What do the White House and YouPorn have in common? Their websites both use canvas fingerprinting, a newer form of online tracking designed to make it hard to hide. ProPublica investigated the pervasive shadowing method, developed as an insidious alternative to cookies so websites can keep tabs on where their visitors browse online. [Update: YouPorn has removed AddThis upon learning about canvas fingerprinting. Good job, YouPorn!]


The Princeton and KU Leuven University researchers who first uncovered canvas fingerprinting titled their paper about it "The Web Never Forgets," and estimate that 5 percent of the top 100,000 websites use this method to trace user movements online, including Whitehouse.gov, Perez Hilton, PlentyOfFish, Rap Genius, CBS, and yep, YouPorn.

So how does it work?

Canvas fingerprinting gets its name because it instructs web browsers to draw a hidden image, and each computer produces a slightly different, unique image. Like a fingerprint. A creepy fingerprint that wants to follow you online.


Once your browser draws the hidden picture, the information is relayed to the website. It uses your unique image to assign a number to your computer and develop a user profile to better sell targeted ads. Canvas fingerprinting was invented in 2012, and a company called AddThis developed code used in 95 percent of the cases.
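
The same draw-then-read-back pattern is what gives a fingerprinting script away. The JavaScript below is an added example (not code from ProPublica, the researchers, or AddThis) that flags scripts in a log of canvas API calls which draw text and then read the pixels back; the log format, thresholds, and script URLs are assumptions constructed for illustration.

```javascript
// Added example, not code from the article or any tracker. The call-log
// format, thresholds and script URLs are assumptions made for illustration.
const WRITES = new Set(["fillText", "strokeText"]);
const READS = new Set(["toDataURL", "getImageData"]);
const MIN_SIDE = 16;           // assumed: tiny canvases carry too little detail
const MIN_DISTINCT_CHARS = 10; // assumed: short strings are usually UI labels

// calls: [{ script, canvas, width, height, method, text? }] in call order.
// Returns Map(script -> [reason, ...]) for scripts that draw text, then read it back.
function findCanvasFingerprinters(calls) {
  const drawn = new Map();   // "script|canvas" -> Set of characters drawn so far
  const flagged = new Map();
  for (const c of calls) {
    const key = `${c.script}|${c.canvas}`;
    if (!drawn.has(key)) drawn.set(key, new Set());
    const chars = drawn.get(key);
    if (WRITES.has(c.method)) {
      for (const ch of String(c.text ?? "")) chars.add(ch);
    } else if (READS.has(c.method)) {
      const bigEnough = c.width >= MIN_SIDE && c.height >= MIN_SIDE;
      if (bigEnough && chars.size >= MIN_DISTINCT_CHARS) {
        const reasons = flagged.get(c.script) ?? [];
        reasons.push(`${c.method} on ${c.width}x${c.height} canvas after drawing ${chars.size} distinct characters`);
        flagged.set(c.script, reasons);
      }
    }
  }
  return flagged;
}

// Constructed call log: one tracker-like script and three benign ones.
const SAMPLE_CALLS = [
  // Draws a long mixed string on a hidden canvas, then serialises the pixels.
  { script: "https://tracker.example/widget.js", canvas: 1, width: 300, height: 60, method: "fillText", text: "Sample pangram, 0123456789 <canvas>" },
  { script: "https://tracker.example/widget.js", canvas: 1, width: 300, height: 60, method: "toDataURL" },
  // Chart library: draws short labels and never reads the canvas back.
  { script: "https://site.example/chart.js", canvas: 2, width: 640, height: 480, method: "fillText", text: "Q1" },
  { script: "https://site.example/chart.js", canvas: 2, width: 640, height: 480, method: "fillText", text: "Q2" },
  // Photo editor: reads pixels back but drew no text.
  { script: "https://site.example/editor.js", canvas: 3, width: 800, height: 600, method: "getImageData" },
  // Emoji support probe: one glyph on a tiny canvas, then a read.
  { script: "https://site.example/emoji.js", canvas: 4, width: 12, height: 12, method: "fillText", text: "\u{1F600}" },
  { script: "https://site.example/emoji.js", canvas: 4, width: 12, height: 12, method: "getImageData" },
];

for (const [script, reasons] of findCanvasFingerprinters(SAMPLE_CALLS)) {
  console.log(script, reasons);
}
```

In a browser, a log like this can be collected by wrapping the `fillText`, `strokeText`, `toDataURL` and `getImageData` methods before page scripts run.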

Don't want to get fingerprinted?

Canvas fingerprinting is an especially sinister form of online tracking because you can't use AdBlock Plus or your standard web browser privacy settings to get around it. Incognito mode is no match for canvas fingerprinting, which is bad news for everyone trying to keep their porn viewing habits on the DL by clicking the Incognito button. They know what you've seen.

If you want to avoid canvas fingerprinting, ProPublica pointed out a few methods. You can use the Tor network to go online anonymously and avoid all sorts of tracking. You can use NoScript, a Firefox web extension, to counter tracking, although you'll have to look up which sites are kosher each time you want to unblock Java or another script they run, which will be both time-consuming and not entirely certain. There's a website that lists all of the top sites currently using canvas fingerprinting, so you could check sites against that, but it may not be updated frequently enough to catch new offenders.

You can also download Chameleon, a browser designed to avoid this kind of tracking, but it's still a low-key experiment, and not very user-friendly unless you're comfortable setting stuff up from GitHub. Another option: blocking JavaScript from your browser altogether. That's going to seriously mess up your experience on a lot of websites, so I don't recommend doing that.


As many readers have pointed out, you can also install the Electronic Frontier Foundation's Privacy Badger browser extension, which I do recommend, because the EFF is excellent. It can't track fingerprinting every time, but it will help limit your exposure.

If you've accepted your fate as The Tracked but don't want the data used for ad targeting and profile building, you can manually sign up for opt-outs from the businesses doing the tracking. AddThis would be the big one, since it does most of the known fingerprinting.


It's both telling and disturbing that the only real work-arounds are inconvenient and incomplete. But until someone finds a way to step up and stop it, at least you can know which sites are violating the little privacy you have left online. [ProPublica]