White House Website Includes Unique Non-Cookie Tracker, Conflicts With Privacy Policy

Yesterday, ProPublica reported on new research by a team at KU Leuven and Princeton on canvas fingerprinting. One of the most intrusive users of the technology is a company called AddThis, who by are employing it in “shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.” Canvas fingerprinting allows sites to get even more identifying information than we had previously warned about with our Panopticlick fingerprinting experiment.

Canvas fingerprinting exploits the fact that different browsers have slightly different algorithms, parameters, and hardware for turning text into pictures on your screen (or more specifically, into an HTML 5 canvas object that the tracker can read1). According to the research by Gunes Acar, et al., AddThis draws a hidden image containing the unusual phrase “Cwm fjordbank glyphs vext quiz” and observed the way the pixels would turn out differently on different systems.

While YouPorn quickly removed AddThis after the report was published, the White House website still contains AddThis code. Some White House pages obviously include the AddThis button, such as the White House Blog, and a link to the AddThis privacy policy.

Other pages, like the White House’s own Privacy Policy, load javascript from AddThis, but do not otherwise indicate that AddThis is present. To pick the most ironic example, if you go to the page for the White House policy for third-party cookies, it loads the “addthis_widget.js.” This script, in turn, references “core143.js,” which has a “canvas” function and the tell-tale “Cwm fjordbank glyphs vext quiz” phrase.

more

https://www.eff.org/deeplinks/2014/07/white-house-website-includes-unique-non-cookie-tracker-despite-privacy-policy