New Web Tracking Technologies Defeat Privacy Protections
Recently developed Web tracking tools are able to circumvent even the best privacy defenses, according to a new joint study by researchers at Princeton University and the University of Leuven in Belgium. New technologies known as canvas fingerprinting, evercookies and cookie syncing are making it difficult for even sophisticated users to maintain their privacy, the study warned.
"A single lapse in judgment can shatter privacy defenses," the researchers wrote. The paper, titled "The Web never forgets: Persistent tracking mechanisms in the wild," claims to be the first large-scale study of the three new tracking techniques.
New Weapons in Privacy Arms Race
These newly developed trackers are difficult to control, detect, or defend against. Canvas fingerprinting, for example, uses the browser's own Canvas API to draw invisible images and extract a persistent, long-term fingerprint without the user's knowledge or consent. Over 5 percent of the top 100,000 Web sites employ canvas fingerprinting as part of their efforts to watch visitors' Web surfing habits, according to Internet measurement firm Alexa -- although only one company, AddThis, is responsible for 95 percent of the instances of the canvas technique. AddThis said on its blog that it was testing the new technology, and that it has subsequently disabled the code.
Cookie syncing, meanwhile, is the practice of tracker domains passing pseudonymous IDs associated with a given user, typically stored in cookies, amongst each other.
"Cookie syncing can greatly amplify privacy breaches through server-to-server communication," the study's authors said. "While Web privacy measurement has helped illuminate many privacy breaches online, server-to-server communication is not directly observable. All of this argues that greater oversight over online tracking is becoming ever more necessary."
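When the ID exchange described above passes through the browser, it can be seen from the client side: a value held in one domain's cookie appears in the URL of a request to a different domain. The following is an added example, not code from the study or the article, that flags that pattern in a constructed request log; the domains, cookie names, ID values and the 8-character ID threshold are assumptions.

```javascript
// Added example: flag cookie syncing visible in a browser request log.
// All domains, cookie names and ID values are constructed samples.
const MIN_ID_LENGTH = 8; // assumption: shorter values are too common to be IDs

// Simplification: the last two labels stand in for the owning domain;
// a real measurement would use the Public Suffix List.
function ownerDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// cookies: [{ domain, name, value }], requests: [{ url }]
function findCookieSyncs(cookies, requests) {
  const idOwners = new Map(); // ID-like cookie value -> domain that set it
  for (const c of cookies) {
    if (c.value.length >= MIN_ID_LENGTH) idOwners.set(c.value, ownerDomain(c.domain));
  }
  const syncs = [];
  for (const r of requests) {
    const u = new URL(r.url);
    const receiver = ownerDomain(u.hostname);
    // Tokenize path and query so IDs match whole values, not substrings.
    const tokens = safeDecode(u.pathname + u.search).split(/[^A-Za-z0-9_-]+/);
    for (const t of tokens) {
      const owner = idOwners.get(t);
      if (owner && owner !== receiver) syncs.push({ id: t, from: owner, to: receiver });
    }
  }
  return syncs;
}

const SAMPLE_COOKIES = [
  { domain: ".tracker-a.example", name: "uid", value: "a1b2c3d4e5f6" },
  { domain: "tracker-b.example", name: "bid", value: "zz99yy88xx77" },
  { domain: "news.example", name: "lang", value: "en" },
];
const SAMPLE_REQUESTS = [
  { url: "https://news.example/article?lang=en" },
  { url: "https://sync.tracker-b.example/match?partner=a&partner_uid=a1b2c3d4e5f6" },
  { url: "https://cdn.tracker-a.example/pixel.gif?uid=a1b2c3d4e5f6" }, // same owner
  { url: "https://tracker-c.example/in/zz99yy88xx77/p.gif" }, // ID carried in the path
];
console.log(findCookieSyncs(SAMPLE_COOKIES, SAMPLE_REQUESTS));
```

A check like this only sees IDs that travel through the browser; the server-to-server exchange the authors mention leaves nothing in such a log.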
With the third technique, evercookies, multiple storage vectors are used that are less transparent to users and may be more difficult to clear, according to the paper. "Evercookies provide an extremely resilient tracking mechanism, and have been found to be used by many popular sites to circumvent deliberate user actions," the study said.
Difficult to Defend
Users can defend against tracking using tools such as AdBlock Plus and Ghostery, which block third-party content, or by disabling evercookie storage vectors such as Flash cookies. However, other storage vectors used by the new techniques such as localStorage, IndexedDB and canvas cannot be disabled without breaking core functionality.
The only software the researchers found that successfully defended against techniques such as canvas fingerprinting was the Tor browser, which returns an empty image from all canvas functions that can be used to read image data. Both the Tor Browser Bundle and the Electronic Freedom Foundation's Privacy Badger were effective in countering cookie syncing.
However, even with effective tools to block the new tracking techniques, the level of user sophistication and effort required to employ them is prohibitively high. Users will have to be meticulous in their use of existing tools, the study concluded.
"The rapid pace at which new tracking techniques are developed and deployed implies that users must constantly install and update new defensive tools," the study said. "It is doubtful that even privacy-conscious and technologically savvy users can adopt and maintain the necessary privacy tools without ever experiencing a single misstep."
Posted: 2014-08-04 @ 3:36pm PT
This story is inaccurate. AddThis ran an internal R&D test and it's been over. There is not canvas fingerprinting on all those sites you list. You can get the facts from the AddThis blog: http://www.addthis.com/blog/2014/07/23/the-facts-about-our-use-of-a-canvas-element-in-our-recent-rd-test/#.U-AFS1ZRluY
Stop the BS:
Posted: 2014-07-22 @ 12:59pm PT
You do not need to "break core functionality." Just prevent tracking sites from running their consumer-hostile code on your machine. The RequestPolicy and NoScript extensions for Firefox are your friends, and Adobe Flash should have been considered consumer-hostile already many, many years ago (Steve Jobs was right).