The latest ad tracking tricks and what to do about them
On the Canvas
We'll tell you about some powerful new ad tracking techniques and how you can stop them.
Ad networks and companies are using increasingly sophisticated methods to track web surfers and spy on user behavior. However, the free web browser Firefox, in particular, makes it hard for these unabashed spies: various extensions block and remove standard cookies, web pixels, and well-hidden LSO cookies (also known as Flash cookies [1]).
A young technology known as canvas fingerprinting does not require tricks like web pixels and LSO cookies and relies instead on standard HTML5 and JavaScript to help data grabbers track user behavior. In many cases, you can even accurately identify users. Because canvas fingerprints do not rely on additional data such as cookies on the system, conventional prevention methods fail.
Evercookies [2] are an older, but also increasingly popular, technique for spying on unsuspecting surfers. This article takes a close look at canvas fingerprinting and Evercookies and offers some options for how to stop these powerful tracking techniques.
Fingerprints
Almost all modern web browsers have supported the standardized HTML5 page description language since 2014. With its advanced commands and features, HTML5 gives programmers the ability to generate dynamic graphics. The canvas element of the command set identifies a region in which JavaScript can draw. You can also use the canvas element to call out, position, and scale text or graphics in the PNG, GIF, or JPEG format.
To create a clearly identifiable fingerprint of each surfer, canvas technology uses the fact that images and text in the canvas elements are displayed differently depending on the operating system, the web browser, the installed fonts, the graphics hardware, and the deployed drivers. Also, browser data such as the language, time zone, color depth, browser ID, and installed plugins vary from system to system.
Invisible graphics are output as a data URL, after injecting a hidden canvas element into a web page, and the script generates a hash value. When the surfer visits the same website with the same browser again, the tracker generates the same hash value again given an unchanged configuration.
Thus, the script can very reliably identify the user. To track the user, ad networks place the same hidden canvas element on several websites and can then clearly identify users based on the same hash value.
The hit rate is particularly high for legacy desktop PCs with their extensive configuration options and variety of hardware components, operating systems, desktops, web browsers, and applications. The resulting large number of possible combinations translates to a similarly high rate of unique identification. Canvas fingerprinting works less successfully on mobile devices, such as smartphones or tablets, which are largely identical in terms of hardware and software, because the dynamically generated graphics only exhibit minor differences.
Redundant Cookies
Evercookies also use JavaScript to infest a computer system. In contrast to traditional cookies and Flash cookies, they use the web browser's individual storage technologies in a variety of combinations to nest multiple times in different locations. The history, browser cache, various HTML5 attributes – such as session, local, and global storage – as well as Silverlight Isolated Storage are all used to store Evercookies.
It is thus very hard to remove these pests completely from the system. If the user or a browser extension automatically deletes Evercookies in just some of these locations, they can be reconstructed from the remaining cookies. Thus, the usual browser extensions remain largely ineffective.
Detection Mechanisms
In as-delivered state, none of the popular web browsers can detect, remove, or block canvas fingerprints or Evercookies. Only the Tor Browser [3] emits a warning message if you call a web page that contains a canvas script, and it asks whether the browser should run or block the script. Additionally, canvas scripts presented to the Tor browser are not allowed to extract the implemented image data by default.
For Firefox, only the CanvasBlocker [4] add-on offers the ability to detect canvas call stacks (Figure 1). For Chrome/Chromium, there is CanvasFingerprintBlock [5], an add-on with a similar function. Like the Tor Browser, CanvasBlocker can block all or selected canvas elements in combination with Firefox. If the pop-up messages about discovered fingerprints at the top of the browser window disturb you, simply switch them off.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Canonical Releases Ubuntu 24.04
After a brief pause because of the XZ vulnerability, Ubuntu 24.04 is now available for install.
-
Linux Servers Targeted by Akira Ransomware
A group of bad actors who have already extorted $42 million have their sights set on the Linux platform.
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.