Jump to content

Canvas fingerprinting

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Frank C. Müller (talk | contribs) at 09:05, 29 July 2014 (+ illustration.). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Canvas fingerprinting

Canvas fingerprinting is one of a number of browser fingerprinting techniques of tracking online users that allow websites to uniquely identify and track visitors without the use of browser cookies or other similar means. The technique received wide media coverage in 2014[1][2][3] after researchers from Princeton University and KU Leuven University described it in their paper The Web never forgets.[4]

Canvas fingerprinting has been deployed on 5 percent of the top 100,000 websites, including whitehouse.gov. 95 percent of these websites use canvas fingerprinting created by technology company AddThis.[5]

Browser add-ons like Privacy Badger[5] or DoNotTrackMe are able to block third-party ad network trackers and will block canvas fingerprinting provided that the tracker is served by a third party server (as opposed to being implemented by the visited website itself). Tor Browser notifies the user for canvas read attempts and provides the option to return blank image data to prevent fingerprinting.[4]

Description

Canvas fingerprinting works by exploiting the HTML5 canvas element. When a user visits a website with canvas fingerprinting, their browser is instructed to "draw" a hidden line of text or 3D graphic that is then converted to a digital token. Variations in which GPU is installed or the graphics driver cause the variations in the rendered digital token. The token can be stored and shared with advertising partners to identify users when they visit affiliated websites. A profile can be created of a user's browsing activity allowing advertisers to target their advertising to the user's preferences.[2]

Uniqueness

The fingerprint is primarily based on browser, operating system, and installed graphics hardware, so does not uniquely identify users. In a small-scale study using Amazon's Mechanical Turk, an experimental entropy of 5.7 bits was observed, but the authors of the study suggest more entropy could likely be observed in the wild and with more patterns used in the fingerprint. While not sufficient to uniquely identify users by itself, this fingerprint could be combined with other sources of entropy to provide a unique identifier. It is claimed that because the technique is effectively fingerprinting the GPU, that the entropy is "orthogonal" to the entropy of previous browser fingerprint techniques such as screen resolution and browser Javascript capabilities.[6]

History

In May 2012, Keaton Mowery and Hovav Shacham, researchers at University of California, San Diego, wrote a paper Pixel Perfect: Fingerprinting Canvas in HTML5 describing how the HTML5 canvas could be used to create digital fingerprints of web users.[6][2]

Social bookmarking technology company AddThis began experimenting with canvas fingerprinting early in 2014 as a potential replacement for cookies. According to AddThis CEO Richard Harris, the company has only used data collected from these tests to conduct internal research. Users will be able to install an opt-out cookie on any computer to prevent being tracked with canvas fingerprinting.[2]

See also

  • Evercookie, a type of browser cookie that is intentionally difficult to delete
  • Local shared object, a persistent browser cookie also known as a Flash cookie

References

  1. ^ Knibbs, Kate (July 21, 2014). "What You Need to Know About the Sneakiest New Online Tracking Tool". Gizmodo. Retrieved July 21, 2014. {{cite web}}: Italic or bold markup not allowed in: |publisher= (help)
  2. ^ a b c d Angwin, Julia (July 21, 2014). "Meet the Online Tracking Device That is Virtually Impossible to Block". Pro Publica. Retrieved July 21, 2014.
  3. ^ Kirk, Jeremy (July 21, 2014). "Stealthy Web tracking tools pose increasing privacy risks to users". PC World. Retrieved July 21, 2014. {{cite web}}: Italic or bold markup not allowed in: |publisher= (help)
  4. ^ a b Acar, Gunes; Eubank, Christian; Englehardt, Steven; Juarez, Marc; Narayanan, Arvind; Diaz, Claudia (July 24, 2014). "The Web never forgets: Persistent tracking mechanisms in the wild". Retrieved July 24, 2014.
  5. ^ a b Davis, Wendy (July 21, 2014). "EFF Says Its Anti-Tracking Tool Blocks New Form Of Digital Fingerprinting". MediaPost. Retrieved July 21, 2014.
  6. ^ a b Mowery, Keaton; Shacham, Hovav. "Pixel Perfect: Fingerprinting Canvas in HTML5" (PDF). Retrieved July 22, 2014.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Canvas_fingerprinting&oldid=618945839"