Case Study 12.1: The AddThis Canvas Fingerprinting Disclosure
When Tracking Went Beyond What Publishers Knew
Background: The 2014 Princeton/KU Leuven Study
In July 2014, researchers from Princeton University and KU Leuven published a paper titled "The Web Never Forgets: Persistent Tracking Mechanisms in the Wild." The paper documented, for the first time at scale, the deployment of canvas fingerprinting as a tracking mechanism on live websites across the commercial web. The finding attracted significant media attention and prompted immediate questions about a technology that most website operators — and virtually all users — had never heard of.
The study, conducted by Arvind Narayanan, Gunes Acar, and colleagues, examined the tracking mechanisms present on the top 100,000 websites by traffic volume. Among cookie-based tracking (already well-documented), evercookies (cookies stored in multiple locations that reinstall themselves when deleted), and other techniques, the researchers identified canvas fingerprinting on 5,542 of the 100,000 sites surveyed. The vast majority of that deployment — 95% — came from a single company: AddThis.
Who Is AddThis?
AddThis is, or was, a social sharing widget company. Its primary product was a toolbar-style widget — those clusters of buttons that say "Share on Facebook," "Tweet This," or "Email to a Friend" — embedded in websites to encourage visitors to share content on social media. By 2014, AddThis widgets were embedded in approximately 14 million websites. They were the social sharing widget of choice for publishers from small bloggers to major news organizations, government agencies, and Fortune 500 companies.
The social sharing functionality itself was, from a user-visible perspective, simple and benign. You read an article, you clicked a button, you shared it. The AddThis widget handled the sharing mechanics.
What most website operators who embedded AddThis did not know was that the widget contained a canvas fingerprinting library that was generating and transmitting browser fingerprints to AddThis's servers. Every page load on a site with an AddThis widget — even for users who never touched the social sharing buttons — triggered the fingerprinting routine.
The Technical Mechanism
AddThis's canvas fingerprinting worked as follows:
- When a page with an AddThis widget loaded, the AddThis JavaScript executed
- The JavaScript created an invisible <canvas> element with specific text, fonts, and graphic elements
- It rendered the canvas and extracted the pixel data as a base64-encoded string
- This string — the canvas fingerprint — was hashed and stored
- The hash, combined with other browser characteristics, formed a persistent identifier
- This identifier was transmitted to AddThis's servers along with the URL of the page being visited
Because the canvas fingerprint was determined by the user's hardware and software — their graphics card, driver, operating system, and browser version — it remained consistent even when cookies were cleared, even in private browsing mode, and even when users changed their IP address. Users who believed they had "cleaned" their browsers by clearing cookies remained identifiable to AddThis through their fingerprint.
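The steps above are what a measurement tool has to recognise in order to tell fingerprinting apart from ordinary canvas drawing. The following classifier is an added example, not AddThis's code and not the Princeton team's tooling; it applies heuristics of that kind to a constructed trace of canvas API calls, and the trace format, script URLs and thresholds are assumptions made for the illustration.

```javascript
// Added example: classify a recorded trace of canvas API calls as likely
// fingerprinting or ordinary drawing. Not AddThis's code or the Princeton
// tooling; the trace format and thresholds below are assumptions.
const MIN_SIZE = 16;  // assumed: a fingerprint needs a reasonably sized canvas
const MIN_CHARS = 10; // assumed: fingerprinting scripts draw a fair bit of text
// One trace event: { script, api, width, height, text? }; 'api' is the method called.
function classifyScript(events) {
  let textChars = 0, extracted = false, bigEnough = false, interactive = false;
  for (const e of events) {
    if (e.width >= MIN_SIZE && e.height >= MIN_SIZE) bigEnough = true;
    switch (e.api) {
      case 'fillText':
      case 'strokeText':
        textChars += (e.text || '').length;
        break;
      case 'toDataURL':
      case 'getImageData':
        extracted = true; // pixels read back: the step that yields a fingerprint
        break;
      case 'save':
      case 'restore':
      case 'addEventListener':
        // State save/restore or user-event handling points to a visible drawing
        interactive = true;
        break;
    }
  }
  const fingerprinting = extracted && bigEnough && !interactive && textChars >= MIN_CHARS;
  return { fingerprinting, textChars, extracted, bigEnough, interactive };
}
// Group a page-wide trace by originating script so a publisher can see which
// embedded script, if any, reads rendered pixels back.
function findFingerprintingScripts(trace) {
  const byScript = new Map();
  for (const e of trace) {
    if (!byScript.has(e.script)) byScript.set(e.script, []);
    byScript.get(e.script).push(e);
  }
  return [...byScript].filter(([, evs]) => classifyScript(evs).fingerprinting)
                      .map(([script]) => script);
}
// Constructed sample trace (not a real capture): a sharing widget that draws text
// off-screen and reads it back, and a chart library that draws labels for the user.
const SAMPLE_TRACE = [
  { script: 'https://widget.example/share.js', api: 'fillText', width: 300, height: 150, text: 'Sample text 0123456789' },
  { script: 'https://widget.example/share.js', api: 'toDataURL', width: 300, height: 150 },
  { script: 'https://charts.example/chart.js', api: 'save', width: 800, height: 400 },
  { script: 'https://charts.example/chart.js', api: 'fillText', width: 800, height: 400, text: 'Q1 revenue' },
  { script: 'https://charts.example/chart.js', api: 'restore', width: 800, height: 400 },
];
```

Running findFingerprintingScripts(SAMPLE_TRACE) flags only the widget script; in a real deployment the trace would come from instrumenting the canvas readback methods in a test browser, which is the kind of visibility most publishers embedding AddThis lacked.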
The Scale of Unintended Deployment
What made the AddThis case particularly significant was the role of website publishers. The vast majority of the 14 million sites that embedded AddThis widgets were not tracking users through canvas fingerprinting by choice. They had embedded a social sharing widget because they wanted social sharing buttons. The canvas fingerprinting was — from the perspective of most publishers — an undisclosed bonus feature.
Several major news organizations and prominent websites, upon being informed of the study's findings, immediately removed AddThis from their sites. A spokesperson for the Huffington Post, which had embedded AddThis, said the publication had not known about the canvas fingerprinting capability. A White House website that contained an AddThis widget was quietly updated. Forbes, Tumblr, and several government websites were among those identified in the study.
This illustrates a structural feature of the third-party script ecosystem: when publishers embed third-party JavaScript in their pages, they often have limited visibility into everything that script does. The JavaScript might do exactly what the widget description says — and also do other things that the publisher did not request, did not know about, and would not have approved.
AddThis's Response
When contacted by media following the study's publication, AddThis issued a response that was instructive in its framing. The company acknowledged using canvas fingerprinting but said it was "testing" the technology and that the fingerprints were being used only for "research" purposes, not for targeting or selling data. The company said it had stopped using the technique.
There were several notable features of this response:
First, the characterization of widespread deployment on millions of websites as "testing" stretched the ordinary meaning of the word. Canvas fingerprinting had been running in AddThis widgets across a significant portion of the commercial web for an undisclosed period before the Princeton study was published.
Second, the claim that fingerprints were used for "research" rather than commercial purposes was unverifiable. AddThis had no public documentation of what it was doing with the fingerprint data. Third-party audits of the practice did not exist.
Third, the response revealed an assumption that canvas fingerprinting was a legitimate commercial activity that required explanation but not apology — a framing that said something about how the surveillance ecosystem understood its own norms.
After AddThis: The Persistence of Fingerprinting
The 2014 study and its media coverage prompted significant discussion among privacy researchers and some regulatory interest. It did not prompt regulatory action against AddThis specifically. It did, however, trigger a broader awareness of fingerprinting as a commercial tracking technique and contributed to the development of countermeasures in browsers.
Firefox began offering canvas fingerprinting protection in its privacy settings. The Brave browser implemented fingerprinting randomization as a default feature. The EFF updated Panopticlick to test for fingerprinting alongside cookie-based tracking. Academic research into fingerprinting proliferated.
Meanwhile, fingerprinting continued to evolve. Researchers documented audio context fingerprinting (2016), WebGL fingerprinting (2017), and increasingly sophisticated combinations of fingerprinting signals that achieved higher identification accuracy. A 2019 study found that 90%+ of browsers on major commercial websites were uniquely fingerprintable using combinations of signals that were individually public and benign.
AddThis itself was acquired by Oracle in 2016 for approximately $200 million. Oracle integrated AddThis's data and technology into its Oracle Data Cloud, one of the major data management platforms in the advertising ecosystem. The fingerprinting database and its associated profiles became part of Oracle's commercial data infrastructure.
Analysis Questions
- The AddThis case involves three parties with different knowledge and responsibility: AddThis (which deployed the fingerprinting), the publishers (who unknowingly enabled it by embedding the widget), and the users (who were fingerprinted without knowledge). How should moral and legal responsibility be distributed among these parties?
- AddThis characterized its fingerprinting as "research" in its initial response. What criteria would you use to evaluate whether this characterization is accurate? What information would you need to verify or refute it?
- The fact that 14 million websites deployed canvas fingerprinting without knowing it illustrates a structural vulnerability in the third-party script ecosystem. What structural changes — technical, legal, or commercial — would address this vulnerability? Who has the incentive to implement them?
- Following the 2014 study, AddThis's data and capabilities were acquired by Oracle for $200 million. What does this acquisition price suggest about the commercial value of the fingerprinting database? Who benefits from this value, and who bears its costs?
- The AddThis case predates the GDPR. Under GDPR's requirements (Chapter 12.8), would canvas fingerprinting as deployed by AddThis be legal? What would be required to make it compliant? Would compliance meaningfully change the privacy implications?
Connections
- Browser fingerprinting (Section 12.5)
- Canvas fingerprinting (Section 12.5)
- Third-party script ecosystem and publisher liability
- Function creep and commercial surveillance norms
- Data broker acquisitions and ecosystem consolidation (Chapter 11)
Case Study 12.1 | Chapter 12 | Part 3: Commercial Surveillance