A growing number of websites are employing a stealthy new form of hard-to-block Internet tracking software that may pose increasing privacy risks for customers.
Canvas fingerprinting, which can command your browser to draw a unique identifier and then log your online behaviour, is nearly impossible to detect, does not fall under "do not track" voluntary systems and evades most conventional ad-blocking software. It is already tracking users on 5 per cent of the biggest sites on the Internet, including The White House, Starbucks, Re/Max Canada, Canadian retailers Metro and Home Hardware, Postmedia website Canada.com, as well as a number of pornography sites.
A team of academics from Princeton University and Belgium's KU Leuven University released a study Tuesday that says canvas fingerprinting has spread to at least 5,542 of the Web's top 100,000 sites, largely thanks to software from a Virginia-based company called AddThis.
A search of the researchers' database shows the trackers are being employed in Canada by organizations and companies such as the Ontario Universities' Application Centre, Rogers TV station City News, Transcontinental's Canadian Living and immigration consultancy Canadavisa.com.
AddThis had the largest reach, with 5,232 sites, but was not the only firm using canvas fingerprinting. The researchers found 20 fingerprinting providers: nine built their own (including one written by the Canadian dating site Plentyoffish.com) and there were 11 from third parties such as Ligatus and Admicro.
Customer tracking through browser cookies is commonly used by Web advertiser networks, such as Google's DoubleClick, to target users; sites that host tracking software typically gain a small portion of those revenues. But for years, savvy online consumers have been aware of methods to evade browser cookies, either by installing ad-blocking software or by clearing cookies manually.
"What's scary about this is it takes the control away from the users," said Gunes Acar, a PhD student with KU Leuven's Computer Security and Industrial Cryptography department and the lead researcher on the project. "In Europe, it is kind of our right to have a controllable browsing experience. This is a way to circumvent user preferences."
"There is an entire invisible ecosystem that is reliant on my data," says Casey Oppenheim, co-founder of online privacy service Disconnect. "My very personal information about what I'm browsing for, searching for, is being combined with real-world information about where I work, who I'm friends with. People are creating very detailed profiles, not just for advertising but also for employers and also for insurance companies." Mr. Oppenheim's company issued an update on Monday notifying users that his service can block third-party software attempts at canvas fingerprinting.
AddThis chief executive officer Rich Harris told news site ProPublica that the data were being used for "internal research and development." He also claimed that it had not been "uniquely identifying enough" and the test would end soon.
"If it's an experiment, it is a long experiment," Mr. Acar said. His team says it appears AddThis began employing canvas fingerprinting in January.
Another AddThis spokesman said that most customers were not informed of the software's existence.
Canadian grocer Metro Inc. has been an AddThis client since September, 2013. When reached for comment, a spokesperson said the company wasn't aware of the new tracking technology but that the digital team "took this very seriously and we are in the process of taking it out," and warned the process could take 48 hours.
After news of the trackers broke, the largest site discovered by the researchers, YouPorn, removed its AddThis buttons. AddThis offers an opt-out option on its site, but Mr. Acar noted that when the researchers opted out, the tracking data were still being collected; the company pledged only that the data were not being used.
Mr. Acar says that companies such as Google and Facebook are also attempting to find non-cookie methods of online tracking, partly because studies have shown most users clear Web cookies every 30 days, degrading the accuracy of databases ad-trackers hope to compile.
"Fingerprints can create legitimate services," Mr. Acar said, particularly for reputation trackers such as ThreatMetrix or BlueCava, which maintain databases of millions of records in an attempt to identify online scammers. "Using it for ads is a heavy-handed approach. It is a little shady. Google – I think they would not dare; I think they would try to stick to more conventional methods."
Even though Mr. Oppenheim's company is one of many locked in an arms race against ever-more complex tracking technology, he says he's not anti-business. "The Internet economy relies on the advertising economy, and I don't want that to change, but we can't sacrifice transparency along the way. The way it is now, people don't understand there is an exchange for your privacy."