Researchers at Princeton University and KU Leuven University in Belgium have discovered that several companies including AddThis, makers of the popular sharing buttons toolbar found on many websites, have been secretly testing a new type of cookie.
It’s called canvas fingerprinting, and it gathers more information than existing cookies in an attempt to create a unique identifier to be used to track you around the web.
First proposed in 2012, canvas fingerprinting involves using the canvas tag from HTML5 to generate an image which is unique to a particular person’s web browser. It’s not strictly a cookie, but it is a closely related type of tracking tech – only worse. Since canvas fingerprinting isn’t a cookie it can’t be blocked by the privacy settings in your web browser; instead you’ll have to use a browser add-on like Ghostery to block it.
The research team found canvas fingerprinting code on 5% of the top 100,000 websites on the web. Some of the code was traced back to the German digital marketer Ligatus, but in many cases the code had been quietly added to the social media sharing tools which the websites had gotten from AddThis.
Most of the websites were unaware of the extra code – including me. This blog is on the, and I’m not happy about that.
AddThis has readily copped to installing the code without telling anyone, but they also insist that this was a limited trial that only involved a small fraction of the 13 million websites which use AddThis’s tools.
AddThis also insists that they will soon stop the trial. “It’s not uniquely identifying enough,” Rich Harris, CEO of AddThis, said in an interview. “We were looking for a cookie alternative”, he added. While Harris noted the privacy concerns, he also said that the issue had been considered and that AddThis had decided that “this is well within the rules and regulations and laws and policies that we have”.
In some circles canvas fingerprinting has been a known problem. The possibility of using the canvas tag to identify website visitors was first noted by researchers at the University of California, San Diego, in May 2012. It didn't get much attention outside of internet security circles until a year later, when a Russian programmer by the name of Valentin Vasilyev noticed the study and added a canvas feature to freely available fingerprint code that he had posted on the Internet. The developers of The Tor Project also noticed the study, and in June 2012 they added a feature which warns users when a website attempts to use the canvas feature and sends a blank canvas image.
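The defence described above (record the attempt to read a canvas back and hand the page a blank image instead) can be sketched as follows. This is an added example, not code from the Tor Project or from this post: `guardCanvas`, `FakeCanvas` and the `allow` callback are hypothetical names, and `FakeCanvas` is a constructed stand-in so the code runs under Node; in a browser the prototype passed in would be `HTMLCanvasElement.prototype`.

```javascript
// Constructed stand-in for HTMLCanvasElement so this runs outside a browser:
// its read-back depends on what was drawn, as a real canvas's does.
class FakeCanvas {
  constructor(width, height) { this.width = width; this.height = height; this.ops = []; }
  draw(text) { this.ops.push(text); }
  toDataURL(type = 'image/png') {
    return 'data:' + type + ',' + encodeURIComponent(this.ops.join('|'));
  }
}

// Wrap toDataURL on a canvas prototype (hypothetical helper).
//   makeBlank(w, h) -> untouched canvas of that size
//   allow()         -> true if the user has permitted read-back for this site
function guardCanvas(proto, makeBlank, allow = () => false) {
  const log = [];
  const original = proto.toDataURL;
  proto.toDataURL = function (...args) {
    const allowed = Boolean(allow());
    log.push({ width: this.width, height: this.height, allowed });
    // Blocked callers get the read-back of an untouched canvas, which does
    // not depend on how this machine rendered the page's drawing.
    const target = allowed ? this : makeBlank(this.width, this.height);
    return original.apply(target, args);
  };
  // toBlob() and the 2D context's getImageData() are other read-back paths
  // and would need the same treatment; they are left out here.
  return { log, restore() { proto.toDataURL = original; } };
}

// Two constructed "visitors" whose canvases render differently.
function demo(allow) {
  const guard = guardCanvas(FakeCanvas.prototype, (w, h) => new FakeCanvas(w, h), allow);
  const a = new FakeCanvas(240, 60); a.draw('rendering on machine A');
  const b = new FakeCanvas(240, 60); b.draw('rendering on machine B');
  const out = { a: a.toDataURL(), b: b.toDataURL(), attempts: guard.log.length };
  guard.restore();
  return out;
}

console.log(demo());
```

With the guard in place both visitors return the same string and each read-back is logged; passing an `allow` callback that returns `true` restores the distinct values.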
And now the fecal matter is hitting the rotary impeller unit. While AddThis says they are backing down, chances are other marketing firms will start using the tech – if they aren’t already.
Or you can install a privacy plugin called Ghostery. This plugin works with most web browsers and it blocks virtually every type of tracking code from Google Analytics to AddThis to Facebook. What’s more, it will tell you exactly what it is blocking.
I am a long-time user of, and I love it. It sometimes causes problems on websites, but that is a relatively minor issue which can usually be fixed by white-listing a particular site. Ghostery will even block AddThis. This will keep you from using the share buttons but it will also keep AddThis from tracking you.
Ghostery is not a one-size-fits-all solution for privacy and security, but it is a tool you should be using alongside similar tools like a good firewall, Spybot S&D, and HitmanPro.
Speaking of online safety and privacy, what tools do you use?
image by nolifebeforecoffee