Canvas fingerprinting web tracking tool isn’t the end of privacy

Canvas fingerprinting web tracking tool isn’t the end of privacy

An “impossible to block” web tracking tool was discovered earlier this week by ProPublica.  Called “canvas fingerprinting,” the tool instructs web browsers to draw a hidden image, which is used as a unique identifier for users.

Canvas fingerprinting was developed by a company called AddThis to replace cookies, which also tracks user behavior across sites. The difference is, there are tons of tools that wipe or block cookies. Most browsers offer a way to block cookies altogether.

ProPublica was the first to report about canvas fingerprinting, calling it “virtually impossible to block.” In truth, the web tracking tool can be blocked quite easily. In fact, users of the Adblock Plus (Chrome | Firefox | Internet Explorer) browser add-on are already blocking canvas fingerprinting.

How does canvas fingerprinting work?

Let’s bring it back to the beginning and explain exactly how canvas fingerprinting works. In short, the tool works by collecting data from your computer’s graphics chip to create a profile about you. Each individual graphics setting acts as part of a fingerprint. For example, your clock settings, font size, and driver versions all give canvas fingerprinting to make a unique identifier about you.

The tool does all this without storing anything on your computer, meaning there’s nothing to delete.

On mobile, canvas fingerprinting is all but useless. Most phones are uniform, running the same hardware and software. It would be impossible to test variances in graphics with such homogenized devices.

Which sites use canvas fingerprinting?

While 13 million sites across the web have the canvas fingerprinting technology built in, only a small portion actually use it to track users. ProPublica specifically calls out and YouPorn.

YouPorn has responded to the allegations by saying it had no idea AddThis technology used on its site contained a tracking tool. The site has since removed AddThis to protect its users’ privacy.

“[YouPorn was] completely unaware that AddThis contained a tracking software that had the potential to jeopardize the privacy of our users,” said a spokesperson speaking to ProPublica.

How can I stop canvas fingerprinting?

As mentioned before, installing the Adblock Plus browser add-on defeats the canvas fingerprinting. By blocking the script that allows canvas fingerpriting to run, Adblock Plus can stop it from launching. Keep in mind you’ll have to add the EasyPrivacy filter to the extension for this to work. This will only block known advertisers from tracking you so lesser known sites may still be tracking you.

Alternatively, you can run the NoScript extension to block JavaScript, which canvas fingerprinting relies on to run. This is not ideal as many parts of the web rely on JavaScript to display web pages properly.

Users who really don’t want to be tracked can use Tor (Mac | Windows), the onion router. Tor works by sending your web traffic through randomly selected relays before reaching the site you’re trying to view. This prevents anyone watching your internet traffic from knowing where it originated from. All information is encrypted as well, making it even more secure.

Tor visualized

Unfortunately, Tor makes your connection much slower since it has to jump through so many randomized nodes to hide your identity.

While Tor is quite secure, it’s not invincible. The FBI was able to track down a Harvard student who threatened to bomb the university.

No need to panic

Canvas fingerprinting is an interesting technology but limited in its use. While it’s hard to detect, it’s not impossible to block.

After a year of high profile attacks on sites and services like eBay and Spotify, it’s understandable that people are worried about their privacy and security.

While no one is completely safe online, you can educate yourself about privacy and security. If you’re a parent, be aware of what your kids are doing online. Learn how to delete a file permanently. Wipe your phone completely before selling it.

Knowing is half the battle so stay tuned for more security news and features from Softonic.


Firefox 31 brings new tab search bar, increased download security

Critical Java update prevents hackers from remotely controlling your computer

Security researchers find critical flaws in web-based password managers

How to permanently delete files on Android

Critical Adobe Flash exploit leaves your data vulnerable

Follow Lewis on Twitter: @lewisleong

View all comments
Loading comments