Since the EU clamped down on cookies tracking us online there’s been a race to find a replacement. New research shows it’s already here, in use across thousands of websites including President Obama’s Whitehouse.gov, dating site Plenty of Fish and CBS
For advertisers it’s very important to see which websites you visit: knowing what you read gives them clues on what you may want to buy. Search for “television reviews” on Google and you may find that next time you’re reading the news you’ll see adverts for the latest widescreen model crop up in the margins. It will be no coincidence.
In May 2012 new EU legislation took effect which required an explicit opt-in before cookies could be created. It helped less technically-savvy people retain their privacy, but an unintended consequence was that it kick-started a race to invent a new, unregulated replacement.
That brings us to “canvas fingerprinting”.
Like cookies, this technique allows third parties to track which websites you visit and when, but it also circumvents that EU pesky legislation because it places no files on your PC.
Canvas fingerprinting works by asking your browser to draw a small image on your screen when you visit a website. Certain unique characteristics of your browser and computer mean that this image is drawn in an near-unique way that can be used to identify you.
The image is analysed, converted into a number via some clever maths and sent back to a third party. All of the website visits with a matching number can then be grouped together to create a profile of what you look at and when. Potentially, we’re heading straight back to the unregulated days of cookies.
As well as circumventing EU legislation, this technique also manages to elude most other methods of staying private. Incognito or private modes commonly provided by browsers will not prevent it, nor will advert-blocking software. And there is no special setting in your browser that will turn it off.
There are some ways to stop it, but they are laborious and not for those afraid of tinkering with their computers. The Tor anonymous browsing network will help combat it, as will using the Chamelon browser – but both require technical expertise to set up.
This may change, as new evidence suggests it is already in use across large parts of the web.
The fingerprinting technique was invented in 2012 by researchers at the University of California, San Diego, and has already been developed into commercial products by companies including AddThis.
In an academic study due to be published soon, researchers from Princeton University and KU Leuven University in Belgium scoured the top 100,000 sites by Alexa ranking and found that 5.5 per cent of them already use canvas fingerprinting. Of those, the vast majority (95 per cent) were using code from AddThis – a company which provides social media sharing widgets. On many sites they provide the buttons which allow you to quickly share links via Facebook or Twitter. This gives them a large foothold across many parts of the web – it reaches 1.6 billion different internet users every month, across 14 million domain names.
Sites running the code includes whitehouse.gov, CBS and porn giant YouPorn.com, according to researchers.
The company’s approach to canvas fingerprinting draws the phrase ““Cwm fjordbank glyphs vext quiz”, which uses every letter in the alphabet exactly once, in a small, invisible part of a website – you won’t see it, it’s done entirely in the background. Other services which used the technology include dating website Plenty of Fish.
AddThis said that if users install an opt-out cookie on their computers then it will not use the data collected for advertisement targeting. Use of the technique has simply been a trial for research and development purposes, it claims.
According to reports in ProPublica , the company did not tell any of the websites that it is used on that it had begun trials using the canvas fingerprinting technology. It now plans to drop the trials because they are “not uniquely identifying enough”.
The company did not reply to a request for comment from the Telegraph.
A YouPorn.com spokesperson told ProPublica that the site was “completely unaware that AddThis contained a tracking software that had the potential to jeopardize the privacy of our users.” It has removed all AddThis technology from its site.