The privacy threat presented by a new web-user tracking technique called ‘canvas fingerprinting’ has been highlighted after researchers found it being used on prestigious sites such as the US White House and the official website of the British monarchy.
Researchers at Princeton University and Belgium's KU Leuven University warn in a paper published this month that canvas fingerprinting – an advanced way of tracking web users to replace old-style cookies – is a risk to privacy because it is hidden to site users, operates without their knowledge and can't be blocked by standard browser tools.
Despite this, they say the technique is being used on more than 5,000 of the 100,000 most popular websites worldwide. These include the Royal family's official website, royal.gov.uk, as well as the UK Ministry of Justice, US White House and many others - including porn sites (which are popular).
Closer to home, the technique is also used on Kaspersky's UK website – as well as the UK sites of Cancer Research, Adidas, Oxfam, Starbucks, ACAS and Hampshire County Council among others.
There is no suggestion the websites themselves are knowingly deploying the technique. The researchers say the source of the canvas fingerprinting code on 95 percent of the sites is a company called AddThis, which provides website tools to maximise traffic and which first started using canvas fingerprinting in January 2014. According to press reports, AddThis is testing the technique.
In their paper titled ‘The web never forgets: Persistent tracking mechanisms in the wild’, the researchers investigate canvas fingerprinting and two other innovative types of tracking - evercookies and cookie syncing.
They say canvas fingerprinting was first presented in a paper by Keaton Mowery and Hovav Shacham from the University of California in San Diego in 2012.
It works by instructing a site visitor's web browser to draw a hidden text image. Because each computer renders the text subtly differently, this can be used to assign the device a number that uniquely identifies it, so “extracting a consistent fingerprint that can easily be obtained in a fraction of a second without user's awareness”.
This is then used to build a profile of the user, based on which sites they visit, and so target advertising and other content presented to them.
The Leuven and Princeton researchers found canvas fingerprinting scripts on the home pages of 5,542 of the world's 100,000 most popular websites, as ranked by Alexa, mostly belonging to AddThis.com, but from 20 software providers in all.
They say the 5.5 percent prevalence rate is much higher than previous studies have found and that, as they only ‘crawled’ home pages, the real prevalence on internal pages will be even higher.
They warn: “The tracking mechanisms are advanced in that they are hard to control, hard to detect and resilient to blocking or removing. There doesn't appear to be a way to automatically block canvas fingerprinting without false positives that block legitimate functionality; even a partial fix requires a browser source-code patch.”
The researchers “hope that our techniques and results will lead to better defences, increased accountability for companies deploying exotic tracking techniques and an invigorated and informed public and regulatory debate on increasingly persistent tracking techniques”.
They advise that asking user permission for each canvas fingerprinting read may be the only effective way to block the technique, and that this is used by the Tor browser - “the only software that we found to successfully protect against canvas fingerprinting”.
Current advertising industry opt-out tools don't work against it.
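The permission-per-read defence the researchers describe can be sketched as follows. This is an added example, not code from the paper, the Tor browser or this article; `guardCanvasReads`, `askPermission`, `getOrigin` and the `FakeCanvas` stand-in are hypothetical names, and caching the answer per origin and returning an empty data URL on denial are choices made for this sketch.

```javascript
// Added example: gate canvas pixel reads behind a permission callback.
const BLANK = 'data:,'; // constant placeholder handed back when a read is denied

// Wrap proto.toDataURL so every read is logged and needs an explicit "yes".
// In a browser, proto would be HTMLCanvasElement.prototype and getOrigin
// could return location.origin (assumption of this sketch).
function guardCanvasReads(proto, askPermission, getOrigin) {
  const original = proto.toDataURL;
  const decisions = new Map(); // remembered answer per requesting origin
  const log = [];              // audit trail of every read attempt
  proto.toDataURL = function (...args) {
    const origin = getOrigin();
    if (!decisions.has(origin)) {
      decisions.set(origin, Boolean(askPermission(origin)));
    }
    const allowed = decisions.get(origin);
    log.push({ origin, allowed });
    // Denied callers all receive the same value, so it carries no device signal.
    return allowed ? original.apply(this, args) : BLANK;
  };
  return log;
}

// Constructed stand-in for a canvas so the sketch runs under Node. Its output
// depends on a per-device "renderer" string, mimicking rendering differences.
class FakeCanvas {
  constructor(renderer) { this.renderer = renderer; this.text = ''; }
  fillText(text) { this.text = text; }
  toDataURL() {
    const pixels = Buffer.from(this.renderer + '|' + this.text);
    return 'data:image/png;base64,' + pixels.toString('base64');
  }
}

function demo() {
  let page = 'https://tracker.example';                     // constructed origins
  const trusted = new Set(['https://photo-editor.example']);
  const log = guardCanvasReads(FakeCanvas.prototype, (o) => trusted.has(o), () => page);
  const canvas = new FakeCanvas('gpu-A/font-stack-1');
  canvas.fillText('hidden probe text');
  const denied = canvas.toDataURL();   // read from a page the user refused
  page = 'https://photo-editor.example';
  const granted = canvas.toDataURL();  // read from a page the user approved
  return { denied, granted, log };
}

const result = demo();
console.log(result.log);
```

Because the legitimate page still gets real pixel data once approved, this avoids the false-positive problem of blocking canvas reads outright.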
Analysing their findings, UK security experts agreed the new tracking techniques are a threat to privacy.
Tim Holman, president of the ISSA-UK security professionals user group, told SCMagazineUK.com via email: “Since the cookie law was adopted in 2011, then guess what? Millions of dollars have been poured into research funds to find alternative methods to track users online. Canvas fingerprinting is one of them and I'm sure the Information Commissioner will take a very dim view.
“As this information can be linked to a living individual, then I'd argue this is personal data without a doubt, and would come under jurisdiction of EU e-Privacy laws.
“The solution seems simple enough – remove AddThis from your web applications, but in the meantime there's a bunch of personal data out there that's been collected without our consent. We want it back.”
Professor John Walker, visiting professor at Nottingham-Trent University's School of Science and Technology, told SC: “The bottom line is, where we see the emergence of another tool which may be utilised for the purpose of marketing, or criminality, which is very capable of presenting another form of compromise to the unsuspecting end-user, we need to be concerned.”
Commenting on how canvas fingerprinting works, Walker said: “It is interesting just how the imagination of the human has been applied to seek out new ways of extracting information, or even to compromise a system to gain artefacts in the form of a logical footprint to identify the object.
“However, notwithstanding it has been suggested that the accuracy of canvas fingerprinting is only around 90 percent, given the potential target end-points this of course amounts to a significant number of profiles.
“As for the conclusion that the ‘fingerprint’ is only associated with a number, it does not take a genius to work out that by applying a methodology of association, it would be possible to calculate the relationship between values, and real personalities.”
Contacted by SC, a spokesperson from Kaspersky was unavailable to comment at time of writing, and a spokesperson for Buckingham Palace declined to comment.