AddThis Tracker “Just a Test,” Still Questioned

The Electronic Frontier Foundation (EFF) reported on July 22, 2014 that the White House website WhiteHouse.gov has been running the intrusive tracker AddThis. AddThis is a sharing company that had been quietly running tests with canvas fingerprinting in order to obtain unique tracking information from website users. Canvas fingerprinting, when successful, is supposed to provide unique tracking information that cannot be erased like cookies (prompting Abine cofounder Rob Shavell to boldly declare “The cookie is dead”). The EFF report notes that AddThis canvas fingerprinting technology is not in compliance with WhiteHouse.gov’s own Privacy Policy.

SIEM

Photo: watcharakun / Shutterstock

How AddThis Uses Canvas Fingerprinting to Track Users

At present, the majority of canvas fingerprinting cases on the web are from AddThis script. However, other companies are also employing their own versions of the fingerprinting code. Canvas fingerprinting gets its name from the “canvas” feature that first made its appearance with HTML5. It takes advantage of a number of browser settings (including the computer’s internal clock, browser plug-ins, and local memory).

The AddThis code commands the browser to return a string of text containing all letters of the alphabet. In theory, this method should allow the script to uniquely identify each browser based on slight discrepancies in how it “prints” the text. Compare this to supercookies, which according to EFF also take advantage of the canvas feature “by force-caching images and then using the HTML5 Canvas to read them back.”

Frequency and Development of Canvas Fingerprinting

EFF’s report on the White House website follows a ProPublica report bringing AddThis and the canvas fingerprinting technique to light. AddThis was also found on popular websites such as YouPorn.com. It has so far been discovered on over 5000 of the top 100,000 websites. YouPorn removed AddThis after ProPublica’s article rapidly gained media attention. EFF does not believe the White House website administrators were aware of AddThis’ tracking mechanisms at the time of publication. To date, however, it is still using AddThis on every webpage, even where not visibly advertised.

The ProPublica report states that Princeton researchers first documented canvas fingerprinting in the forthcoming paper The Web never forgets: Persistent tracking mechanisms in the wild. The EFF report, on the other hand, claims that researchers Keaton Mowery and Hovav Shacham first demonstrated the technique in a 2012 presentation “Pixel Perfect.” Russian programmer Valentin Vasilyev cites EFF research How unique is your web browser? as the inspiration for his canvas fingerprinting project.

Vasilyev’s Testing Process and Questionable Data

Vasilyev refined existing fingerprinting code to add the canvas feature as an attempt to improve unique tracking practices. According to his Valve report, “We wanted to see if it was possible at all to rely on identifying someone this way and not leave cookies.” AddThis would later base their own work on Vasilyev’s code. Vasilyev thoroughly documents his research on collaborative software development website GitHub. He claims mobile browsers typically return uniform images to the HTML5 Canvas and therefore are not as susceptible to canvas fingerprinting tracking mechanisms. His own data, based on “several million [users] a month,” resulted in up to 10 to 12 per cent false reporting.

The discussion on his research webpage questions his use of unreliable variables including screen resolution and browser plug-ins. Browser plug-ins can update as frequently as multiple times per day and on average once every few days, creating multiple unique identifiers for a single user. Vasilyev’s data included outliers such as users with “a staggering amount” of fingerprints, upwards of 20 to 25 per user. Vasilyev confessed in collaborator discussion that he suspected browser plug-ins to be guilty of producing those unstable results. Similarly, he opted against screen resolution as an identifier because multiple displays might skew the results, but he added it as an optional variable in later updates.

Preventing Canvas Fingerprinting Tracking Techniques

As of June 2014, the Tor browser notifies its users when a webpage is attempting to use canvas fingerprinting. It returns a blank image to the tracking script. Extensions, browser add-ons, and widgets do already exist to counteract these invasive tracking techniques. Several such extensions specifically block AddThis but not the fingerprinting technique at large.

EFF’s Privacy Badger, Disconnect, AdBlock Plus, and DoNotTrackMe all provide the option to block AddThis. Broader (and typically more advanced) blockers include JavaScript-based No Script. AddThis itself provides a cookie that the company claims will prevent AddThis from using tracked data to target advertisements.

PCWorld calls AddThis “sneaky but easy to halt.” Following the swarm of media updates, AddThis now claims it had been running a test, but has since disabled its canvas fingerprinting capabilities. The company promises to provide more information before conducting such tests in the future.