Jessica Binsch
BERLIN (dpa) – The Internet has become a battleground between users, who mostly want their privacy, and website owners, who want to find out as many details as possible about those visiting, so they can trot out the one ad most likely to grab eyeballs.
Predictably, the latest industry attempt to ferret out more data has prompted a backlash. The tactic is called canvas fingerprinting and was recently exposed by scientists from Belgium and the United States. It is already operating on thousands of popular websites, gathering data and picking out ads. It apparently works even if the user has attempted to block tracking by refusing to allow cookies.
Indeed, canvas fingerprinting is almost impossible to disable, noted the team backing Gunes Acar, a researcher at the University of Leuven in Belgium.
“This suggests that even sophisticated users face great difficulties in evading tracking techniques,” reads the report, “The Web Never Forgets: Persistent tracking mechanisms in the wild”. Canvas fingerprinting came to light after research on more than 5,000 websites, including pornography sites, some operated by the US government and German news sites. All were gathering digital fingerprints.
Some websites reacted immediately. After US site ProPublica reported on the research results, it removed the technology from its web pages.
German IT news agency Golem wrote: “We’ve taken every measure to ensure that this technology is no longer used at Golem.de.” The site said it had not been aware the technology was in use on its site and attributed its presence to an advertising marketing service.
But the case highlights a dilemma for website operators. Advertisers want to know everything they can about visitors. Different ads are targeted at different people, with the differences starting as soon as the site confirms if the user is a man or a woman. And that kind of targeted advertising is key to financing many websites.
But a lot of Internet users are not comfortable with the idea that information about them, their computer and their surfing behaviour is being gathered in the background the whole time they are online. To that end, many people block cookies, tiny files used by advertisers and websites that recognise repeat visitors to a site.
“That’s why the advertising industry considered what kind of alternatives it could develop,” said software designer Henning Tillmann, who researched tracking mechanisms as part of his university thesis.
Fingerprinting is one of those new options. It stores information about the browser and the computer, which creates a surprisingly specific set of data, says Tillmann.
People install a wide range of software, add-ons or fonts onto their devices, he notes. “As soon as a Star Wars fan downloads a Star Wars font, the computer is pretty unique.” And that’s how a digital fingerprint is created.
The designers of canvas fingerprinting put that to use, generating a graphic in the browser with a variety of different letters. Every computer does this slightly differently from every other, making it unique and recognisable.
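As an added illustration (not part of the original article or the Leuven report), the sketch below shows how a page's scripts can be monitored for the behaviour just described: text drawn onto a canvas and the resulting image then read back. The rule it applies is a simple heuristic assumed for this example, and `watchCanvas`, `demo` and the mock classes are hypothetical names; `fillText`, `strokeText` and `toDataURL` are the standard browser canvas calls.

```javascript
// Wrap canvas-like prototypes and report when a canvas that has had text
// drawn on it is read back as an image. In a browser, pass
// HTMLCanvasElement.prototype and CanvasRenderingContext2D.prototype.
function watchCanvas(canvasProto, ctxProto, report) {
  const textDrawn = new WeakMap(); // canvas -> strings drawn on it

  for (const name of ['fillText', 'strokeText']) {
    const original = ctxProto[name];
    ctxProto[name] = function (text, ...rest) {
      const seen = textDrawn.get(this.canvas) || [];
      seen.push(String(text));
      textDrawn.set(this.canvas, seen);
      return original.call(this, text, ...rest);
    };
  }

  const originalToDataURL = canvasProto.toDataURL;
  canvasProto.toDataURL = function (...args) {
    const seen = textDrawn.get(this);
    if (seen) report({ api: 'toDataURL', text: seen.slice() });
    return originalToDataURL.apply(this, args);
  };
}

// Constructed stand-ins for the browser classes so the example runs in Node.
function demo() {
  class MockContext {
    constructor(canvas) { this.canvas = canvas; }
    fillText() {}
    strokeText() {}
  }
  class MockCanvas {
    getContext() { return this.ctx || (this.ctx = new MockContext(this)); }
    toDataURL() { return 'data:image/png;base64,'; }
  }
  const events = [];
  watchCanvas(MockCanvas.prototype, MockContext.prototype, (e) => events.push(e));

  const plain = new MockCanvas(); // read back without any text: not reported
  plain.toDataURL();
  const probe = new MockCanvas(); // text drawn, then read back: reported
  probe.getContext('2d').fillText('constructed sample text', 2, 15);
  probe.toDataURL();
  return events;
}

console.log(demo());
```

A canvas that is read back without any text having been drawn on it is not reported, which keeps ordinary image handling out of the results.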
Researchers had described the technique as far back as 2012. But its widespread use has only recently been reported. More than five per cent of 100,000 regularly visited websites now use it, according to the Leuven report.
However, the data is generally not gathered by the website operator, but by the firm AddThis, which programmes website buttons, the kind people use to share information on social media.
Clicking on AddThis’ offerings shows dozens of online networks designed to help exchange content. Most website operators didn’t know AddThis technology had been installed on their site, the company told ProPublica.
Ligatus, a German company, also has data-gathering code that was found on 115 of the reviewed websites. The Cologne-based company said it was only using fingerprinting for testing purposes and that data gathered was being deleted.
However, the code was not always removed at the end of the testing period and not every website operator was told about the experiment.
“Our big mistake was that … we didn’t tell the websites with which we cooperate about this test,” said Ligatus chief Lars Hasselbach. “As a rule, we use neither fingerprinting nor cookie tracking,” he assured.
A lot of other companies are different, he added, noting that fingerprinting is “almost an industry standard in online marketing”.