There’s a new way for advertisers to track you. And there’s almost nothing you can do to stop it.
It’s called Canvas Fingerprinting, and it can be found on almost five percent of the top 100,000 websites, from Whitehouse.gov, to dating site Plenty Of Fish.
It allows websites to ‘fingerprint’ the browsers of their users, and then uniquely identify (within a significant margin of error. We’ll talk about this later) and track them without the use of browser cookies.
The privacy concerns surrounding Canvas Fingerprinting are many, and severe. Perhaps the biggest concern surrounding it is how it can easily defeat the ‘do not track’ features baked in to many modern browsers.
Canvas Fingerprinting is evil. Here’s everything you need to know about it, and why you should be worried about this latest piece of tracking technology.
How Canvas Fingerprinting Works
The way it works is simple. It takes advantage of the HTML5 Canvas Element (you can learn more about this in MakeUseOf’s guide to HTML5, written by yours truly). Whenever a user visits a site running a Canvas Fingerprinting tracker, it draws an invisible line.
The specific configuration of your computer – graphics card, graphics driver used, browser and operating system – create small, unique changes in how this line is drawn. A fingerprint of those discrepancies is generated, and shared across advertising parties.
As a result, it becomes possible to identify a user across multiple, unrelated websites.
‘… But That Doesn’t Sound Very Unique!’
Well, I suppose you are correct. There will be (I imagine) a lot of overlap, especially when one considers the the criteria for identifying a user.
Take for example, the laptop used to write this article. I’m using a 2012 model 13″ MacBook Pro. I’m using the latest version of OS X Mavericks, as well as the latest drivers for the built-in Intel HD4000 Graphics.
I imagine there are a lot of people running that configuration of computer. After all, the millions of units of that particular computer were shipped around the world, and I imagine the majority will be running the latest software.
With that in mind, is it possible to meaningfully identify a person based upon how their browser renders a line using the HTML5 Canvas API? They seem to think so, especially when you add other potential sources of identifiable information.
There’s a lot of information about your computer that is leaked when using the Internet. Going along with the example of my laptop. I live in the UK. That narrows down the amount of potential hardware matches significantly, going on my timezone alone.
Then, take in to account that the language on my machine is US English. There are likely even less people with that particular hardware configuration in that timezone using that particular language.
We leak a lot of information about ourselves when we browse the Internet. We do it without even thinking about it. And this information is a vital part of what makes Canvas Fingerprinting useful.
‘… But What Does Canvas Fingerprinting Mean For Me?’
That depends, really. It’s still a small minority of sites actually packing the ‘do-not-track’ resistant code. The vast majority are either using traditional tracking measures, or nothing at all.
But if you’re one of the millions of people
ruining the Internet using advertisement blocking software, it means that there’s a new way to track you, and to serve semi-personalized advertisements based upon your browsing history. And there’s not much to do
‘… But There’s A Way To Mitigate Against It, Right?’
Well, yes, and no.
If you look at the source code to any website which monetizes its content with adverts (such as MakeUseOf), you’ll see that the adverts are served from a different domain name to the one you’re browsing right now.
This is usually because adverts are served by specialized companies, each running powerful content distribution networks which can serve adverts rapidly without slowing down the user’s browsing experience.
As a result, advertisement blocking software works by blocking these content distribution networks, and preventing them from injecting adverts into pages. No CDN. No injection. No adverts.
This is (and will be) the achilles heel of Canvas Fingerprinting. The code used to generate the lines has to come from somewhere. Likewise, the results of the fingerprinting have to go somewhere.
As a result, mitigating against the most pernicious form of Canvas Fingerprinting – the form that tracks you across the Internet – is possible, and serious moves are being made in order to counteract it.
Should You Be Worried?
Well, yes and no.
Canvas Fingerprinting is resilient, it’s innovative, and mitigating against it is hard, although is certainly possible.
It’s also incredibly rare. As previously mentioned, only five percent of the top 100,000 websites actually use it. Traditional tracking methods seem to still be the tool-de-jour of targeting advertisements.
Are you worried? Are you a site operator and are tempted to start using Canvas Fingerprinting? Tell me about it. The comments box is below.