One in 18 of the world's top 100 000 Web sites can track browsing information without a user's consent by using a previously undetected tracking mechanism embedded in "share" buttons, according to a new study by US-based Princeton University and Belgian-based University of Leuven.
According to the study, the cookie-like tracking ability, dubbed "canvas fingerprinting", uses "special scripts - the coded instructions that tell your browser how to render a Web site - to exploit the browser's so-called 'canvas', a browser functionality that can be used to draw images and render text".
The Belgian university notes in a statement that "when a user visits a Web site with canvas fingerprinting software, a first script tells the user's browser to print an invisible string of text on the browser's canvas. Another script then instructs the browser to read back data about the pixels in the (invisibly) rendered image."
Gunes Acar, one of the authors of the study, says the advanced tracking mechanism "misuses browser features to enable the circumvention of users' tracking preferences.
"We hope that our results will lead to better defences, increase accountability for companies deploying sticky tracking techniques and an invigorated and informed public and regulatory debate on increasingly resilient tracking techniques," he says.
Researchers claim the study provides the first large-scale investigation of the mechanism and is the first to confirm its use on actual Web sites.
System info
According to the study, the tracking mechanism also stores information about the user's browser type, graphics card, system fonts and even display properties. "Because this grouping of data is highly likely to be unique for each user, it can be reliably associated to individual users, like a fingerprint," researchers say.
They add that once a Web site has determined a device's fingerprint, it can easily recognise the user on subsequent site visits, much the same way cookies do. "But, while unwanted cookies can be flagged or blocked for online privacy, there is no available solution for doing so with fingerprints."
In the study, the researchers used automated "crawlers" to scan the world's top 100 000 Web sites for canvas fingerprinting scripts. They found the scripts on 5 542 of the Internet's top Web sites, a prevalence of 5.5%.
Culprit fingered
Researchers say they traced 95% of canvas fingerprinting scripts back to AddThis - a company described as one of the world's largest content sharing platforms providing free Web site plug-ins, including share buttons, follow buttons and content recommendation features.
"The company reaches an estimated 97.2% of Internet users in the US and receives 103 billion page views each month," says the University of Leuven.
Can users protect themselves against canvas fingerprinting? Acar and his colleagues studied the effect of ad-industry opt-out tools offered by the Network Advertising Initiative and the European Interactive Digital Advertising Alliance. No Web sites included in the opt-lists stopped collecting canvas fingerprints after activating the opt-out option.
Share
