Researchers find a cookie that doesn't crumble
Can you be anonymous online? It seems there’s always a way of triangulating little nuggets of info by sifting through the ‘big data’ trails we all leave as we browse, register and buy across the net.
And even some of the little data trails. Here’s a case in point. Researchers at KU Leuven and Princeton University have found what they call a thus far undiscovered “cookie mechanism” - a malcookie. It seems that while you were furiously scrubbing as many cookies as you could (and still function online) from your system, the evil-doers were simply able to recognise your arrival on their website by pulling together your unique signature from your use of share buttons.
The mechanism is called “canvas fingerprinting”, and it uses the code that tells the browser how to render a website.
Say the researchers: “When a user visits a website with canvas fingerprinting software, a first script tells the user’s browser to print an invisible string of text on the browser’s canvas. Another script then instructs the browser to read back data about the pixels in the (invisibly) rendered image.
“This data contains important information about the user’s browser type, graphics card, system fonts and even display properties. Because this grouping of data is highly likely to be unique for each user, it can be reliably associated to individual users, like a fingerprint.”
With the fingerprint defined, the site can recognise the user on subsequent visits - just as if they were carrying a cookie. But while you can get rid of cookies you can’t scrub your canvas fingerprint.
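The write-then-read sequence the researchers describe can be spotted by logging canvas calls. The sketch below is an added example, not code from the researchers or from any site named here; the `instrument` and `flagFingerprinting` helpers, the stand-in canvas classes and the script names are all hypothetical, and how `scriptOf` attributes a call to a script is left as an assumption.

```javascript
// Added example: flag canvases where text is drawn and pixels are then read back.
// Canvas API method names are real; every other name here is hypothetical.
const WRITES = new Set(["fillText", "strokeText"]);
const READS = new Set(["toDataURL", "getImageData"]);

// Wrap the named methods on `proto` so each call is logged before it runs.
// canvasOf(this) identifies the canvas; scriptOf() names the calling script.
function instrument(proto, names, canvasOf, scriptOf, log) {
  for (const name of names) {
    const original = proto[name];
    proto[name] = function (...args) {
      log.push({ canvas: canvasOf(this), method: name, script: scriptOf() });
      return original.apply(this, args);
    };
  }
}

// Report each canvas once, at the first pixel read that follows a text write.
function flagFingerprinting(log) {
  const state = new Map();
  const flagged = [];
  for (const { canvas, method, script } of log) {
    const s = state.get(canvas) || { writers: new Set(), reported: false };
    state.set(canvas, s);
    if (WRITES.has(method)) s.writers.add(script);
    else if (READS.has(method) && s.writers.size > 0 && !s.reported) {
      s.reported = true;
      flagged.push({ canvas, writers: [...s.writers], reader: script });
    }
  }
  return flagged;
}

// Constructed stand-ins for a canvas and its 2D context, so this runs outside a browser.
function demo() {
  class Ctx { constructor(c) { this.canvas = c; } fillText() {} strokeText() {} getImageData() { return { data: [] }; } }
  class Canvas { constructor(id) { this.id = id; this.ctx = new Ctx(this); } toDataURL() { return "data:,"; } }
  const log = [];
  let current = "";
  instrument(Ctx.prototype, ["fillText", "strokeText", "getImageData"], (c) => c.canvas.id, () => current, log);
  instrument(Canvas.prototype, ["toDataURL"], (c) => c.id, () => current, log);
  const a = new Canvas("a"), b = new Canvas("b"), c = new Canvas("c");
  current = "widget-1.js"; a.ctx.fillText("probe", 2, 2);  // first script writes text
  current = "widget-2.js"; a.toDataURL();                  // second script reads pixels
  current = "chart.js"; b.ctx.fillText("Q1", 0, 0);        // writes text, never reads
  current = "thumb.js"; c.toDataURL();                     // reads, never wrote text
  return flagFingerprinting(log);
}
console.log(demo());
```

A flag is a lead rather than a verdict: a page that draws a labelled chart and exports it as an image produces the same call pattern.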
So that’s the theory. Is it being used? Of course it is. The researchers crawled the world’s top 100,000 websites and found that 5,542 (5 per cent) of them were using the technique.
The biggest user was a company called AddThis, the world’s largest content sharing platform. It provides free website plugins such as share buttons (ah-ha!) and it reaches an estimated 97.2 per cent of US Internet users.
So far there is no reliable way of opting out of canvas fingerprinting, since the opt-out tools offered by the likes of the European Interactive Digital Advertising Alliance don’t identify its use, say the researchers. It’s hoped that a bit of debate, naming and shaming will see better defences banged into place.