Cover Story

Online Tracking Gets Creepier

There’s a tracker that’s virtually impossible to block

Meet the Online Tracking Device that is Virtually Impossible to Block

ProPublica reporter Julia Angwin has been tracking the trackers that collect information about you online. Here is her latest report.

A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com (nsfw).

First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University, in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.

Like other tracking tools, canvas fingerprints are used to build profiles of users based on the websites they visit — profiles that shape which ads, news articles or other types of content are displayed to them.

But fingerprints are unusually hard to block: They can’t be prevented by using standard Web browser privacy settings or by using anti-tracking tools, such as AdBlock Plus.

The researchers found canvas fingerprinting computer code, primarily written by a company called AddThis, on 5 percent of the top 100,000 websites. Most of the code was on websites that use AddThis’ social media sharing tools. Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish. (A list of all the websites on which researchers found the code is HERE.)

Rich Harris, chief executive of AddThis, said that the company began testing canvas fingerprinting earlier this year as a way to replace “cookies,” the traditional way that users are tracked, via text files installed on their computers.

“We’re looking for a cookie alternative,” Harris said in an interview.

Harris said the company considered the privacy implications of canvas fingerprinting before launching the test, but decided “this is well within the rules and regulations and laws and policies that we have.”

He added that the company has used the data collected from canvas fingerprints only for internal research and development. The company won’t use the data for ad targeting or personalization if users install the AddThis opt-out cookie on their computers, he said.

Arvind Narayanan, the computer science professor who led the Princeton research team, countered that forcing users to take AddThis at its word about how their data will be used is “not the best privacy assurance.”

Device fingerprints rely on the fact that every computer is slightly different: Each contains different fonts, different software, different clock settings and other distinctive features. Computers automatically broadcast some of their attributes when they connect to another computer over the Internet.

Tracking companies have long sought to use those differences to uniquely identify devices for online advertising purposes, particularly as Web users are increasingly using ad-blocking software and deleting cookies.

In May 2012, researchers at the University of California, San Diego, noticed that a Web programming feature called “canvas” could allow for a new type of fingerprint by pulling in different attributes than a typical device fingerprint.

In June, the Tor Project added a feature to its privacy-protecting Web browser to notify users when a website attempts to use the canvas feature and sends a blank canvas image. But other Web browsers did not add notifications for canvas fingerprinting.

A year later, Russian programmer Valentin Vasilyev noticed the study and added a canvas feature to freely available fingerprint code that he had posted on the Internet. The code was immediately popular. But Vasilyev said that the company he was working for at the time decided against using the fingerprint technology.

“We collected several million fingerprints, but we decided against using them because accuracy was 90 percent,” he said, “and many of our customers were on mobile, and the fingerprinting doesn’t work well on mobile.”

Vasilyev added that he wasn’t worried about the privacy concerns of fingerprinting.

“The fingerprint itself is a number which in no way is related to a personality,” he said.

AddThis improved upon Vasilyev’s code by adding new tests and using the canvas to draw a pangram “Cwm fjordbank glyphs vext quiz” — a sentence that uses every letter of the alphabet at least once. This allows the company to capture slight variations in how each letter is displayed.
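The defence attributed to the Tor Project above (notify on canvas use, hand back a blank image) can be sketched as follows. This is an added example, not code from the article, the researchers, Tor or AddThis. `installCanvasGuard`, `FakeCanvas`, `FakeContext` and `simulateFingerprintScript` are hypothetical names, the fake classes are constructed stand-ins for the browser canvas API so the block runs under Node, and treating "text drawn, then image read back" as the trigger is an assumption.

```javascript
// Constructed stand-ins for the browser canvas API. In a browser, pass
// HTMLCanvasElement.prototype and CanvasRenderingContext2D.prototype instead.
class FakeContext {
  constructor(canvas) { this.canvas = canvas; }
  fillText(text, x, y) { this.canvas.pixels += `${text}@${x},${y};`; }
}
class FakeCanvas {
  constructor(deviceQuirk) { this.pixels = deviceQuirk; } // models per-device rendering
  getContext() { return new FakeContext(this); }
  toDataURL() {
    return 'data:image/png;base64,' + Buffer.from(this.pixels).toString('base64');
  }
}

const BLANK = 'data:,'; // what toDataURL yields for a canvas with no pixels

// Hypothetical guard: remembers which canvases had text drawn on them and,
// when such a canvas is read back, reports the event and returns a blank image.
function installCanvasGuard(canvasProto, contextProto, report) {
  const textDrawn = new WeakSet();
  const origFillText = contextProto.fillText;
  const origToDataURL = canvasProto.toDataURL;
  contextProto.fillText = function (...args) {
    textDrawn.add(this.canvas);
    return origFillText.apply(this, args);
  };
  canvasProto.toDataURL = function (...args) {
    if (textDrawn.has(this)) {
      report({ api: 'toDataURL', reason: 'image read back after text drawing' });
      return BLANK; // every device now yields the same value
    }
    return origToDataURL.apply(this, args); // untouched canvases behave normally
  };
  return function uninstall() {
    contextProto.fillText = origFillText;
    canvasProto.toDataURL = origToDataURL;
  };
}

// The pattern the guard watches for: draw the pangram, read the image back.
function simulateFingerprintScript(canvas) {
  canvas.getContext('2d').fillText('Cwm fjordbank glyphs vext quiz', 2, 15);
  return canvas.toDataURL();
}
```

Without the guard, two simulated devices return different images. With it installed, both return the same blank value and each read-back is reported.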

AddThis said it rolled out the feature to a small portion of the 13 million websites on which its technology appears, but is considering ending its test soon.

“It’s not uniquely identifying enough,” Harris said.

AddThis did not notify the websites on which the code was placed because “we conduct R&D projects in live environments to get the best results from testing,” according to a spokeswoman.

She added that the company does not use any of the data it collects — whether from canvas fingerprints or traditional cookie-based tracking — from government websites including WhiteHouse.gov for ad targeting or personalization.

The company offered no such assurances about data it routinely collects from visitors to other sites, such as YouPorn.com. YouPorn.com did not respond to inquiries from ProPublica about whether it was aware of AddThis’ test of canvas fingerprinting on its website.

Why Tracking Matters

The marketers that follow you around the Web are getting nosier.

Many companies track where users go on the Web — often through cookies — to display customized ads. That’s why if you look at a pair of shoes on one site, ads for those shoes may follow you around the Web.

But online marketers are increasingly seeking to track users offline, as well, by collecting data about people’s offline habits — such as recent purchases, where you live, how many kids you have, and what kind of car you drive.

Here’s how it works, according to some revealing marketing literature from LiveRamp, a digital marketing company.

•    A retailer — let’s call it “The Pricey Store” — collects the e-mail addresses of its high-spending customers. (Ever wonder why stores keep bugging you for your email at the checkout counter these days?)
•    The Pricey Store brings the list to LiveRamp, which locates the customers online when the customers use their email address to log into a website that has a relationship with LiveRamp. (The identity of these websites is a closely guarded secret.)
•    The website that has a relationship with LiveRamp then allows LiveRamp to “tag” the customers’ computer with a tracker.
•    When those high-spending customers arrive at PriceyStore.com, they see a version of the site customized to “show more expensive offerings to them.” (Yes, the marketing documents really say that.)

“Onboarding” is a term used to track people using their real names.

Tracking people using their real names — often called “onboarding” — is a hot trend in Silicon Valley. Twitter and Facebook have both started offering onboarding services allowing advertisers to find their customers online.

“The marriage of online and offline is the ad targeting of the last 10 years on steroids,” said Scott Howe, chief executive of Acxiom, a broker company, at a conference earlier this year.

In May, Acxiom — one of the country’s largest data brokers, which claims to have 3,000 data points on nearly every U.S. consumer — agreed to pay $310 million to purchase onboarding specialist LiveRamp. Acxiom and LiveRamp declined to comment for this article, citing the need to remain quiet until the acquisition is complete.

Companies that match the online and offline identities of people generally emphasize that the data is still anonymous because users’ actual names aren’t included in the cookie. But critics worry about the implications of allowing data brokers to profile every person who is connected to the Internet.

In May, the Federal Trade Commission reported that data brokers collected information on sensitive categories — such as whether an individual is pregnant, has a “diabetes interest,” is interested in a “Bible Lifestyle” or is “likely to seek a (credit-card) chargeback.”

Previously, data brokers primarily sold this data to marketers, who sent direct mail — aka “junk mail” — to your home. Now, they have found a new market: online marketing that can be targeted as precisely as junk mail.

Facebook’s History of Tracking You

For years, people have noticed a funny thing about Facebook’s ubiquitous Like button: It has been sending data to Facebook tracking the sites you visit. Each time details of the tracking were revealed, Facebook promised that it wasn’t using the data for any commercial purposes.

No longer. In June, Facebook announced it will start using its Like button and similar tools to track people across the Internet for advertising purposes.

Here is the long history of the revelations and Facebook’s denials:

Facebook’s Mark Zuckerberg introduces the “transformative” Like button …
April 21, 2010
Facebook introduces the “Like” button in 2010 at its developer conference. Facebook founder Mark Zuckerberg declares that it will be “the most transformative thing we’ve ever done for the Web.”

He says his goal is to encourage a Web where all products and services use people’s real identity. He suggests, in fact, that creating a personally identifiable web experience could be divine: “When you go to heaven, all of your friends are all there and everything is just the way you want it to be,” he says. “Together, let’s build a world that is that good.”

… Which sends data …
Nov. 30, 2010
Dutch researcher Arnold Roosendaal publishes a paper showing that Facebook Like buttons transmit data about users even when the user doesn’t click on the button. Facebook later says that Roosendaal found a “bug.”

… even when users don’t click on it.
May 18, 2011
The Wall Street Journal reports that Facebook Like buttons and other widgets collect data about users even when they don’t click them. Facebook’s chief technology officer says, “we don’t use them for tracking and they’re not intended for tracking.”

Internet pioneer says log out of Facebook …
Sept. 24, 2011
Veteran tech blogger Dave Winer writes that “Facebook is scaring me” with its apps like the social reader, which can automatically share stories you read. This “kind of behavior deserves a bad name, like phishing, or spam, or cyber-stalking,” he writes. Winer recommends that users log out of Facebook to prevent being tracked on other websites.

… Except logging out doesn’t work.
Sept. 25, 2011
Australian blogger Nik Cubrilovic writes that “Logging Out of Facebook is Not Enough.” He shows that Facebook is tracking users even when they log out of the site. Facebook responds that it is fixing the issue so people won’t be tracked when they are logged out of Facebook.

Facebook says not to worry …
Sept. 27, 2011
Facebook tells the New York Times that it doesn’t use data from Like buttons and other widgets to track users or target advertising to them, and that it deletes or anonymizes the data within 90 days.

Turns out Facebook has patented the technique
Oct. 1, 2011
Blogger Michael Arrington digs up a Facebook patent application for “a method for tracking information about the activities of users of a social networking system while on another domain.” The title of his blog post: “Brutal Dishonesty.”

But, really, don’t worry
Dec. 7, 2012
As the Wall Street Journal finds that Facebook Like buttons and other widgets appear on two-thirds of 900 websites surveyed, the company says again it uses data from unclicked Like buttons only for security purposes and to fix bugs in its software.

OK, worry
June 12, 2014
Facebook tells Ad Age that it will start tracking users across the Internet using its widgets such as the Like button.

It’s a bold move. Twitter and Pinterest, which track people with their Tweet and PinIt buttons, offer users the ability to opt out. And Google has pledged it will not combine data from its ad-tracking network DoubleClick with personally identifiable data without users’ opt-in consent. Facebook does not offer an opt-out in its privacy settings.

Instead Facebook asks members to visit an ad industry page, where they can opt out from targeted advertising from Facebook and other companies. The company also says it will let people view and adjust the types of ads they see.

Update
June 19, 2014
Facebook got back to ProPublica to say it has not yet rolled out this type of tracking and that, at first, it will be used only on mobile devices. It also points out that it will not share information about users’ Web browsing habits directly with advertisers, but will use the data to help advertisers pinpoint ads.
