InformAction Forums

A new kind of tracking tool, canvas fingerprinting, is being used to follow visitors to thousands of top websites...

"Use NoScript browser extension to block JavaScript from known fingerprinters such as AddThis (Warning: requires a lot of research and decision-making)"
http://www.propublica.org/article/meet- ... e-to-block

Anybody have a good solution for this?

"the Tor Project added a feature to its privacy-protecting Web browser to notify users when a website attempts to use the canvas feature and sends a blank canvas image. But other Web browsers did not add notifications for canvas fingerprinting."

Can NoScript add a feature for this, as Tor Project did?

see also viewtopic.php?f=19&t=19907

Your link got broken by the forum. Could you please re-post it wrapped in tags? like this: Note that you can already write NoScript surrogate scripts that effectively zap any JS object property you want, so you should be able to make the site think your browser doesn't properly support canvas - but since I don't know what JS is being used in this case, I can't actually provide such a surrogate, sorry.

(Fixed &) also noted here, viewtopic.php?f=19&t=19907.

therube wrote:(Fixed &)

@ therube: Thanks for fixing the link I had posted.

@ barbaz: It would be nice if NoScript were to address this Canvas Fingerprinting issue through surrogate scripts or some other method, for all NoScript users. If a few people were to write our own rules to zap things, perhaps we would be fingerprinting ourselves with the resulting potentially unique behavior of our browsers. If NoScript itself included the rules needed to defeat Canvas Fingerprinting, there would be a large crowd of browsers with Canvas Fingerprinting defeating behavior, thereby helping to protect privacy rights.

You've got to figure it relies on JavaScript.
And also that by default none of the domains being used (linked in the other thread) would be Allowed, so in that respect, done.

You think we should add a new "Canvas" checkbox in the Noscript options on the Embeddings page to block this element entirely (for websites where someone would want to have js enabled that is)?

@Lurion: Remember that NoScript is a security tool, not a privacy tool. Any privacy benefits NoScript gives/can give are side-effects.

Ideally, to mitigate this there would be an extension or surrogate script that, when a website wants to send a canvas image, prompts the user (showing the URL(s)) whether to send a blank canvas image like TOR Browser does or send the actual rendered image.

barbaz wrote:@Lurion: Remember that NoScript is a security tool, not a privacy tool. Any privacy benefits NoScript gives/can give are side-effects.

Ideally, to mitigate this there would be an extension or surrogate script that, when a website wants to send a canvas image, prompts the user (showing the URL(s)) whether to send a blank canvas image like TOR Browser does or send the actual rendered image.

And yet, once the user allows JavaScript on a tracking site, there are so many way you can be fingerprinted (e.g. by profiling your execution performance, your browser quirks and so on) that it's a lost battle. So I'm not sure this is something I should put much effort into.

Do you perhaps know of a FF addon that blocks or at least tries to detect profiling? For example by watching which functions a script is calling (i.e. document.createElement("canvas") ), and what properties are being accessed (i.e. navigator.userAgent)?

Lurion wrote:Do you perhaps know of a FF addon that blocks or at least tries to detect profiling? For example by watching which functions a script is calling (i.e. document.createElement("canvas") ), and what properties are being accessed (i.e. navigator.userAgent)?

NoScript has the ability to do that (and it does, e.g. for WebGL usages), but as has already been stated in this thread, security requirements are different than privacy ones, and can even be in conflict (see below).

If you really need anonymity (even at expenses of some security and a lot of convenience) your only (yet not perfect) choice, currently, is the Tor Browser (which, BTW, ships with NoScript in a customized -- less secure but more anonymous -- default configuration), or even better the Tails Live System (which includes Tor).

As an example of the conflict between security and privacy, Tor Browser's default NoScript settings use the new "cascade permissions" mode, which is inherently less safe: if you whitelist the top level domain everything imported by the page and its subframe gets automatically allowed, even if not whitelisted, as long as its ancestor document is whitelisted.
The rationale behind this choice is not just usability, but the fact that a fingerprinting script could check if a list of popular websites are or not in your whitelist (by trying to import a script from them and testing for failure) and use this information to identify your browser. This is of course mitigated if your permanent whitelist is quite generic and you generally use "Temporary Allow...", but neatly demonstrates how an undisputable security advantage (keeping 3rd party scripts disabled by default) can have negative impacts on anonymity/privacy.