Canvas data fingerprinting: yet another way to track you on the web (and Firefox fighting back)

Posted on Oct 31, 2017 by Rick Falkvinge

There’s yet another way to fingerprint people online as they move between sites, and that list is getting long by now. This new vulnerability concerns a “canvas” in your browser, a technical way of showing you visual data and graphics. For once, browser makers are fighting back – but it is far from enough.

GHacks first reported on a bug in the Mozilla database which turned into a new feature, the ability to prevent Firefox 58 (and onward) from fingerprinting the way your browser draws on a canvas — a way for a browser to draw realtime graphics and similar things — and reporting that fingerprint back to the publisher for tracking purposes.

However, this is not enough.

To borrow a security analogy from XKCD, having Firefox have an advanced-user option to disable this back-reporting of canvas data to tracking databases is a little bit like a teacher stating they’re always wearing a condom while teaching: while it is better than the alternative, strictly speaking, it still immediately tells you that something is horribly wrong with the big picture.

There are so many different ways to track a user across sites by now, that having hidden options to turn them off one by one can’t possibly be seen as a way forward, or even a workaround. (And as we’re aware, the Do Not Track request from browsers is being happily, almost gleefully, ignored.)

To begin with, in the very request when your browser is asking for a resource (a page, an image of the page, a script on the page, et cetera), your browser provides its model and version number, gives a list of formats it accepts in return, and a list of languages you prefer the response in. This alone is sufficient in a lot of cases to uniquely identify your browser as it moves across sites. To add to this, a simple script on the page can report your screen resolution, color settings, installed fonts in some cases, and so on.

There’s just too much data about a system, all of which can be aggregated into a unique fingerprint.
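To make the aggregation effect concrete, the following added example (not from the original article) measures how many visitors in a small sample share the same combination of browser version, language preference and screen settings. The visitor rows, browser names and function names are constructed for illustration.

```javascript
// Added example: how identifying are a few passively exposed attributes?
// All rows and browser names below are constructed sample data.
const ATTRS = ["userAgent", "acceptLanguage", "screen"];
const ROWS = [
  ["BrowserA/58.0", "en-US,en;q=0.5", "1920x1080x24"],
  ["BrowserA/58.0", "en-US,en;q=0.5", "1366x768x24"],
  ["BrowserA/58.0", "sv-SE,sv;q=0.8", "1920x1080x24"],
  ["BrowserA/58.0", "sv-SE,sv;q=0.8", "1366x768x24"],
  ["BrowserB/62.0", "en-US,en;q=0.5", "1920x1080x24"],
  ["BrowserB/62.0", "en-US,en;q=0.5", "1366x768x24"],
  ["BrowserB/62.0", "sv-SE,sv;q=0.8", "1920x1080x24"],
  ["BrowserB/62.0", "sv-SE,sv;q=0.8", "1920x1080x24"],
];
const VISITORS = ROWS.map((row) =>
  Object.fromEntries(ATTRS.map((name, i) => [name, row[i]])));

// Canonical fingerprint string: chosen attributes in a fixed order.
function fingerprint(visitor, attrs) {
  return attrs.map((a) => `${a}=${visitor[a]}`).join("|");
}

// Map of fingerprint -> number of visitors sharing it (the anonymity set).
function anonymitySets(visitors, attrs) {
  const sets = new Map();
  for (const v of visitors) {
    const fp = fingerprint(v, attrs);
    sets.set(fp, (sets.get(fp) || 0) + 1);
  }
  return sets;
}

// Fraction of visitors who are alone in their anonymity set.
function uniqueFraction(visitors, attrs) {
  const sizes = [...anonymitySets(visitors, attrs).values()];
  return sizes.filter((n) => n === 1).length / visitors.length;
}

// Shannon entropy in bits of the fingerprint distribution.
function entropyBits(visitors, attrs) {
  let bits = 0;
  for (const n of anonymitySets(visitors, attrs).values()) {
    const p = n / visitors.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

for (const attrs of [...ATTRS.map((a) => [a]), ATTRS]) {
  console.log(attrs.join("+"), uniqueFraction(VISITORS, attrs),
    entropyBits(VISITORS, attrs).toFixed(2));
}
```

In this sample no single attribute makes anyone unique, yet the three combined leave six of the eight visitors alone in their anonymity set.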

Since it’s not reasonable to demand that all systems are identical, we have to assume that systems will remain wildly different. For starters, people tend to want their systems in their native language. They also like to make their systems a little bit personal, with background images and such. We’ll never be able to change this, so let’s not go there.

Therefore, since systems and browsers running on these systems will remain wildly different, that means that this set of system data can uniquely (or uniquely enough) identify a system – or at least a browser on a system.

The problem needs to be attacked at communicating this data back to a tracking database, as a whole phenomenon, instead of looking at one single datapoint at a time through a long paper tube. We’re nowhere near there as an industry or community yet, but as marketers keep discovering new ways of fingerprinting browsers, we’ll need to look at the overall picture instead of engaging in that kind of cat-and-mouse game.

Privacy remains your own responsibility.