Canvas Fingerprinting User Tracking Is A Better Alternative to Cookies, and Difficult To Block

     
4:30 pm on Jul 23, 2014 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:22302
votes: 238


Now that is a concern. Getting off the grid is the only way, really.

A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites,...
Canvas Fingerprinting User Tracking Is Very Difficult To Block [mashable.com]

The type of tracking, called canvas fingerprinting, works by instructing the visitor's web browser to draw a hidden image, and was first documented in an upcoming paper by researchers at Princeton University and KU Leuven University in Belgium. Because each computer draws the image slightly differently, the images can be used to assign each user's device a number that uniquely identifies it.

Like other tracking tools, canvas fingerprints are used to build profiles of users based on the websites they visit - profiles that shape which ads, news articles or other types of content are displayed to them.

But fingerprints are unusually hard to block: They can't be prevented by using standard web browser privacy settings or using anti-tracking tools such as AdBlock Plus.
5:49 pm on July 23, 2014 (gmt 0)

Junior Member

10+ Year Member

joined:Oct 19, 2004
posts: 168
votes: 1


As a marketer I like the technique. It is difficult to allocate funds to different advertising buckets if you can't track sales. To all those using the internet, Caveat Emptor! You best use a proxy service if you don't want to be tracked. Using the Internet is not anonymous. It never was, for the average user.
6:05 pm on July 23, 2014 (gmt 0)

Junior Member

joined:May 17, 2011
posts:169
votes: 0


As a marketer I like the technique. It is difficult to allocate funds to different advertising buckets if you can't track sales. To all those using the internet, Caveat Emptor! You best use a proxy service if you don't want to be tracked. Using the Internet is not anonymous. It never was, for the average user.

Other viewpoints, please.
6:17 pm on July 23, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month

joined:Apr 9, 2011
posts:12704
votes: 244


Does this mean that MSIE<9 has now vanished off the face of the earth?

:: detour to caniuse dot com ::

83% US, 88.5% world (figures for support of "canvas" element).

They can't be prevented by using standard web browser privacy settings or using anti-tracking tools such as AdBlock Plus.

Right. Canvas-based methods can only be prevented by the obscure, little-used mechanism of turning off javascript.
6:28 pm on July 23, 2014 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 30, 2002
posts:4842
votes: 1


>Other viewpoints

You might be relieved to know that there's effort involved by some browsers to detect this kind of thing and prevent fingerprinting.

Tor Browser can manage to reduce your uniqueness to 1 in 10,000 people. This is just one of many ways to uniquely identify people. I don't think the problem will go away any time soon.
9:44 pm on July 23, 2014 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:May 24, 2012
posts:648
votes: 2


In case you're wondering how and why this works, roughly, the <canvas> element allows you, via javascript, to render a "picture" on the browser side by rendering some text in a specific font.

Because of the wide range of operating systems, browsers, installed fonts, installed video cards, local settings, etc...that picture has a high level of uniqueness. Enough that it can serve as a "fingerprint" of that specific device.

More detail here: [cseweb.ucsd.edu...]
11:43 am on July 25, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 13, 2004
posts:801
votes: 2


If you really want to see tracking, install Google Earth (not maps) and then turn on the "traffic" layer, click on one of the green dots on a major highway and then click on the resultant dot explosion to see the real time speed (actually probably the velocity) of the individual automobiles. Google only shows data on major highways, but it's reasonable to believe Google can track all those vehicles to their "home" location and destination. And since many, many people have cable modems with static IPs, think of the information Google can extrapolate. Smartphone connects to modem through wifi, and then, let the correlations begin!
All because Google maps is installed in so many smartphones! I told a buddy about this who drives a good distance to work and he immediately deleted Google maps from his phone.

You best use a proxy service

I believe this canvas technique would defeat a proxy.
6:35 pm on July 25, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:6148
votes: 281


I think it has been mentioned a few times above, but it doesn't hurt to say it once again: No javascript, no canvas. All browsers (even the old ones) allow turning JS off. And a growing number of folks out there are getting a clue in this regard.
6:43 pm on July 25, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month

joined:Apr 9, 2011
posts:12704
votes: 244


Canvas doesn't care what your IP is. It's essentially a javascript-based process.
6:49 pm on July 26, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member planet13 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:June 16, 2010
posts: 3796
votes: 28


Question:

Wouldn't it then be easy to have a browser based plugin that draws a new image with randomizations to the image on each page reload?

Would that not defeat the canvas tracker while still allowing the user to keep javascript enabled?
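
An added sketch, not code from any poster or from the cited paper, of the mechanism described earlier in the thread and of the randomisation idea asked about above. It models canvas readback as a plain byte buffer so it runs outside a browser; `renderPixels`, `addNoise`, the device values and the use of FNV-1a as the hash are all assumptions made for illustration.

```javascript
// Added illustration: a model of canvas readback, not real browser or tracker code.
// A "render" stands in for the RGBA bytes a script reads back from a hidden canvas.

// FNV-1a, a small non-cryptographic hash, used here to turn pixels into an ID.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) {
    h = Math.imul(h ^ b, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Constructed stand-in for device-specific rendering: every device draws the
// same base pattern, but font/GPU/OS differences nudge a few edge pixels.
function renderPixels(deviceQuirk, n = 64) {
  const px = new Uint8ClampedArray(n * 4);
  for (let i = 0; i < n; i++) {
    const edge = i % 8 === 0 ? (deviceQuirk >> (i / 8)) & 1 : 0; // anti-aliasing quirk
    px.set([200 + edge, 30, 30, 255], i * 4);
  }
  return px;
}

// The defence asked about in the thread: flip the lowest bit of random colour
// channels before any script can read the pixels back. Alpha is left alone.
function addNoise(px, rand = Math.random) {
  const out = Uint8ClampedArray.from(px);
  for (let i = 0; i < out.length; i++) {
    if (i % 4 !== 3 && rand() < 0.5) out[i] ^= 1;
  }
  return out;
}

// The value a fingerprinting script would derive on one page load.
function fingerprint(deviceQuirk, defended) {
  const px = renderPixels(deviceQuirk);
  return fnv1a(defended ? addNoise(px) : px);
}

// Largest per-channel change, to confirm the noise stays visually negligible.
function maxChannelDelta(a, b) {
  let d = 0;
  for (let i = 0; i < a.length; i++) d = Math.max(d, Math.abs(a[i] - b[i]));
  return d;
}

const deviceA = 0b10110010, deviceB = 0b10110011; // constructed device quirks
console.log("A, undefended:", fingerprint(deviceA, false), fingerprint(deviceA, false));
console.log("B, undefended:", fingerprint(deviceB, false));
console.log("A, defended:  ", fingerprint(deviceA, true), fingerprint(deviceA, true));
```

Without noise the same device yields the same value on every load and a one-pixel rendering difference yields a different one; with noise the value changes from load to load while no channel moves by more than 1.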
12:34 pm on July 30, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 5, 2002
posts: 1845
votes: 3


Has anyone tried disabling javascript for any length of time? Does the internet still work?
1:22 pm on July 30, 2014 (gmt 0)

Administrator from US 

WebmasterWorld Administrator brett_tabke is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 21, 1999
posts:38047
votes: 11


Notice none of the stories (of which the majority are reprints) detail the technology. This is a classic fear-monger story that works on people's privacy fears.

The "images" are all served from the same js from an ad or widget server. Block that server in adblock or other adblocking software and it is gone:
'Canvas fingerprinting' online tracking is sneaky but easy to halt
"As soon as you start talking about millions of users (e.g. if you want to track users across multiple websites) it is just too likely that different users will have exactly the same configuration and won't be distinguishable by means of canvas fingerprinting," he wrote.

Widgets such as AddThis can be entirely blocked with tools such as AdBlock Plus or DoNotTrackMe from Abine, both extensions that can block web trackers.


[pcworld.com...]
4:31 am on Aug 1, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:6148
votes: 281


Has anyone tried disabling javascript for any length of time? Does the internet still work?


About nine years, most recently with NoScript. Works fine! Web that is. On sites that demand JS I take a look. Most usually I do a gentle piss off and go elsewhere. That said...

I am NOT the average user. But I am the guy who is educating 10 to 15 every day. I suspect that two or three are enlightened by each of those and they are doing the same, multiplying... growing.

Only time JS is really needed is to work a cart these days. For that to happen your product has got to be singular and compelling.

For me, the best part is the web is quiet... no targeted ads, no tracking, no canvas (see other here at WW in that regard)... Nice and clean, the way it SHOULD be...

YMMV