The latest ad tracking tricks and what to do about them

On the Canvas

© Lead Image © Boyan Dimitrov, 123RF.com

© Lead Image © Boyan Dimitrov, 123RF.com

Article from Issue 182/2016
Author(s):

We'll tell you about some powerful new ad tracking techniques and how you can stop them.

Ad networks and companies are using increasingly sophisticated methods to track web surfers and spy on user behavior. However, the free web browser Firefox, in particular, makes it hard for these unabashed spies: various extensions block and remove standard cookies, web pixels, and well-hidden LSO cookies (also known as Flash cookies [1]).

A young technology known as canvas fingerprinting does not require tricks like web pixels and LSO cookies and relies instead on standard HTML5 and JavaScript to help data grabbers track user behavior. In many cases, you can even accurately identify users. Because canvas fingerprints do not rely on additional data such as cookies on the system, conventional prevention methods fail.

Evercookies [2] are an older, but also increasingly popular, technique for spying on unsuspecting surfers. This article takes a close look at canvas fingerprinting and Evercookies and offers some options for how to stop these powerful tracking techniques.

Fingerprints

Almost all modern web browsers have supported the standardized HTML5 page description language since 2014. With its advanced commands and features, HTML5 gives programmers the ability to generate dynamic graphics. The canvas element of the command set identifies a region in which JavaScript can draw. You can also use the canvas element to call out, position, and scale text or graphics in the PNG, GIF, or JPEG format.

To create a clearly identifiable fingerprint of each surfer, canvas technology uses the fact that images and text in the canvas elements are displayed differently depending on the operating system, the web browser, the installed fonts, the graphics hardware, and the deployed drivers. Also, browser data such as the language, time zone, color depth, browser ID, and installed plugins vary from system to system.

Invisible graphics are output as a data URL, after injecting a hidden canvas element into a web page, and the script generates a hash value. When the surfer visits the same website with the same browser again, the tracker generates the same hash value again given an unchanged configuration.

Thus, the script can very reliably identify the user. To track the user, ad networks place the same hidden canvas element on several websites and can then clearly identify users based on the same hash value.

The hit rate is particularly high for legacy desktop PCs with their extensive configuration options and variety of hardware components, operating systems, desktops, web browsers, and applications. The resulting large number of possible combinations translates to a similarly high rate of unique identification. Canvas fingerprinting works less successfully on mobile devices, such as smartphones or tablets, which are largely identical in terms of hardware and software, because the dynamically generated graphics only exhibit minor differences.

Redundant Cookies

Evercookies also use JavaScript to infest a computer system. In contrast to traditional cookies and Flash cookies, they use the web browser's individual storage technologies in a variety of combinations to nest multiple times in different locations. The history, browser cache, various HTML5 attributes – such as session, local, and global storage – as well as Silverlight Isolated Storage are all used to store Evercookies.

It is thus very hard to remove these pests completely from the system. If the user or a browser extension automatically deletes Evercookies in just some of these locations, they can be reconstructed from the remaining cookies. Thus, the usual browser extensions remain largely ineffective.

Detection Mechanisms

In as-delivered state, none of the popular web browsers can detect, remove, or block canvas fingerprints or Evercookies. Only the Tor Browser [3] emits a warning message if you call a web page that contains a canvas script, and it asks whether the browser should run or block the script. Additionally, canvas scripts presented to the Tor browser are not allowed to extract the implemented image data by default.

For Firefox, only the CanvasBlocker [4] add-on offers the ability to detect canvas call stacks (Figure 1). For Chrome/Chromium, there is CanvasFingerprintBlock [5], an add-on with a similar function. Like the Tor Browser, CanvasBlocker can block all or selected canvas elements in combination with Firefox. If the pop-up messages about discovered fingerprints at the top of the browser window disturb you, simply switch them off.

Figure 1: CanvasBlocker alerting on accessing a web page.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Pale Moon

    A new browser with familiar technology: The lean Firefox offshoot Pale Moon is compatible with many cherished Firefox extensions.

  • LibreWolf

    LibreWolf, a modified Firefox-based web browser, simplifies configuration and puts a stop to malware and spying.

  • Cover Story: HTML5

    Back in 1999 when the HTML 4.01 standard first appeared, virtually nobody envisioned video blogs, social networking sites, or Internet office tools. The upcoming HTML 5 standard will remake the web for the new generation of technologies and services.

  • AJAX Workshop

    Books were the original model for website design. Navigation was similar to flipping the pages. Thanks to AJAX, many state-of-the-art websites now behave like desktop applications.

  • Firefox Phone Apps

    Cooking up an app for the Firefox OS is in no way difficult. All you need is a good measure of HTML and a dash of CSS. A few drops of JavaScript will bring it all to life.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News