An “impossible to block” web tracking tool was discovered earlier this week by ProPublica. Called “canvas fingerprinting,” the tool instructs web browsers to draw a hidden image, which is used as a unique identifier for users.
Canvas fingerprinting was developed by a company called AddThis to replace cookies, which also track user behavior across sites. The difference is that there are tons of tools that wipe or block cookies, and most browsers offer a way to block cookies altogether.
ProPublica was the first to report on canvas fingerprinting, calling it “virtually impossible to block.” In truth, the web tracking tool can be blocked quite easily. In fact, users of the Adblock Plus (Chrome | Firefox | Internet Explorer) browser add-on are already blocking canvas fingerprinting.
How does canvas fingerprinting work?
Let’s bring it back to the beginning and explain exactly how canvas fingerprinting works. In short, the tool works by collecting data from your computer’s graphics chip to create a profile of you. Each individual graphics setting acts as part of a fingerprint. For example, your clock settings, font size, and driver versions all give canvas fingerprinting the data it uses to make a unique identifier for you.
The tool does all this without storing anything on your computer, meaning there’s nothing to delete.
On mobile, canvas fingerprinting is all but useless. Most phones are uniform, running the same hardware and software. It would be impossible to test variances in graphics with such homogenized devices.
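Because nothing is stored on your computer, the observable behavior is the drawing itself: a script has to read the hidden image back to turn it into an identifier. The following is an added example, not code from ProPublica or AddThis, that flags that draw-then-read-back pattern. The heuristic and the names watchCanvas, demo, FakeCanvas and FakeContext are assumptions, and the fake classes are constructed stand-ins so it runs outside a browser.

```javascript
// Added example (not from the article). Heuristic and names are assumptions:
// a script that draws text on a canvas and then reads it back is flagged.
function watchCanvas(canvasProto, ctxProto, report) {
  const drawn = new WeakSet(); // canvases that have had text drawn on them
  const wrap = (proto, name, before) => {
    const original = proto[name];
    if (typeof original !== 'function') return;
    proto[name] = function (...args) {
      before(this, name);
      return original.apply(this, args);
    };
  };
  const flag = (canvas, method) => {
    if (canvas && drawn.has(canvas)) {
      report({ method, width: canvas.width, height: canvas.height });
    }
  };
  // Text rendering is where font and graphics differences show up.
  for (const m of ['fillText', 'strokeText']) {
    wrap(ctxProto, m, (ctx) => { if (ctx.canvas) drawn.add(ctx.canvas); });
  }
  // Reading the pixels back is what turns the drawing into an identifier.
  wrap(canvasProto, 'toDataURL', (canvas, name) => flag(canvas, name));
  wrap(ctxProto, 'getImageData', (ctx, name) => flag(ctx.canvas, name));
}

// Constructed stand-ins for the browser classes so this runs under Node.
function demo() {
  class FakeContext {
    constructor(canvas) { this.canvas = canvas; }
    fillText() {}
    strokeText() {}
    getImageData() { return { data: new Uint8ClampedArray(4) }; }
  }
  class FakeCanvas {
    constructor(w, h) { this.width = w; this.height = h; }
    getContext() { return new FakeContext(this); }
    toDataURL() { return 'data:image/png;base64,CONSTRUCTED'; }
  }
  const events = [];
  watchCanvas(FakeCanvas.prototype, FakeContext.prototype, (e) => events.push(e));
  new FakeCanvas(300, 150).toDataURL();          // read-back only: ignored
  const probe = new FakeCanvas(220, 30);
  probe.getContext().fillText('sample', 2, 15);  // text drawn...
  probe.toDataURL();                             // ...then read back: reported
  return events;
}
console.log(demo());
```

In a browser, the same function would be called with HTMLCanvasElement.prototype and CanvasRenderingContext2D.prototype before any page script runs, for example from an extension content script.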
Which sites use canvas fingerprinting?
While 13 million sites across the web have the canvas fingerprinting technology built in, only a small portion actually use it to track users. ProPublica specifically calls out WhiteHouse.gov and YouPorn.
YouPorn has responded to the allegations by saying it had no idea AddThis technology used on its site contained a tracking tool. The site has since removed AddThis to protect its users’ privacy.
“[YouPorn was] completely unaware that AddThis contained a tracking software that had the potential to jeopardize the privacy of our users,” said a spokesperson speaking to ProPublica.
How can I stop canvas fingerprinting?
As mentioned before, installing the Adblock Plus browser add-on defeats canvas fingerprinting. By blocking the script that allows canvas fingerprinting to run, Adblock Plus can stop it from launching. Keep in mind you’ll have to add the EasyPrivacy filter to the extension for this to work. This will only block known advertisers from tracking you, so lesser-known sites may still be tracking you.
Users who really don’t want to be tracked can use Tor (Mac | Windows), the onion router. Tor works by sending your web traffic through randomly selected relays before reaching the site you’re trying to view. This prevents anyone watching your internet traffic from knowing where it originated from. All information is encrypted as well, making it even more secure.
Unfortunately, Tor makes your connection much slower since it has to jump through so many randomized nodes to hide your identity.
While Tor is quite secure, it’s not invincible. The FBI was able to track down a Harvard student who threatened to bomb the university.
No need to panic
Canvas fingerprinting is an interesting technology but limited in its use. While it’s hard to detect, it’s not impossible to block.
While no one is completely safe online, you can educate yourself about privacy and security. If you’re a parent, be aware of what your kids are doing online. Learn how to delete a file permanently. Wipe your phone completely before selling it.
Follow Lewis on Twitter: @lewisleong