Canvas fingerprinting has been on the news a lot lately, described as the alternative to Internet tracking cookies that is impossible to turn off. But it’s actually not that hard to block canvas fingerprinting.
Canvas fingerprinting isn’t really anything new, it’s just a new twist on a method of tracking individual computers on the Internet. Last year we explained Internet fingerprinting, and nearly 10 years ago we described how any computer can be tracked across the Internet using its clock skew fingerprint.
We also wrote about how to thwart Internet fingerprinting.
Canvas fingerprinting, however, specifically takes advantage of a widget that plants javascript on your computer when you visit sites which use the AddThis technology.
AddThis touts itself by saying that “AddThis offers you website tools, advertising solutions and massive data.”
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
Ewww, doesn’t that “massive data” just make your skin crawl?
In a blog post ostensibly in response to the canvas fingerprinting outcry, but that really seems more a thinly guised marketing tool, AddThis said that “We conducted this research project from February to mid-July. We’re constantly testing, and this was a preliminary initiative to evaluate alternatives to browser cookies. Many other companies are working on cookie alternatives, and we wanted to see if this approach worked before deciding whether or how we’d use it. The test was completed, the code has been disabled, and this data was never used for personalization or targeted advertising.”
So how it works is like this. You go to a site that runs the AddThis widget, and that widget causes the AddThis tracking javascript to be downloaded to your computer. That javascript takes advantage of an API (called the “canvas API”, hence the “canvas fingerprinting” term) that accesses your graphic chip. The javascript sends an invisible graphic which causes your computer to send data back to the AddThis mothership.
Now, again, AddThis says that they have disabled the code. But that javascript is probably still on your computer. And could, quite possibly, be enabled again. You just never know.
And there in lies the twin rub. Both that they did it in the first place, and that their code is still on your computer.
Of course, if you have already disabled javascript, as we advise in that earlier article, then the widget will be unable to download the AddThis javascript to your computer (or at least it won’t be able to run).
You can also get the “Do Not Track Me” private browsing app from “Abine, which is free, and which, says Abine, has always blocked AddThis.
The EFF offers a handy way to test how much information your browser is giving up at the EFF How Unique and Trackable is Your Browser test.
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
