cookie

WhiteHouse.gov Continues Snooping With Unique Cookie Tracking Technology

1 comment

According the Electronic Frontier Foundation (EFF), the White House is using canvas fingerprinting to track visitors to the White House Blog and and website. This revelation comes after Princeton and University of Leuven in Belgium released a paper Tuesday titled “The web never forgets: Persistent tracking mechanisms in the wild.”

It’s constant work keeping up with evolving tracking technology. The EFF has been working to influence White House Cookie Policy as far back as January 2009.

A company called AddThis is among the most intrusive and employs this technology on many top websites including WhiteHouse.gov. “Canvas fingerprinting allows sites to get even more identifying information than we had previously warned about with our Panopticlick fingerprinting experiment,” says EFF. “Canvas fingerprinting software draws a hidden image containing the unusual phrase ‘Cwm fjordbank glyphs vext quiz’ and noticed how the pixels look different on different systems. This type of technology was first presented by Keaton Mowery and Hovav Shacham in 2012.

As of Friday the White House site still included AddThis code. You can experience this yourself (if you don’t mind being tracked) by going to whitehouse.gov, right click on your browser and select view source. Search for the text addthis and you’ll see the site is loading the javascript code.

EFF offers the following advice, “Fortunately, some solutions are available. You can block trackers like AddThis using an algorithmic tool such as EFF’s Privacy Badger, or a list-based one like Disconnect. Or if you’re a fairly knowledgeable user and are willing to do some extra work, you can use a manually controlled script blocker such as No Script to only run JavaScript from domains you trust.”

The study looked at new technologies besides canvas fingerprinting. There are also evercookies and cookie synching. All of these make it difficult for even the most knowledgeable users to maintain their privacy, according to the paper. Researchers claim that this is the first large-scale study about these techniques. “A single lapse in judgment can shatter privacy defenses,” the researchers wrote.

A 1999 New York Times article describes cookies as “surveillance files that many marketers implant in the personal computers of people.” Now years later there are even more advanced cookie methods. The researchers say their goal is “to improve transparency of web tracking in general and advanced tracking techniques in particular. They hope exposure will bring increased accountability and the general public will be more informed.

Evercookies abuse browser storage mechanisms to activate removed cookies.

Cookie syncing is a workaround to the Same-Origin Policy. According to Wikipedia Same-Origin Policy is a concept relevant to the web application security model. Scripts running on pages from the same site can access each other’s DOM on different sites. The researchers say that the workaround is hard to detect and cookie syncing enables back-end server-to server date to be hidden from public view.

“The tracking mechanisms we study are advanced in that they are hard to control, hard to detect and resilient to blocking or removing.” said the researchers. canvasflow“Canvas fingerprinting  uses the browser’s Canvas API to draw invisible images and extract a persistent, long-term fingerprint without the user’s knowledge. There doesn’t appear to be a way to automatically block canvas fingerprinting without false positives and block legitimate functionality; even a partial fix requires a browser source-code patch.”

For those interested in the specifics of the canvas fingerprinting technology the Princeton/Leuven paper explains how it works:

canvastext

Add Your Comments

  • (will not be published)

One Comment

  1. Goodness, what's new! Why can't we just be free without bigdaddy watching over us with their microscopes. Governments have such little faith and trust in people they have to spy and monitor their every move. No the internet will be full of it, not such a free place as it used to be.

    Reply