Adblock Plus and the canvas fingerprinting threat · 2014-07-23 12:21 by Wladimir Palant

ProPublica recently wrote about canvas fingerprinting which supposedly has even more significant privacy implications than cookies. And the worst of it: unlike cookies, canvas fingerprinting cannot be blocked by Adblock Plus!

Those of you who know Adblock Plus are probably saying now: “What, Adblock Plus can block cookies? I never knew that!” And you are right of course — Adblock Plus doesn’t block cookies. So, what is this canvas fingerprinting and what does it have to do with Adblock Plus?

The technical details are best looked up in this paper by Keaton Mowery and Hovav Shacham, published in 2012, which first explained the possibility of canvas fingerprinting. In short, modern browsers have a nice feature that allows bringing exciting games to the web, among other things. There is a side effect, however: some internal workings of your graphics chip are exposed to web pages. Web pages can use them to recognize users, just as they do with cookies, but without storing any data on your computer.

Is this approach useful? It depends. If this were only about graphics chips, it wouldn’t be any more useful than identifying users by their browser version: even assuming that each graphics chip model leaves a unique fingerprint (unlikely), there are simply way more users than graphics chip models. However, the result also seems to depend on graphics drivers, browser, operating system and (my suspicion, not mentioned in the paper) some settings like ClearType. This increases the number of distinctly different combinations that can be recognized, but it also means that one has to do as little as recalibrating ClearType or updating the graphics driver to drop off the radar. Granted, most people never do either.

All this taken into account, my guess is that canvas fingerprinting can work to identify users on smaller websites with a fairly stable community. However, as soon as you start talking about millions of users (e.g. if you want to track users across multiple websites), it is just too likely that different users will have exactly the same configuration and won’t be distinguishable by means of canvas fingerprinting. The ProPublica article already mentions that the approach doesn’t work too well with mobile devices (probably because hardware and software are more uniform there) and that AddThis (apparently the only company which tried the approach on a larger scale) is considering dropping it because it just isn’t “uniquely identifying enough.” So, very much like the similarly hyped evercookie approach, this one won’t be able to replace cookies completely; at best it could help make an educated guess when trying to recognize users who removed their cookies.

So what we have here is a potential (but not too reliable it seems) way to track users who clear cookies or block third-party cookies completely. And what about Adblock Plus? When you add the EasyPrivacy filter list in Adblock Plus this won’t make Adblock Plus block tracking cookies directly. Instead, Adblock Plus will block the script that would try to set these cookies. And guess what: blocking that script doesn’t just prevent cookie-based tracking, it also lets you deal with canvas fingerprinting or evercookie or any other tracking approach. In particular, the rules to prevent AddThis tracking were added to EasyPrivacy almost five years ago.
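
As an added illustration (not from the original post and not Adblock Plus code), the sketch below shows why request-level blocking is indifferent to the tracking technique: a filter decides on the request's URL, type and third-party status, never on what the script would do once loaded. The filters, hosts and URLs are constructed, the same-site check is a simplifying assumption, and only a small subset of the filter syntax is handled.

```javascript
// Added example: matcher for a small subset of Adblock Plus filter syntax
// ("||host" domain anchor, optional path prefix, trailing "^", and the
// options $third-party, $script, $xmlhttprequest).
// All filters, hosts and URLs are constructed; none are EasyPrivacy rules.
function parseFilter(text) {
  const [pattern, optText = ""] = text.split("$");
  const body = pattern.replace(/^\|\|/, "").replace(/\^$/, "");
  const slash = body.indexOf("/");
  return {
    host: slash < 0 ? body : body.slice(0, slash),
    path: slash < 0 ? "" : body.slice(slash),
    options: optText ? optText.split(",") : [],
  };
}

// Assumption: "same site" means the last two host labels match. Real
// blockers use the Public Suffix List instead.
function sameSite(a, b) {
  const base = (h) => h.split(".").slice(-2).join(".");
  return base(a) === base(b);
}

// request = { url, type, page }; the script's behaviour is never an input.
function isBlocked(filters, request) {
  const url = new URL(request.url);
  const thirdParty = !sameSite(url.hostname, new URL(request.page).hostname);
  return filters.map(parseFilter).some((f) => {
    const hostOk = url.hostname === f.host || url.hostname.endsWith("." + f.host);
    const pathOk = url.pathname.startsWith(f.path);
    const types = f.options.filter((o) => o !== "third-party");
    const typeOk = types.length === 0 || types.includes(request.type);
    const partyOk = !f.options.includes("third-party") || thirdParty;
    return hostOk && pathOk && typeOk && partyOk;
  });
}

const FILTERS = [
  "||tracker.example^$third-party",         // blocks every request to this host
  "||widget.example/report$xmlhttprequest", // blocks only the reporting call
];
const page = "https://news.example.org/story";
const REQUESTS = [
  { url: "https://cdn.tracker.example/fp.js", type: "script", page },
  { url: "https://widget.example/share.js", type: "script", page },
  { url: "https://widget.example/report?fp=abc", type: "xmlhttprequest", page },
];
for (const r of REQUESTS) console.log(isBlocked(FILTERS, r) ? "BLOCK" : "allow", r.url);
```

The first filter stops the script from loading at all; the second lets a widget script load but blocks its reporting request.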

Comment [13]

  1. John · 2014-07-24 01:35 · #

    Hmm. Not a convincing article since you quote a 2012 article rather than the more recent (July 1st 2014) article from the universities of Princeton and Belgium’s KU Leuven. In particular you suggest that the tracking mechanism uses hardware pieces and is therefore not specific enough; you don’t respond to the more recent research which shows that this technology creates specific “fingerprint” images which are specific. You don’t respond either to the persistence of “evercookies” which use Flash technology so that they are never cleared.

    I use AdBlock Plus because I don’t like ads; I accept that it is not a cookie manager. I don’t understand why you would enter the discussion on these other issues with an article that doesn’t appear to address the concerns—or mine at least.

    Reply from Wladimir Palant:

    The 2012 article was about the technical background, the new one is merely a study on who is using the approach (with the conclusion that it is mostly AddThis). They are both talking about the same approach: drawing something in a canvas, extracting the resulting image and looking at the individual pixels. And no matter how confusing it has been formulated in some places: this image can by no means identify individual users, it is rather dependent on hardware and to some extent on software.

    Evercookie isn’t just about Flash cookies (a.k.a. Local Shared Objects), it’s about combining lots of different factors in order to recognize users. However, pretty much all of it was just noise – it was either things that aren’t reliable enough or things that the browsers would clear along with cookies (like local storage). Flash cookies were the only real issue there, and this one has been taken care of – every modern browser will clear Flash cookies as well whenever you clear cookies.

  2. Kyle · 2014-07-24 03:04 · #

    What is the point of this post? You do not explain any connection between ABP and canvas fingerprinting.

    Namely, what ought to be your most important sentence is not explained: “[ABP cookie blocking] also lets you deal with canvas fingerprinting or evercookie or any other tracking approach”.

    Technically speaking, what does “deal with” and how does Adblock Plus let us do this?

    Reply from Wladimir Palant:

    The point of the post is that there is no connection between ABP and canvas fingerprinting – even though some media is trying to establish one.

    If the last paragraph isn’t explicit enough for you, here you go: Adblock Plus privacy protection (a.k.a. EasyPrivacy filter list) doesn’t care whether it is cookies, canvas fingerprinting or evercookie, you will be protected regardless.

  3. Tunit · 2014-07-24 03:44 · #

    The last paragraph explains the connection between ABP and canvas fingerprinting.

  4. Tom · 2014-07-25 02:54 · #

    To be clear, AdBlockPlus DOES currently protect users from canvas fingerprinting/tracking but only if the tracking is done through AddThis company?

    Reply from Wladimir Palant:

    If you find somebody else tracking users across websites I can check whether they are covered by EasyPrivacy – most likely they are. But my understanding is that currently nobody else is doing it.

  5. Tom · 2014-07-25 09:24 · #

    5% of top 100,000 websites use Canvas fingerprinting and according to the company that conducted the study, about 95% of them were using AddThis. Which means around 250 of top 100,000 websites are using a different company which is not blocked by AdBlockPlus I assume.
    Sources are
    http://www.geek.com/apps/canvas-fingerprinting-is-like-a-cookie-you-cant-block-and-thousands-of-sites-are-using-it-1599967/

    https://www.propublica.org/article/meet-the-online-tracking-device-that-is-virtually-impossible-to-block

    Reply from Wladimir Palant:

    Actually, https://securehomes.esat.kuleuven.be/~gacar/persistent/ indeed lists a bunch more third-party scripts doing canvas fingerprinting, merely on a smaller scale. Other than AddThis, the top ones are:

    • Ligatus: blocked by EasyList (ads, not just tracking), no Adblock Plus user will see that script.
    • Kitcode.net: blocked by EasyPrivacy.
    • vcmedia.vn: specific to Vietnamese websites, blocked by Fanboy’s Vietnamese List for example (vcmedia.com is blocked by EasyList on the other hand).

  6. blah · 2014-07-25 15:38 · #

    Adblockplus is AWWWWWWESOME. Sorry to see some ungrateful jerks trolling with nonsense. Hopefully their Autism leads to their being run over by a large truck.

  7. Rrrrrrrrrrrrrrrrrrr · 2014-07-25 17:20 · #

    thanks for all your work protecting us online and explaining these latest developments

    cheers

  8. oibnion · 2014-07-25 17:53 · #

    > Adblock Plus will block the script that would try to set these cookies

    Untrue. Go to ibtimes.com: the canvas-fingerprinting script is not blocked. What is blocked is the reporting back through an XMLHttpRequest. But the cookie pathway is not blocked, so the result of the fingerprinting script can be reported back through cookies. The proper solution is to outright block the fingerprinting script (which EasyPrivacy doesn’t do), or to advise users to block third-party cookies. Otherwise EasyPrivacy is of no help.

    Reply from Wladimir Palant:

    Yes, the blog post is simplifying some aspects and in this particular case only the reporting back is blocked because blocking the script would break the entire widget (it is being blocked by filter lists like Fanboy’s Social Blocking List). This is sufficient however because there is no way for AddThis to get the result of canvas fingerprinting and to track the user using it.

    Your statement “cookie pathway is not blocked” makes no sense. Cookies on the addthis.com domain (third-party) can only be set by the AddThis server, not by their script. The script can set cookies on the webpage domain (first-party) but AddThis server cannot get to these without the script talking to it.

  9. oibnion · 2014-07-27 01:13 · #

    > Cookies on the addthis.com domain (third-party) can only be set by the AddThis server, not by their script

    But can’t a script inside an iframe set the cookie and have this cookie transferred with the next (unblocked) request?

    I think some browsers prevent this, but for Chrome, I am pretty sure it depends on whether third-party cookies are set to be blocked or not.

    I definitely see an addthis iframe with the canvas fingerprinting code, and a cookie created by that code (not the server), and that cookie sent with the next request, along with the referrer being ibtimes.com.

  10. Nione.A. · 2014-07-29 09:37 · #

    Easy. Always disable Javascript. Turn off HTML5.

    “Tor Browser” can block canvas attack by returning blank image to attacker.

  11. just want to be invisible · 2014-08-02 07:25 · #

    What I can see is that, for instance, this site “https://panopticlick.eff.org/” is gathering most information from my plugins list and my fonts list. So I was wondering if a subset of that info can be sent by default to untrusted web sites? Can it be done by a browser plugin or does the browser itself need to be modified? I guess it can also depend on the browser…

    Reply from Wladimir Palant:

    Firefox already implemented a number of changes to make the browsers harder to identify uniquely. Plugins and fonts are tricky however, restricting functionality here will break many websites. I’m not sure whether an extension could do things better here (beyond blocking the tracking scripts altogether), definitely not trivial.

  12. Cowicide · 2014-08-03 07:33 · #

    Is there any way to use easyprivacy with the Android Firefox Adblock Plus extension or is that already a part of easylist?

    Reply from Wladimir Palant:

    No, our user interface in Firefox for Android is unfortunately very limited right now and doesn’t allow adding EasyPrivacy. This is something we hope to address soon.

  13. soothing.sinz@gmail.com · 2014-08-15 17:37 · #

    3 words- love your work!
