According to the Electronic Frontier Foundation (EFF), the White House is using canvas fingerprinting to track visitors to the White House Blog and website. This revelation comes after Princeton and the University of Leuven in Belgium released a paper Tuesday titled “The web never forgets: Persistent tracking mechanisms in the wild.”
A company called AddThis is among the most intrusive and employs this technology on many top websites, including WhiteHouse.gov. “Canvas fingerprinting allows sites to get even more identifying information than we had previously warned about with our Panopticlick fingerprinting experiment,” says EFF. “Canvas fingerprinting software draws a hidden image containing the unusual phrase ‘Cwm fjordbank glyphs vext quiz’ and notices how the pixels look different on different systems.” This type of technology was first presented by Keaton Mowery and Hovav Shacham in 2012.
The study looked at new technologies besides canvas fingerprinting, namely evercookies and cookie syncing. All of these make it difficult for even the most knowledgeable users to maintain their privacy, according to the paper. Researchers claim that this is the first large-scale study about these techniques. “A single lapse in judgment can shatter privacy defenses,” the researchers wrote.
A 1999 New York Times article describes cookies as “surveillance files that many marketers implant in the personal computers of people.” Now, years later, there are even more advanced cookie methods. The researchers say their goal is “to improve transparency of web tracking in general and advanced tracking techniques in particular.” They hope exposure will bring increased accountability and that the general public will be more informed.
Evercookies abuse browser storage mechanisms to restore cookies that have been removed.
Cookie syncing is a workaround to the Same-Origin Policy. According to Wikipedia, the Same-Origin Policy is a concept in the web application security model: scripts running on pages from the same site can access each other’s DOM, but not the DOM of pages on different sites. The researchers say that the workaround is hard to detect and that cookie syncing enables back-end server-to-server data to be hidden from public view.
“The tracking mechanisms we study are advanced in that they are hard to control, hard to detect and resilient to blocking or removing,” said the researchers. “Canvas fingerprinting uses the browser’s Canvas API to draw invisible images and extract a persistent, long-term fingerprint without the user’s knowledge. There doesn’t appear to be a way to automatically block canvas fingerprinting without false positives that block legitimate functionality; even a partial fix requires a browser source-code patch.”
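The pattern described above (text drawn to a canvas, then the pixels read back) can be looked for in a log of Canvas API calls recorded by an instrumented browser. The following is an added example, not code from the paper or the EFF; the log format, field names, domains and thresholds are assumptions made for illustration, and the log entries are constructed.

```javascript
// Constructed log of instrumented Canvas API calls (not real measurement data).
const sampleLog = [
  { script: "https://tracker.example/fp.js", canvas: 1, width: 300, height: 150, method: "fillText", args: ["Cwm fjordbank glyphs vext quiz", 2, 15] },
  { script: "https://tracker.example/fp.js", canvas: 1, width: 300, height: 150, method: "toDataURL", args: [] },
  { script: "https://charts.example/plot.js", canvas: 2, width: 640, height: 480, method: "fillText", args: ["Q3 revenue", 10, 20] },
  { script: "https://photos.example/thumb.js", canvas: 3, width: 128, height: 128, method: "drawImage", args: [] },
  { script: "https://photos.example/thumb.js", canvas: 3, width: 128, height: 128, method: "toDataURL", args: ["image/jpeg", 0.8] },
  { script: "https://emoji.example/detect.js", canvas: 4, width: 1, height: 1, method: "fillText", args: ["\u263a", 0, 0] },
  { script: "https://emoji.example/detect.js", canvas: 4, width: 1, height: 1, method: "toDataURL", args: [] },
];

const MIN_SIDE = 16; // assumed threshold: tiny canvases are treated as feature probes
const LOSSY = new Set(["image/jpeg", "image/webp"]); // lossy export blurs per-system pixel differences

// Returns the script URLs that drew text on a canvas and then read it back
// losslessly. Only toDataURL is treated as a read-back in this example.
function flagCanvasFingerprinting(log) {
  const state = new Map(); // one entry per (script, canvas) pair
  for (const c of log) {
    const key = `${c.script}#${c.canvas}`;
    const s = state.get(key) || { script: c.script, wroteText: false, readBack: false };
    const bigEnough = c.width >= MIN_SIDE && c.height >= MIN_SIDE;
    if (c.method === "fillText" || c.method === "strokeText") {
      s.wroteText = s.wroteText || bigEnough;
    } else if (c.method === "toDataURL") {
      const type = String(c.args[0] || "image/png").toLowerCase();
      // Only a read-back that follows the text draw can capture its pixels.
      if (s.wroteText && bigEnough && !LOSSY.has(type)) s.readBack = true;
    }
    state.set(key, s);
  }
  return [...state.values()].filter((s) => s.wroteText && s.readBack).map((s) => s.script);
}

console.log(flagCanvasFingerprinting(sampleLog));
```

A script that draws text and exports a lossless image for a legitimate reason would match the same rule, which is the false-positive problem the researchers describe.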
For those interested in the specifics of the canvas fingerprinting technology, the Princeton/Leuven paper explains how it works: