|Did you know...?|
LWN.net is a subscriber-supported publication; we rely on subscribers to keep the entire operation going. Please help out by buying a subscription and keeping LWN on the net.
Recently, public attention has been called to a new online user-tracking method that is purported to be nearly impossible to block. Called "canvas fingerprinting," the technique relies on forcing the browser to generate an image on the client side of the connection—an image that is unique enough to serve as a fingerprint for the browser that created it. In fact, the basis for this fingerprinting approach is several years old, but it does now seem to be in use in the wild. Whether or not it truly amounts to an insurmountable blocking challenge, however, remains to be seen.
ProPublica was among the first to report the discovery of the technique, in an article dated July 21. The tracker was discovered running on multiple high-traffic web sites, and was served by the web-tracking vendor AddThis. AddThis's user-visible feature is the appearance of click-and-share-this-link buttons that connect to various social-media services; the web-tracking function that accompanies said buttons is not advertised, of course.
The new tracker uses the HTML5 <canvas> element, telling the user's browser to draw a hidden image containing the text "Cwm fjordbank glyphs vext quiz"—which is a pangram in English, containing every letter of the alphabet. The text is rendered in the <canvas> element multiple times, in different colors and overlapping—and differences in the graphics stacks of different computers will produce slightly different results. That, plus the variations in browser-window size, text-rendering settings, and other variables, mean that the resulting image, when rasterized, will exhibit a considerable amount of variation from one browser to the next. It can thus be sent back to the originating server (via the ToDataUrl method) to serve as a fingerprint to track the browser between different sites and repeat visits.
Inquisitive users can visit the browserleaks.com page that tests <canvas> support to tell whether or not they are susceptible to this form of fingerprinting.
Although the AddThis fingerprinting tracker appears to be the first of its kind, the concept of canvas fingerprinting is not new. It was first described in detail in a 2012 paper written by Keaton Mowery and Hovav Shacham. The paper describes tests performed both with text rendering and by creating an image with WebGL. It goes into considerable detail about what parts of the browser and graphics stack contribute to differences in the resulting rendered image.
On the OpenGL side, the authors noted differences in the antialiasing algorithm, the interpolation of textures, and the illumination calculated for the OpenGL light source that is pointed at the image. In the text component, even though all text elements were rendered in the Arial font, there were discernible differences between the version of Arial used, the sub-pixel hinting, spacing, and antialiasing.
Ultimately, Mowery and Shacham estimated that their tests revealed an entropy of 5.73 bits, but noted that the tests were not sophisticated and that further refinement could yield better results. This is not an insignificant amount of entropy, but it is worth putting in context. The Panopticlick project from the Electronic Frontier Foundation (EFF) notes that the average browser fingerprint it observes contains 18.1 bits of entropy or more, which is enough to uniquely identify one browser out of roughly 280,000. An additional 5.73 bits pushes that number to one in 14.6 million.
Thus, even the relatively modest entropy accounted for in Mowery and Shacham's research can constitute a real threat to individual privacy when it is used in conjunction with other techniques. But the AddThis canvas fingerprinting technique may have improved on the 2012 research in other ways. ProPublica attributed the discovery of the new AddThis tracker to a team of researchers at KU Leuven University in Belgium and Princeton University in the United States. The team's findings have been published on the web, but the code and data have not yet been released—although the researchers have said it will be made public shortly.
The ProPublica article does mention tracker-blocking options in a sidebar, although it labels them with discouraging warnings like "can be slow" and "requires a lot of research and decision-making." Users who are attuned to the risks of browser-tracking and the steps necessary to combat it may find such commentary objectionable. But then again, it is the "average user" who makes up the bulk of the population that AddThis and other web-tracking companies will be collecting data from. Reality is, unfortunately, that a great many users cannot or will not take steps to improve their privacy beyond whatever ships by default in the browser. Even if canvas fingerprinting fails to catch on, the contest to capture those user's movements through the web will undoubtedly just move on to the next user-tracking idea.
Copyright © 2014, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds