Web Tracking Advances Beat Privacy Defenses - InformationWeek

09:13 AM
Web Tracking Advances Beat Privacy Defenses

Technologies such as canvas fingerprinting, evercookies, and cookie syncing prompt new call for privacy regulation.


Researchers warn that advances in online tracking have made it difficult even for sophisticated computer users to protect their privacy -- and call for further regulatory intervention.

In a research paper, computer security experts from Princeton University and KU Leuven University in Belgium describe three recently developed online tracking mechanisms that can be used to track and potentially identify users across different websites without their knowledge or consent.

These technologies -- canvas fingerprinting, evercookies, and cookie syncing -- represent what the researchers characterize as an ongoing arms race against privacy. Built using recently developed Web APIs, these tracking techniques are designed to be less susceptible to erasure and blocking than traditional HTTP cookies, which can be cleared and avoided through browser controls.

Online advertising companies want to understand consumer behavior online and they gain this understanding by building interest profiles based on the websites individuals visit. But when people clear the cookie files that websites place on their computers or block them, advertisers may be left in the dark about who is seeing their ads.

To preclude this possibility -- which makes advertising less effective and less profitable -- online advertising companies have been experimenting with more reliable ways to get information about website visitors. 

In their paper, the researchers say that they found 5% of the top 100,000 websites using canvas fingerprinting. This is a tracking technique that utilizes HTML5's Canvas API to draw an invisible picture in the user's browser window. This picture is then converted into an alphanumeric code so it can serve as a "fingerprint," a unique identifier associated with a specific user. In and of itself, this code does not reveal the user's identity, but identity can often be determined through other means and may end up being associated with other user data.
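The draw-then-encode pattern described above can be observed from the defender's side. The following is an added example, not code from the article or the research paper: a small monitor that wraps the canvas text-drawing and image-export calls and reports when a canvas that had text drawn on it is read back. The heuristic, the `watchCanvas` name, and the `FakeCanvas`/`FakeContext` stand-ins are assumptions made for this illustration.

```javascript
// Defensive monitor: flag code that draws text on a canvas and then reads the
// image back, the draw-then-encode pattern the article describes.
function watchCanvas(canvasProto, contextProto, report) {
  const drawn = new WeakMap(); // canvas -> text strings drawn on it

  for (const method of ["fillText", "strokeText"]) {
    const original = contextProto[method];
    contextProto[method] = function (text, ...rest) {
      const list = drawn.get(this.canvas) || [];
      list.push(String(text));
      drawn.set(this.canvas, list);
      return original.call(this, text, ...rest);
    };
  }

  const originalRead = canvasProto.toDataURL;
  canvasProto.toDataURL = function (...args) {
    const texts = drawn.get(this);
    if (texts) {
      report({ width: this.width, height: this.height, texts: texts.slice() });
    }
    return originalRead.apply(this, args);
  };
}

// Constructed stand-ins for the browser's canvas and 2D context classes so the
// monitor can be exercised outside a browser (assumption: not real DOM classes).
class FakeContext {
  constructor(canvas) { this.canvas = canvas; }
  fillText() {}
  strokeText() {}
}
class FakeCanvas {
  constructor(width, height) { this.width = width; this.height = height; }
  getContext() { return this.ctx || (this.ctx = new FakeContext(this)); }
  toDataURL() { return "data:image/png;base64,CONSTRUCTED"; }
}

function demo() {
  const events = [];
  watchCanvas(FakeCanvas.prototype, FakeContext.prototype, (e) => events.push(e));
  // Constructed behaviour 1: text drawn, then image read back -> reported.
  const probe = new FakeCanvas(300, 40);
  probe.getContext("2d").fillText("constructed test string", 2, 15);
  probe.toDataURL();
  // Constructed behaviour 2: export with no text drawn -> not reported.
  new FakeCanvas(16, 16).toDataURL();
  return events;
}
```

In a browser the same function would be given `HTMLCanvasElement.prototype` and `CanvasRenderingContext2D.prototype`; it does not cover other read-back paths such as `getImageData`.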

A single online advertising company, AddThis, is responsible for most of the canvas fingerprinting (95%), according to the paper. Canvas fingerprinting scripts were also found associated with 19 other domains or companies, including Ligatus, a German digital marketing firm, and Pof.com, operated by Canada's PlentyofFish Media.

A spokesperson for AddThis was not immediately available.

In an interview with ProPublica, AddThis CEO Rich Harris said his company has been testing canvas fingerprinting as an alternative to traditional cookies, has only used the data internally, and will allow people to opt out if they install the company's opt-out cookie.

Two other tracking mechanisms are discussed in the paper alongside more established alternatives to HTTP cookies like Flash cookies. Evercookies circumvent user efforts to clear cookies "by abusing different browser storage mechanisms to restore removed cookies." And cookie syncing is described as a way to bypass a browser privacy mechanism known as the Same-Origin Policy, intended to limit the information available to software associated with a specific Web domain.

There are some defenses available, such as Disconnect. But the researchers expect individuals will have problems trying to protect their privacy. "It is doubtful that even privacy-conscious and technologically-savvy users can adopt and maintain the necessary privacy tools without ever experiencing a single misstep," the paper states.

The researchers conclude by urging standards bodies like the World Wide Web Consortium (W3C) to consider the privacy implications of new Web technology at the design stage. They suggest that a viable approach to online privacy needs to include technical efforts buttressed by regulatory oversight.


Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

David F. Carr, User Rank: Author
7/22/2014 | 10:42:36 AM
Is canvas fingerprinting persistent?
Does the canvas fingerprinting technique store something persistently on the user's PC or device? I would think an HTML5 canvas would only persist for as long as the web page was open in the browser window -- in which case this would be useful as a session-tracking mechanism for users who have disabled cookies, but not for ad tracking across multiple visits to the same site.

I confess I haven't studied HTML5 in detail -- and I do remember hearing about plans to give it some local storage capabilities -- so please correct me if I'm wrong.