Are they brain-dead at ProPublica?
Posted by Acorlin
Today Bruce Schneier wrote a shocking post in his blog, in plain and clear words:
- https://www.schneier.com/blog/archives/2014/07/fingerprinting_.html
(highlighting by me)
[*quote*]
————————————————–
Schneier on Security
Fingerprinting Computers By Making Them Draw Images
Here’s a new way (https://securehomes.esat.kuleuven.be/~gacar/persistent/index.html) to identify individual computers over the Internet. The page instructs the browser to draw an image. Because each computer draws the image slightly differently, this can be used to uniquely identify each computer. This is a big deal, because there’s no way to block this right now.
Article:
http://www.propublica.org/article/meet-the-online-tracking-device-that-is-virtually-impossible-to-block
Posted on July 21, 2014 at 3:34 PM
————————————————–
[*/quote*]
That’s it. Plain and simple. Now let us look at the text at ProPublica:
- http://www.propublica.org/article/meet-the-online-tracking-device-that-is-virtually-impossible-to-block
(highlighting by me)
[*quote*]
————————————————–
Meet the Online Tracking Device That is Virtually Impossible to Block
A new kind of tracking tool, canvas fingerprinting, is being used to follow visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.
by Julia Angwin
ProPublica, July 21, 2014, 9 a.m.
This is part of an ongoing investigation:
Surveillance
ProPublica investigates the threats to privacy in an era of cellphones, data mining and cyberwar.
Update: A YouPorn.com spokesperson said that the website was “completely unaware that AddThis contained a tracking software that had the potential to jeopardize the privacy of our users.” After this article was published, YouPorn removed AddThis technology from its website.
This story was co-published with Mashable.
A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.
First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.
Like other tracking tools, canvas fingerprints are used to build profiles of users based on the websites they visit — profiles that shape which ads, news articles, or other types of content are displayed to them.
But fingerprints are unusually hard to block: They can’t be prevented by using standard Web browser privacy settings or using anti-tracking tools such as AdBlock Plus.
The researchers found canvas fingerprinting computer code, primarily written by a company called AddThis, on 5 percent of the top 100,000 websites. Most of the code was on websites that use AddThis’ social media sharing tools. Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish. (A list of all the websites on which researchers found the code is here: https://securehomes.esat.kuleuven.be/~gacar/sticky/index.html).
Rich Harris, chief executive of AddThis, said that the company began testing canvas fingerprinting earlier this year as a possible way to replace “cookies,” the traditional way that users are tracked, via text files installed on their computers.
“We’re looking for a cookie alternative,” Harris said in an interview.
Harris said the company considered the privacy implications of canvas fingerprinting before launching the test, but decided “this is well within the rules and regulations and laws and policies that we have.”
He added that the company has only used the data collected from canvas fingerprints for internal research and development. The company won’t use the data for ad targeting or personalization if users install the AddThis opt-out cookie on their computers, he said.
Arvind Narayanan, the computer science professor who led the Princeton research team, countered that forcing users to take AddThis at its word about how their data will be used, is “not the best privacy assurance.”
Device fingerprints rely on the fact that every computer is slightly different: Each contains different fonts, different software, different clock settings and other distinctive features. Computers automatically broadcast some of their attributes when they connect to another computer over the Internet.
Tracking companies have long sought to use those differences to uniquely identify devices for online advertising purposes, particularly as Web users are increasingly using ad-blocking software and deleting cookies.
In May 2012, researchers at the University of California, San Diego, noticed that a Web programming feature called “canvas” could allow for a new type of fingerprint — by pulling in different attributes than a typical device fingerprint.
How You Can Try to Thwart Canvas Fingerprinting:
- Use the Tor browser (Warning: can be slow)
- Block JavaScript from loading in your browser (Warning: breaks a lot of web sites)
- Use NoScript browser extension to block JavaScript from known fingerprinters such as AddThis (Warning: requires a lot of research and decision-making)
- Try the experimental browser extension Chameleon that is designed to block fingerprinting (Warning: only recommended for tech-savvy users at this point)
- Install opt-out cookies from known fingerprinters such as AddThis (Warning: fingerprint will likely still be collected, companies simply pledge not to use the data for ad targeting or personalization)
In June, the Tor Project added a feature to its privacy-protecting Web browser to notify users when a website attempts to use the canvas feature and sends a blank canvas image. But other Web browsers did not add notifications for canvas fingerprinting.
A year later, Russian programmer Valentin Vasilyev noticed the study and added a canvas feature to freely available fingerprint code that he had posted on the Internet. The code was immediately popular.
But Vasilyev said that the company he was working for at the time decided against using the fingerprint technology. “We collected several million fingerprints but we decided against using them because accuracy was 90 percent,” he said, “and many of our customers were on mobile and the fingerprinting doesn’t work well on mobile.”
Vasilyev added that he wasn’t worried about the privacy concerns of fingerprinting. “The fingerprint itself is a number which in no way is related to a personality,” he said.
AddThis improved upon Vasilyev’s code by adding new tests and using the canvas to draw a pangram “Cwm fjordbank glyphs vext quiz” — a sentence that uses every letter of the alphabet at least once. This allows the company to capture slight variations in how each letter is displayed.
AddThis said it rolled out the feature to a small portion of the 13 million websites on which its technology appears, but is considering ending its test soon. “It’s not uniquely identifying enough,” Harris said.
AddThis did not notify the websites on which the code was placed because “we conduct R&D projects in live environments to get the best results from testing,” according to a spokeswoman.
She added that the company does not use any of the data it collects — whether from canvas fingerprints or traditional cookie-based tracking — from government websites including WhiteHouse.gov for ad targeting or personalization.
The company offered no such assurances about data it routinely collects from visitors to other sites, such as YouPorn.com. YouPorn.com did not respond to inquiries from ProPublica about whether it was aware of AddThis’ test of canvas fingerprinting on its website.
Julia Angwin
Julia Angwin is a senior reporter at ProPublica. From 2000 to 2013, she was a reporter at The Wall Street Journal, where she led a privacy investigative team that was a finalist for a Pulitzer Prize in Explanatory Reporting in 2011 and won a Gerald Loeb Award in 2010.
————————————————–
[*/quote*]
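The Tor Browser behaviour described in the quoted article (notify the user when a site reads the canvas, and hand back a blank image) can be expressed as a readback guard. This is an added example, not code from this post, ProPublica or the Tor Project; `installCanvasGuard`, `fakeCanvasApi` and the `quirk` field are hypothetical names, and the fake canvas classes are constructed stand-ins so the block runs outside a browser.

```javascript
// Added example, not Tor Browser's code. In a browser the two prototypes would be
// HTMLCanvasElement.prototype and CanvasRenderingContext2D.prototype.
function installCanvasGuard(canvasProto, ctxProto, { isAllowed, notify, makeBlank }) {
  const textDrawn = new WeakSet(); // canvases that had text rendered onto them
  const origFillText = ctxProto.fillText;
  const origToDataURL = canvasProto.toDataURL;

  ctxProto.fillText = function (...args) {
    textDrawn.add(this.canvas);
    return origFillText.apply(this, args);
  };
  canvasProto.toDataURL = function (...args) {
    if (isAllowed()) return origToDataURL.apply(this, args);
    // Report the attempt, then answer with the pixels of an untouched canvas of
    // the same size, so the caller learns nothing machine-specific.
    notify({ api: 'toDataURL', width: this.width, height: this.height,
             textDrawn: textDrawn.has(this) });
    return origToDataURL.apply(makeBlank(this.width, this.height), args);
  };
}

// Constructed stand-ins for the browser canvas API so the block runs in Node.
function fakeCanvasApi() {
  class FakeContext {
    constructor(canvas) { this.canvas = canvas; }
    fillText(text, x, y) { this.canvas.ops.push(['fillText', text, x, y]); }
  }
  class FakeCanvas {
    constructor(width, height, quirk = '') {
      // quirk models per-machine font and GPU rendering differences
      Object.assign(this, { width, height, quirk, ops: [] });
    }
    getContext() { return new FakeContext(this); }
    toDataURL() {
      // The output is machine-dependent only once something has been drawn.
      const body = JSON.stringify([this.width, this.height, this.ops,
                                   this.ops.length ? this.quirk : '']);
      return 'data:image/png;base64,' + Buffer.from(body).toString('base64');
    }
  }
  return { FakeCanvas, FakeContext };
}

// Run the same drawing script on two simulated machines, before and after the guard.
function demo() {
  const { FakeCanvas, FakeContext } = fakeCanvasApi();
  const readback = (quirk) => {
    const canvas = new FakeCanvas(300, 60, quirk);
    canvas.getContext('2d').fillText('Cwm fjordbank glyphs vext quiz', 2, 15);
    return canvas.toDataURL();
  };
  const before = [readback('machine-A'), readback('machine-B')];
  const alerts = [];
  installCanvasGuard(FakeCanvas.prototype, FakeContext.prototype, {
    isAllowed: () => false, // user has not granted this site canvas access
    notify: (event) => alerts.push(event),
    makeBlank: (w, h) => new FakeCanvas(w, h),
  });
  const after = [readback('machine-A'), readback('machine-B')];
  return { before, after, alerts };
}
```

Without the guard the two simulated machines return different readbacks; with it both receive the same blank-canvas data and each attempt is reported through `notify`.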
Tracking is evil. Okay, we know.
Now we look at the policies of ProPublica.
- http://www.propublica.org/about/steal-our-stories
(highlighting by me)
[*quote*]
————————————————–
Steal Our Stories
Unless otherwise noted, you can republish our articles and graphics for free. Here’s what you need to know:
You can’t edit our material, except to reflect relative changes in time, location and editorial style. (For example, “yesterday” can be changed to “last week,” and “Portland, Ore.” to “Portland” or “here.”)
If you’re republishing online, you have to link to us and to include all of the links from our story, as well as our PixelPing tag.
You can’t sell our material separately.
It’s okay to put our stories on pages with ads, but not ads specifically sold against our stories. You can’t state or imply that donations to your organization support ProPublica’s work.
You can’t republish our material wholesale, or automatically; you need to select stories to be republished individually. You can’t use our work to populate a web site designed to improve rankings on search engines, or solely to gain revenue from network-based advertisements.
You cannot republish our photographs or illustrations without specific permission (ask our Communications Director Nicole Collins Bronzan if you’d like to).
Any web site our stories appear on must include a prominent and effective way to contact you.
You have to credit us — ideally in the byline. We prefer “Author Name, ProPublica.”
We do not generally permit translation of our stories into another language.
Note that you can grab HTML code for our stories easily. Click on the “Republish” button on the left sidebar of every story.
We’re licensed under Creative Commons, which provides the legal details. If you have questions, contact our president, Richard Tofel.
————————————————–
[*/quote*]
“We’re licensed under Creative Commons”. Oh, really? How about the “PixelPing tag”? Let’s see:
- http://www.propublica.org/about/pixelping
(highlighting by me)
[*quote*]
————————————————–
PixelPing
What is it?
ProPublica’s PixelPing is a small snippet of javascript code that we’re asking all of our partners to paste into stories we publish together to let us know how well our story is doing.
Why are you doing this?
Our mission is to effect real change through investigative journalism. One of the ways we do this is by providing world-class reporting free of charge to news outlets with large, influential audiences.
An important piece of information we need in return is a sense of the size of the audience our stories reach on our partners’ web sites. PixelPing is simply an efficient way of getting basic page-view statistics quickly.
How does it work?
PixelPing functions much like Google Analytics, Tacoda, Quantcast, and other beacons—only much more simply. All you have to do is copy and paste the following line of code anywhere in the body of the article we’re co-publishing in your website’s content management system—if possible, somewhere close to the top of the story.
<script type="text/javascript" src="http://pixel.propublica.org/pixel.js" async="true"></script>
What will my users see?
Nothing. This will not affect your web page layout at all.
What does it track?
Quite simply, it only counts the number of page views to the story on which the code appears. It doesn’t count unique visitors. It also doesn’t count anything on pages other than the one on which you loaded it.
Who will see the data?
We will hold the page view data PixelPing collects as confidential, and we will not share it with outsiders, period.
Does this violate my privacy policy?
We’re keenly aware of how seriously all of our partners take the privacy of their users. PixelPing does not attempt to track anything at all about visitors—neither individually nor in the aggregate—nor does it attempt to set or read any cookies.
Will it slow down my page or break my web pages?
No. We’ve tested our code extensively. Our code is designed to deal with heavy loads, and it’s designed to “fail gracefully,” meaning that even if our servers are overloaded or down, your web page will not be “blocked,” or prevented from loading. The javascript code on your page will always take precedence over PixelPing.
Who can I contact with questions about it?
Call Scott Klein, our Editor of News Applications at 917-512-0205 or e-mail him at scott.klein@propublica.org.
————————————————–
[*/quote*]
Tracking is spying, and spying is evil.
We do know that.
But that is not all. The plain text of the ProPublica article is about 9093 Bytes in size. But, no, that is NOT what you download onto your computer to read that web-page. This is a list of what is stored (at least in the RAM of your PC) when the browser accesses that very web-page
http://www.propublica.org/article/meet-the-online-tracking-device-that-is-virtually-impossible-to-block
Files list:
[*quote*]
--------------------------------------------------
10848 140717_ap_frack_water_TX_300x200-220x147.jpg
14164 140717_gt_patient_illo_300x200-220x147.jpg
77537 20140720-canvas-tracking-630x420.jpg
8547 20140720-drug-payment-errors-300x200-220x147.jpg
1575 ads
1514 ads_002
1291 ads_003
332 ads_004
1133 ads_005
330 ads_006
168376 all_002.js
240121 all.js
336 alternatives
24490 analytics.js
529 article_pages.js
1714 beacons.js
216776 behemoth.css
2304 btn.js
1253 button3.js
1960 cc-logo-30x30gray.png
18106 chartbeat.js
12151 client.js
239 count-data.js
98228 d.css
252 downArrow.png
44128 embed.js
3024 fb_anon_50x50.png
266995 fonts_002.css
818627 fonts.css
16520 get
200 google_ads_boot.js
1035 google_ads.js
40520 gpt.js
42601 gtm.js
23956 hml8xqy.js
1589 icn-footer-commons.png
1264 icn-search.png
604 icon-fb-top-nav_002.png
604 icon-fb-top-nav.png
4153 icon-mail-28.png
765 icon-tw-top-nav.png
3711 in.js
3429 istock_cellphone_map_140x140_120816-70x70.jpg
28063 lightgl.js
21211 loader.js
309044 margarita.css
25376 muckreads-briefing-300_5-220x147.png
163769 nonSecureAnonymousFramework
44139 osd.js
40588 outbrain.js
1454 pocket-logo-30x30-gray.png
9378 ppfp2.js
24731 print-2011.css
89642 pubads_impl_44.js
4188 ss-social.js
11773 ss-standard.js
780 telephoneline.html
667 typekit.js
99152 widgets.js
260771 woland.css
a_data:
total 904
3100 avatar92_002.jpg
2386 avatar92_003.jpg
5356 avatar92_004.jpg
1547 avatar92_005.jpg
4709 avatar92_006.jpg
1941 avatar92_007.jpg
1547 avatar92_008.jpg
4322 avatar92_009.jpg
3392 avatar92.jpg
262371 common.js
2050 config.js
30481 discovery.css
67737 discovery.js
39 event_002.js
40 event_003.js
40 event.js
40219 ga.js
247634 lounge_002.js
151961 lounge.css
20112 lounge.js
1083 noavatar92_002.png
1644 noavatar92.png
button3_data:
total 272
2541 blog_snoo.png
13130 button.js
91342 jquery.js
153768 reddit.css
button_data:
total 12
3045 button.css
2309 button.js
1262 shared.js
comScore_data:
total 4
1900 beacon.js
follow_button_data:
total 4
235 info.js
like_box_data:
total 320
1632 1017427_10203469917295163_236486091_n.jpg
45711 10409080_10152590133149445_4917190480511645048_n.png
1781 10462526_10152200185590893_7053101618144386478_n.jpg
11163 10476274_10152590336794445_4839032174365312900_n.jpg
1035 10501749_10152531274399445_2641136824263975971_n.jpg
1274 1173778_10201114396436529_500688041_n.jpg
1278 1922174_1386034441669544_1502972313_n.jpg
1548 262386_113398238864171_404739224_n.jpg
1567 300049_2415469462690_970759569_n.jpg
1432 35009_4709402008728_176015776_n.jpg
1658 394084_2536124019943_257728864_n.jpg
1407 470_10151385422193542_1237461544_n.jpg
1700 576259_429920833702654_50965550_n.jpg
522 GsNJNwuI-UM.gif
11919 safe_image.jpeg
196732 sh9-faBNTLB.js
login_button_data:
total 380
374060 e1Gxr4mnnN5.js
1056 iqVGY7gYXlg.gif
348 teE39sffXW8.png
tweet_button_data:
total 4
156 count.js
--------------------------------------------------
[*/quote*]
In total: 8 directories, 123 files, 5 MegaBytes.
The plain article text is a mere 9093 Bytes. The web-page one must load is 560 times as large.
9093 Bytes, that is about 4 pages of text on typewriter paper sized A4. 5 MegaBytes is roughly 2240 pages. ProPublica bloats the web-pages, jams the lines, pours Javashit junk into their readers’ computers.
Is that journalism?
I say: NO!
And, not to forget the PixelPing tag: to track the readers.
The NSA is attacked because of spying. But that is their job.
The media (see the article!) commit INTENSIVE spying on all of us.
That is not their job.
It is a crime.

