Propublica has a piece on canvas fingerprinting done by the ad service that uses the trojan horse of sharing buttons, AddThis: Meet the Online Tracking Device That is Virtually Impossible to Block. Regardless of the usefulness of this particular technique, which seems to not be effective enough to stick around, services like AddThis and ShareThis will always spy on and tag your audience when you use their widgets, and you should avoid them if you care about that sort of thing. That’s why we put sharing buttons into Jetpack that are much more privacy (and performance) friendly.

13 thoughts on “Canvas Fingerprinting & AddThis

  1. Matt,

    Interesting, but I need the sharing metrics that ShareThis offers. Are you going to be offering social sharing metrics tools to WordPress.com stats? If I abandon ShareThis, that’s what I’m going to need.

    Also, ShareThis isn’t mentioned in the article. Are you sure it’s both services, not just AddThis?

    1. We could look into metrics, also many of the services (FB, Twitter) have pretty good built-in analytics now, though of course not cross-service. I’ll keep that in mind next time we loop back on stats.

      ShareThis is not in the article, and to my knowledge doesn’t use this technique, but their business model is the same — get the widgets on a ton of pages and make money from selling your audience data to third parties. From what I understand Clearspring/AddThis is a much larger business, so just more prominent.

      ShareThis is worth avoiding as well because of their history with the WP community: Alex King open sourced the “share” icon under the LGPL, GPL, BSD, and Creative Commons (basically everything). ShareThis later bought some of Alex’s IP and now uses the share icon as their logo, they tried to un-open-source it and began using legal threats to try and put the cat back in the bag for people who had already adopted it. See this page, and where the “Share Icon Project web site” (shareicons.com) now redirects to

      http://alexking.org/projects/share-icon

      It basically says how you can’t actually use the icon for anything that doesn’t support their commercial enterprise — super sketchy, and makes me question the moral compass of the entire enterprise.

      1. Thanks, Matt. I didn’t realize that Alex King sold the IP and that it’s graduated to this level. Thank for you enlightening me and I’ll start to make the appropriate adjustments with my clients to start moving toward using JetPack’s social sharing tools. Yes, I can certainly get analytics from Twitter and Facebook as well as employing SproutSocial or something like that, I’m sure. The other issue I have with ShareThis is that only clicking on their share icon opens a lightbox, while all the other buttons do not. And, they have yet to employ lazy loading, I believe. So, I’m going to be switching it out and going forward with JetPack. I’ll mention all of this at the next WordPress Chapel Hill, which I organize, in August, and let the WordPress Raleigh and Asheville camps know as well. I live in Asheville now and we just had the first WordCamp Asheville, which sold out the first year. :)

  2. I’ve gone back to using plain old html links and using css to style them as buttons.

    You didn’t mention Shareaholic. I’ve used their social analytics tool in the past to track social sharing services used by my readers . You don’t need to add their buttons to use it. I will admit, I don’t know their policies regarding what data they collect on their end and how it is used.

  3. I’ve had a look into this fingerprinting and actually the use by AddThis isn’t really spying on you as a person but rather a machine you use – it isn’t user specific but machine specific, and judging by what I’ve looked at actually many machines will end up with the same fingerprint (unless they are geeky and have a bunch of addons which change things like how fonts render) this fingerprinting doesn’t send headers for website requests which would include those browser exstensions and make it unique (when combines by machine info). AddThis is collecting machine info only with this fingerprinting, yes its a privacy worry as is all tracking (but its if JetPack stats tells you which browsers are being used to surf a website, or what OS – same idea).

    1. I don’t think the canvas thing is specific enough to stick around as an identifier, but regardless they’re correlating this with other unique identifiers they develop and building a profile of you as you go throughout the web, and using that to target advertising. As they say on their “What We Do” page, “Our data goes beyond following, liking & pinning […] AddThis audiences are modeled from across 1.7B unique users worldwide […] Consumers are engaging with your brand off-domain. Being able to find and reach them can help drive a successful campaign.”

  4. Well, I think that whether or not you feel social sharing buttons are “spying” depends on whether or not you like the idea that they make it easier for you to share using YOUR favorite apps and not just the ones that the site has programmed by default. Besides, given the proliferation of tracking on the web, it’s a fact of life now that your Internet footprint is publicly available. As long as they’re not getting my financial or personal information, I have no problem with them tracking my visits. It is all done toward making the user’s experience resonate at a personal level, IMO.

  5. Shared with WordPress Chapel Hill and Asheville WordPress Meetup Group. Tweeted out as well. Thanks for the heads up. Already removed from netmix.com and removing from other sites. Will notify WordPress NYC and WordPress Raleigh. The JetPack implementation is elegant and nicely configured, so not a big sea change. Looks good upon implementation and hopefully that will speed up my sites in my networks.

  6. There needs to be open alternatives to these buttons on which other people could build analytics and more.

    We built http://subtome.com with that open ness in mind. It’s fully “offline” in a way that once the files are loaded once from the subtome.com domain, everything will be loaded from your local browser.

Comments are closed.