Adblock Plus and the canvas fingerprinting threat · 2014-07-23 12:21 by Wladimir Palant
ProPublica recently wrote about canvas fingerprinting, which supposedly has even more significant privacy implications than cookies. And the worst of it: unlike cookies, canvas fingerprinting cannot be blocked by Adblock Plus!
Those of you who know Adblock Plus are probably saying now: “What, Adblock Plus can block cookies? I never knew that!” And you are right of course — Adblock Plus doesn’t block cookies. So, what is this canvas fingerprinting and what does it have to do with Adblock Plus?
The technical details are best looked up in this paper by Keaton Mowery and Hovav Shacham, published in 2012, which first explained the possibility of canvas fingerprinting. In short, modern browsers have a nice feature that allows bringing exciting games to the web, among other things. There is a side effect, however: some internal workings of your graphics chip are exposed to web pages. And web pages can use them to recognize users, just as they do with cookies but without storing any data on your computer.
Is this approach useful? It depends. If this were only about graphics chips, it wouldn’t be any more useful than identifying users by their browser version: even assuming that each graphics chip model leaves a unique fingerprint (unlikely), there are simply way more users than graphics chip models. However, the result also seems to depend on graphics drivers, browser, operating system and (my suspicion, not mentioned in the paper) some settings like ClearType. This increases the number of distinct combinations that can be recognized, but it also means that recalibrating ClearType or updating the graphics driver is enough to drop off the radar. Granted, most people never do either.
All this taken into account, my guess is that canvas fingerprinting can work to identify users on smaller websites with a fairly stable community. However, as soon as you start talking about millions of users (e.g. if you want to track users across multiple websites), it is just too likely that different users will have exactly the same configuration and won’t be distinguishable by means of canvas fingerprinting. The ProPublica article already mentions that the approach doesn’t work too well with mobile devices (probably because hardware and software are more uniform there) and that AddThis (apparently the only company which tried the approach on a larger scale) considers dropping it because it just isn’t “uniquely identifying enough.” So, very much like the similarly hyped evercookie approach, this one won’t be able to replace cookies completely — at best it could help make an educated guess in order to try recognizing users who removed their cookies.
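The scaling argument above can be put into numbers. The following is an added example, not part of the original post: it computes how many users a fingerprint still singles out as the population grows. The 100,000 distinct fingerprint values and the Zipf-style skew are assumptions chosen for illustration, not measurements.

```python
# Added illustration, not from the original post. K_CONFIGS and the Zipf skew
# are assumed values, not measurements of real canvas fingerprints.
K_CONFIGS = 100_000          # assumed number of distinct fingerprint values
POPULATIONS = (500, 50_000, 5_000_000)


def config_weights(k, skew=0.0):
    """Probability of each of k configurations; the r-th most common one has
    weight 1/r**skew. skew=0 is uniform, skew=1 is a Zipf-like long tail."""
    raw = [1.0 / (r ** skew) for r in range(1, k + 1)]
    total = sum(raw)
    return [w / total for w in raw]


def unique_fraction(probs, n):
    """Expected fraction of n users whose fingerprint nobody else shares.
    A user with configuration i is unique if the other n-1 users all have a
    different one, which happens with probability (1 - p_i)**(n - 1)."""
    return sum(p * (1.0 - p) ** (n - 1) for p in probs)


def expected_crowd(probs, n):
    """Expected number of users (including themselves) that share a randomly
    picked user's fingerprint: 1 + (n - 1) * sum(p_i**2)."""
    return 1.0 + (n - 1) * sum(p * p for p in probs)


def report():
    rows = []
    for label, skew in (("uniform", 0.0), ("skewed", 1.0)):
        probs = config_weights(K_CONFIGS, skew)
        for n in POPULATIONS:
            rows.append((label, n, unique_fraction(probs, n),
                         expected_crowd(probs, n)))
    return rows


if __name__ == "__main__":
    print(f"{'distribution':<13}{'users':>10}{'unique':>10}{'crowd':>12}")
    for label, n, uniq, crowd in report():
        print(f"{label:<13}{n:>10,}{uniq:>10.2%}{crowd:>12,.1f}")
```

Under these assumptions, almost every member of a 500-user community has a fingerprint of their own when configurations are evenly spread, while at 5 million users each fingerprint is shared by about 51 people on average and practically nobody is unique.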
So what we have here is a potential (but, it seems, not too reliable) way to track users who clear cookies or block third-party cookies completely. And what about Adblock Plus? When you add the EasyPrivacy filter list in Adblock Plus, this won’t make Adblock Plus block tracking cookies directly. Instead, Adblock Plus will block the script that would try to set these cookies. And guess what: blocking that script doesn’t just prevent cookie-based tracking, it also lets you deal with canvas fingerprinting or evercookie or any other tracking approach. In particular, the rules to prevent AddThis tracking were added to EasyPrivacy almost five years ago.