Canvas fingerprinting: Why ad tech’s latest shiny object is pure trouble

One-to-one has become the ad tech industry’s bright shiny object — an unrealizable ideal that’s always just out of reach. Chasing it has driven innovation, but it also has driven us to a place where consumers are increasingly uncomfortable and where the value of some of this innovation is dubious at best.

Cookies were the first and (still) dominant technology to enable one-to-one connections for personalization and advertising. But as their effectiveness continues to decline due to ad blocking, duplication, and device rejection, marketers have sought new and more effective approaches to ID one user on one device.

The latest advance (if you can call it that) is canvas fingerprinting. It secretly creates a graphical system configuration snapshot, writes it to a user’s browser as a hidden image, and then combines it with a unique tracking ID. Not surprisingly, canvas fingerprinting was recently called out in the press for — you guessed it — privacy concerns.

Canvas fingerprinting has been around since 2012 but has only recently gained attention, thanks to the paper The Web never forgets, which revealed that over 5,000 of the top-trafficked sites (ranging from WhiteHouse.gov to adult sites) were unwittingly using canvas fingerprinting. Most of this scare can be attributed to AddThis, a social bookmarking service that allows people to favorite and share sites.

Since canvas fingerprinting details have come out, many sites — including the White House — have discontinued using AddThis. (For its part, AddThis has graciously suggested that it “won’t use the fingerprinting data for ad targeting or personalization if users install the AddThis opt-out cookie on their computers.”)

It turns out that canvas fingerprinting is a particularly ham-handed approach for creating unique IDs. While there are thousands of different system configurations out there, when you begin to think at a scale of tens of millions, you quickly discover that these fingerprints aren’t really that unique.

For example, in most enterprise environments, IT departments create and control standard system configurations. The result is hundreds — or even thousands — of identical fingerprints. Or consider how many people don’t change the graphics card or browser configuration when they purchase a computer at BestBuy.  Then there is the fact that canvas fingerprinting doesn’t work well on the mobile devices people rely on every day.

These limitations should have made canvas fingerprinting irrelevant; but what is more disturbing is the fact that opt-out safeguards were ignored and the technology can track a specific device indefinitely. This is a major problem. Even when a tracking cookie is used and brokered for resale to a DMP, it typically expires after 10 to 30 days, or you have the option to clear your browser cache or opt-out in the first place.

Poking the privacy bear this blatantly is never a good idea. Unfortunately, as long as the consequences are nothing more than a suggestion to provide an opt-out option the “playing with fire” will continue.

What needs to happen in this race for the bright shiny object is for everyone to step away from the JAVA code for a moment and get back to basics. Ad tech companies need to start thinking like marketing companies and focus on methods that improve the scale and quality of their reach. They need to recognize that they already have the ability to accurately serve audiences at scale without using cookies, universal IDs, or (especially) canvas fingerprinting.

If it turns out that one-to-one marketing is as inefficient and poor a marketing tactic as the math of 20% cookie matching suggests, we will eventually adopt less invasive methods that deliver sound audience targeting, improved reach, and a strong ROI.

Identifying and reaching qualified audiences (such as neighborhoods, constituencies, and affiliated groups) is something that direct and broadcast marketers have done successfully for years. It is something online marketers could do today.  And no one is going to suggest that it is up to you to opt-out — something that CFOs, privacy experts, and consumers everywhere will applaud.

Ray Kingman has been at Semcasting since its inception, leading the company in the development and commercialization of its automated targeting and data offerings. He is experienced in content management, analytics, and data visualization fields and previously served as CEO of LightSpeed Software, a content management solution built through the acquisition and integration of multiple providers in the search, analytics, content management, authoring, and portal platform spaces. Prior to LightSpeed, Ray was the founder and president of a division of Thomson Reuters, where he focused on providing syndicated web content solutions to self-directed investors and retail brokerage firms. He was also the founder and president of DeltaPoint, a developer of analytics and data visualization products, and led the firm from its inception to its initial public offering.