Canvas Fingerprinting – Tracking You Can’t Block


Many websites use AddThis’ social media sharing tools to make it easy for their uses to share their pages, posts, etc to Facebook, Twitter, etc.

But that could soon change as researchers at Princeton have discovered the AddThis software may be installing a new type of online tracking that is shadowing visitors to thousands websites.

It’s called “canvas fingerprinting,” and can potentially follow users between sites even if they’ve disabled cookies or are using blocking software like Adblock Plus.

Canvas fingerprinting works by getting the browser to draw a hidden image, and using that image to track the unique properties of the browser. Every computer draws a slightly different image and therefore the images can be used to assign each user’s device a number that uniquely identifies it.

This method of tracking can’t be prevented by using standard Web browser privacy settings or using anti-tracking tools such as AdBlock Plus.

The Princeton researchers found the fingerprinting code on 5% of the top 100,000 websites and most of the code was on websites that use AddThis’ social media sharing tools.

Rich Harris, CEO of AddThis :-

We began testing canvas fingerprinting earlier this year as a possible way to replace “cookies,” the traditional way that users are tracked, via text files installed on their computers. We’re looking for a cookie alternative. We have considered the privacy implications of canvas fingerprinting before launching the test, but decided this is well within the rules and regulations and laws and policies that we have.

AddThis have since said they are considering ending the test soon. “It’s not uniquely identifying enough,” Harris said.

That’s unlikely to stop others persisting with canvas fingerprinting. Indeed the Tor Project added a feature to its privacy-protecting Web browser in June to notify users when a website attempts to use the canvas feature and sends a blank canvas image.

Ways to Block Canvas Fingerprinting

  • Use the Tor browser (but it’s slow)
  • Block JavaScript from loading in your browser (may break a lot of web sites)
  • Use the NoScript or ScriptSafe browser extension to block JavaScript from known fingerprinters such as AddThis (advanced users only). Check out our Top 5 tips for using Noscript before using this add-on.

PS: does NOT use the AddThis social media sharing software.

Updated: February 24, 2015 by PrivacyPulp

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top