Share button plugins reveal personal information each time you visit sites



Share buttons on websites may be revealing more about us than we realise, after a study uncovered a covert tracking tool.

Researchers found one in 18 of the world's top 100,000 websites track users without their consent using a technique known as 'canvas fingerprinting.'

In total, 5,619 sites including the White House and Perez Hilton are known to feature plugins that obtain details about a user's browser, web history and computer.

Researchers scanned popular websites and found evidence of 'canvas fingerprinting' on more than 5.5%, including the White House (pictured). Canvas fingerprinting involves telling a user's browser to print code on its canvas - a tool used to draw images, which then reveals data about the user


The mechanism, called 'canvas fingerprinting', uses special scripts – the coded instructions that tell a browser how to render a website - to exploit the browser's so-called 'canvas'.

WHAT IS CANVAS FINGERPRINTING?

'Canvas fingerprinting' uses special scripts - the coded instructions that tell a browser how to render a website - to exploit the browser's so-called 'canvas'. 

The canvas is a browser tool that can be used to draw images and render text.

When a user visits a website with canvas fingerprinting software, the plugin tells the user's browser to print an invisible string of text on this canvas. 

It then tells the browser to read back data about the pixels in the invisibly rendered image.

This reveals important information about the user's browser type, graphics card, system fonts and even display properties. 

Because this grouping of data is highly likely to be unique for each user, it can be reliably associated with individual users, like a fingerprint.

Once a website has determined a device's fingerprint, it can easily recognise the user each time they visit certain sites, much in the same way cookies do.

But, unlike cookies, the canvas fingerprint is virtually undetectable and can't be blocked easily.


The study, by researchers at KU Leuven and Princeton University, provides the first large-scale investigation of the mechanism, and is the first to confirm its use on actual websites.

In this study, the researchers used automated 'crawlers' to scan the world's top 100,000 websites for canvas fingerprinting scripts.
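One way to flag the draw-text-then-read-pixels pattern described above, as an added example (not the researchers' code): the function names, the pairing heuristic and the mock canvas objects are assumptions made for illustration, and the sample strings are constructed.

```javascript
// Wrap the canvas text-drawing and pixel-read-back methods so every call is logged.
// instrumentCanvas / looksLikeFingerprinting are hypothetical names for this example.
function instrumentCanvas(ctxProto, canvasProto, log) {
  const wrap = (proto, name, kind) => {
    const original = proto[name];
    if (typeof original !== 'function') return;
    proto[name] = function (...args) {
      // Context methods run on the 2D context; toDataURL runs on the canvas itself.
      const canvas = proto === canvasProto ? this : this.canvas;
      log.push({ kind, name, canvas, text: kind === 'write' ? String(args[0]) : null });
      return original.apply(this, args);
    };
  };
  wrap(ctxProto, 'fillText', 'write');
  wrap(ctxProto, 'strokeText', 'write');
  wrap(ctxProto, 'getImageData', 'read');
  wrap(canvasProto, 'toDataURL', 'read');
}

// Heuristic (assumption): a canvas that had text drawn on it and was then read back.
function looksLikeFingerprinting(log) {
  const written = new Map(); // canvas -> texts drawn so far
  const findings = [];
  for (const ev of log) {
    if (ev.kind === 'write') {
      if (!written.has(ev.canvas)) written.set(ev.canvas, []);
      written.get(ev.canvas).push(ev.text);
    } else if (written.has(ev.canvas)) {
      findings.push({ readVia: ev.name, texts: written.get(ev.canvas).slice() });
    }
  }
  return findings;
}

// Constructed stand-ins for the browser prototypes so the example runs under Node.
function demo() {
  const ctxProto = { fillText() {}, strokeText() {}, getImageData() { return { data: [] }; } };
  const canvasProto = { toDataURL() { return 'data:image/png;base64,'; } };
  const makeCanvas = () => {
    const canvas = Object.create(canvasProto);
    canvas.ctx = Object.assign(Object.create(ctxProto), { canvas });
    return canvas;
  };
  const log = [];
  instrumentCanvas(ctxProto, canvasProto, log);
  makeCanvas().ctx.fillText('Sales 2014', 0, 0);       // draws text, never reads back
  makeCanvas().toDataURL();                            // reads back, never drew text
  const probe = makeCanvas();                          // draws text, then reads it back
  probe.ctx.fillText('constructed probe string', 2, 15);
  probe.toDataURL();
  return looksLikeFingerprinting(log);
}
```

In a browser the same wrapper would be given `CanvasRenderingContext2D.prototype` and `HTMLCanvasElement.prototype` before any third-party script runs. Legitimate code that renders text and exports the image matches the heuristic too, so a hit is a lead to review, not proof of tracking.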

In the study, researchers used automated 'crawlers' to scan for scripts. They found canvas fingerprinting scripts on 5,542 of the internet's top 100,000 websites, a prevalence of 5.5 per cent. This has since risen to 5,619 and includes PerezHilton.com (pictured)


HOW TO PROTECT YOURSELF FROM CANVAS FINGERPRINTING

There are opt-out tools offered by the Network Advertising Initiative (NAI) and the European Interactive Digital Advertising Alliance.

Studies found, however, that no websites included in the opt-out lists stopped collecting canvas fingerprints after activating the opt-out option.

At present, only one browser, Tor, prevents canvas fingerprinting scripts, but this added security comes with major trade-offs in performance, functionality and content availability.

AddThis said it won't use the data for ad targeting or personalisation if users install the AddThis opt-out cookie.

They found canvas fingerprinting scripts on 5,542 of the internet's top 100,000 websites, a prevalence of 5.5 per cent. This has since risen to 5,619.

A list of affected sites can be seen on the KU Leuven site.

Previous studies on related, but not identical, browser fingerprinting techniques estimated their prevalence at between 0.4 per cent and 1.5 per cent.

The worst offending plugin was one called AddThis.

Researchers traced 95 per cent of canvas fingerprinting scripts back to this company, which is the world's largest content sharing platform.

It provides free website plugins such as share buttons, follow buttons and content recommendation features.

The company reaches an estimated 97.2 per cent of web users in the U.S. and receives 103 billion page views each month.

This means many websites which use AddThis, including sensitive sites such as health and government websites, contain canvas fingerprinting without realising it.

The worst offending plugin was one called AddThis. Researchers traced 95 per cent of canvas fingerprinting scripts back to this firm, which provides free website plugins such as share buttons, follow buttons and content recommendation features (pictured)


YouPorn was on the list, but has since removed the AddThis plugins from its site.

Gunes Acar, the study author, said: 'This is an advanced tracking mechanism that misuses browser features to enable the circumvention of users' tracking preferences.

'We hope that our results will lead to better defenses, increase accountability for companies deploying sticky tracking techniques and an invigorated and informed public and regulatory debate on increasingly resilient tracking techniques.'

MailOnline has approached AddThis for comment.

The site told Julia Angwin at ProPublica that it did not notify the websites on which the code was placed because it conducts 'R&D projects in live environments to get the best results from testing.'

The firm added that it doesn't use any of the data it collects from government websites for ad targeting or personalisation.

 

