
Anyone seeing a way to track SPAMMERS here?
Re: There is so much
You do realize that is often on purpose. The website doesn’t want you to be able to view their site unless you accept their cookies.
I like your proactive attitude about fighting tracking cookies, but what do you mean you “asked, and have been denied”? Denied by whom?
Re: Re: There is so much
Sent a request for an add-on from Mozilla to add comments to cookies, listing the location it came from.
Considering the data caps some have to deal with, one might think these websites would not use data heavy advertising techniques …. awwww, who am I kidding – they don’t give a shit about you, lolololol.
Ghostery
To all the commenters talking about Ghostery or DoNotTrackMe, those DO NOT block canvas fingerprinting, they block cookies. AddThis also uses cookies, which those extensions do block, but currently there is nothing that blocks canvas fingerprinting by default. Also, to add to the article, they are only about 90% accurate since computer settings change often depending on the user.
Re: Ghostery
Does this fingerprint approach rely upon javascript?
Re: Re: Ghostery
Canvas fingerprinting uses the HTML5 canvas element. If your browser displays HTML5, it is going to work regardless of the extensions and blockers you have installed (that’s the point).
Right now, there is a bunch of attention – particularly since AddThis had it turned on for some popular porn sites. It seems likely to me that some of the ad-blockers and tracker companies are actively working on stripping out the canvas tags from the HTML so this will not function.
You could also use an older browser (IE 8 or earlier, I believe) that does not support HTML5 until someone comes up with a reliable way to block this.
Re: Re: Re: Ghostery
It would seem the AddThis fingerprint would actually have to be relayed at some point. Hosts file?
Re: Ghostery
Ghostery does block stuff like this, because it blocks the widget from loading at all.
Of course, the problem is that ends up being potentially disruptive, as now the AddThis widget doesn’t display at all.
Re: Re: Ghostery
Of course, the problem is that ends up being potentially disruptive, as now the AddThis widget doesn’t display at all.
So, double bonus.
Re: canvas
I’d think that older generations of browsers, pre-HTML5 without Canvas support, would resist that tracking, but then there’s the problem that they’d be subject to some drive-by vulnerabilities that have since been patched.
Maybe an update to the current browsers can include a setting to disable the Canvas resource. That would certainly break many HTML5 effects, but is less limiting than blocking Javascript if you don’t want to be tracked.
Re: Ghostery
TOR Browser blocks
Where are you, Firefox?
Has anyone else noticed that Firefox’s development has regressed to endless self-indulgent tinkering with the UI (which was just fine 16 revisions ago) instead of integrating the VERY necessary defenses provided by add-ons into the core browser? By now, Firefox should long since have folded in AdBlock Plus, NoScript, Ghostery, Beef Taco, HTTPS Everywhere, Calomel SSL Validation, and others. (Not necessarily all in their entirety or current form: but the majority of the functionality should be there.)
It’s absolutely ridiculous that in 2014 the Firefox web browser ships in an undefended state. But I suppose it’s easier to move buttons around and continuously dumb down the interface than it is to actually do the hard work of defending users.
Re: Where are you, Firefox?
Taking out the status bar was fucking dumb, so many good add-ons go there and only there. Thankfully I found status4ever or something like that; it was the only way to access my ruTorrent icon.
Re: Re: Where are you, Firefox?
Also Elite Proxy Switcher; I need it in case I rebooted and didn’t create my SSH tunnel to my server yet, as one of many examples.
Re: Where are you, Firefox?
Mozilla is dependent on the Google money that supports them.
Some things in Firefox that would be safer for the user are off or unconfigured by default. For example Do Not Track is not active by default.
I suspect (of course I have no proof) it’s because Google prefers it that way.
Re: Re: Where are you, Firefox?
Google is a business… treat it just like that no matter what they say and you will never be caught off guard.
A business is only there to make money… once the money making stops… guess what? No more business!
Re: Re: Re: Where are you, Firefox?
Sure, but that doesn’t make Mozilla better equipped. Chrome has taken a lot of the pressure off of Google in the negotiations. Now Google has a pretty strong say in how Firefox works if Mozilla wants economic support from that direction.
That connection would stop if Google became the target of boycotts, which would be uncomfortable for Mozilla, to put it lightly…
Re: Where are you, Firefox?
I was a loyal user, but Mozilla kept disappointing over and over again… Ad-laden start page; Australis; upcoming support for DRM. Enough is enough — I ditched it in favour of Palemoon (which I tend to like more than Iceweasel, OS difference notwithstanding).
I think it’s a bit too much to hope that Mozilla will incorporate features found in add-ons such as NoScript (beyond simple js blocking) or HTTPS Everywhere when they’re trying half-heartedly to comply with Hollywood pressure and possibly full-heartedly to make a Mozilla Chrome.
Re: Re: Where are you, Firefox?
You raise some good points, although I’m not wild about Palemoon’s licensing: http://www.palemoon.org/redist.shtml I think the opportunity is ripe for someone to launch a Kickstarter for a new browser, one that is committed to FOSS principles and under a BSD-style license or the GPL. WebKit has been a good alternative, but the QtWebKit engine and its predecessor KHTML are all but dead. With browsers like Qupzilla and Opera now being built on Google’s Chromium/QtWebEngine framework, the only truly open browser still in development is NetSurf, which just isn’t able to meet the needs of most users right now. Who knows, maybe some enterprising young programmers will seize on the opportunity.
Re: Re: Where are you, Firefox?
I had the very same experience. I switched to Palemoon this spring after another Firefox change and I haven’t looked back. A few minutes of configuration and it was like being back in the happy place you thought was long gone.
I can’t get Adobe’s PDF plugin to work, which is kind of a nuisance, but Palemoon is the browser I’ve been searching for ever since Firefox 14.
disconnect.me
I’m not sure if disconnect.me protects against this.
Re: disconnect.me
It does, and it is open source unlike Ghostery. They wrote a blog post last night about this very issue, actually. https://blog.disconnect.me/disconnect-blocks-new-tracking-device-that-makes-your-computer-draw-a-unique-image
WHEN?!
Can I have a browser that will RANDOMLY spew proper looking but actual shit to people asking for my info?
Work the logistic out… I bet the first browser to produce this would get near instant majority market share.
Firefox extensions (with links!)
I see some folks speculating about various Firefox extensions that may or may not be helpful. For the benefit of readers who are unfamiliar with those extensions:
NoScript causes the browser not to run Javascript on a page until you allow it. You grant permission on a per-serving-domain basis. Using NoScript will break poorly written Web 2.0 sites until you whitelist them. Whitelisting may take several tries as you run down which domains are responsible for the scripts that the page requires for proper functionality. However, since NoScript denies first and permits only on command, it is very effective at killing unwanted scripts.
RequestPolicy causes the browser not to load resources from domains other than the current one, until you permit it. You can grant permissions on a per-source domain, per-destination domain, or per-both basis. Per-destination lets you say that all embeds of YouTube are allowed, regardless of where you find them. Per-source lets you say that Techdirt can always embed a resource, no matter where that resource is hosted. Per-both lets you write rules such as “Techdirt may embed YouTube, but nothing else can embed it under this rule.” (You might have other rules that whitelist YouTube for use on other sites. Once a match permits the embed, then it is allowed even if other permissions fail to match.) As with NoScript, a blank install of RequestPolicy will make some sites look odd or function poorly until you whitelist the domains that serve their supporting resources. In some cases, you may need to whitelist a site once in RequestPolicy to allow its JavaScript to be loaded, then whitelist that same site in NoScript to allow the JavaScript to be run once it has loaded. Although inconvenient, this can be useful, since NoScript only grants permission based on the serving domain, but RequestPolicy can also look at the domain that requested the script. Thus, you could whitelist Google’s copy of jQuery in NoScript, but use RequestPolicy to allow it to load only on selected sites.
AdBlock Plus blocks user-specified resources. By default, it has no blocks, but you can subscribe to community-maintained lists. AdBlock plus could block the AddThis tracker, but would require that you (or someone who maintains a list you use) block the domain(s) that serve the tracker. By contrast, both NoScript and RequestPolicy block everything you have not permitted.
Ghostery
Privacy Badger
Re: Firefox extensions (with links!)
I agree with all of those EXCEPT for Ghostery; given the tone of this article and discussion, I don’t understand why it’s being advocated. It is specifically used by a marketing company to generate revenue by selling data to advertisers, and is allegedly used to help advertisers create more technology that is difficult to block.
Re: Re: Firefox extensions (with links!)
Sorry, I do not use Ghostery and did not see the negative remarks about it until after I posted. I provided a link to it for completeness, but if those allegations are accurate, it should be avoided. If I could retract my prior link to it, I would.
Re: Re: Re: Firefox extensions (with links!)
It’s fine, no offense meant on my part. I just want to make sure that information is out there, especially since several commenters before you recommended it.
Ghostery has been getting mentioned on a lot of other news sites I frequent since this story broke, as well. It would not surprise me if they astroturf comments pages to promote it when there are stories like this, since it’s in their financial interest to do so. Let me be clear and say that there is no evidence of that, to the best of my knowledge, that’s just speculation on my part.
Canvas Fingerprinting
Ever since the U.S. & Israeli govts rolled out Stuxnet on the Iranians to screw up their centrifuges (& their nuke program), both countries’ (U.S. & Israel) spy agencies worked on a worse spying tool, “Flame”. When they were exposed by Kaspersky, they said they were ‘only’ infecting suspected terrorists in the Middle East and no one need worry about it! One of the key features of Flame was that it could make screenshots of any infected computer and it could record every keystroke.
This ‘Canvas Fingerprinting’ sounds like it originated at the N.S.A.
The Nazis at NSA never sleep. Hail to the United Secret Police State of America! Secret police with secret laws and secret punishments.
When Obama said (after Snowden’s revelations -June 7, 2013): “You can’t have 100 percent security and also then have 100 percent privacy and zero inconvenience,”…“We’re going to have to make some choices as a society.”
What he means is: We get 100 percent “security” and zero privacy. That is the choice he and George W. Bush have chosen for the rest of us.
Here's a good one!
Q: What do porn websites and the President of the United States of America’s website have in common?
A: Sleazy user tracking.
Q: What’s the difference between porn websites and the President of the United States of America’s website?
A: You don’t have to wait more than a year for a response from a porn website.
Try it yourself
The site http://www.browserleaks.com/ has a demo of the canvas fingerprinting method. I emailed the Panopticlick suggestion address about a month ago asking them to update the site with tests like the canvas one from browserleaks.
I’m a little late to the party but I’ve been using Disconnect, BetterPrivacy (for Flash cookie deletion), NoScript, and X-Forwarded-For Header (careful, it may break a site or 3) + User Agent Switcher (stick with something in the Gecko family if using Fx).
https://addons.mozilla.org/en-US/firefox/addon/x-forwarded-for-header/?src=search
https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/?src=ss
https://addons.mozilla.org/en-US/firefox/addon/disconnect/?src=ss
https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/?src=ss
https://addons.mozilla.org/en-US/firefox/addon/foundstone-html5-local-storage/?src=ss
And turn off geo tracking in Fx:
In the URL bar, type about:config
Type geo.enabled
Double click on the geo.enabled preference
Location-Aware Browsing is now disabled