In May 2012, researchers at the University of California, San Diego, noticed that a Web programming feature called "canvas" could allow for a new type of fingerprint — by pulling in different attributes than a typical device fingerprint.
In June, the Tor Project added a feature to its privacy-protecting Web browser that notifies users when a website attempts to use the canvas feature and sends the website a blank canvas image. But other Web browsers did not add notifications for canvas fingerprinting.
A year later, Russian programmer Valentin Vasilyev noticed the study and added a canvas feature to freely available fingerprint code that he had posted on the Internet. The code was immediately popular.
But Vasilyev said that the company he was working for at the time decided against using the fingerprint technology. "We collected several million fingerprints but we decided against using them because accuracy was 90 percent," he said, "and many of our customers were on mobile and the fingerprinting doesn't work well on mobile."
Vasilyev added that he wasn't worried about the privacy concerns of fingerprinting. "The fingerprint itself is a number which in no way is related to a personality," he said.
AddThis improved upon Vasilyev's code by adding new tests and using the canvas to draw a pangram "Cwm fjordbank glyphs vext quiz" — a sentence that uses every letter of the alphabet at least once. This allows the company to capture slight variations in how each letter is displayed.
AddThis said it rolled out the feature to a small portion of the 13 million websites on which its technology appears, but is considering ending its test soon. "It's not uniquely identifying enough," Harris said.
AddThis did not notify the websites on which the code was placed because "we conduct R&D projects in live environments to get the best results from testing," according to a spokeswoman.
She added that the company does not use any of the data it collects — whether from canvas fingerprints or traditional cookie-based tracking — from government websites including WhiteHouse.gov for ad targeting or personalization.
The company offered no such assurances about data it routinely collects from visitors to other sites, such as YouPorn.com. YouPorn.com did not respond to inquiries from ProPublica about whether it was aware of AddThis' test of canvas fingerprinting on its website.