Skip to main content

New Online Tracking Tech Means More Work to Keep Your Reading Private Online

124659356_bbe1e5b661_z[1]Researchers at Princeton University and KU Leuven University in Belgium have discovered that  several companies including AddThis, makers of the popular sharing buttons toolbar found on many websites, have been secretly testing a new type of cookie.

It’s called canvas fingerprinting, and it gathers more information than existing cookies in an attempt to create a unique identifier to be used to track you around the web.

First proposed in 2012, canvas fingerprinting involves using the canvas tag from HTML5 to generate an image which is unique to a particular person’s web browser. It’s not strictly a cookie, but it is a closely related type of tracking tech – only worse. Since canvas fingerprinting isn’t a cookie it can’t be blocked by the privacy settings in your web browser; instead you’ll have to use a browser add-on like Ghostery to block it.

The research team found canvas fingerprinting code on 5% of the top 100,000 websites on the web. Some of the code was tracked back to the German digital marketer Ligatus, but in many cases the code had been quietly added to the social media sharing tools which the websites had gotten from AddThis.

Most of the websites were unaware of the extra code – including me. This blog is on the list of affected websites, and I’m not happy about that.

AddThis has readily copped to installing the code without telling anyone, but they also insist that this was a limited trial that only involved a small fraction of the 13 million websites which use AddThis’s tools.

AddThis also insists that they will soon stop the trial. "It’s not uniquely identifying enough," Rich Harris, CEO of AddThis, said in an interview. "We were looking for a cookie alternative", he added.  While Harris noted the privacy concerns, he also said that the issue had been considered and that AddThis had decided that "this is well within the rules and regulations and laws and policies that we have".

In some circles canvas fingerprinting has been a known problem. The possibility of using the canvas tag to identify website visitors was first notid by researchers at the University of California, San Diego, in May 2012. It hasn’t gotten much attention outside of internet security circles until a year later when a Russian programmer by the name of Valentin Vasilyev noticed the study and added a canvas feature to freely available fingerprint code that he had posted on the Internet. The developers of The Tor Project also noticed the study, and in June 2012 they  added a feature which warned users when a website attempted to use the canvas feature and sends a blank canvas image

And now the fecal matter is hitting the rotary impeller unit. While AddThis says they are backing down, chances are other marketing firms will start using the tech – if they aren’t already.

If this bothers you as much as it bothers me, there are steps you can take. You can install an opt-out cookie from AddThis, or you could install a browser plugin to block Javascript. That is going to break a lot of websites, but it is an option.

Or you can install a privacy plugin called Ghostery. This plugin works with most web browsers and it blocks virtually every type of tracking code from Google Analytics to AddThis to Facebook. What’s more, it will tell you exactly what it is blocking.

I am a long-time user of Ghostery, and I love it. It sometimes causes problems on websites, but that is a relatively minor issue which can usually be fixed by white-listing a particular site. Ghostery will even block AddThis. This will keep you from using the share buttons but it will also keep AddThis from tracking you.

Ghostery is not a one-size-fits all solution for privacy and security, but it is a tool you should be using alongside similar tools like a good firewall, Spybot S&D, and HitManPro.

Speaking of online safety and privacy, what tools do you use?

Pro Publica

image by nolifebeforecoffee

Similar Articles


jerome July 22, 2014 um 3:31 pm


I would recommend

– Privacy badger

– HTTP Switchboard

– Privoxy

– Tor

– ScriptSafe

– Cookie blockers

– Adblock

– If you use firefox open about:config and delete everything "google", "malware", "virus scanning" etc

There are other things you can do but these are the basic steps to take

Bear in mind that Ghostery also tracks you in different ways.

Nate Hoffelder July 22, 2014 um 5:12 pm

That’s an impressive list. Thanks.

I’ve been looking for a proxy service and I think Privoxy will fill my needs.

Valentine July 22, 2014 um 5:30 pm

I use Ghostery and Adblock. When I find a website with something nice AND doesn’t assault me with ads, they get added as exceptions. Period.

When I want to buy something I’ll just google "buy something".

Btw, ghostery says you have 15 trackers here.

Nate Hoffelder July 22, 2014 um 5:36 pm

Fifteen? I’m only seeing 11.

Most of mine have to do with ads, and are relatively benign. I will confess that I didn’t know Zergnet was on the list; that is new and I think I will go delete it.

jerom July 22, 2014 um 8:19 pm

I never ever see ads and I have been using internet for almost 20 years now.

The trick is to use multiple browsers. One for only for banking and such and one for everything else and that is the one that should be loaded with all kinds of cyber defense.

Privoxy will take care of half the issues, and the other script blockers will take care of the rest. If it breaks the page let it be, it is less important than being target by shady entities.

jerome July 22, 2014 um 8:20 pm

Btw you should introduce https for your readers privacy. Http can be siphoned and tempered, at least it is much easier to do.

Nate Hoffelder July 22, 2014 um 9:47 pm

Are readers really sending anything that would need HTTPS for privacy?

Part of the reason why I hesitate is that adopting HTTPS would block me from using a CDN (this speeds up my blog).

eric July 22, 2014 um 9:07 pm

I use RequestPolicy. Blocks all cross-origin requests by default, and lets you white list specific source/destination pairs. Blog sites tend to suffer a fair amount, but Clearly brings back most of them to life. It’s amazing how much info we emit, e.g. how even reputable newspapers have no problem informing twitter or facebook of which articles you read. Coupled with fingerprinting, it’s downright scary.

Jerome July 22, 2014 um 10:23 pm


The thing about https is that analyzing traffic is much much harder. To me the issue boils down to middle man attack issues. For example if someone is targeting another person, they do social engineering like figuring out what web sites they read what kind of interests they have etc. That is when https is useful since they it is much harder to sniff the traffic that goes through. However mine was a recommendation not a necessity for your site. I just wished that all the servers in the world use https for even casual pages.


Malware-Infested Ads Now a Threat When Reading Online – The Digital Reader October 26, 2014 um 7:03 pm

[…] popup ads, auto-play video ads, and pernicious tracking cookies, there are a hundred and one good reasons to use ad-blocking plugins like Adblock […]

Malware-Infested Ads Now a Threat When Reading Online | OSINFO October 27, 2014 um 11:26 am

[…] popup ads, auto-play video ads, and pernicious tracking cookies, there are a hundred and one good reasons to use ad-blocking plugins like Adblock […]

Opera Founder Launches Rival Web Browser for Power Users ⋆ Ink, Bits, & Pixels January 27, 2015 um 11:34 am

[…] cookies you've picked up (it's an option in the settings menu). This might not help you with the dreaded supercookie, but it is going to prove useful at tracking those who are tracking […]

Write a Comment