Approximately 5.5 percent of the top 100,000 websites fingerprint each of the computers that visit them, using a process called canvas fingerprinting that takes just a second to conduct. It's a practice the White House has taken an ambiguous stance against.
Websites ranging from WhiteHouse.gov to Starbucks.com are using the hard-to-shake tracking method to plot the movements of computers, according to a forthcoming study from researchers at KU Leuven and Princeton.
While canvas fingerprinting doesn't collect details on the individual user, it can chain together a history of a computer's visits to any website that's using the tracking method. That technique was one of three looked at in the study -- the others were the use of evercookies and the use of "cookie syncing" in conjunction with evercookies. Evercookies, which are designed to overcome the "shortcomings" of traditional tracking mechanisms, use storage vectors that may be more difficult for users to clear.
To accomplish canvas fingerprinting, websites using the tracking method task web browsers with drawing an image -- it happens fast and is hidden from the user. The way the browser renders the unseen image will be unique to the computer's hardware, hardware settings and software versions.
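A site operator or researcher can watch for this behavior from inside the page. The following is an added example, not code from the study or from AddThis: it wraps the canvas text-drawing and read-back methods and reports any canvas that has text drawn on it and is then read back. The function name `installCanvasMonitor`, the text-then-read-back heuristic, and the stand-in classes used so the demo runs outside a browser are assumptions of this example.

```javascript
// Added example: report canvases that receive text and are later read back,
// the draw-then-read pattern a fingerprinting script needs.
function installCanvasMonitor(canvasProto, contextProto, report) {
  const textDrawn = new WeakSet(); // canvases that have had text drawn on them

  for (const name of ["fillText", "strokeText"]) {
    const original = contextProto[name];
    contextProto[name] = function (...args) {
      if (this.canvas) textDrawn.add(this.canvas);
      return original.apply(this, args);
    };
  }

  const wrapReadBack = (proto, name, canvasOf) => {
    const original = proto[name];
    proto[name] = function (...args) {
      const canvas = canvasOf(this);
      if (canvas && textDrawn.has(canvas)) {
        // The stack trace identifies which script performed the read-back.
        report({ method: name, width: canvas.width, height: canvas.height,
                 stack: new Error().stack });
      }
      return original.apply(this, args);
    };
  };
  wrapReadBack(canvasProto, "toDataURL", (canvas) => canvas);
  wrapReadBack(contextProto, "getImageData", (ctx) => ctx.canvas);
}

// Constructed stand-ins for the browser canvas classes (demo only).
function demo() {
  class FakeContext {
    constructor(canvas) { this.canvas = canvas; }
    fillText() {}
    strokeText() {}
    getImageData() { return { data: [] }; }
  }
  class FakeCanvas {
    constructor() { this.width = 300; this.height = 150; this.ctx = new FakeContext(this); }
    getContext() { return this.ctx; }
    toDataURL() { return "data:image/png;base64,"; }
  }
  const events = [];
  installCanvasMonitor(FakeCanvas.prototype, FakeContext.prototype, (e) => events.push(e.method));
  new FakeCanvas().toDataURL();                      // no text drawn: not reported
  const probe = new FakeCanvas();
  probe.getContext("2d").fillText("constructed sample", 2, 15);
  probe.toDataURL();                                 // reported
  probe.getContext("2d").getImageData(0, 0, 1, 1);   // reported
  return events;
}
```

In a browser, call `installCanvasMonitor(HTMLCanvasElement.prototype, CanvasRenderingContext2D.prototype, console.warn)` before any third-party script loads.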
On its own, canvas fingerprinting will likely provide only minimal details about a computer and even less about its users. But when combined with other tracking technologies, some of which may still be undiscovered, canvas fingerprinting can be vital to profiling web users and uncovering details the individuals would rather keep private.
The KU Leuven and Princeton study found that the White House has been using a canvas fingerprinting script developed by AddThis, despite the governmental organization's equivocal position against such practices.
"Visitors can control aspects of website measurement and customization technologies used on WhiteHouse.gov and still have access to comparable information and services on WhiteHouse.gov," stated the White House's Cookie Policy. "You can choose not to accept cookies from any website, including WhiteHouse.gov, by changing the settings of your browser. You can also delete cookies stored in your browser at any time."
AddThis was among the third parties the White House listed as sites that could produce cookies for visitors of WhiteHouse.gov, though the White House Cookie Policy didn't explain that blocking the tracking script was nothing like refusing to accept traditional cookies. The canvas fingerprinting script, almost hidden in plain sight, appeared out of place in a list that included YouTube, Pinterest, Scribd, Twitter and other well-known websites.
AddThis had an "opt out" feature that stopped the delivery of relevant ads to fingerprinted computers, but did nothing to stop the tracking of computers that visit sites with the company's canvas fingerprinting script embedded.
"When you opt out, we will place an opt-out cookie on your computer," stated AddThis. "The opt-out cookie tells us not to use your information for delivering relevant online advertisements. Please note that if you delete, block, or otherwise restrict cookies, or if you use a different computer or Internet browser, you will need to renew your opt-out choice."
AddThis was said to be the most commonly used script for canvas fingerprinting, by far. AddThis was discovered on 95 percent of the 5,542 websites that employed the tracking tactic, while 20 other scripts were found on the remaining 5 percent, according to the study.