Editor’s Note: The same White House that has repeatedly assured us that the NSA is not spying on every American – in the face of repeated leaks to the contrary – is collecting revealing data on visitors to its own public, transparent website. Just another brick in the wall…
Originally published by Peter Eckersley and Kurt Opsahl
Electronic Frontier Foundation
Yesterday, ProPublica reported on new research by a team at KU Leuven and Princeton on canvas fingerprinting. One of the most intrusive users of the technology is a company called AddThis, who by are employing it in “shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.” Canvas fingerprinting allows sites to get even more identifying information than we had previously warned about with our Panopticlick fingerprinting experiment.
Canvas fingerprinting exploits the fact that different browsers have slightly different algorithms, parameters, and hardware for turning text into pictures on your screen (or more specifically, into an HTML 5 canvas object that the tracker can read1). According to the research by Gunes Acar, et al., AddThis draws a hidden image containing the unusual phrase “Cwm fjordbank glyphs vext quiz” and observed the way the pixels would turn out differently on different systems.
The main distinction is that the canvas fingerprint can’t be blocked by cookie management techniques, or erased with your other cookies. This is inconsistent with the White House’s promise that “Visitors can control aspects of website measurement and customization technologies used on WhiteHouse.gov.” The website’s How To instructions are no help, because they are limited to traditional cookies and flash cookies. AddThis’ opt out is no more helpful, as it only prevents targeting, not tracking: “The opt-out cookie tells us not to use your information for delivering relevant online advertisements.”