by Nathan Reitinger
Strange Bedfellows: Fingerprinting Phenomena…or state.gov versus facebook.com
A knee-jerk reaction might be to pick state.gov — given Zuckerberg’s consistency in drumming up uncannily accurate advertisements and state.gov’s seemingly innocuous purpose. Or you may feel like this is simply a “choice of evils” and, when backed into a corner, you’d be forced pick the website operated by the government. Hey, at least it’s something you, in some unknown, tenuous way, cast a vote on, right?
Still others might want to know what should the metric for trust be. Is this a test of who better safeguards my secrets (haveibeenpwned) or who is more likely to view me as a dollar figure (and wait, how high is that dollar figure)? And still others may try to dig deeper and define “trust” from a colloquial vantage: what does this website do without telling me?
And here, quite surprisingly, we find a likeness.
But first, a bit of background…
Out of the many ways to “track” visits to websites — why is it that I’m seeing advertisements for TVs after searching for them on Amazon, oh wait that’s actually a really good deal [click click click] — the best are those that you don’t have to get users’ consent for. Because let’s face it, if someone asks you to “accept” a cookie or terms of service, you will. Trust me, I said “no” one time and got kicked back to google.
But the key here, at least in terms of trust, is knowledge. You are now, in some way shape or form, aware of succumbing to whatever you just agreed to. Hopefully you don’t have to give up your eldest child like you did last time, but for the most part you’ve just agreed that no matter what happens on the website you are visiting, none of it was ‘their’ fault.
…got caught for cheating on your wife because of a website breach — no fault
…being harassed over and over again because your stalker keeps using a fake profile of you to send hoards of randos to your place of work — no fault
To avoid this possibly-sticky knowledge issue, website builders may prefer to use more secretive techniques like fingerprinting to identify users, in a similar way that cookies identify users.
Okay another backup — what actually is a cookie? A cookie is like a secret password you give out to the members of your secret club. No one gets through the door without the secret password, but instead of using just one password, you give each member their own special password. So you know Bob’s password is “periwinkle” and you also know that “periwinkle” has been used seventy times in the last month; woah, Bob, you should probably take a break from the club.
In a similar way, fingerprinting is like gathering details about Bob without needing to use his special password tally. Try this one:
He’s a tad…heavyset. Not on the skinny side, but on the rather large side. Also he’s kind of Orange, with white-ish circles around his eyes. His hair is a yellowish blonde. His hair doesn’t look that real. Then his face, wrinkly.
You may have guessed this is Trump, but a “guess” wouldn’t be good enough for a website owner. Instead, you need lots and lots of unique details so you can definitively say “I know that’s Trump, it couldn’t be anyone else.”
Proof’s in the Pudding
So what does this all have to do with state.gov, facebook.com, and professor Narayanan’s tweet? Well, all three websites currently* use fingerprinting techniques to check you out.
Flattered as you may be, it’s a bit strange that a company who values you at $7.37 and a website representing our Department of State, #diplomacyinaction, are using the same sneaky means of identification. But I digress, how did I figure this out?
I built a Google Chrome Extension hunting for a very particular technique used in fingerprinting (i.e., canvas fingerprinting). I ran the extension in a Selenium web-scrape and pulled in data on approximately half a million websites, creating a database of fingerprinting attempts. My Chrome extension is essentially the same type of Chrome extension the researcher Günes Acar used to identify the fingerprinting on ftc.gov, (he used CanvasFingerprintBlock).
Here’s a relative SQL query displaying facebook’s use of canvas fingerprinting:
The string in the left-hand column is base64 encoded, but I turned it back into an image to see what it looks like, shown with the arrow.
Here’s another for state.gov:
As it turns out, Facebook’s use of an emoji reveal lots of unique details about the user — like having someone pahk the cah in Hahvahd Yahd. So too do the words printed by ForeSee, an analytics company, though Mr. Jock, TV quiz Ph-D, bags few lynx! would have been better because it is a not-quite-but-pretty-close perfect pangram.
Either way, both the emoji and oddly-shadowed ForeSee text were requested to be drawn by your computer — without telling you about it — and both provide a lot of unique detail about who you are. A sneaky form of fingerprinting.
And state.gov is not Alone!
There are actually 304 websites in my database that use the same ‘ForSee’ image to extract uniqueness from users. Moreover, many of them use the .gov top level domain — so it looks like foresee has a good ‘in’ with government-based websites.
So what you’re saying is…
Maybe we shouldn’t trust either website when talking about our privacy.
In conclusion, here’s the full list of websites using this one particular canvas image — but note, the scape occurred over the summer of 2018, so some of the websites may have updated since that time. If you want to reproduce these results yourself, use Chrome with the CanvasFingerprintBlock** extension and head on over to the listed URLs.
* as of February 15, 2019, it looks like ftc.gov’s version of ForeSee’s codebase no longer triggers a canvas fingerprint action. However, this does not displace the fact that ForeSee continues to use the technique on other government websites like state.gov and uscourts.gov, and the fact that ftc.gov had used this practice in the past.
** my home-grown version of the Chrome extension varies slightly from CanvasFingerprintBlock so your mileage may vary. If you really want to go fishing, open up the inspector in Chrome and search for