Re: [CODE4LIB] Canvas Fingerprinting by AddThis
On 8/14/14 4:32 PM, William Denton wrote: On 14 August 2014, Eric Hellman wrote: Another approach is Tor, both spreading the word about it and how to use it properly, and also about running relays and exit nodes on the Tor network. I run a relay myself, and encourage others to do so. Institutions like libraries and universities should be running them---we have the bandwidth and computing power and instituional heft---and I wonder if anyone here is doing that are their work. Tor is a good thing, and I use it myself occasionally (more to add to the user pool and make personal identification harder than for anything else), but it won't completely stop canvas fingerprinting. I believe Tor blocks the WebGL API, which helps, but a certain amount of fingerprinting can be done using the W3C Canvas API, which is still allowed through. I've just posted a technical summary of canvas fingerprinting to my File Formats Blog: http://fileformats.wordpress.com/2014/08/15/canvasfp/ -- Gary McGath, Professional Software Developer http://www.garymcgath.com
Re: [CODE4LIB] Canvas Fingerprinting by AddThis
On 08/13/2014 05:08 PM, William Denton wrote: On 13 August 2014, Karen Coyle wrote: *ps - I had a great cookie manager for a while, but it's no longer around. Cookie control in browsers actually was easier a decade ago - they've obviously been discouraged from including that software. If anyone knows of a good cookie program or plugin, I'd like to hear about it. I use Cookie Monster [0] and like it. Related: on my work box I'm trying out the EFF's Privacy Badger [1], which I hope will be a success. At home I use Disconnect [2], which blocks entire domains. It's great for cutting out cookies and junk like AddThis, but cripes, I hadn't realized how many people pull in Javascript libraries from Google or Yahoo. That's a harder way of tracking to avoid. +1 on EFF Privacy Badger. I have used Xombrero[0] browser for a while which has most of these concerns `built-in` and not as an add-on. I will be the first to say the browser requires a Vi state of mind to use that trips all but the most seasoned Vi (possibly ed ;-) users. Cheers, ./fxk [0] https://opensource.conformal.com/wiki/xombrero -- Bank error in your favor. Collect $200.
Re: [CODE4LIB] Canvas Fingerprinting by AddThis
http://www.addthis.com/privacy/opt-out Is this satire?
Re: [CODE4LIB] Canvas Fingerprinting by AddThis
If you click on the opt-out button, we reserve the right to sell your data, and where permitted, your body and/or soul, to entities targeting luddites, losers and resistors of the inevitable. On Thu, Aug 14, 2014 at 7:18 AM, Keith Jenkins k...@cornell.edu wrote: http://www.addthis.com/privacy/opt-out Is this satire? -- Cary Gordon The Cherry Hill Company http://chillco.com
Re: [CODE4LIB] Canvas Fingerprinting by AddThis
Bill (others), are you running PrivacyBadger alongside AdBlock? I'm concerned about the confluence of decisions there, although tempted to try anyway. Thanks, kc On 8/13/14, 2:08 PM, William Denton wrote: On 13 August 2014, Karen Coyle wrote: *ps - I had a great cookie manager for a while, but it's no longer around. Cookie control in browsers actually was easier a decade ago - they've obviously been discouraged from including that software. If anyone knows of a good cookie program or plugin, I'd like to hear about it. I use Cookie Monster [0] and like it. Related: on my work box I'm trying out the EFF's Privacy Badger [1], which I hope will be a success. At home I use Disconnect [2], which blocks entire domains. It's great for cutting out cookies and junk like AddThis, but cripes, I hadn't realized how many people pull in Javascript libraries from Google or Yahoo. That's a harder way of tracking to avoid. Bill [0] https://addons.mozilla.org/en-US/firefox/addon/cookie-monster/ [1] https://www.eff.org/privacybadger [2] https://disconnect.me/disconnect -- Karen Coyle kco...@kcoyle.net http://kcoyle.net m: +1-510-435-8234 skype: kcoylenet/+1-510-984-3600
Re: [CODE4LIB] Canvas Fingerprinting by AddThis
On 14 August 2014, Karen Coyle wrote: Bill (others), are you running PrivacyBadger alongside AdBlock? I'm concerned about the confluence of decisions there, although tempted to try anyway. I am---Adblock Plus, that is. Haven't noticed any problems (or ads!) or missing content. They seem to get along fine. Bill -- William Denton ↔ Toronto, Canada ↔ http://www.miskatonic.org/
Re: [CODE4LIB] Canvas Fingerprinting by AddThis
I must say I'm surprised that most of the response to libraries are letting advertisers track patrons as they browse their catalogs is discussion of privacy condomware. Perhaps I've missed something? On Aug 14, 2014, at 1:39 PM, Karen Coyle li...@kcoyle.net wrote: Bill (others), are you running PrivacyBadger alongside AdBlock? I'm concerned about the confluence of decisions there, although tempted to try anyway. Thanks, kc On 8/13/14, 2:08 PM, William Denton wrote: On 13 August 2014, Karen Coyle wrote: *ps - I had a great cookie manager for a while, but it's no longer around. Cookie control in browsers actually was easier a decade ago - they've obviously been discouraged from including that software. If anyone knows of a good cookie program or plugin, I'd like to hear about it. I use Cookie Monster [0] and like it. Related: on my work box I'm trying out the EFF's Privacy Badger [1], which I hope will be a success. At home I use Disconnect [2], which blocks entire domains. It's great for cutting out cookies and junk like AddThis, but cripes, I hadn't realized how many people pull in Javascript libraries from Google or Yahoo. That's a harder way of tracking to avoid. Bill [0] https://addons.mozilla.org/en-US/firefox/addon/cookie-monster/ [1] https://www.eff.org/privacybadger [2] https://disconnect.me/disconnect -- Karen Coyle kco...@kcoyle.net http://kcoyle.net m: +1-510-435-8234 skype: kcoylenet/+1-510-984-3600
Re: [CODE4LIB] Canvas Fingerprinting by AddThis
Unfortuantly there isn't much we can do besides (a) not use the site, (b) remove it from the site, or (c) contact the site owner and get them to remove it (unlikely). So we are stuck with our virtual condoms until a better solution is thought up. :( Riley Childs RileyChilds.net +1 (704) 497-2086 -Original Message- From: Code for Libraries [mailto:CODE4LIB@LISTSERV.ND.EDU] On Behalf Of Eric Hellman Sent: Thursday, August 14, 2014 2:31 PM To: CODE4LIB@LISTSERV.ND.EDU Subject: Re: [CODE4LIB] Canvas Fingerprinting by AddThis I must say I'm surprised that most of the response to libraries are letting advertisers track patrons as they browse their catalogs is discussion of privacy condomware. Perhaps I've missed something? On Aug 14, 2014, at 1:39 PM, Karen Coyle li...@kcoyle.net wrote: Bill (others), are you running PrivacyBadger alongside AdBlock? I'm concerned about the confluence of decisions there, although tempted to try anyway. Thanks, kc On 8/13/14, 2:08 PM, William Denton wrote: On 13 August 2014, Karen Coyle wrote: *ps - I had a great cookie manager for a while, but it's no longer around. Cookie control in browsers actually was easier a decade ago - they've obviously been discouraged from including that software. If anyone knows of a good cookie program or plugin, I'd like to hear about it. I use Cookie Monster [0] and like it. Related: on my work box I'm trying out the EFF's Privacy Badger [1], which I hope will be a success. At home I use Disconnect [2], which blocks entire domains. It's great for cutting out cookies and junk like AddThis, but cripes, I hadn't realized how many people pull in Javascript libraries from Google or Yahoo. That's a harder way of tracking to avoid. Bill [0] https://addons.mozilla.org/en-US/firefox/addon/cookie-monster/ [1] https://www.eff.org/privacybadger [2] https://disconnect.me/disconnect -- Karen Coyle kco...@kcoyle.net http://kcoyle.net m: +1-510-435-8234 skype: kcoylenet/+1-510-984-3600
Re: [CODE4LIB] Canvas Fingerprinting by AddThis
I agree. What was prompted as a discussion of protecting one's patrons has turned into a discussion of protecting oneself. Joshua Gomez Library Systems Programmer University of Southern California From: Code for Libraries CODE4LIB@LISTSERV.ND.EDU on behalf of Eric Hellman e...@hellman.net Sent: Thursday, August 14, 2014 11:30 AM To: CODE4LIB@LISTSERV.ND.EDU Subject: Re: [CODE4LIB] Canvas Fingerprinting by AddThis I must say I'm surprised that most of the response to libraries are letting advertisers track patrons as they browse their catalogs is discussion of privacy condomware. Perhaps I've missed something? On Aug 14, 2014, at 1:39 PM, Karen Coyle li...@kcoyle.net wrote: Bill (others), are you running PrivacyBadger alongside AdBlock? I'm concerned about the confluence of decisions there, although tempted to try anyway. Thanks, kc On 8/13/14, 2:08 PM, William Denton wrote: On 13 August 2014, Karen Coyle wrote: *ps - I had a great cookie manager for a while, but it's no longer around. Cookie control in browsers actually was easier a decade ago - they've obviously been discouraged from including that software. If anyone knows of a good cookie program or plugin, I'd like to hear about it. I use Cookie Monster [0] and like it. Related: on my work box I'm trying out the EFF's Privacy Badger [1], which I hope will be a success. At home I use Disconnect [2], which blocks entire domains. It's great for cutting out cookies and junk like AddThis, but cripes, I hadn't realized how many people pull in Javascript libraries from Google or Yahoo. That's a harder way of tracking to avoid. Bill [0] https://addons.mozilla.org/en-US/firefox/addon/cookie-monster/ [1] https://www.eff.org/privacybadger [2] https://disconnect.me/disconnect -- Karen Coyle kco...@kcoyle.net http://kcoyle.net m: +1-510-435-8234 skype: kcoylenet/+1-510-984-3600
Re: [CODE4LIB] Canvas Fingerprinting by AddThis
On 14 August 2014, Eric Hellman wrote: I must say I'm surprised that most of the response to libraries are letting advertisers track patrons as they browse their catalogs is discussion of privacy condomware. Perhaps I've missed something? Indeed no, that's how this thread went. But it's relevant, because though we should make our own sites private and secure, we should also help people use the web privately and securely everywhere, and extensions like this do that. At the university where I work Google Analytics is the standard, and we use it on the library's web site. There's probably no way around that---but we can tell people how to block the tracking, which will help them locally (ironically) and everwhere else. (I use Piwik at home, and like it, but moving to that here would be a long-term project, only partly for technical reasons.) I know it doesn't make a lot of sense for some people in institutions to work to defeat what co-workers are doing, but I think there will be a lot of that around privacy---some people blocking tracking that marketers want to use, for example---for some time to come. Another approach is Tor, both spreading the word about it and how to use it properly, and also about running relays and exit nodes on the Tor network. I run a relay myself, and encourage others to do so. Institutions like libraries and universities should be running them---we have the bandwidth and computing power and instituional heft---and I wonder if anyone here is doing that are their work. Bill -- William Denton ↔ Toronto, Canada ↔ http://www.miskatonic.org/
Re: [CODE4LIB] Canvas Fingerprinting by AddThis
BTW, EBSCOhost (used in a few libraries, I think) has AddThis widgets. I suppose if you use their API you could avoid that. -- Jeff Karlsen Librarian Library Department Chair Sacramento City College 916-558-2583 www.scc.losrios.edu/library -Original Message- From: Code for Libraries [mailto:CODE4LIB@LISTSERV.ND.EDU] On Behalf Of Joshua Nathan Gomez Sent: Thursday, August 14, 2014 11:55 AM To: CODE4LIB@LISTSERV.ND.EDU Subject: Re: [CODE4LIB] Canvas Fingerprinting by AddThis I agree. What was prompted as a discussion of protecting one's patrons has turned into a discussion of protecting oneself. Joshua Gomez Library Systems Programmer University of Southern California From: Code for Libraries CODE4LIB@LISTSERV.ND.EDU on behalf of Eric Hellman e...@hellman.net Sent: Thursday, August 14, 2014 11:30 AM To: CODE4LIB@LISTSERV.ND.EDU Subject: Re: [CODE4LIB] Canvas Fingerprinting by AddThis I must say I'm surprised that most of the response to libraries are letting advertisers track patrons as they browse their catalogs is discussion of privacy condomware. Perhaps I've missed something? On Aug 14, 2014, at 1:39 PM, Karen Coyle li...@kcoyle.net wrote: Bill (others), are you running PrivacyBadger alongside AdBlock? I'm concerned about the confluence of decisions there, although tempted to try anyway. Thanks, kc On 8/13/14, 2:08 PM, William Denton wrote: On 13 August 2014, Karen Coyle wrote: *ps - I had a great cookie manager for a while, but it's no longer around. Cookie control in browsers actually was easier a decade ago - they've obviously been discouraged from including that software. If anyone knows of a good cookie program or plugin, I'd like to hear about it. I use Cookie Monster [0] and like it. Related: on my work box I'm trying out the EFF's Privacy Badger [1], which I hope will be a success. At home I use Disconnect [2], which blocks entire domains. It's great for cutting out cookies and junk like AddThis, but cripes, I hadn't realized how many people pull in Javascript libraries from Google or Yahoo. That's a harder way of tracking to avoid. Bill [0] https://addons.mozilla.org/en-US/firefox/addon/cookie-monster/ [1] https://www.eff.org/privacybadger [2] https://disconnect.me/disconnect -- Karen Coyle kco...@kcoyle.net http://kcoyle.net m: +1-510-435-8234 skype: kcoylenet/+1-510-984-3600
Re: [CODE4LIB] Canvas Fingerprinting by AddThis
To Eric, thank you for bringing this to our attention. I passed the info along to my coworkers and a discussion about the AddThis widget in our CONTENTdm instance is now on the agenda for our next weekly meeting. To Bill, I think a workshop on setting up a Tor relay/node at a library would be an excellent addition to the next code4lib conference in February. Joshua Gomez Library Systems Programmer University of Southern California From: Code for Libraries CODE4LIB@LISTSERV.ND.EDU on behalf of William Denton w...@pobox.com Sent: Thursday, August 14, 2014 1:32 PM To: CODE4LIB@LISTSERV.ND.EDU Subject: Re: [CODE4LIB] Canvas Fingerprinting by AddThis On 14 August 2014, Eric Hellman wrote: I must say I'm surprised that most of the response to libraries are letting advertisers track patrons as they browse their catalogs is discussion of privacy condomware. Perhaps I've missed something? Indeed no, that's how this thread went. But it's relevant, because though we should make our own sites private and secure, we should also help people use the web privately and securely everywhere, and extensions like this do that. At the university where I work Google Analytics is the standard, and we use it on the library's web site. There's probably no way around that---but we can tell people how to block the tracking, which will help them locally (ironically) and everwhere else. (I use Piwik at home, and like it, but moving to that here would be a long-term project, only partly for technical reasons.) I know it doesn't make a lot of sense for some people in institutions to work to defeat what co-workers are doing, but I think there will be a lot of that around privacy---some people blocking tracking that marketers want to use, for example---for some time to come. Another approach is Tor, both spreading the word about it and how to use it properly, and also about running relays and exit nodes on the Tor network. I run a relay myself, and encourage others to do so. Institutions like libraries and universities should be running them---we have the bandwidth and computing power and instituional heft---and I wonder if anyone here is doing that are their work. Bill -- William Denton ↔ Toronto, Canada ↔ http://www.miskatonic.org/
[CODE4LIB] Canvas Fingerprinting by AddThis
It seems that Code4Lib hasn't discussed this., though the news is 2 weeks old. It seems that there are libraries using social share tools from AddThis, a company that has been using a technology called Canvas Fingerprinting to track users. In other words, it looks like libraries are giving away the user-privacy store. For example, AddThis is used by my public library's Polaris catalog (BCCLS). I'd be interested to learn how widespread this is. Here's the article from ProPublica. http://www.propublica.org/article/meet-the-online-tracking-device-that-is-virtually-impossible-to-block And a follow-on discussion from Princeton CITP https://freedom-to-tinker.com/blog/englehardt/the-hidden-perils-of-cookie-syncing/ The research article: https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf Techdirt: https://www.techdirt.com/articles/20140721/14523127960/tons-sites-including-whitehousegov-experiment-with-tracking-technology-that-is-difficult-to-block.shtml Eric Eric Hellman President, Gluejar.Inc. Founder, Unglue.it https://unglue.it/ http://go-to-hellman.blogspot.com/ twitter: @gluejar
Re: [CODE4LIB] Canvas Fingerprinting by AddThis
I think this would bother me more if I thought that there were a significant number of users who either do not use cookies at all, or who had some kind of effective cookie manager. I suspect that the actual number is very close to zero, in the .n range at best.* I have a problem with libraries using social media at all, actually, since it has turned out to be such a privacy disaster. When I go to what I think of as a benign site (my local library, DPLA, EFF!) and see that they've got a FB page that gathers likes it just chills me. I realize that all of these organizations need to maintain a level of visibility, and Facebook or Tumblr or whatever is a way to do that. However, there is no use of social media that can be argued as being privacy-neutral. It's a dilemma, I know. But I hate to see libraries and others seemingly promoting its use. As for web use, only Tor, and perhaps not even Tor, can give you something close to anonymity (except, perhaps, with the NSA). But it requires certain tech chops and an effort way beyond that of clearing out your cookies now and again, something that most people do not do. kc *ps - I had a great cookie manager for a while, but it's no longer around. Cookie control in browsers actually was easier a decade ago - they've obviously been discouraged from including that software. If anyone knows of a good cookie program or plugin, I'd like to hear about it. On 8/13/14, 10:22 AM, Eric Hellman wrote: It seems that Code4Lib hasn't discussed this., though the news is 2 weeks old. It seems that there are libraries using social share tools from AddThis, a company that has been using a technology called Canvas Fingerprinting to track users. In other words, it looks like libraries are giving away the user-privacy store. For example, AddThis is used by my public library's Polaris catalog (BCCLS). I'd be interested to learn how widespread this is. Here's the article from ProPublica. http://www.propublica.org/article/meet-the-online-tracking-device-that-is-virtually-impossible-to-block And a follow-on discussion from Princeton CITP https://freedom-to-tinker.com/blog/englehardt/the-hidden-perils-of-cookie-syncing/ The research article: https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf Techdirt: https://www.techdirt.com/articles/20140721/14523127960/tons-sites-including-whitehousegov-experiment-with-tracking-technology-that-is-difficult-to-block.shtml Eric Eric Hellman President, Gluejar.Inc. Founder, Unglue.it https://unglue.it/ http://go-to-hellman.blogspot.com/ twitter: @gluejar -- Karen Coyle kco...@kcoyle.net http://kcoyle.net m: +1-510-435-8234 skype: kcoylenet/+1-510-984-3600
Re: [CODE4LIB] Canvas Fingerprinting by AddThis
On 8/13/14 1:22 PM, Eric Hellman wrote: It seems that Code4Lib hasn't discussed this., though the news is 2 weeks old. It seems that there are libraries using social share tools from AddThis, a company that has been using a technology called Canvas Fingerprinting to track users. In other words, it looks like libraries are giving away the user-privacy store. For example, AddThis is used by my public library's Polaris catalog (BCCLS). I'd be interested to learn how widespread this is. It's pretty widespread in general, but I don't know how many libraries are using it, or why. It's a concern regardless of absolute numbers, because it targets people who are concerned about being tracked and have taken steps to make cookies less effective. (For example, I discard cookies at the end of each browser session, making long-term tracking ineffective.) It isn't virtually impossible to block; mapping addthis.com on the client computer to 127.0.0.1 (using /etc/hosts on Linux and Unix machines) does a nice job of it. But anyone who uses it really is betraying the user's trust. -- Gary McGath, Professional Software Developer http://www.garymcgath.com
Re: [CODE4LIB] Canvas Fingerprinting by AddThis
Interesting thread, AddThis is certainly everywhere (5 percent of the top 100,000 websites--ProPublica), often in contrast to an organization's stated privacy policies. Here's three examples of use within OCLC and their products: http://oclc.org/research/people/follow.html ContentDM: http://www.contentdm.org/help6/custom/configure9.asp WorldCat.org: http://www.worldcat.org/title/jazz/oclc/25048293referer=brief_results For kicks I just did a Google Advanced search for AddThis limited to the .edu domain, wow. What is the alternative for libraries looking to promote their services out into the polluted ocean of the internet where everyone else is swimming? --Jimmy On Wed, Aug 13, 2014 at 2:33 PM, Gary McGath develo...@mcgath.com wrote: On 8/13/14 1:22 PM, Eric Hellman wrote: It seems that Code4Lib hasn't discussed this., though the news is 2 weeks old. It seems that there are libraries using social share tools from AddThis, a company that has been using a technology called Canvas Fingerprinting to track users. In other words, it looks like libraries are giving away the user-privacy store. For example, AddThis is used by my public library's Polaris catalog (BCCLS). I'd be interested to learn how widespread this is. It's pretty widespread in general, but I don't know how many libraries are using it, or why. It's a concern regardless of absolute numbers, because it targets people who are concerned about being tracked and have taken steps to make cookies less effective. (For example, I discard cookies at the end of each browser session, making long-term tracking ineffective.) It isn't virtually impossible to block; mapping addthis.com on the client computer to 127.0.0.1 (using /etc/hosts on Linux and Unix machines) does a nice job of it. But anyone who uses it really is betraying the user's trust. -- Gary McGath, Professional Software Developer http://www.garymcgath.com -- Jimmy Ghaphery Head, Digital Technologies VCU Libraries 804-827-3551
Re: [CODE4LIB] Canvas Fingerprinting by AddThis
On 13 August 2014, Karen Coyle wrote: *ps - I had a great cookie manager for a while, but it's no longer around. Cookie control in browsers actually was easier a decade ago - they've obviously been discouraged from including that software. If anyone knows of a good cookie program or plugin, I'd like to hear about it. I use Cookie Monster [0] and like it. Related: on my work box I'm trying out the EFF's Privacy Badger [1], which I hope will be a success. At home I use Disconnect [2], which blocks entire domains. It's great for cutting out cookies and junk like AddThis, but cripes, I hadn't realized how many people pull in Javascript libraries from Google or Yahoo. That's a harder way of tracking to avoid. Bill [0] https://addons.mozilla.org/en-US/firefox/addon/cookie-monster/ [1] https://www.eff.org/privacybadger [2] https://disconnect.me/disconnect -- William Denton ↔ Toronto, Canada ↔ http://www.miskatonic.org/
Re: [CODE4LIB] Canvas Fingerprinting by AddThis
It isn't virtually impossible to block; mapping addthis.com on the client computer to 127.0.0.1 (using /etc/hosts on Linux and Unix machines) does a nice job of it. But anyone who uses it really is betraying the user's trust. I was looking around for a complete set of addthis domains to block and came across this extensive, up-to-date hosts file. It blocks more than 10,000 domains. http://someonewhocares.org/hosts/hosts /dev
Re: [CODE4LIB] Canvas Fingerprinting by AddThis
I blogged this. http://go-to-hellman.blogspot.com/2014/08/libraries-are-giving-away-user-privacy.html Do libraries even realize they're doing this? Eric On Aug 13, 2014, at 4:28 PM, Jimmy Ghaphery jghap...@vcu.edu wrote: Interesting thread, AddThis is certainly everywhere (5 percent of the top 100,000 websites--ProPublica), often in contrast to an organization's stated privacy policies. Here's three examples of use within OCLC and their products: http://oclc.org/research/people/follow.html ContentDM: http://www.contentdm.org/help6/custom/configure9.asp WorldCat.org: http://www.worldcat.org/title/jazz/oclc/25048293referer=brief_results For kicks I just did a Google Advanced search for AddThis limited to the .edu domain, wow. What is the alternative for libraries looking to promote their services out into the polluted ocean of the internet where everyone else is swimming? --Jimmy On Wed, Aug 13, 2014 at 2:33 PM, Gary McGath develo...@mcgath.com wrote: On 8/13/14 1:22 PM, Eric Hellman wrote: It seems that Code4Lib hasn't discussed this., though the news is 2 weeks old. It seems that there are libraries using social share tools from AddThis, a company that has been using a technology called Canvas Fingerprinting to track users. In other words, it looks like libraries are giving away the user-privacy store. For example, AddThis is used by my public library's Polaris catalog (BCCLS). I'd be interested to learn how widespread this is. It's pretty widespread in general, but I don't know how many libraries are using it, or why. It's a concern regardless of absolute numbers, because it targets people who are concerned about being tracked and have taken steps to make cookies less effective. (For example, I discard cookies at the end of each browser session, making long-term tracking ineffective.) It isn't virtually impossible to block; mapping addthis.com on the client computer to 127.0.0.1 (using /etc/hosts on Linux and Unix machines) does a nice job of it. But anyone who uses it really is betraying the user's trust. -- Gary McGath, Professional Software Developer http://www.garymcgath.com -- Jimmy Ghaphery Head, Digital Technologies VCU Libraries 804-827-3551
Re: [CODE4LIB] Canvas Fingerprinting by AddThis
We have had, for some time now, a section in our privacy policy explaining what services we use and giving links to opt out. http://sonomalibrary.org/governance/library-policies/privacy-statement Genny Engel Sonoma County Library gen...@sonoma.lib.ca.us 707 545-0831 x1581 www.sonomalibrary.org -Original Message- From: Code for Libraries [mailto:CODE4LIB@LISTSERV.ND.EDU] On Behalf Of Eric Hellman Sent: Wednesday, August 13, 2014 3:37 PM To: CODE4LIB@LISTSERV.ND.EDU Subject: Re: [CODE4LIB] Canvas Fingerprinting by AddThis I blogged this. http://go-to-hellman.blogspot.com/2014/08/libraries-are-giving-away-user-privacy.html Do libraries even realize they're doing this? Eric On Aug 13, 2014, at 4:28 PM, Jimmy Ghaphery jghap...@vcu.edu wrote: Interesting thread, AddThis is certainly everywhere (5 percent of the top 100,000 websites--ProPublica), often in contrast to an organization's stated privacy policies. Here's three examples of use within OCLC and their products: http://oclc.org/research/people/follow.html ContentDM: http://www.contentdm.org/help6/custom/configure9.asp WorldCat.org: http://www.worldcat.org/title/jazz/oclc/25048293referer=brief_results For kicks I just did a Google Advanced search for AddThis limited to the .edu domain, wow. What is the alternative for libraries looking to promote their services out into the polluted ocean of the internet where everyone else is swimming? --Jimmy On Wed, Aug 13, 2014 at 2:33 PM, Gary McGath develo...@mcgath.com wrote: On 8/13/14 1:22 PM, Eric Hellman wrote: It seems that Code4Lib hasn't discussed this., though the news is 2 weeks old. It seems that there are libraries using social share tools from AddThis, a company that has been using a technology called Canvas Fingerprinting to track users. In other words, it looks like libraries are giving away the user-privacy store. For example, AddThis is used by my public library's Polaris catalog (BCCLS). I'd be interested to learn how widespread this is. It's pretty widespread in general, but I don't know how many libraries are using it, or why. It's a concern regardless of absolute numbers, because it targets people who are concerned about being tracked and have taken steps to make cookies less effective. (For example, I discard cookies at the end of each browser session, making long-term tracking ineffective.) It isn't virtually impossible to block; mapping addthis.com on the client computer to 127.0.0.1 (using /etc/hosts on Linux and Unix machines) does a nice job of it. But anyone who uses it really is betraying the user's trust. -- Gary McGath, Professional Software Developer http://www.garymcgath.com -- Jimmy Ghaphery Head, Digital Technologies VCU Libraries 804-827-3551
Re: [CODE4LIB] Canvas Fingerprinting by AddThis
What you're saying on the Sonoma County Library website is accurate and correct. I hope other libraries follow your example, if they use AddThis. Although it would be even better if services were used that didn't use cookies in order to provide advertisements about goods and services. For example, in the comment on my post, Piwik is mentioned by Dan Scott. Why aren't more libraries using Piwik? Are any libraries using Piwik? Eric On Aug 13, 2014, at 7:00 PM, Genny Engel gen...@sonoma.lib.ca.us wrote: We have had, for some time now, a section in our privacy policy explaining what services we use and giving links to opt out. http://sonomalibrary.org/governance/library-policies/privacy-statement Genny Engel Sonoma County Library gen...@sonoma.lib.ca.us 707 545-0831 x1581 www.sonomalibrary.org -Original Message- From: Code for Libraries [mailto:CODE4LIB@LISTSERV.ND.EDU] On Behalf Of Eric Hellman Sent: Wednesday, August 13, 2014 3:37 PM To: CODE4LIB@LISTSERV.ND.EDU Subject: Re: [CODE4LIB] Canvas Fingerprinting by AddThis I blogged this. http://go-to-hellman.blogspot.com/2014/08/libraries-are-giving-away-user-privacy.html Do libraries even realize they're doing this? Eric On Aug 13, 2014, at 4:28 PM, Jimmy Ghaphery jghap...@vcu.edu wrote: Interesting thread, AddThis is certainly everywhere (5 percent of the top 100,000 websites--ProPublica), often in contrast to an organization's stated privacy policies. Here's three examples of use within OCLC and their products: http://oclc.org/research/people/follow.html ContentDM: http://www.contentdm.org/help6/custom/configure9.asp WorldCat.org: http://www.worldcat.org/title/jazz/oclc/25048293referer=brief_results For kicks I just did a Google Advanced search for AddThis limited to the .edu domain, wow. What is the alternative for libraries looking to promote their services out into the polluted ocean of the internet where everyone else is swimming? --Jimmy On Wed, Aug 13, 2014 at 2:33 PM, Gary McGath develo...@mcgath.com wrote: On 8/13/14 1:22 PM, Eric Hellman wrote: It seems that Code4Lib hasn't discussed this., though the news is 2 weeks old. It seems that there are libraries using social share tools from AddThis, a company that has been using a technology called Canvas Fingerprinting to track users. In other words, it looks like libraries are giving away the user-privacy store. For example, AddThis is used by my public library's Polaris catalog (BCCLS). I'd be interested to learn how widespread this is. It's pretty widespread in general, but I don't know how many libraries are using it, or why. It's a concern regardless of absolute numbers, because it targets people who are concerned about being tracked and have taken steps to make cookies less effective. (For example, I discard cookies at the end of each browser session, making long-term tracking ineffective.) It isn't virtually impossible to block; mapping addthis.com on the client computer to 127.0.0.1 (using /etc/hosts on Linux and Unix machines) does a nice job of it. But anyone who uses it really is betraying the user's trust. -- Gary McGath, Professional Software Developer http://www.garymcgath.com -- Jimmy Ghaphery Head, Digital Technologies VCU Libraries 804-827-3551