A New Form of Online Tracking: Canvas Fingerprinting

Unknown Lamer posted about 3 months ago | from the subverting-features-for-evil-and-profit dept.

Privacy 194

New submitter bnortman (922608) was the first to write in with word of "a new research paper discussing a new form of user fingerprinting and tracking for the web using the HTML 5 <canvas>." globaljustin adds more from an article at ProPublica: Canvas fingerprinting works by instructing the visitor's Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user's device a number that uniquely identifies it. ... The researchers found canvas fingerprinting computer code ... on 5 percent of the top 100,000 websites. Most of the code was on websites that use the AddThis social media sharing tools. Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish. ... Rich Harris, chief executive of AddThis, said that the company began testing canvas fingerprinting earlier this year as a possible way to replace cookies ...

Is that what it is come down to? (3, Funny)

thieh (3654731) | about 3 months ago | (#47506665)

Skipping all images to avoid tracking? Back to ncurses it is then

Re:Is that what it is come down to? (4, Funny)

Anonymous Coward | about 3 months ago | (#47506941)

They're already tracking you by your termcap.

Re:Is that what it is come down to? (1)

slazzy (864185) | about 3 months ago | (#47507277)

No, it shouldn't be hard to create some sort of randomizer for browser image generation. It will probably be a browser standard in 5 years, and a plugin within a few months.

So (0)

Anonymous Coward | about 3 months ago | (#47506667)

How do we block it?

Re: So (0)

Anonymous Coward | about 3 months ago | (#47506785)

sudo echo '0.0.0.0 addthis.com' >> /etc/hosts

Re: So (0)

Anonymous Coward | about 3 months ago | (#47506815)

sudo echo '0.0.0.0 addthis.com' >> /etc/hosts

and other third party trackers? now it will spread all across the web, shall we erase every second domain?

More hosts than that... (4, Informative)

justthinkit (954982) | about 3 months ago | (#47506817)

There are a number of other sites that are hosting the code. Check the summary link to see what they are.

Since the sites using this exploit are sorted by Alexa rank, I gave up looking after a while, but here are "the biggies":
127.0.0.1 addthis.com
127.0.0.1 ligatus.com
127.0.0.1 cloudfront.net
127.0.0.1 vcmedia.vn
127.0.0.1 cloudflare.com
127.0.0.1 kitcode.net
127.0.0.1 pof.com
127.0.0.1 shorte.st
127.0.0.1 ringier.cz
127.0.0.1 insnw.net
127.0.0.1 domainsigma.com

Not sure how seriously this would break things, but some are hosting the exploit on Amazon's cloud: 127.0.0.1 amazonaws.com

Re:More hosts than that... (1)

Anonymous Coward | about 3 months ago | (#47507187)

When I use 127.0.0.1, it makes my browsers wait for a timeout before they finish rendering. If you use something like 0.0.0.0, it returns immediately.

Re:More hosts than that... (1)

justthinkit (954982) | about 3 months ago | (#47507395)

Thanks. Shaves 2 bytes per site in my hosts file as well. Adds up to almost an MB in a 16MB file.

Re:More hosts than that... (2)

Lawrence_Bird (67278) | about 3 months ago | (#47507439)

blocking cloudfront is going to be a problem as it is a CDN from Amazon.

Re:More hosts than that... (-1)

gstoddart (321705) | about 3 months ago | (#47507519)

You and I have different versions of the meaning of "problem".

Page don't load because cloudfront is blocked?

No problem, because I don't care.

I have yet to find a single site I need or can't live without that requires it.

Re:More hosts than that... (-1)

Anonymous Coward | about 3 months ago | (#47507571)

>I have yet to find a single site I need or can't live without that requires it.
You obviously do not use the internet much, so no one really cares about what you think

Re:More hosts than that... (0)

Anonymous Coward | about 3 months ago | (#47507785)

You can't just keep playing whack-a-mole. They could register a new domain every 12 hours for negligible cost, or even use IP addresses.

If you really want to prevent fingerprinting, the only way is to disable javascript. Yes, it's painful, and a lot of poorly written sites won't work. But, it's the only real way to stop fingerprinting.

If you're willing to fully identify yourself to a certain site, and trust it not to use zero-day exploits against your browser, then you can use noscript to selectively enable javascript there. But, if you really care about privacy, you have to have the willpower to say, "I don't need to read this javascript-rendered news article", or "I don't need to buy this here. I can spend 10% more to get it on Amazon, where I don't need javascript".

Re: So (4, Funny)

plover (150551) | about 3 months ago | (#47506879)

Noooo! Don't mention /etc/hosts, lest you summon ... him.

Re: So (1)

tepples (727027) | about 3 months ago | (#47507055)

By "him" do you mean me [pineight.com] ? I didn't think so.

Re: So (0)

Anonymous Coward | about 3 months ago | (#47507373)

The Best Poster

Re: So (0)

Anonymous Coward | about 3 months ago | (#47507659)

... said nobody ever.

Re: So (2)

jones_supa (887896) | about 3 months ago | (#47506915)

sudo echo '0.0.0.0 addthis.com' >> /etc/hosts

That would lead to a "Permission denied" error because the appending to file is done by the normal user.

Try instead: sudo sh -c "echo '0.0.0.0 addthis.com' >> /etc/hosts"

Re: So (1, Informative)

Anonymous Coward | about 3 months ago | (#47507283)

echo '0.0.0.0 addthis.com' | sudo tee /etc/hosts

also works.

Re: So (1)

jones_supa (887896) | about 3 months ago | (#47507419)

Thanks. That one also looks a bit cleaner.

Re: So (2, Informative)

Anonymous Coward | about 3 months ago | (#47507537)

echo '0.0.0.0 addthis.com' | sudo tee /etc/hosts

also works.

That'll overwrite the whole file.

echo '0.0.0.0 addthis.com' | sudo tee -a /etc/hosts

will append.

Re: So (0)

Anonymous Coward | about 3 months ago | (#47507781)

this will never work on bash. Oh god, slashdot is no more what it used to be..a real slashdotter (even average AC) would have used sed

Re:So (2)

plover (150551) | about 3 months ago | (#47506883)

NoScript or Ghostery already block AddThis. It's just JavaScript.

Re:So (4, Informative)

Crayon Kid (700279) | about 3 months ago | (#47507013)

Use the RequestPolicy [mozilla.org] addon in Firefox. It's a whitelist for allowing certain sites to load resources (of any kind) from other sites. If the pairing between the site you're on and another site is not explicitly added to RequestPolicy, nothing gets loaded (the request is not even made to begin with). It covers JS, CSS, images, anything.

IMO it's a more practical approach than NoScript, although not as ultra-secure.

In case you're wondering what's the difference between RequestPolicy and Ghostery:

  • Ghostery is a blacklist, not a whitelist (blocks only the things in the list, allows anything else). Blacklists are usually a bad idea in security.
  • With RequestPolicy you control the list, with Ghostery someone else does.
  • Ghostery has a lot of extra fluff, RP has only what's needed.

Not entirely clear. (5, Insightful)

fuzzyfuzzyfungus (1223518) | about 3 months ago | (#47507079)

Depending on what you mean by 'block', there may or may not be a properly satisfactory answer:

'Block' as in 'make this specific mechanism fail' is the relatively easy question. If the attacker can't manipulate a canvas element and read the result, it won't work. So the usual javascript blockers or more selective breaking of some or all of the canvas element (the TOR browser apparently already does this for methods that can be used to read back the contents of a canvas element, so you can still draw on one but not observe your handiwork) will do the job.

Unfortunately the attacker doesn't actually care about making your browser draw a picture, they care about achieving as accurate a UID as they can. Given that, you might actually make yourself more distinctive if your attempt to break a given fingerprinting mechanism succeeds. In the case of the TOR browser, for instance, attempts to read a canvas will always be handled as though the canvas is all opaque white. This does prevent the attacker from learning anything useful about font rendering peculiarities or other quirks of your environment's canvas implementation; but it's also a behavior that, for the moment at least, only the TOR browser has. Relatively uncommon. Possibly less common than the result that you'd receive from an unmodified browser.

That's the nasty thing about fingerprinting attacks. Fabricating or refusing to return many types of identifying information is relatively easy (at least once you know that attackers are looking for them); but unless you lie carefully, your fake data may actually be less common (and thus more trackable) than your real data.

Identical devices (1)

ameen.ross (2498000) | about 3 months ago | (#47506693)

I can see the privacy implications this has, but how in the world would such a method successfully discern between 2 identical devices?

Re:Identical devices (1)

ameen.ross (2498000) | about 3 months ago | (#47506737)

Especially in corporate environments it's rather common to buy devices in bulk. They are often maintained by IT staff, ensuring the software stack installed on it is identical as well. Not to mention the external IP addresses.

Re:Identical devices (1)

Carewolf (581105) | about 3 months ago | (#47506741)

It doesn't. It also has trouble detecting two identical versions of firefox. This only really works as a few more bits to existing fingerprint frameworks.

Re:Identical devices (4, Informative)

RKThoadan (89437) | about 3 months ago | (#47506795)

It looks like the technical details would be found in this link: http://cseweb.ucsd.edu/~hovav/... [ucsd.edu]

In that first article the CEO of AddThis says that "It's not uniquely identifying enough" and the guy who originally developed it says it's only 90% accurate.

Re:Identical devices (1)

CastrTroy (595695) | about 3 months ago | (#47506827)

Yeah, especially on tablets and laptops where people generally don't (or can't) update the hardware at all. I would have to say that it's just yet another piece of identifying information. Combine it with all the other pseudo identifiers like user agent strings and font lists and you can narrow down the number of collisions quite quickly. Also, it's probably another thing that varies from time to time, which allows you to double count people and drive up visitor counts to increase your worth to advertisers.

Re:Identical devices (1)

BasilBrush (643681) | about 3 months ago | (#47506835)

It can't. But that doesn't make it useless. There's a lot of variety out there. In a test out of 200 and some samples, it comes up with over a hundred different fingerprints.

It could be used if you want to differentiate when a known user (via account or other method) is using different devices. As a user is extremely unlikely to use 2 separate but identical computers.

It could be used in combination with other fingerprinting techniques to get closer to cookie levels of ID.

You might not care whether you get down to a single user. Hashing clients into buckets might serve your purposes.

Re:Identical devices (1)

tepples (727027) | about 3 months ago | (#47507065)

As a user is extremely unlikely to use 2 separate but identical computers.

Not even two iPads in a household?

Re:Identical devices (4, Interesting)

Charliemopps (1157495) | about 3 months ago | (#47507039)

I can see the privacy implications this has, but how in the world would such a method successfully discern between 2 identical devices?

I work with marketing software on and off. There are thousands of data points collected when you visit a site that cares enough to ID you. This would be just one. If this ID narrows the device down to 10 or so... and they also have date stamps, general location data based on your IP, browser type, etc? They can ID you specifically, pretty easily. I've not seen this particular method come up myself... in fact, most of the time the ways the marketing software ID's you is irrelevant to the site owner. They just buy the software and install it. Done. The general doesn't care that there's 1 new landmine in his arsenal when he's already blanketed the field with thousands of them.

Also, you need to understand the goal here... they don't care who you are. They just want to know that you are visitor 52467, and all the other times you were here you looked at products X, P and Q so they can display more information on those products. They also salt the site with "Free" offers that all you need to claim them is to input your contact information. Once you do that they link that contact information to your browsing history and shoot it over to a salesman and/or send you a personally designed advertisement to your email.

This may all sound dumb and horribly invasive... but it's amazingly successful. There is absolutely no way these companies would give it up voluntarily. Many of them wouldn't be in business without that sort of data... I'm not even sure you'd like it if it were gone. Getting ads is annoying, getting ads for African American hair styling products when you're a redhead is infuriating. Targeted ads are a good thing, it's the completely unaddressed side effects of that data collection that's a problem.

What needs to happen is laws governing how long the data can be kept need to be passed. As of now, it's kept forever as far as I know... because... well, why not? And who the data is shared with needs to be regulated. The intercooperation of these companies is pretty scary. Amazon should not know what I'm searching for on WebMD, and the fact of the matter is, as of now, pretty much every major site you visit is sharing data with every other site you visit for mutual profit. This likely includes government websites. I've seen the marketing companies brag about their government contracts so that's a tad scary. Lastly, pretty much all regulation is not-so-cleverly avoided by simply changing the tech. The regulation needs to be broad and easy to understand. As of now they do things like "Well, that's not a person, that's a device!" or "Is that really data?" etc... Bill Clinton word style play shouldn't absolve you of negligence.

No it is not infuriating (2)

aepervius (535155) | about 3 months ago | (#47507387)

"Getting ads is annoying, getting ads for African American hair styling products when you're a redhead is infuriating"

No it isn't for most people, because we got used to this a LOT with TV. TV nearly never showed us advertising targeted for us specifically but more to a watcher class. But you know to whom it is infuriating to not target ads? Marketing people. Because targeted ads means a better probability to transform an ad into a sale. In fact if marketing people could totally break our privacy and put cameras everywhere to enhance their probability to higher level, they would do it, and pretend people like it. That's justification post hoc. They enable most marketing people to never discuss their own moral and ethical choice. Just pretend people like it and are infuriated when ads are not targeted to them. As opposed to being totally creeped out.

Re:No it is not infuriating (0)

Anonymous Coward | about 3 months ago | (#47507793)

Actually, to me it is infuriating, which is why I stopped watching TV. I get sick of seeing ads for cars when I live in a major urban area and use cars, I see ads for cheeseburgers, sugary cereal and other junk I don't eat and of course the political campaign ads where there is no chance I will vote for the guy. What I much prefer to that is how on the internet when I go to Google Finance they show me new arrivals from a clothing store I like. If it looks good I might even click through and check it out. I'd rather see ads for jeans I like than ads for car insurance I have no use for.

Re:Identical devices (1)

gstoddart (321705) | about 3 months ago | (#47507609)

Targeted ads are a good thing

So says you.

I don't give a shit about someone's ads, targeted or not. I'm not interested in them, and I will block them at every chance I get, as well as the ability to collect enough information to target me.

You want to let them give you targeted ads, fine, no problem. That's your choice.

I trust neither regulators to get this right (because so far their ability to regulate anything technology related is abysmal), nor do I trust the corporations to not try to ignore it.

If they don't have your data, they can't misuse it.

Re:Identical devices (1)

sjames (1099) | about 3 months ago | (#47507741)

they don't care who you are.........They also salt the site with "Free" offers that all you need to claim them is to input your contact information. Once you do that they link that contact information to your browsing history and shoot it over to a salesman and/or send you a personally designed advertisement to your email.

So in other words, they very much care who I am.

Getting targeted ads is creepy. It's like having my own 24/7 personal stalker. I notice the advertisers often aren't that anxious to share their own details with me. Too often, they can't even manage to be honest about the products they're advertising.

I would rather get ads for irrelevant products and services. Or just ads that are relevant in a generic sort of way based on a few demographic observations.

Privacy Badger (4, Informative)

cmdr_tofu (826352) | about 3 months ago | (#47506695)

I guess this is probably the best place to plug privacy badger https://www.eff.org/privacybad... [eff.org] (although I'm not sure if it would defeat this... noscript + privacy badger?)

I just learned about privacy badger 2 days ago at HOPE.

Re:Privacy Badger (3, Informative)

just_another_sean (919159) | about 3 months ago | (#47506787)

Yes, Privacy Badger is a great tool. It's a little tedious when loading content from CDN's, can make pages look pretty bad unless you let a little tracking in... So I also keep my privacy set to delete everything when I close the browser. I also follow the guidelines here [debian.org] ( Scroll down to the Web Browser section ). It's Debian specific but easily translated to whatever mozilla based browsing experience you're using.

As mentioned in the HowTo you can check your "fingerprint" here: https://panopticlick.eff.org/ [eff.org] .

And all that said, I have no idea at the moment if any of the above defeats the technique from TFA.

Re:Privacy Badger (1)

Anonymous Coward | about 3 months ago | (#47507243)

As mentioned in the HowTo you can check your "fingerprint" here: https://panopticlick.eff.org/ [eff.org] .

Ok, dum de dum...clicky clicky...

'Your browser fingerprint appears to be unique among the 4,309,928 tested so far.'

This is either an 'oh bugger' moment, or lol...

(I don't know which at present)

Re:Privacy Badger (1)

just_another_sean (919159) | about 3 months ago | (#47507415)

Although a bit of a long read, the article about the data collected and what the stats mean is pretty helpful. And unique among 4.3M is pretty bad. It means you are easy to identify and track.

What the results mean (PDF): https://panopticlick.eff.org/b... [eff.org]

Re:Privacy Badger (1)

Cloud K (125581) | about 3 months ago | (#47507579)

Mine says: "Your browser fingerprint appears to be unique among the 4,310,202 tested so far."

Oh bugger indeed.

But seriously it's always been like that whenever I've tried it - even without the huge fingerprinting effect of the browser plugin reporting (I tried it with a completely fresh OS installation), in many cases just the combination of user agent and screen size - both reported in the HTTP headers - is unique. You might possibly blend in using some version of IE on Windows 7 on a 1024x768 or 1080p display, if you're lucky. There's been some discussion around making User-agent a bit less specific http://www.wilderssecurity.com... [wilderssecurity.com]

Also quite interesting is that if you block as much as possible with something like noscript (which I found rather impractical to use, incidentally - CDNs are a genius idea when it comes to tracking people as it's easy to just get fed up of deciding whether you want each site to work properly and have the fonts required to display menus properly etc and just unblock all the CDNs - in the end I figured I might as well just remove noscript) then you're in a highly privacy conscious minority and therefore potentially even more unique. Sort of a black hole.

Re:Privacy Badger (0)

Anonymous Coward | about 3 months ago | (#47506833)

(although I'm not sure if it would defeat this... noscript + privacy badger?)

From https://www.eff.org/privacybadger#how_does_it_work [eff.org]

At a more technical level, Privacy Badger keeps note of the "third party" domains that embed images, scripts and advertising in the pages you visit. If a third party server appears to be tracking you without permission, by using uniquely identifying cookies to collect a record of the pages you visit across multiple sites, Privacy Badger will automatically disallow content from that third party tracker. In some cases a third-party domain provides some important aspect of a page's functionality, such as embedded maps, images, or fonts. In those cases Privacy Badger will allow connections to the third party but will screen out its tracking cookies.

That's an absolutely certain "Maybe".

Re:Privacy Badger (1)

BasilBrush (643681) | about 3 months ago | (#47506855)

It doesn't solve the problem as yet. From the FAQ:

"Currently, Privacy Badger does not prevent browser fingerprinting, of the sort we demonstrated with the Panopticlick project. But we will be adding fingerprinting countermeasures in a future update!"

Also it only supports Firefox and Chrome.

Torbrowser however does prevent canvas fingerprinting.

Re:Privacy Badger (0)

Anonymous Coward | about 3 months ago | (#47506867)

Interesting. I was wondering what was the point of using it over Ghostery and similar until I read the FAQ.

It's dynamic. If a resource on one site is triggered and tracked on another, boom it's added to blocking.

Ad Blocking Is Self Defense (0)

Anonymous Coward | about 3 months ago | (#47506707)

Browsers should offer an option to block all third party content. And idiot webmasters need to stop loading their Javascript libraries from Google.

Re:Ad Blocking Is Self Defense (1)

Fruit (31966) | about 3 months ago | (#47507031)

You can do this in Firefox using the RequestPolicy plugin [mozilla.org] .

Re:Ad Blocking Is Self Defense (1)

tepples (727027) | about 3 months ago | (#47507073)

And idiot webmasters need to stop loading their Javascript libraries from Google.

Then from whose shared CDN should webmasters load JavaScript libraries in order to become not idiots?

Re:Ad Blocking Is Self Defense (1)

Anonymous Coward | about 3 months ago | (#47507469)

There is absolutely no sane reason for loading anything that your site relies on from anything but your own domain (and your own servers). It may seem hip and all cloudy to do so, but it's a really useless thing to do. No, you do not save on bandwidth that way. No, your site does not load faster that way. No, serving those libraries is not the burden that overloads your server. You save bandwidth by not loading dozens of scripts per page, some of which intentionally prevent caching. You make your site load faster by not loading dozens of scripts per page from dozens of domains, which take extra DNS lookups and HTTP connections and obviously burden the client browser for no benefit. You reduce the load on your server by not making every goddamn page dynamic even though the actual content never changes.

Occasionally I need to use a computer which doesn't have Adblock: I find the experience shockingly unbearable. How anyone can use the web like that is beyond me. If I were forced to use the web without extensive blocking and rewriting, I'd find a remote plot of land to live off and never touch a computer again. I could never work in web design. I'd go postal within the first month, not primarily because what these people do is despicable, morally corrupt and borderline criminal, no, because these people take systems with unprecedented processing power and fail to make them more useful than a piece of printed paper. Bloody idiots! If everybody who has ever knowingly added tracking scripts to a website died in a freak accident tomorrow, the world of web design would not be set back one bit.

... until everyone does it (1)

tepples (727027) | about 3 months ago | (#47507539)

Without advertisements, how should people who provide information to the public over the Web for a living feed themselves? Not every site is a New York Times or Wall Street Journal that can get away with a paywall.

Re:... until everyone does it (0)

Anonymous Coward | about 3 months ago | (#47507735)

they should get a job

Re:Ad Blocking Is Self Defense (0)

Anonymous Coward | about 3 months ago | (#47507279)

It's normal practice to use a separate domain for static content. This reduces cookie data getting passed to servers that only host up static content.

Re:Ad Blocking Is Self Defense (0)

Anonymous Coward | about 3 months ago | (#47507709)

Boohoo, cookie data, all hundred bytes of it. My "dont-track-me-bastards" header is longer than all the cookie data you NEED. What you mean is that idiot web authors have cookie diarrhea and somehow try to contain the shit flood instead of treating the cause. And then they load half a megabyte of uncached graphics just for the ads. WTF is wrong with you people?

Yet another reason to turn off Ecmascript (1)

Arker (91948) | about 3 months ago | (#47506713)

Not like another was needed, but there you go.

Re:Yet another reason to turn off Ecmascript (1)

BasilBrush (643681) | about 3 months ago | (#47506859)

You'll do precious little on the internet without Javascript.

Re:Yet another reason to turn off Ecmascript (1)

gstoddart (321705) | about 3 months ago | (#47506933)

But being able to selectively disable it and block certain sites definitely helps.

You don't need to run the scripts for each of the 15 or so trackers in every page, just the ones which actually are needed.

Admittedly, in a few cases, they've made it more or less impossible to do anything unless you allow the 3rd parties.

In that case, the back button works just fine.

Re:Yet another reason to turn off Ecmascript (1)

StripedCow (776465) | about 3 months ago | (#47506909)

People who have Javascript disabled are the Amish of the internet.

Re:Yet another reason to turn off Ecmascript (3, Insightful)

ArcadeMan (2766669) | about 3 months ago | (#47506945)

Yeah, but the Amish also don't receive telemarketing calls or email spam.

Re:Yet another reason to turn off Ecmascript (1)

gstoddart (321705) | about 3 months ago | (#47506981)

Lucky bastards.

Re:Yet another reason to turn off Ecmascript (2)

Arker (91948) | about 3 months ago | (#47507137)

Not really. The Amish reject technology across the board, whether useful or not. People that are on the internet are obviously not rejecting technology across the board - javascript-in-the-browser is a single, very problematic technology, which is responsible for the vast majority of computer infections.

So no, people that do not allow javascript are not much like the Amish of the internet. We are more like the 'people who know how to use condoms' of the internet.

Re:Yet another reason to turn off Ecmascript (1)

BasilBrush (643681) | about 3 months ago | (#47507219)

More like the celibate of the internet. Less chance of infections but no fun either.

Re:Yet another reason to turn off Ecmascript (0)

Anonymous Coward | about 3 months ago | (#47507357)

I assure you, porn is still available without cookies or Javascript.

Re:Yet another reason to turn off Ecmascript (1)

StripedCow (776465) | about 3 months ago | (#47507259)

But the Amish *do* use technology: hammers, nails, rakes, plows, et cetera are all technology.

We are more like the 'people who know how to use condoms' of the internet.

The most effective way of spreading your beliefs is to preach *not* to use condoms.
This can be confirmed by many religious leaders.
Just sayin.

Re:Yet another reason to turn off Ecmascript (1)

Junta (36770) | about 3 months ago | (#47507459)

Not really. The Amish reject technology across the board, whether useful or not.

Actually, at least for a lot of Amish this isn't the case. For example, many Amish communities will have phones. They may relegate them to emergency and/or communal space use because they don't think it's good for private family time to be disrupted by a phone call. They reject grid power but do use batteries and generators. They use LED flashlights and buggy lights rather than burning lamps in many cases. They use cash registers, alarm clocks, and even power tools to some extent.

Sure, they are a lot more reluctant about technology and they believe a lot of family and social values are threatened by wanton use of technology, but they do partake of some key technology benefits.

Random.. or AntiRandom (0)

Anonymous Coward | about 3 months ago | (#47506743)

So, a canvas randomizer is needed, isn't it? Or a means to get many, many machines to all appear identical.

Re:Random.. or AntiRandom (1)

fuzzyfuzzyfungus (1223518) | about 3 months ago | (#47507239)

So, a canvas randomizer is needed, isn't it? Or a means to get many, many machines to all appear identical.

Unfortunately, since this technique is almost certainly being used alongside a suite of others, it's tricky to know what tactic is most privacy-maximizing. Canvas randomization would ensure that your browser's canvas fingerprint does not remain stable; but if the attacker is able to determine that you are randomizing(by making multiple runs, possibly even from different domains, that ought to be identical but won't be if your canvas is randomized), that may also be a behavior distinctive enough to be useful.
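The point made in this comment about detectable randomization, together with the same poster's earlier point ("Not entirely clear.") that a blanked canvas can be rarer than a real one, worked through as an added example that is not part of the original posts. The pixel arrays, population counts and function names are constructed for illustration; each way of handling a canvas read is treated as an observable value whose rarity is measured in bits.

```javascript
// Added example. Pixel arrays and population counts are constructed for
// illustration; they are not measurements from the paper or from Panopticlick.

// FNV-1a over the RGBA bytes, standing in for whatever digest a script
// computes over a canvas readback.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) {
    h = Math.imul(h ^ b, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// True when every byte is 255, i.e. every pixel is opaque white, the readback
// the thread describes for a browser that blanks canvas reads.
function isOpaqueWhite(rgba) {
  return rgba.length > 0 && rgba.every((b) => b === 255);
}

// What a page can tell after requesting the same drawing several times:
//   blank    - reads are blocked and replaced by white
//   unstable - reads differ between runs (per-read randomization)
//   stable   - reads are identical, so the digest works as an identifier
function observe(readbacks) {
  if (readbacks.length < 2) throw new Error('need at least two readbacks');
  if (readbacks.every(isOpaqueWhite)) return { kind: 'blank', value: 'blank' };
  const digests = new Set(readbacks.map((r) => fnv1a(r)));
  if (digests.size > 1) return { kind: 'unstable', value: 'unstable' };
  return { kind: 'stable', value: [...digests][0] };
}

// Anonymity-set size and surprisal (bits of identifying information) of one
// observed value in a population that maps value -> number of visitors.
function rarity(value, population) {
  let total = Object.values(population).reduce((sum, n) => sum + n, 0);
  let count = population[value] || 0;
  if (count === 0) { // never seen before: this visitor is the only member
    count = 1;
    total += 1;
  }
  return { anonymitySet: count, bits: -Math.log2(count / total) };
}

function assess(readbacks, population) {
  const seen = observe(readbacks);
  return { ...seen, ...rarity(seen.value, population) };
}

// Constructed 4-pixel readbacks. STOCK_B differs from STOCK_A in one grey
// level, as two rendering stacks might; the NOISY arrays are STOCK_A with
// different noise added on each read.
const STOCK_A = Uint8Array.from(
  [0, 0, 0, 255, 118, 118, 118, 255, 255, 255, 255, 255, 31, 31, 31, 255]);
const STOCK_B = Uint8Array.from(STOCK_A, (b, i) => (i === 4 ? 121 : b));
const BLANK = new Uint8Array(16).fill(255);
const NOISY_1 = Uint8Array.from(STOCK_A, (b, i) => (i === 4 ? b + 1 : b));
const NOISY_2 = Uint8Array.from(STOCK_A, (b, i) => (i === 4 ? b + 2 : b));

// Constructed population of 8192 visitors.
const POPULATION = {
  [fnv1a(STOCK_A)]: 4096, // a very common stock configuration
  [fnv1a(STOCK_B)]: 2048,
  others: 2024,           // every other rendering, lumped together
  blank: 16,              // visitors whose browser blanks canvas reads
  unstable: 8,            // visitors whose reads change on every run
};

function report() {
  return {
    unmodified: assess([STOCK_A, STOCK_A, STOCK_A], POPULATION),
    blanked: assess([BLANK, BLANK, BLANK], POPULATION),
    randomized: assess([NOISY_1, NOISY_2, NOISY_1], POPULATION),
  };
}

console.log(report());
```

In this constructed population the unmodified browser hides among 4096 visitors, while the blanking and randomizing browsers fall into sets of 16 and 8: the mitigation removes the rendering detail but adds a rarer signal of its own.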

Coloring my World View (0)

Anonymous Coward | about 3 months ago | (#47506751)

Like other tracking tools, canvas fingerprints are used to build profiles of users based on the websites they visit — profiles that shape which ads, news articles, or other types of content are displayed to them.

So, I'm being spoon fed news articles that this software chooses because it "thinks" that's what I want to see?!

I read the news to understand and learn the facts as best as I can. It's bad enough that I have to deal with the intended and unintended bias of editors - but to just see what someone THINKS I want to see?

No wonder people are so uninformed! And it turns out that I am one of them!

So... (0)

Anonymous Coward | about 3 months ago | (#47506797)

...another wet dream for GCHQ and the NSA.

Why can't a browser do what I say? (0)

Anonymous Coward | about 3 months ago | (#47506803)

Is there any way to configure a browser to do the following?:

First: When I visit a website, say www.slashdot.org, it fetches the page from that domain and NO OTHER. Why in the world is it fetching stuff from God knows where else that I did not tell it to just because the page I'm fetching links to it some how?

Second: Of course if browsers did that then soon the objectionable crap would come down the pipe via the server on the domain I'm visiting. So we need a database, like dns that lists all crappy and underhand web sites. Something we can all contribute to. When I follow a link to one I can be warned and proceed accordingly.

Third: I'm not sure what else we need but the above would be a good start.

Currently it seems web browsers and web standards are designed to let people fuck with the user.

Re:Why can't a browser do what I say? (0)

Anonymous Coward | about 3 months ago | (#47506837)

Right, because it isn't like said database would be useless on the day it went up as a combination of trolls (asshats), SEO types (blackhats), and competitors (acting as asshats) would submit all sorts of legitimate sites in order to get people not to visit them. Oh, wait - no, that's exactly what would happen.

Re:Why can't a browser do what I say? (0)

Anonymous Coward | about 3 months ago | (#47507163)

Hmm, it sounds like you've got a fundamental misunderstanding of how the Internet operates.

Not a replacement for a cookie (1)

loonycyborg (1262242) | about 3 months ago | (#47506805)

There's just no way it could identify a particular device. A particular kind of device at most. And even then it wouldn't be very reliable.

what bullshit! (0)

Anonymous Coward | about 3 months ago | (#47506825)

Harris said the company considered the privacy implications of canvas fingerprinting before launching the test, but decided “this is well within the rules and regulations and laws and policies that we have.”

And their policy is that they don't give a fuck about your privacy. Typical corporate PR bullshit - lie without lying.

He added that the company has only used the data collected from canvas fingerprints for internal research and development. The company won’t use the data for ad targeting or personalization if users install the AddThis opt-out cookie on their computers, he said.

"Opt-out" - cookie?

Fuck you, asshole. Advertising sack of shit.

And this ... (1)

gstoddart (321705) | about 3 months ago | (#47506841)

And this is why my browsers have as many privacy extensions as I can find.

AddThis is definitely one of the sites which are blocked.

If you let your browser load all of this crap, you are more or less asking for this garbage.

I don't care about your business model, I'm simply not going to allow your crap to load.

Re: And this ... (3, Funny)

Anonymous Coward | about 3 months ago | (#47506995)

NSA Guy 1: Hey, there's that one guy that shows up as a black hole on the Internet.
NSA Guy 2: He is up a little early, isn't he?
NSA Guy 1: Yeah, he usually doesn't post his slashdot privacy rants until after browsing those "furry" sites for a half hour or so.
NSA Guy 2: He must not be in the mood.

Re: And this ... (1)

gstoddart (321705) | about 3 months ago | (#47507081)

NSA Guy 1: Hey, there's that one guy that shows up as a black hole on the Internet.

Oh, I very much doubt I'm anywhere near as successful as that.

NSA Guy 1: Yeah, he usually doesn't post his slashdot privacy rants until after browsing those "furry" sites for a half hour or so.

Only on weekends or when the wife is out of town.

Seriously though, it's your privacy. Nobody else is gonna protect it for you.

NoScript blocks it, according to its creator (1)

Anonymous Coward | about 3 months ago | (#47506885)

Giorgio Maone says NoScript blocks "canvas" tracking:

https://twitter.com/ma1/status... [twitter.com]

Why does this work (2)

Cley Faye (1123605) | about 3 months ago | (#47506967)

Instead of focusing on the privacy issue, I'm more curious about why "different computer draws the image slightly differently". Browsers are supposed to provide abstraction from the machine, and the same scripts run on different computers are supposed to behave in the same way. At most, it could tap into things like the user id, but shouldn't have access to more than that.

Re:Why does this work (2)

Puff_Of_Hot_Air (995689) | about 3 months ago | (#47507047)

Different drivers, OS's, web browsers, GPU's etc all have slight effects when asked to render something onto the canvas. The trick is that the raw resultant bits can then be captured trivially using getImageData() and then sent back to the tracker site (after hashing or what have you to reduce the size). It'll render the same way every time on your machine, but will differ to someone else's. (Showing my age here), kind of like how you could easily see the difference between the old Voodoo and TNT2 graphics card by how they rendered.

Re:Why does this work (1)

Cley Faye (1123605) | about 3 months ago | (#47507157)

Yes, but there are so many layers that are supposed to smooth out the hardware differences:

  • canvas operations are raster-based and lossless
  • browser scripts (either ecmascript or another) should provide consistent execution: whatever the underlying hardware, if I ask JavaScript to draw a circle with (x,y) center and r radius, the result should be predictable, and not hardware dependent
  • even considering that browsers use "hardware acceleration" as a way to speed things up, there is still at least one layer between the software and the hardware (either an opengl driver, or some other monstrosities drivers) that *should* provide reproducible, consistent results with various hardware

Now, I perfectly understand why neither the browser, the OS API, nor the driver would bother to provide perfect results: we're trading performance for accuracy. After all, if I draw my circle with 0.1 pixel of error, it will look good because of antialiasing. But I still think that software results that are independent of external input should not vary from one hardware to another. There is only one good output for a deterministic software function when always providing the same input.

Imagine the horror if different processors would return different values when computing 1/0.999 just because they have different hardware (oh wait, this one kinda happened :D)

Re:Why does this work (1)

Puff_Of_Hot_Air (995689) | about 3 months ago | (#47507285)

Well, if all factors are equal it doesn't vary, otherwise every run on the same machine would vary and it would be useless. The point is that there are enough differing variables between machines that it becomes useful for fingerprinting (and also for identifying specific hardware/driver/os/browser signatures). It would be used in conjunction with other techniques in practice I am sure.

Can't draw a circle on a square grid (1)

tepples (727027) | about 3 months ago | (#47507483)

if I ask JavaScript to draw a circle with (x,y) center and r radius

This is impossible to do exactly on a square grid of pixels. All a raster device can do is approximate a circle. Edge anti-aliasing is underspecified, I believe deliberately, to allow devices to implement the most appropriate AA method for the platform.

But I still think that software results that are independent of external input should not vary from one hardware to another. There is only one good output for a deterministic software function when always providing the same input.

And then we're back to the slowness and increased battery consumption of software rendering. Should all browsers default to a bit-perfect reference renderer and require the use of obscure configuration interfaces to enable hardware acceleration?

Imagine the horror if different processors would return different values when computing 1/0.999 just because they have different hardware

Before the standardization on 32-bit and 64-bit IEEE 754 floating point, this was the rule. Different platforms had different precisions and different rounding guarantees.

Re:Why does this work (1)

BUL2294 (1081735) | about 3 months ago | (#47507101)

I agree--I just don't see how this is the case. Sure, one person's Cleartype settings would be different from another's, so are we saying that the exact subpixel rendering is calculated? The article also mentions fonts installed... So, if I add a font, or a font like Arial Unicode gets updated (e.g. install a new version of MS-Office), my CANVAS fingerprint is now different/broken?

The claim of 90% accuracy for PCs is, shockingly, quite high... But if tablets & mobile devices have problems with this and PCs don't, something don't smell right. So, is this trick working on a somehow poor implementation of CANVAS--that somehow creates different images on different PCs--but the same image on the same PC? What about a PC running Firefox vs. the same PC running Firefox in a VM (same OS or different OS)?

Re:Why does this work (0)

Anonymous Coward | about 3 months ago | (#47507845)

It's simple really: People have different vector drawing libraries. They have different monitors with different resolutions, different graphics drivers, versions of those drivers, and settings for those drivers.

Anti-aliasing is somewhat of a dark art, and the specs generally allow many ways of doing it. So if a pixel is halfway between value 0x00 and 0xFF, values of about 0x70 to 0x90 are probably all equally valid according to the specs, and all equally likely to be produced depending on settings.
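The anti-aliasing point made in this sub-thread, as an added example that is not part of any comment: the same circle rasterized with two equally defensible coverage estimates, then hashed. Both strategies, the grid size and every name are constructed for the illustration and are not any real browser's renderer; FNV-1a stands in for the hash applied to the pixel data.

```javascript
// Added illustration: two constructed anti-aliasing strategies for one circle.
// Neither is any real browser's renderer; names and sizes are hypothetical.
const SIZE = 16, CX = 8, CY = 8, R = 5.5;

// Strategy A: coverage = share of an n x n grid of sub-samples inside the circle.
function supersample(n) {
  return (x, y) => {
    let inside = 0;
    for (let i = 0; i < n; i++) {
      for (let j = 0; j < n; j++) {
        const sx = x + (i + 0.5) / n, sy = y + (j + 0.5) / n;
        if (Math.hypot(sx - CX, sy - CY) <= R) inside++;
      }
    }
    return inside / (n * n);
  };
}

// Strategy B: coverage from the pixel centre's signed distance to the edge.
function distanceRamp(x, y) {
  const d = R - Math.hypot(x + 0.5 - CX, y + 0.5 - CY);
  return Math.min(1, Math.max(0, d + 0.5));
}

// Rasterize to a single 8-bit channel (a real canvas readback carries RGBA).
function render(coverage) {
  const px = new Uint8Array(SIZE * SIZE);
  for (let y = 0; y < SIZE; y++)
    for (let x = 0; x < SIZE; x++)
      px[y * SIZE + x] = Math.round(255 * coverage(x, y));
  return px;
}

// 32-bit FNV-1a over the bytes, standing in for the hash of the pixel data.
function fingerprint(px) {
  let h = 0x811c9dc5;
  for (const b of px) { h ^= b; h = Math.imul(h, 0x01000193) >>> 0; }
  return h.toString(16).padStart(8, '0');
}

// Count differing pixels and check that disagreement is confined to edges.
function compare(a, b) {
  let differing = 0, maxDelta = 0, solidMismatch = 0;
  for (let i = 0; i < a.length; i++) {
    const delta = Math.abs(a[i] - b[i]);
    if (delta) differing++;
    if (delta === 255) solidMismatch++; // fully inside in one, outside in the other
    maxDelta = Math.max(maxDelta, delta);
  }
  return { differing, maxDelta, solidMismatch };
}

const imgA = render(supersample(4)), imgB = render(distanceRamp);
console.log(compare(imgA, imgB), fingerprint(imgA), fingerprint(imgB));
```

The edge pixel at (8, 2) comes out as 0x80 under one strategy and 0x7a under the other, inside the 0x70 to 0x90 band mentioned above, while interior and exterior pixels agree. Each strategy reproduces its own output exactly on every run, which is what makes the hash stable per machine and different between machines.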

Rounding differences (2)

tepples (727027) | about 3 months ago | (#47507113)

I'm more curious about why "different computer draws the image slightly differently".

Slight rounding differences, shape edge antialiasing behavior, font antialiasing behavior, installed fonts, and the like are the big ones I can think of. HTML5 Canvas behavior isn't specified down to the bit level.

Re:Rounding differences (1)

Cley Faye (1123605) | about 3 months ago | (#47507173)

I'm more curious about why "different computer draws the image slightly differently".

Slight rounding differences, shape edge antialiasing behavior, font antialiasing behavior, installed fonts, and the like are the big ones I can think of. HTML5 Canvas behavior isn't specified down to the bit level.

Maybe it should. Providing an API and saying "it kinda works like this, most of the time, your mileage may vary" doesn't sound very good.

Re:Rounding differences (1)

tepples (727027) | about 3 months ago | (#47507503)

If Canvas were bit-specified, rendering would in many (or perhaps most) cases have to be done in software, which is slow and battery-consuming on mobile and on low-end laptops. There's a reason that native computer games have been requiring a GPU for the past decade and a half.

In the paper... (1)

thieh (3654731) | about 3 months ago | (#47506991)

The following passage is found in the paper:

The easiest effective defense, then, is to simply require user approval whenever a script requests pixel data. Modern browsers already implement this type of security - for example, user approval is required for the HTML5 geolocation APIs. This approach continues the existing functionality of <canvas> while disallowing illegitimate uses, at the cost of yet another user-facing permissions dialog.

Does that sound like lack of common sense or...? I would imagine that the user is the most vulnerable link of the entire system. Permission dialogs never work as a security sanity check because people simply click ok/yes/agree most of the time. Or the web site can withhold data until the user agrees to pixel extraction.

Re:In the paper... (0)

Anonymous Coward | about 3 months ago | (#47507529)

Whenever a script wants to read pixel data from a canvas, it should be required to request that capability beforehand and the browser should switch to a strictly defined invariable software renderer.

It's not "new" (2)

Crayon Kid (700279) | about 3 months ago | (#47507043)

The paper "Pixel Perfect: Fingerprinting Canvas in HTML5" [ucsd.edu] by Keaton Mowery and Hovav Shacham is from 2012.

Re:It's not "new" (1)

Bite The Pillow (3087109) | about 3 months ago | (#47507865)

Were you trying to hide it from us? Or did you think we all read the same things you do?

For the future, what's the cutoff for new? 6 months? 1 month? What percentage of people can know something before it stops being new?

Oh, sod it. Quit yer bitchin.

Requires javascript (0)

Anonymous Coward | about 3 months ago | (#47507057)

All of the related articles seem to assume that javascript is enabled. The drawing function uses script. Anyone who routinely enables javascript is not serious about either privacy or security online.

Re:Requires javascript (1)

tepples (727027) | about 3 months ago | (#47507147)

How would one go about using webmail without JavaScript? In a lot of situations, it's either webmail or no mail at all because the administrator of the machine you're using won't let you install your own MUA.

Re:Requires javascript (0)

Anonymous Coward | about 3 months ago | (#47507197)

All of the related articles seem to assume that javascript is enabled. The drawing function uses script. Anyone who routinely enables javascript is not serious about either privacy or security online.

...or is someone who uses the Internet post-1995.

Confusing things together (4, Informative)

Dan East (318230) | about 3 months ago | (#47507099)

The research paper discusses two entirely different things: Canvas fingerprinting, and "Evercookies & Respawning", which are two entirely different things. Canvas fingerprinting is just another method of trying to determine which browser the user is running, by looking at differences in the way the canvas renders text and the like. "fingerprinting doesn’t work well on mobile" because of the homogeneous nature of mobile devices - 90% of iOS devices are running version 7.1, for example, so they are all using the same web browser version and rendering code, thus they are going to draw canvas fingerprints exactly the same. Nothing in the research article says anything about canvas fingerprinting being used to track people.

Now the other topic "Evercookies & Respawning" is about tracking users. That is using multiple storage vectors to try and keep users from deleting cookies. For example, using tiny hidden Flash apps which have their own caching, actual cookies, HTML5 persistent storage, embedding unique identifiers directly in the HTML so when the cached page is pulled up the identifier is once again active.

So at this point canvas fingerprinting isn't about tracking, but browser identification. The leap to "A New Form of Online Tracking: Canvas Fingerprinting", as described in the Pro Publica article:

A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.

First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.

Well that's completely wrong - the bold text should read "this type of tracking, called Evercookies & Respawning". The persistent tracking has nothing to do with the canvas fingerprinting. It's mainly due to Flash (which also explains why it too is ineffective on mobile devices).

Re:Confusing things together (0)

Anonymous Coward | about 3 months ago | (#47507827)

>It's mainly due to Flash (which also explains why it too is ineffective on mobile devices)

Thank god Steve Jobs banned Flash off iOS even though all you fucking know-it-all nerds whined and cried.

Tor browser (1)

Anonymous Coward | about 3 months ago | (#47507271)

I'm pretty sure the tor browser bundle has blocked these tags.

linux live key? (1)

jehan60188 (2535020) | about 3 months ago | (#47507359)

what about a linux "live key" ? don't people use those to avoid cookies?
would it help in this situation?

Pretty damn cool (0)

Anonymous Coward | about 3 months ago | (#47507583)

I think it's a pretty damn cool example of programmatic ingenuity. Makes me wonder what can be done with canvas to come up with things like new captcha techniques.
