Web Tracking Advances Beat Privacy Defenses

Technologies such as canvas fingerprinting, evercookies, and cookie syncing prompt new call for privacy regulation.

Thomas Claburn, Editor at Large, Enterprise Mobility

July 22, 2014


Researchers warn that advances in online tracking have made it difficult even for sophisticated computer users to protect their privacy -- and call for further regulatory intervention.

In a research paper, computer security experts from Princeton University and KU Leuven University in Belgium describe three recently developed online tracking mechanisms that can be used to track and potentially identify users across different websites without their knowledge or consent.

These technologies -- canvas fingerprinting, evercookies, and cookie syncing -- represent what the researchers characterize as an ongoing arms race against privacy. Built using recently developed Web APIs, these tracking techniques are designed to be less susceptible to erasure and blocking than traditional HTTP cookies, which can be cleared and avoided through browser controls.

Online advertising companies want to understand consumer behavior online and they gain this understanding by building interest profiles based on the websites individuals visit. But when people clear the cookie files that websites place on their computers or block them, advertisers may be left in the dark about who is seeing their ads.

To preclude this possibility -- which makes advertising less effective and less profitable -- online advertising companies have been experimenting with more reliable ways to get information about website visitors. 

In their paper, the researchers say that they found 5% of the top 100,000 websites using canvas fingerprinting. This is a tracking technique that utilizes HTML5's Canvas API to draw an invisible picture in the user's browser window. This picture is then converted into an alphanumeric code so it can serve as a "fingerprint," a unique identifier associated with a specific user. In and of itself, this code does not reveal the user's identity, but identity can often be determined through other means and may end up being associated with other user data.
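The draw-then-read-back pattern described above is also what makes the technique detectable. The following is an added example, not code from the article or the research paper: a JavaScript sketch that logs canvas API calls and flags scripts that draw text and then read the rendered pixels back. The 16-pixel size floor, the JPEG exclusion, the `whoCalled` callback, and the sample URLs are assumptions made for illustration.

```javascript
const TEXT_WRITES = new Set(["fillText", "strokeText"]);
const MIN_SIDE = 16; // assumed threshold: smaller canvases are ignored

// Wrap `methods` on `proto` so each call is appended to `log`. In a browser this
// would target CanvasRenderingContext2D.prototype and HTMLCanvasElement.prototype
// before page scripts run; `whoCalled` (hypothetical) returns the caller's URL.
function instrument(proto, methods, log, whoCalled) {
  for (const method of methods) {
    const original = proto[method];
    proto[method] = function (...args) {
      const canvas = this.canvas || this; // a 2D context points at its canvas
      log.push({ script: whoCalled(), canvas, method, args,
                 width: canvas.width, height: canvas.height });
      return original.apply(this, args);
    };
  }
}

// Assumed heuristic: a readback counts only if it is large enough and not JPEG.
function isReadback(e) {
  if (e.width < MIN_SIDE || e.height < MIN_SIDE) return false;
  if (e.method === "toDataURL") return !/^image\/jpeg$/i.test(e.args[0] || "");
  if (e.method === "getImageData") return e.args[2] >= MIN_SIDE && e.args[3] >= MIN_SIDE;
  return false;
}

// Return the scripts that drew text on a canvas and later read that canvas back.
function flagCanvasFingerprinting(log) {
  const wroteText = new Map(); // canvas -> Set of scripts that drew text on it
  const flagged = new Set();
  for (const e of log) {
    if (!wroteText.has(e.canvas)) wroteText.set(e.canvas, new Set());
    const writers = wroteText.get(e.canvas);
    if (TEXT_WRITES.has(e.method)) writers.add(e.script);
    else if (writers.has(e.script) && isReadback(e)) flagged.add(e.script);
  }
  return [...flagged];
}

// Constructed trace: one tracker-like script and one chart exported as JPEG.
const SAMPLE_LOG = [
  { script: "https://tracker.example/fp.js", canvas: "c1", method: "fillText", args: ["sample text", 2, 15], width: 300, height: 150 },
  { script: "https://tracker.example/fp.js", canvas: "c1", method: "toDataURL", args: [], width: 300, height: 150 },
  { script: "https://charts.example/plot.js", canvas: "c2", method: "fillText", args: ["Q3 revenue", 10, 20], width: 400, height: 300 },
  { script: "https://charts.example/plot.js", canvas: "c2", method: "toDataURL", args: ["image/jpeg"], width: 400, height: 300 },
];
console.log(flagCanvasFingerprinting(SAMPLE_LOG));
```

A flagged script is a candidate for review rather than a verdict, since legitimate pages also export canvases that contain text.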

A single online advertising company, AddThis, is responsible for most of the canvas fingerprinting (95%), according to the paper. Canvas fingerprinting scripts were also found associated with 19 other domains or companies, including Ligatus, a German digital marketing firm, and Pof.com, operated by Canada's PlentyofFish Media.

A spokesperson for AddThis was not immediately available.

In an interview with ProPublica, AddThis CEO Rich Harris said his company has been testing canvas fingerprinting as an alternative to traditional cookies, has only used the data internally, and will allow people to opt out if they install the company's opt-out cookie.

Two other tracking mechanisms are discussed in the paper alongside more established alternatives to HTTP cookies like Flash cookies. Evercookies circumvent user efforts to clear cookies "by abusing different browser storage mechanisms to restore removed cookies." And cookie syncing is described as a way to bypass a browser privacy mechanism known as the Same-Origin Policy, intended to limit the information available to software associated with a specific Web domain.

There are some defenses available, such as Disconnect. But the researchers expect individuals will have problems trying to protect their privacy. "It is doubtful that even privacy-conscious and technologically-savvy users can adopt and maintain the necessary privacy tools without ever experiencing a single misstep," the paper states.

The researchers conclude by urging standards bodies like the World Wide Web Consortium (W3C) to consider the privacy implications of new Web technology at the design stage. They suggest that a viable approach to online privacy needs to include technical efforts buttressed by regulatory oversight.


About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
