dslreports logo
 story category
AdBlock: 'Canvas Fingerprinting' Tech Over-Hyped, Can Be Blocked

A report over at ProPublica breathlessly proclaims this week that there's a new advertising and tracking system that's "virtually impossible to block." The technology, being developed by a company called AddThis, utilizes something called "canvas fingerprinting." Canvas fingerprinting, first discussed in a 2012 paper by Keaton Mowery and Hovav Shacham (pdf), uses your computer's unique graphics rendering capabilities (graphics card, browser, driver variant) to track your movements across the Internet --without storing any data locally.

Reliability of canvas fingerprinting has been somewhat iffy; especially on wireless networks (where device hardware and software is far more uniform), and large scale Internet use is far off if it happens at all. Still, the ProPublica report paints canvas fingerprinting as a pretty immediate threat to user privacy, and claims that tools like AdBlock won't work:
quote:
Like other tracking tools, canvas fingerprints are used to build profiles of users based on the websites they visit — profiles that shape which ads, news articles, or other types of content are displayed to them. But fingerprints are unusually hard to block: They can’t be prevented by using standard Web browser privacy settings or using anti-tracking tools such as AdBlock Plus.
Not so fast, argues AdBlock's Wladimir Palant in a blog post. Palant reiterates that canvas fingerprinting isn't really reliable enough to replace cookies, and even if it does see widespread adoption, AdBlock Plus should be able to block it just fine:
quote:
...what we have here is a potential (but not too reliable it seems) way to track users who clear cookies or block third-party cookies completely. And what about Adblock Plus? When you add the EasyPrivacy filter list in Adblock Plus this won’t make Adblock Plus block tracking cookies directly. Instead, Adblock Plus will block the script that would try to set these cookies. And guess what: blocking that script doesn’t just prevent cookie-based tracking, it also lets you deal with canvas fingerprinting or evercookie or any other tracking approach. In particular, the rules to prevent AddThis tracking were added to EasyPrivacy almost five years ago.
Even AdThis, the company that is working on the technology, states they may drop the effort because it may not be "uniquely identifying enough." As such, this new "unstoppable" and "impossible to block" ad technology doesn't appear to be much of any immediate threat.
view:
topics flat nest 

PlusOne
@66.249.83.x

PlusOne

Anon

Adblock, ghostery, noscript, etc prevent addthiss from working

ProPublica sowing FUD for no reason. Why they did this other than to draw viewers to their website is a mystery.

Noah Vail
Oh God please no.
Premium Member
join:2004-12-10
SouthAmerica

Noah Vail

Premium Member

Re: Adblock, ghostery, noscript, etc prevent addthiss from working

I was confused when I read the article too - tweeted the same solutions you mention, to @ProPublica.

It could be most of ProPublica's audience isn't savvy enough to be blocking trackers.
This could push them into better securing their browsers.

Also
I've often run squid+squidGuard+shallalist at the edge to strip out crap for everyone.

camper
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT

camper

Premium Member

Re: Adblock, ghostery, noscript, etc prevent addthiss from working

said by Noah Vail:

...I've often run squid+squidGuard+shallalist at the edge to strip out crap for everyone.

 
I use privoxy and squid ....

cowboyro
Premium Member
join:2000-10-11
CT

cowboyro to Noah Vail

Premium Member

to Noah Vail
Unless you are using private browsing and masquarading the UA and IP for each session, you can be tracked.
I can feed you certain files with different caching policies or ETags. Based on the requests you make (If-Modified-Since) I can positively identify you later on.
I can tag your IP with your UA. IPs don't change that often for "home" clients. Even if you upgrade the browser or start a private window I can re-tag you with a pretty damn good accuracy.
Mobile may be a different story, but going into private tabs every time quickly becomes a PITA.

camper
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT

1 edit

camper

Premium Member

Re: Adblock, ghostery, noscript, etc prevent addthiss from working

said by cowboyro:

Unless you are using private browsing and masquarading the UA and IP for each session, you can be tracked.

About the only thing that can be used to track me is the IP address. And I'm pondering whether to change the IP address on a regular basis....

Everything else you mention either changes frequently, is deleted when the browser closes, is removed on a regular basis by ccleaner, or is blocked/modified by some custom means.

One other aspect of your plan --- you cannot put anything on my computer unless my browser accesses your server. If all of the tracking servers are blocked at my perimeter, your server will never gain access to my browser to do all the things you mention.

cowboyro
Premium Member
join:2000-10-11
CT

cowboyro

Premium Member

Re: Adblock, ghostery, noscript, etc prevent addthiss from working

Do you masquerade your UA on *every* new page, use a private tab on every new page and change your IP on every new page? If not then you are traceable.
Just trust me on this one, it is not that complicated to implement, the difficulty arises from manipulating the sheer amount of data collected and cross-referencing it. And once I can associate only one of your tags with the current session all your effort is rendered useless.

camper
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT

camper

Premium Member

Re: Adblock, ghostery, noscript, etc prevent addthiss from working

said by cowboyro:

Do you masquerade your UA on *every* new page, use a private tab on every new page and change your IP on every new page? If not then you are traceable.

 

Once again, my browser has to access a server in order for that server to track me. Ghostery, ABP, and others, plus my custom means, all prevent any accesses to tracking servers by my browser.

 
said by cowboyro:

Just trust me on this one, it is not that complicated to implement, ...And once I can associate only one of your tags with the current session all your effort is rendered useless.

 
Please tell me how you get a "tag" on my computer if my browser does not access your server.

cowboyro
Premium Member
join:2000-10-11
CT

1 edit

cowboyro

Premium Member

Re: Adblock, ghostery, noscript, etc prevent addthiss from working

said by camper:

Please tell me how you get a "tag" on my computer if my browser does not access your server.

Do you request a page from my server? Then I track you myself, without the need for 3rd party trackers.
And most blockers only block a list of DNS names. Just point to IPs that keep changing and the blockers are rendered useless.
Unless you are willing to downgrade your browsing experience to 1995 standards, you can be tracked. Deal with it.
Oh, and the ISP can still track you unless you use something like Tor or an encrypted SOCKS proxy... and even then you can be tracked by the exit nodes... It's really interesting (to say the least) to watch what people are browsing using Tor...

camper
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT

camper

Premium Member

Re: Adblock, ghostery, noscript, etc prevent addthiss from working

said by cowboyro:

Do you request a page from my server?

 
If you are a tracking server, then no, I did not request a page from your server.

 

And most blockers only block a list of DNS names.

 
Most, but not all. Changing IPs isn't the cure-all you hope. An CIDR block can be indentified and blocked just as easily as a domain name by the blockers. I know, I do it.

 

the ISP can still track you

 
Yup. But I've been talking about marketing trackers, since that is what this thread's original article was about.

Preventing the ISP from tracking me is a whole 'nother thread....

cowboyro
Premium Member
join:2000-10-11
CT

cowboyro

Premium Member

Re: Adblock, ghostery, noscript, etc prevent addthiss from working

said by camper:

Changing IPs isn't the cure-all you hope. An CIDR block can be indentified and blocked just as easily as a domain name by the blockers

Not when you are a big company and can easily use thousands of IPs all over the world.

camper
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT

camper

Premium Member

Re: Adblock, ghostery, noscript, etc prevent addthiss from working

said by cowboyro:

Not when you are a big company and can easily use thousands of IPs all over the world.

 
Well, that has a few issues. Among them...

In order for trackers to work, those IP addresses need to be placed in websites that people visit. Those websites typically do not allow IP-address-based trackers, they require domain-name-based trackers. That's a choke point for trackers, the tracking companies need the cooperation of websites to place the trackers on the webpages. The mainstream websites will not want to do business with sleazy tracking companies who need to use IP-address-based tracking servers.

Also, using thousands of IP addresses around the world is not all that different than using thousands of different domain names. Yet you seem to agree that domain names can be blocked easily. So why not CIDR range blocks? It's essentially the same thing.
big_e
join:2011-03-05

1 recommendation

big_e

Member

What part of do not track me do they not understand?

At least with cookies, they had plausible deniability, i.e. If you don't like being tracked, then delete the cookies. I consider this type of behavior a malicious browser exploit that must be patched via a security update.

If this tracking technology becomes commonplace, Mozilla will probably respond by adding some extra sandboxing or allow/deny permissions to plug that security hole. An average website does not need access to my computer's GPU via WebGL.

Google probably wouldn't do anything to fix this with chrome because tracking is part of their core business model.

TamaraB
Question The Current Paradigm
Premium Member
join:2000-11-08
Da Bronx
·Verizon FiOS
Ubiquiti NSM5
Synology RT2600ac
Apple AirPort Extreme (2013)

TamaraB

Premium Member

Re: What part of do not track me do they not understand?

said by big_e:

An average website does not need access to my computer's GPU via WebGL.

Correct! This is trivial to block. It's the same as a rouge system doing a port-scan. Here, they get blocked both ways at the firewall, as are all tracking and ad servers which I observe in the logs.


buzz_4_20
join:2003-09-20
Dover, NH
(Software) Sophos UTM Home Edition
Ruckus R310

buzz_4_20 to big_e

Member

to big_e
Anything ADs do on a PC is considered malware activity if you ask me.

In fact it fits the definition perfectly.

"Short for "malicious software," malware refers to software programs designed to damage or do other unwanted actions on a computer system."
RightHere
Premium Member
join:2003-02-02

RightHere to big_e

Premium Member

to big_e
said by big_e:

An average website does not need access to my computer's GPU via WebGL.

Makes me wonder what other info is available to any random website.

camper
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT

1 recommendation

camper

Premium Member

Another day, another hyped-up story about the unstoppable cookie...

 
Remember the evercookie?

 

But more to the point...

If, as the advertisers say, consumers want to be tracked so that they can receive more targeted advertising, then why do those advertisers have to devise increasing stealthy means to track users?

Perhaps, just perhaps, the users really don't want to be tracked.

Jim Gurd
Premium Member
join:2000-07-08
Livonia, MI

Jim Gurd

Premium Member

Re: Another day, another hyped-up story about the unstoppable cookie...

said by camper:

Remember the evercookie?

CCleaner defeats Evercookie. I just tested it at the link you provided.
dra6o0n
join:2011-08-15
Mississauga, ON

dra6o0n

Member

Re: Another day, another hyped-up story about the unstoppable cookie...

in a normal computer environment, that's just like a worm.

Nameless1
join:2014-02-25
Lexington, MA

1 recommendation

Nameless1

Member

Adblock plus is the best browser plugin ever written.

Enjoy the internet the way it was meant to be. Use ABP.

Not affiliated, just a very happy user.

n2jtx
join:2001-01-13
Glen Head, NY

n2jtx

Member

Re: Adblock plus is the best browser plugin ever written.

said by Nameless1:

Enjoy the internet the way it was meant to be. Use ABP.

Not affiliated, just a very happy user.

I agree and combined with Ghostery, they make a fantastic pair of plugins. In fact, the inability to use them on iOS devices is one of my MAJOR pet peeves with the iPad and iPhone. I am so used to looking at clean sanitized web sites on my PC only to get a pile of garbage when I view the same sites on my iPad or iPhone. It is nice that these tools are available on Android platforms and is something pushing me in that direction.
elefante72
join:2010-12-03
East Amherst, NY

elefante72

Member

Re: Adblock plus is the best browser plugin ever written.

IT is specifically for that reason I am rotating out all Apple equipment in the house. First went the Macbook, then the kids to Nexus 7, and now I have a LG Gpad. The only remaining are the phones (which I hate BTW), and when my company gives me the greenlight they go to non-Samsung phones which I consider the Apple of Android.

Smith6612
MVM
join:2008-02-01
North Tonawanda, NY

Smith6612

MVM

Re: Adblock plus is the best browser plugin ever written.

Go Moto!
WhatNow
Premium Member
join:2009-05-06
Charlotte, NC

WhatNow to n2jtx

Premium Member

to n2jtx
AdBlock+, NoScript and now Better Privacy is why I use Firefox. I always wondered why everybody complained about ads then I have to use IE for a few sites that do not work on FF and I see what they are talking about.

TamaraB
Question The Current Paradigm
Premium Member
join:2000-11-08
Da Bronx
·Verizon FiOS
Ubiquiti NSM5
Synology RT2600ac
Apple AirPort Extreme (2013)

TamaraB to Nameless1

Premium Member

to Nameless1
said by Nameless1:

Enjoy the internet the way it was meant to be. Use ABP.

Yes, as well as Ghostery, cookie smashers, and your firewall. Look at the sites these programs block and report, then permanently block those sites at the firewall. Eventually you will see less and less blocking from those browser plugins, and you will see almost no ads. Advertisers are the enemy of privacy, keep their adverts, cookies, and trackers out.
FrontirCynic
join:2006-10-25
Long Beach, CA

FrontirCynic to Nameless1

Member

to Nameless1
agree "Adblock plus is the best browser plugin ever written."

cork1958
Cork
Premium Member
join:2000-02-26

1 recommendation

cork1958 to Nameless1

Premium Member

to Nameless1
said by Nameless1:

Enjoy the internet the way it was meant to be. Use ABP.

Couldn't agree more!

That along with a killer host file and router setup correctly, makes me feel very well protected.

cableties
Premium Member
join:2005-01-27

cableties

Premium Member

As long as...

AdBlock+ doesn't sell or disable some feature like they did when Google paid to be on their whitelist.
I get making money. But don't expect them not to allow other sites that are willing to pay...

TamaraB
Question The Current Paradigm
Premium Member
join:2000-11-08
Da Bronx
·Verizon FiOS
Ubiquiti NSM5
Synology RT2600ac
Apple AirPort Extreme (2013)

TamaraB

Premium Member

Re: As long as...

said by cableties:

But don't expect them not to allow other sites that are willing to pay...

This is why you need a multi-layered defense against the advert scum!


Selenia
Gentoo Convert
Premium Member
join:2006-09-22
Fort Smith, AR

Selenia to cableties

Premium Member

to cableties
Are you flippin serious? There is a screen in ABP called preferences. From there, untick the box for allowing some non-intrusive advertising and voila. Amazing what happens when somebody does rtfm. As to selling out? That is not in the manual but they did discuss this new option on the internet. It was to allow websites to still make a living if they used ads that followed a certain code of ethics like text ads not popups and a privacy policy.
dra6o0n
join:2011-08-15
Mississauga, ON

dra6o0n to cableties

Member

to cableties
Surprisingly I often subconsciously read text ads by Google more so than the stupid picture or video ads.

People don't want a thousand words plz. Short and simple text are better and if people don't care, then so be it.

Selenia
Gentoo Convert
Premium Member
join:2006-09-22
Fort Smith, AR

Selenia

Premium Member

Good old DNS blocking with hosts file :)

They can't track who does not connect in the first place. Obviously they need their own domain to track across multiple sites, like traditional adservers. I use a hosts file(MVPS) that is modified when downloaded via script to have entries point to an IP that is my router, where it uses a server that serves up a 1 pixel transparent gif in place of the ad domain content for the entire network(firewall redirect only allows use of my local DNS server for all clients). I use ABP to nix the rest of the ads on my desktops and laptops and bluhell firewall for Androids. Not sure if ABP totally blocks connections though I may be inclined to check now via a tcpdump. But it does block the extra cookies and ads served by the primary domain. Not as worried about tracking from primary domains anyways as long as the annoyance is gone. As to addthis, glad to have them in my hosts file To think, I originally set this up for devices that can't run an adblocker and people in the house who can't be bothered to use one(like as little data from my IP to them as possible).

••••••••••••••••••••