
Canvas fingerprinting and evercookies: something new to beware of

You may have been hearing about it since yesterday: the new way of profiling your computer (and, with enough other data, you) without leaving either traditional cookies or flash cookies on your system.

Those cookies you can get rid of. The new “evercookie” you can’t even see, because there is nothing on your disk to find: your own browser regenerates it, on orders from a site (or a script that site embeds), every time you visit. (Strictly speaking, “evercookie” is the name of an older trick that hides copies of an identifier in many browser storage locations so it comes back after you delete it; the technique in this week’s news is a different one, though the reports cover both.)

The underlying technique is “canvas fingerprinting.” A script tells your browser to draw some text and shapes on a hidden canvas, reads the resulting pixels back, and hashes them. No two setups draw quite alike (fonts, anti-aliasing, graphics hardware, drivers and the browser build itself all leave traces in the pixels), so the hash works as an identifier that needs no stored cookie at all. Here’s some not-too-geeky info on how it works.
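What such a script actually does, as an added example (an editor’s illustration, not code from this post and not AddThis’s script; the scene drawn, the FNV-1a hash and the function names are my own choices):

```javascript
// Added example: the shape of a canvas fingerprinting script (illustration only,
// not AddThis's code). The page tells the browser to draw a fixed scene on a canvas
// that is never shown, reads the pixels back, and hashes them. Nothing is written
// to disk; the value is recomputed on every visit and differs between machines
// because fonts, anti-aliasing, GPU and driver differ.

// FNV-1a, 32-bit, over UTF-16 code units. A stand-in for whatever hash a real
// tracker uses (assumption).
function fnv1a32(str) {
  let hash = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    hash ^= str.charCodeAt(i);
    hash = Math.imul(hash, 0x01000193) >>> 0;
  }
  return hash >>> 0;
}

// Draw a fixed scene and return a hex hash of the exported pixels. The Document is
// passed in explicitly so the function can be exercised against a stand-in object.
function canvasFingerprint(doc) {
  const canvas = doc.createElement('canvas');
  canvas.width = 300;
  canvas.height = 60;
  const ctx = canvas.getContext('2d');

  // A pangram, a fallback-prone emoji and overlapping fills: font availability,
  // hinting and alpha blending all leave their mark in the pixels.
  ctx.textBaseline = 'top';
  ctx.font = '14px "Arial"';
  ctx.fillStyle = '#f60';
  ctx.fillRect(125, 1, 62, 20);
  ctx.fillStyle = '#069';
  ctx.fillText('Cwm fjordbank glyphs vext quiz, \u{1F600}', 2, 15);
  ctx.fillStyle = 'rgba(102, 204, 0, 0.7)';
  ctx.fillText('Cwm fjordbank glyphs vext quiz, \u{1F600}', 4, 17);

  // An anti-aliased curve exposes differences in the rasteriser.
  ctx.beginPath();
  ctx.arc(50, 40, 15, 0, Math.PI * 2, true);
  ctx.fill();

  // toDataURL() is the read-back step: the canvas never has to be in the page.
  // This is the call Tor Browser prompts on.
  const dataUrl = canvas.toDataURL();
  return fnv1a32(dataUrl).toString(16).padStart(8, '0');
}

// A real tracker would send the value to its own server along with the page URL.
// Here it is just logged when the script runs in a browser.
if (typeof document !== 'undefined') {
  console.log('canvas fingerprint:', canvasFingerprint(document));
}
```

Paste it into the console of two different browsers, or of the same browser on two machines, and compare the values: identical hardware, fonts and browser build usually give the same hash, almost anything else differs. On its own the hash is not unique per person (commodity PCs collide), which is why trackers combine it with the rest of the browser’s characteristics.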

Using Tor apparently helps, but not completely. (The Tor Browser asks you before it lets a site read pixels back from a canvas, which is the step the fingerprint depends on; plain Tor without the browser does nothing about this.) Firefox’s wonderful NoScript add-on does the trick: it stops a nasty little company called AddThis from executing its scripts on your device. One caveat: NoScript decides by the domain a script is loaded from, so if addthis.com has ever made it onto your whitelist (check), the script runs on every site that embeds it, and a site you have marked as trusted can run the same kind of code from its own domain without NoScript objecting.

Lots of big sites carry the AddThis code that does this. AddThis then sells the info to advertisers, apparently even if you’ve set every “do not track” and opt-out available. Some sites (hey, we’re talking to you, WhiteHouse.gov!) use the technique counter to their own stated privacy policies. Yes, they’re lying to you. What a shock, eh?

The Electronic Frontier Foundation has developed a countermeasure called Privacy Badger and is asking people to help them test it. They also recommend Disconnect as another possible method.

Of course, we know by now that merely having privacy settings on your computer makes you suspect. And an unusual setup is itself a fingerprint: privacy add-ons, a non-standard browser, JavaScript turned off and so on all shrink the crowd you can hide in. (That is why the Tor Browser tries to make all its users look alike instead of letting each one tune it.)

Still … just one more thing to know about and beware of.

Geeks, please chime in if you have better info.

(H/T JG)

8 Comments

  1. mtn top patriot, July 23, 2014 1:09 pm

    We are all “domestic terrorists”.
    It is time to come in from the cold and embrace our proclaimed status as enemies of the state.
    What great company to be in if you ask me.

    F— the state and its actors.
    There is not even close to enough of the f—ing son of a bitches to do anything about a plurality of people who have had enough of their dictator bullshit.

    Up their arses!

    Up their lousy payroll patriot pervert arses!

    Right now right here I claim right to legitimacy the son of a bitches running things can only dream of.
    It’s my natural born birth right.
    They can classify me as a domestic terrorist or whatever stupid bullshit that fits their agenda and system of pogrom.
    I’m f—ing Spartacus in spades.
    There is a million guys and gals like me in this awesome republic.

    The facade and Kabuki theater of legitimacy, monopoly of power, and violence of the state and its actors is a fart in a hurricane to the sovereign nature of we the people.

    Truth be told there exists millions of Americans who understand, who in truth are armed to the teeth, with arms and the unstoppable resolve of just cause of defiance of tyranny, for the certain day when you self appointed “elites”, (how I despise that term for you are neither), leave good people with no recourse or redress against your self appointed rule over us.
    U want that?
    Are you so self destructive that you are willing to destroy everything rather than lose the illusion of power over those you look down upon?
    It is insanity what you “elites” impose.

  2. Keith, July 23, 2014 3:30 pm

    There is probably also a list for all those who are suspect – by virtue of their not appearing on any of the other lists.

  3. jed, July 23, 2014 9:08 pm

    Well, I suppose I shouldn’t be too smug about my ongoing policy of doing 99% of my web surfing with JavaScript disabled and no Flash plugin. The implication that NoScript defeats it implies that it uses JavaScript, but then the NoScript plugin also has flash blocking capability.

    Mostly repeat, but this ProPublica article has a link to a list of known sites using the technique. Except that it might be that some of those sites are unaware: one site in particular is mentioned as having stopped using AddThis upon learning of it. It’s slightly amusing that the list of known sites employing AddThis is heavily populated by providers of porn.

    I wonder how one would go about testing whether a plugin such as PrivacyBadger is actually working to block canvas fingerprinting. I can only speculate about looking for hidden elements, such as the nonsense text strings used, combined with capturing network traffic and looking for data packets associated with it — a daunting task without knowing specifically what to filter for.
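
One way to answer the testing question above, as an added example (an editor’s illustration, not code from the thread and not Privacy Badger’s own logic; the function names and the log format are my own): rather than hunting for hidden elements or filtering packets, wrap the read-back calls a fingerprinter has to make and see whether anything calls them.

```javascript
// Added example (editor's, not from the thread and not Privacy Badger's code): a
// monitor that wraps the canvas read-back calls and logs who made them. If a
// blocker is working, the log stays empty on the pages it protects.

// targets: [{ proto, method }]. Passed in explicitly so the same function can be
// exercised against stand-in objects where there is no DOM.
function installCanvasReadMonitor(targets, log = []) {
  for (const { proto, method } of targets) {
    const original = proto[method];
    if (typeof original !== 'function') continue; // e.g. toBlob missing in old browsers
    proto[method] = function (...args) {
      // The element is `this` for canvas methods and `this.canvas` for a 2D context.
      const el = this && this.canvas ? this.canvas : this;
      log.push({
        method,
        // Second frame up is the script that called us (format is engine-specific).
        caller: ((new Error().stack || '').split('\n')[2] || '<unknown>').trim(),
        // A canvas that was never attached to the document is a strong hint that the
        // pixels are being read for fingerprinting, not to export a visible drawing.
        offscreen: el && typeof el.isConnected === 'boolean' ? !el.isConnected : null,
        width: el && el.width,
        height: el && el.height,
      });
      return original.apply(this, args);
    };
  }
  return log;
}

// Summarise a log: how many reads, how many from off-screen canvases, which APIs.
function canvasReadSummary(log) {
  return {
    reads: log.length,
    offscreenReads: log.filter((e) => e.offscreen === true).length,
    methods: [...new Set(log.map((e) => e.method))].sort(),
  };
}

// In a browser, install before the page's own scripts run (from a user script, or
// at the top of a test page that loads the sharing widget afterwards).
if (typeof HTMLCanvasElement !== 'undefined') {
  const canvasReadLog = installCanvasReadMonitor([
    { proto: HTMLCanvasElement.prototype, method: 'toDataURL' },
    { proto: HTMLCanvasElement.prototype, method: 'toBlob' },
    { proto: CanvasRenderingContext2D.prototype, method: 'getImageData' },
  ]);
  window.canvasReadLog = canvasReadLog;
  // Later, from the console: canvasReadSummary(canvasReadLog)
}
```

An off-screen read followed within a second or so by a request to the tracker’s domain (the Network panel, filtered on that domain, is enough) is the pattern to look for. The monitor misses a script that runs before it is installed, reads via WebGL’s readPixels, or draws in a worker with OffscreenCanvas, and a script that compares toDataURL.toString() against the native function can notice the wrapper; it is a test harness, not a defence.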

  4. David, July 24, 2014 7:10 am

    To start, I’ll just say that everybody should assume all their internet traffic is monitored–and no, Tor doesn’t help unless used properly (or at all with this particular not-new problem). Nothing you can do will help, unless you (1) know all the techie details, and (2) also observe perfect operational security. At which point you’re probably mostly okay unless/until you get targeted personally, either deliberately or accidentally.

    I’ve been lambasted in the comment section before for saying this, but I’m going to do it one more time (and then step away; I won’t check for responses here): doing something to protect your privacy is NOT better than doing nothing, unless you go all the way to geeky crypto-anarchic virtuosity. Sorry about that. It is what it is.

    AddThis is -extremely- popular on blogs. I used it myself until I decided a while back to encrypt all my site’s traffic and drop all social media stuff. Basically, if you see a site with buttons for Facebook “Like” or G+ sharing or whatever…it’s often done via AddThis or a competitor. They provide scripts and plugins so site owners/contributors/designers don’t have to mess with the details. And then they sell access to your information.

    In fact there are very similar risks every time you go to a site with social media links/images whether the site uses AddThis or not. The code to make those things appear and work often comes from the social media sites. You think Facebook doesn’t know who you are or a lot about where you’ve been browsing just because you don’t have an account or aren’t logged in at the moment? They do, if they want to. Even if there’s no code running on a given site, guess which servers your browser requests the images from? Generally not the site serving up the web page you intended to peruse.

    People like to focus on the JavaScript stuff. But JS is not necessary for fingerprinting to work. And as Claire almost points out, disabling JS in fact makes you easier to identify than leaving it in place–because so few people make that choice. It’s a false sort of security that hides some information about the computer you’re using at the moment but makes it easier to unmask your name and address. Which is the choice NoScript users are typically making…depending on the circumstances and configuration details, but this is mostly true.

    The quick answer, if you want privacy, is to use the Tor Browser Bundle without installing any extensions to it (NOT just Tor) (really, NOT) and refrain from logging in to anything in the same session (or, better yet, from the same computer…or virtual machine) as anything you truly wish to be kept private. Tor has weaknesses too, and its choice of routes your data might take is NOT random. If you’re using Tor without the Bundle and without understanding its weaknesses, I applaud your effort but you’re easier to spy on than somebody who is just using a browser normally. I could probably spy on you myself, from anywhere in the world. I wouldn’t get perfect data, but I’d get a lot.

    If that’s too much of a hassle? You’re probably making the rational choice. I expect this stuff to get better in the reasonably near future, but right now privacy is both hard and inconvenient. Doesn’t matter that we don’t like it.

    Okay, one more time: doing “something” that’s incomplete, in this area, is NOT better than doing nothing. It’s very likely to make your traffic stand out. In fact it almost certainly already has. Either go whole hog (possibly including a couple of chained anonymously-purchased VPN connections along with the Tor Browser Bundle, or maybe Whonix), or forget it.

    No, this isn’t a defeatist attitude. I’m actually optimistic that the situation will change. It’s just reality. And it bugs the hell out of me when people who ought to know better start suggesting a single change or practice will protect your online privacy.

    In short: I recommend that you browse the internet just like everybody else does. You’re much less obvious that way. And don’t use it for anything private. At all. Or, you know, you can take your chances. (Which you’re doing anyway…using the intertoobz at all, even for innocuous stuff, is a lot like talking to the police: you’ve given information away that can be used against you, justly or otherwise.)

    I’ll go away now. Again.

  5. Laird, July 24, 2014 8:33 am

    I’m about as technologically unsophisticated as anyone you’re likely to meet, so I apologize in advance for anything unduly foolish which follows. I appreciate the point David made, and think he’s probably correct within certain parameters. However, it seems to me that we are talking here about two different types of “privacy”: privacy from the NSA and other governmental actors, and privacy in the commercial sphere. The “evercookie” seems to fall into the latter category.

    If I understand this correctly, AddThis is accumulating data on our internet activities and using it to compile a sort of profile, which it then sells to marketing companies and other commercial actors. That’s annoying, but not especially frightening and certainly not novel. (The only thing new is the apparent inability to defeat it as easily as ordinary cookies.) On the other hand, the NSA (et al) is collecting and archiving all sorts of information about us (including not only our internet search habits but also our emails and voicemails), which is frightening. It seems to me that David is addressing the latter issue, not the former. The core of his argument seems to be that unless you burrow so deep into the cyberweeds as to become essentially invisible (which is beyond the capabilities of most of us), using half-assed security measures will only draw attention to yourself and cause the government to target you more closely. I don’t dispute that. But if using Tor, or disabling JavaScript, or whatever, helps to minimize the commercial (i.e., non-governmental) threats to our privacy, even imperfectly, how is that a bad thing? It’s not going to defeat the NSA, but I don’t realistically hope to be able to accomplish that anyway. And surely everyone visiting this site knows that he is already on any number of “lists” anyway, so raising one more slightly pink little flag isn’t going to make much of a difference.

    Am I missing something here?

  6. jed, July 24, 2014 7:58 pm

    Yet another article. Different take on it:
    “… is sneaky but easy to halt”
    “As soon as you start talking about millions of users (e.g. if you want to track users across multiple websites) it is just too likely that different users will have exactly the same configuration and won’t be distinguishable by means of canvas fingerprinting”
    Which is what was going through my mind. In the digital realm, rendering an image on a monitor isn’t going to have the sort of variation being talked about, I don’t think. The various bits comprising the image itself will be either on or off, when using the same rendering algorithm. Some variation will occur in mapping it to a display, in terms of scaling to the dot pitch of the monitor. But consider how many people are using commodity PCs — same video card, same monitor, set to the same resolution. I will echo the doubt that this can be used to uniquely identify all computers. Perhaps combined with other information, but then if you have that other information, what does this technique add?

  7. jed, July 24, 2014 8:00 pm

    Oh, argh. Too much time spent using BBS markup quote tags. Obviously, I should’ve typed ‘blockquote’.

  8. Paul Bonneau, July 25, 2014 6:44 am

    [doing something to protect your privacy is NOT better than doing nothing, unless you go all the way to geeky crypto-anarchic virtuosity]

    I have to disagree. The way you get to “geeky crypto-anarchic virtuosity” is by doing something; one doesn’t make it to that level in one step. And the societal pressure to fight this is developed by people doing something, not by people being rational and giving up as you suggest.

    The answer is to do something, being aware at the same time that it is inadequate, and that there will always be an arms race for privacy.

    As to sticking out and being obvious, that’s always counter to privacy. Going out into the streets to protest a war is getting one’s name on a list. The war still has to be protested. Freedom is not for the faint of heart.

    BTW I looked on my noscript whitelist and found addthis. I deleted it, but I suspect the noscript model is lacking in a lot of ways. Oh, well, time for another escalation of the arms race…
