Cookies have been around since the ’90s Internet, so it’s not surprising that after all these years there’s a new game in town. But it’s concerning that the new tracking apparatus, canvas fingerprinting, was called “virtually impossible to block” by ProPublica's Julia Angwin. And now the Internet is responding.
Canvas fingerprinting uses a script to render an extra and invisible part of a webpage along with the regular site you’re looking for. The extra piece is there specifically to evaluate minor things about your computer that your system reveals in the process of loading the site. They're little things like which browser you’re using and which version of it you're running, but when enough of them are put together, says Angwin, they can turn into a unique profile or fingerprint, and then companies can use this identifier to track your browsing.
But maybe it’s not even worth fighting canvas fingerprinting. Internet filtering company AdBlock Plus, which was mentioned in the ProPublica article, posted a blog post by lead developer Wladimir Palant on Wednesday that argues that canvas fingerprinting is doomed to fail because sheer volume of users should stymie the approach. He explains that canvas fingerprinting uses available information about users' graphics drivers, browsers, operating systems, and other parameters to identify them on different sites based on their system's unique combination of attributes. But he notes that even if a tracker looks at tons of criteria, it’s pretty likely that groups of people will have the same combinations. Palant says,
All this taken into account, my guess is that canvas fingerprinting can work to identify users on smaller websites with a fairly stable community. However, as soon as you start talking about millions of users (e.g. if you want to track users across multiple websites), it is just too likely that different users will have exactly the same configuration and won’t be distinguishable by means of canvas fingerprinting.
Palant also cites problems with canvas fingerprinting that the ProPublica article itself brings up, like the fact that canvas fingerprinting doesn’t work so well for tracking mobile users. Even AddThis is skeptical continuing to use the approach. But if that doesn’t satisfy your concerns about canvas fingerprinting, Palant suggests using AddBlock Plus (naturally) and its EasyPrivacy filter list as a way of ensuring anonymity. The Electronic Frontier Foundation says that its Privacy Badger plugin can also help you go off the canvas fingerprinting grid.
Angwin says that Palant isn’t quite getting the point. “I don't think you should dismiss every threat just because it doesn't seem effective,” she said. If companies are tracking you, it’s worthwhile to know how, and what you can do about it, instead of passively allowing it. But Angwin says she is heartened by the large response to her piece. “It reminded me that people still do care about this stuff,” she said.