NEW, SINISTER web tracking tech fingerprints your computer by making it draw

Have you been on YouPorn lately, perhaps? White House website?

A new, persistent web-tracking technology has been used to track web users across many of the world's most popular websites, including those of the White House and even wholesale smut platform YouPorn.

The canvas fingerprinting technique was described in 2012 by University of California researchers (PDF) as a means to silently track the web sites users visit.

Users surveilled by canvas fingerprinting cannot defend themselves by clearing the tracking mechanism with the browser's normal cookie flushing, nor block it with tools like AdBlock Plus.

It gets worse: researchers from the universities of Princeton and Belgium's KU Leuven have now found, and documented in a paper titled The Web never forgets: Persistent tracking mechanisms in the wild (PDF), that previously-unreported canvas fingerprinting scripts were deployed on 5000 of the top 100,000 most popular websites as rated by Alexa.

The lion's share of these were running thanks to the AddThis app under an experiment launched without the knowledge of the named websites.

Those sites included the Australian Government's Department of Foreign Affairs and Trade, the Department of Health and the Fair Work Ombudsman, Blighty's Ministry of Justice and the website for the Royals, along with scores of US Government sites including the White House.

Topping the list was the highly rated YouPorn.com website, which came in with a rank of 108.

AddThis chief executive Rich Harris told ProPublica it began live experiments this year with canvas fingerprinting across some of the 13 million sites on which it appears as a means to replace traditional text cookies.

The news prompted a startled YouPorn to drop the AddThis function.

[Figure: Canvas fingerprinting flowchart.]

Canvas fingerprinting works by making the user's web browser draw an image using the canvas API; because the rendered image differs from machine to machine, it can be converted into an identification number.

"The tracking mechanisms we study are advanced in that they are hard to control, hard to detect and resilient to blocking or removing," the six researchers wrote in the paper.

"Canvas fingerprinting uses the browser’s Canvas API to draw invisible images and extract a persistent, long-term fingerprint without the user’s knowledge."
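To make the draw-then-read-back pattern concrete from the defender's side, here is an added example (not code from the article or from the researchers' paper) of a small in-page monitor that wraps the canvas read-back methods and flags a script that renders text on a canvas never attached to the page and then reads its pixels. The "hidden canvas plus text plus read-back" rule is an assumed heuristic of this example, and the stub canvas classes are constructed stand-ins so it runs outside a browser.

```javascript
// Wraps the canvas API surface so that pixel read-backs are reported.
// Heuristic (assumption): text drawn on a canvas that is not in the DOM,
// followed by toDataURL/getImageData, is the fingerprinting pattern.
function installCanvasMonitor(canvasProto, ctxProto, report) {
  const textDrawn = new WeakSet(); // canvases on which a script rendered text

  const origFillText = ctxProto.fillText;
  ctxProto.fillText = function (...args) {
    textDrawn.add(this.canvas);
    return origFillText.apply(this, args);
  };

  function onReadback(canvas, method) {
    const suspicious = textDrawn.has(canvas) && !canvas.isConnected;
    report({ method, suspicious, width: canvas.width, height: canvas.height });
  }
  const origToDataURL = canvasProto.toDataURL;
  canvasProto.toDataURL = function (...args) {
    onReadback(this, 'toDataURL');
    return origToDataURL.apply(this, args);
  };
  const origGetImageData = ctxProto.getImageData;
  ctxProto.getImageData = function (...args) {
    onReadback(this.canvas, 'getImageData');
    return origGetImageData.apply(this, args);
  };
}

// In a browser the call is installCanvasMonitor(HTMLCanvasElement.prototype,
// CanvasRenderingContext2D.prototype, console.warn). Constructed stubs stand in here.
function runDemo() {
  class StubCtx {
    fillText() {}
    getImageData() { return { data: new Uint8ClampedArray(4) }; }
  }
  class StubCanvas {
    constructor(isConnected) { this.width = 220; this.height = 30; this.isConnected = isConnected; }
    getContext() { const ctx = new StubCtx(); ctx.canvas = this; return ctx; }
    toDataURL() { return 'data:image/png;base64,constructed'; }
  }
  const reports = [];
  installCanvasMonitor(StubCanvas.prototype, StubCtx.prototype, (r) => reports.push(r));

  const hidden = new StubCanvas(false);   // never appended to the page
  hidden.getContext('2d').fillText('Cwm fjordbank glyphs vext quiz', 2, 15);
  hidden.toDataURL();                     // tracker reads the rendered pixels back

  const visible = new StubCanvas(true);   // an on-screen chart doing hit-testing
  visible.getContext('2d').getImageData(0, 0, 1, 1);
  return reports;                         // [{suspicious: true}, {suspicious: false}]
}
```

A real deployment would also record the calling script's URL from `new Error().stack` so the report names the third-party library responsible.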

Easy or stable blocking mechanisms have not yet been developed; however, users could test the Chameleon experimental browser, run Tor, or blacklist AddThis via NoScript or NotScript.

"A frequent argument in online privacy debates is that individuals should take control of their own privacy online [but] our results suggest that even sophisticated users may not be able to do so without significant trade-offs," they wrote.

The privacy crusaders also examined Flash cookies, including evercookies, which use slippery storage tactics, and cookie syncing, which sidesteps the Same-Origin Policy.

They found the cookies on 10 of the 200 most popular websites and 107 of the top 10,000 sites. Of these, 33 different Flash cookies were detected, including a new IndexedDB evercookie vector previously unseen in the wild.

Readers can find technical details of the research in the report by Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan and Claudia Diaz. They can also opt out of AddThis personalised tracking if they disagree with the company's claim that targeted ads "enhances your internet experience". ®
