AdBlock: 'Canvas Fingerprinting' Tech Over-Hyped, Can Be Blocked Friday Jul 25 2014 08:24 EDT A report over at ProPublica breathlessly proclaims this week that there's a new advertising and tracking system that's "virtually impossible to block." The technology, being developed by a company called AddThis, utilizes something called "canvas fingerprinting." Canvas fingerprinting, first discussed in a 2012 paper by Keaton Mowery and Hovav Shacham (pdf), uses your computer's unique graphics rendering capabilities (graphics card, browser, driver variant) to track your movements across the Internet --without storing any data locally. Reliability of canvas fingerprinting has been somewhat iffy; especially on wireless networks (where device hardware and software is far more uniform), and large scale Internet use is far off if it happens at all. Still, the ProPublica report paints canvas fingerprinting as a pretty immediate threat to user privacy, and claims that tools like AdBlock won't work: quote: Like other tracking tools, canvas fingerprints are used to build profiles of users based on the websites they visit — profiles that shape which ads, news articles, or other types of content are displayed to them. But fingerprints are unusually hard to block: They can’t be prevented by using standard Web browser privacy settings or using anti-tracking tools such as AdBlock Plus.
Not so fast, argues AdBlock's Wladimir Palant in a blog post. Palant reiterates that canvas fingerprinting isn't really reliable enough to replace cookies, and even if it does see widespread adoption, AdBlock Plus should be able to block it just fine: quote: ...what we have here is a potential (but not too reliable it seems) way to track users who clear cookies or block third-party cookies completely. And what about Adblock Plus? When you add the EasyPrivacy filter list in Adblock Plus this won’t make Adblock Plus block tracking cookies directly. Instead, Adblock Plus will block the script that would try to set these cookies. And guess what: blocking that script doesn’t just prevent cookie-based tracking, it also lets you deal with canvas fingerprinting or evercookie or any other tracking approach. In particular, the rules to prevent AddThis tracking were added to EasyPrivacy almost five years ago.
Even AdThis, the company that is working on the technology, states they may drop the effort because it may not be "uniquely identifying enough." As such, this new "unstoppable" and "impossible to block" ad technology doesn't appear to be much of any immediate threat. |
|
PlusOne
Anon
2014-Jul-25 9:40 am
Adblock, ghostery, noscript, etc prevent addthiss from workingProPublica sowing FUD for no reason. Why they did this other than to draw viewers to their website is a mystery. | |
| | Noah VailOh God please no. Premium Member join:2004-12-10 SouthAmerica |
Re: Adblock, ghostery, noscript, etc prevent addthiss from workingI was confused when I read the article too - tweeted the same solutions you mention, to @ProPublica.
It could be most of ProPublica's audience isn't savvy enough to be blocking trackers. This could push them into better securing their browsers.
Also I've often run squid+squidGuard+shallalist at the edge to strip out crap for everyone. | |
| | | camperjust visiting this planet Premium Member join:2010-03-21 Bethel, CT |
camper
Premium Member
2014-Jul-25 10:10 am
Re: Adblock, ghostery, noscript, etc prevent addthiss from workingsaid by Noah Vail:...I've often run squid+squidGuard+shallalist at the edge to strip out crap for everyone.   I use privoxy and squid .... | |
| | | |
to Noah Vail
Unless you are using private browsing and masquarading the UA and IP for each session, you can be tracked. I can feed you certain files with different caching policies or ETags. Based on the requests you make (If-Modified-Since) I can positively identify you later on. I can tag your IP with your UA. IPs don't change that often for "home" clients. Even if you upgrade the browser or start a private window I can re-tag you with a pretty damn good accuracy. Mobile may be a different story, but going into private tabs every time quickly becomes a PITA. | |
| | | | camperjust visiting this planet Premium Member join:2010-03-21 Bethel, CT 1 edit |
camper
Premium Member
2014-Jul-25 11:49 am
Re: Adblock, ghostery, noscript, etc prevent addthiss from workingsaid by cowboyro:Unless you are using private browsing and masquarading the UA and IP for each session, you can be tracked. About the only thing that can be used to track me is the IP address. And I'm pondering whether to change the IP address on a regular basis.... Everything else you mention either changes frequently, is deleted when the browser closes, is removed on a regular basis by ccleaner, or is blocked/modified by some custom means. One other aspect of your plan --- you cannot put anything on my computer unless my browser accesses your server. If all of the tracking servers are blocked at my perimeter, your server will never gain access to my browser to do all the things you mention. | |
| | | | | |
cowboyro
Premium Member
2014-Jul-25 12:02 pm
Re: Adblock, ghostery, noscript, etc prevent addthiss from workingDo you masquerade your UA on *every* new page, use a private tab on every new page and change your IP on every new page? If not then you are traceable. Just trust me on this one, it is not that complicated to implement, the difficulty arises from manipulating the sheer amount of data collected and cross-referencing it. And once I can associate only one of your tags with the current session all your effort is rendered useless. | |
| | | | | | camperjust visiting this planet Premium Member join:2010-03-21 Bethel, CT |
camper
Premium Member
2014-Jul-25 12:21 pm
Re: Adblock, ghostery, noscript, etc prevent addthiss from workingsaid by cowboyro:Do you masquerade your UA on *every* new page, use a private tab on every new page and change your IP on every new page? If not then you are traceable.   Once again, my browser has to access a server in order for that server to track me. Ghostery, ABP, and others, plus my custom means, all prevent any accesses to tracking servers by my browser.   said by cowboyro:Just trust me on this one, it is not that complicated to implement, ...And once I can associate only one of your tags with the current session all your effort is rendered useless.   Please tell me how you get a "tag" on my computer if my browser does not access your server. | |
| | | | | | | 1 edit |
cowboyro
Premium Member
2014-Jul-25 12:59 pm
Re: Adblock, ghostery, noscript, etc prevent addthiss from workingsaid by camper:Please tell me how you get a "tag" on my computer if my browser does not access your server. Do you request a page from my server? Then I track you myself, without the need for 3rd party trackers. And most blockers only block a list of DNS names. Just point to IPs that keep changing and the blockers are rendered useless. Unless you are willing to downgrade your browsing experience to 1995 standards, you can be tracked. Deal with it. Oh, and the ISP can still track you unless you use something like Tor or an encrypted SOCKS proxy... and even then you can be tracked by the exit nodes... It's really interesting (to say the least) to watch what people are browsing using Tor... | |
| | | | | | | | camperjust visiting this planet Premium Member join:2010-03-21 Bethel, CT |
camper
Premium Member
2014-Jul-25 1:24 pm
Re: Adblock, ghostery, noscript, etc prevent addthiss from workingsaid by cowboyro:Do you request a page from my server?   If you are a tracking server, then no, I did not request a page from your server.   And most blockers only block a list of DNS names.   Most, but not all. Changing IPs isn't the cure-all you hope. An CIDR block can be indentified and blocked just as easily as a domain name by the blockers. I know, I do it.   the ISP can still track you   Yup. But I've been talking about marketing trackers, since that is what this thread's original article was about. Preventing the ISP from tracking me is a whole 'nother thread.... | |
| | | | | | | | | |
cowboyro
Premium Member
2014-Jul-25 1:33 pm
Re: Adblock, ghostery, noscript, etc prevent addthiss from workingsaid by camper: Changing IPs isn't the cure-all you hope. An CIDR block can be indentified and blocked just as easily as a domain name by the blockers Not when you are a big company and can easily use thousands of IPs all over the world. | |
| | | | | | | | | | camperjust visiting this planet Premium Member join:2010-03-21 Bethel, CT |
camper
Premium Member
2014-Jul-25 2:15 pm
Re: Adblock, ghostery, noscript, etc prevent addthiss from workingsaid by cowboyro:Not when you are a big company and can easily use thousands of IPs all over the world.   Well, that has a few issues. Among them... In order for trackers to work, those IP addresses need to be placed in websites that people visit. Those websites typically do not allow IP-address-based trackers, they require domain-name-based trackers. That's a choke point for trackers, the tracking companies need the cooperation of websites to place the trackers on the webpages. The mainstream websites will not want to do business with sleazy tracking companies who need to use IP-address-based tracking servers. Also, using thousands of IP addresses around the world is not all that different than using thousands of different domain names. Yet you seem to agree that domain names can be blocked easily. So why not CIDR range blocks? It's essentially the same thing. | |
|
1 recommendation |
big_e
Member
2014-Jul-25 9:51 am
What part of do not track me do they not understand?At least with cookies, they had plausible deniability, i.e. If you don't like being tracked, then delete the cookies. I consider this type of behavior a malicious browser exploit that must be patched via a security update.
If this tracking technology becomes commonplace, Mozilla will probably respond by adding some extra sandboxing or allow/deny permissions to plug that security hole. An average website does not need access to my computer's GPU via WebGL.
Google probably wouldn't do anything to fix this with chrome because tracking is part of their core business model. | |
| | TamaraBQuestion The Current Paradigm Premium Member join:2000-11-08 Da Bronx ·Verizon FiOS Ubiquiti NSM5 Synology RT2600ac Apple AirPort Extreme (2013)
|
TamaraB
Premium Member
2014-Jul-25 11:27 am
Re: What part of do not track me do they not understand?said by big_e: An average website does not need access to my computer's GPU via WebGL. Correct! This is trivial to block. It's the same as a rouge system doing a port-scan. Here, they get blocked both ways at the firewall, as are all tracking and ad servers which I observe in the logs. | |
| | (Software) Sophos UTM Home Edition Ruckus R310
|
to big_e
Anything ADs do on a PC is considered malware activity if you ask me.
In fact it fits the definition perfectly.
"Short for "malicious software," malware refers to software programs designed to damage or do other unwanted actions on a computer system." | |
| | |
to big_e
said by big_e:An average website does not need access to my computer's GPU via WebGL. Makes me wonder what other info is available to any random website. | |
|
camperjust visiting this planet Premium Member join:2010-03-21 Bethel, CT
1 recommendation |
camper
Premium Member
2014-Jul-25 10:08 am
Another day, another hyped-up story about the unstoppable cookie...  Remember the evercookie?   But more to the point... If, as the advertisers say, consumers want to be tracked so that they can receive more targeted advertising, then why do those advertisers have to devise increasing stealthy means to track users? Perhaps, just perhaps, the users really don't want to be tracked. | |
| | Jim Gurd Premium Member join:2000-07-08 Livonia, MI |
Jim Gurd
Premium Member
2014-Jul-28 10:34 pm
Re: Another day, another hyped-up story about the unstoppable cookie...CCleaner defeats Evercookie. I just tested it at the link you provided. | |
| | | dra6o0n join:2011-08-15 Mississauga, ON |
Re: Another day, another hyped-up story about the unstoppable cookie...in a normal computer environment, that's just like a worm. | |
|
1 recommendation |
Adblock plus is the best browser plugin ever written.Enjoy the internet the way it was meant to be. Use ABP.
Not affiliated, just a very happy user. | |
| | n2jtx join:2001-01-13 Glen Head, NY |
n2jtx
Member
2014-Jul-25 11:37 am
Re: Adblock plus is the best browser plugin ever written.said by Nameless1:Enjoy the internet the way it was meant to be. Use ABP.
Not affiliated, just a very happy user. I agree and combined with Ghostery, they make a fantastic pair of plugins. In fact, the inability to use them on iOS devices is one of my MAJOR pet peeves with the iPad and iPhone. I am so used to looking at clean sanitized web sites on my PC only to get a pile of garbage when I view the same sites on my iPad or iPhone. It is nice that these tools are available on Android platforms and is something pushing me in that direction. | |
| | | |
Re: Adblock plus is the best browser plugin ever written.IT is specifically for that reason I am rotating out all Apple equipment in the house. First went the Macbook, then the kids to Nexus 7, and now I have a LG Gpad. The only remaining are the phones (which I hate BTW), and when my company gives me the greenlight they go to non-Samsung phones which I consider the Apple of Android. | |
| | | | Smith6612 MVM join:2008-02-01 North Tonawanda, NY |
Re: Adblock plus is the best browser plugin ever written.Go Moto! | |
|
| | WhatNow Premium Member join:2009-05-06 Charlotte, NC |
to n2jtx
AdBlock+, NoScript and now Better Privacy is why I use Firefox. I always wondered why everybody complained about ads then I have to use IE for a few sites that do not work on FF and I see what they are talking about. | |
|
| TamaraBQuestion The Current Paradigm Premium Member join:2000-11-08 Da Bronx ·Verizon FiOS Ubiquiti NSM5 Synology RT2600ac Apple AirPort Extreme (2013)
|
to Nameless1
said by Nameless1:Enjoy the internet the way it was meant to be. Use ABP. Yes, as well as Ghostery, cookie smashers, and your firewall. Look at the sites these programs block and report, then permanently block those sites at the firewall. Eventually you will see less and less blocking from those browser plugins, and you will see almost no ads. Advertisers are the enemy of privacy, keep their adverts, cookies, and trackers out. | |
| | |
to Nameless1
agree "Adblock plus is the best browser plugin ever written." | |
| | cork1958Cork Premium Member join:2000-02-26
1 recommendation |
to Nameless1
said by Nameless1:Enjoy the internet the way it was meant to be. Use ABP. Couldn't agree more! That along with a killer host file and router setup correctly, makes me feel very well protected. | |
|
|
cableties
Premium Member
2014-Jul-25 11:27 am
As long as...AdBlock+ doesn't sell or disable some feature like they did when Google paid to be on their whitelist. I get making money. But don't expect them not to allow other sites that are willing to pay... | |
| | | | SeleniaGentoo Convert Premium Member join:2006-09-22 Fort Smith, AR |
to cableties
Are you flippin serious? There is a screen in ABP called preferences. From there, untick the box for allowing some non-intrusive advertising and voila. Amazing what happens when somebody does rtfm. As to selling out? That is not in the manual but they did discuss this new option on the internet. It was to allow websites to still make a living if they used ads that followed a certain code of ethics like text ads not popups and a privacy policy. | |
| | dra6o0n join:2011-08-15 Mississauga, ON |
to cableties
Surprisingly I often subconsciously read text ads by Google more so than the stupid picture or video ads.
People don't want a thousand words plz. Short and simple text are better and if people don't care, then so be it. | |
|
SeleniaGentoo Convert Premium Member join:2006-09-22 Fort Smith, AR |
Selenia
Premium Member
2014-Jul-25 12:16 pm
Good old DNS blocking with hosts file :)They can't track who does not connect in the first place. Obviously they need their own domain to track across multiple sites, like traditional adservers. I use a hosts file(MVPS) that is modified when downloaded via script to have entries point to an IP that is my router, where it uses a server that serves up a 1 pixel transparent gif in place of the ad domain content for the entire network(firewall redirect only allows use of my local DNS server for all clients). I use ABP to nix the rest of the ads on my desktops and laptops and bluhell firewall for Androids. Not sure if ABP totally blocks connections though I may be inclined to check now via a tcpdump. But it does block the extra cookies and ads served by the primary domain. Not as worried about tracking from primary domains anyways as long as the annoyance is gone. As to addthis, glad to have them in my hosts file To think, I originally set this up for devices that can't run an adblocker and people in the house who can't be bothered to use one(like as little data from my IP to them as possible). | |
| | ••••••••••••••••••••
| | |
|
|