HAWKI

Emsisoft Blog > Browser Canvas Fingerprinting ??

Why is a visit to Emsisoft Blog Page on browser-crypto-mining triggering a Browser Canvas Fingerprinting Warning by Canvas Defender in FF 56 and Chrome ?????????

FP ??


It's probably the analytics we use to get an idea of what pages on our websites people visit and how they found them. Most analytics services like that are considered "tracking" services, since the data they collect can be used for that, even though most people using data like that aren't concerned with tracking individual users and are more concerned with how people found their pages and why so that they can make their sites more accessible and more relevant.

40 minutes ago, GT500 said:

It's probably the analytics we use to get an idea of what pages on our websites people visit and how they found them. Most analytics services like that are considered "tracking" services, since the data they collect can be used for that, even though most people using data like that aren't concerned with tracking individual users and are more concerned with how people found their pages and why so that they can make their sites more accessible and more relevant.

K, thanks @GT500, but not sure I understand.

Emsisoft uses a third-party analytic service to help it determine what pages on its website people visit and how they found them ?

If the above is correct, does Emsisoft's agreement with such 3rd-party place any restriction on what that 3rd-party can do with the data it collects?

Who "owns" the data collected by the third-party analytics firm ??

The thing is browser fingerprinting is an underhanded practice cuz most, while they may use anti-tracking extensions, do not use anti-fingerprinting extensions and are thus unaware of and not protected against the deployment of browser fingerprinting. In addition, it's permanent -- it can't be defeated or remediated by cleaning cache and cookies etc. IMHO, it's a bad idea for a company who otherwise, to its credit, is so centered on/protective of customer privacy.

On 10/24/2017 at 5:16 PM, HAWKI said:

If the above is correct, does Emsisoft's agreement with such 3rd-party place any restriction on what that 3rd-party can do with the data it collects?

We use Google Analytics, but there's also Facebook and other social networking stuff on the blog (which may set off anti-tracking/anti-fingerprinting protections). Any usage of information gathered by these companies would be subject to their privacy policies.

Note that I have Fanboy's Ultimate blocklist (a merger of EasyList and a couple of Fanboy's more aggressive blocklists) configured in uBlock Origin in place of the default EasyList, and this blocks most of this sort of stuff. You can see it all in uBlock Origin's logs when it blocks it.

 

On 10/24/2017 at 5:16 PM, HAWKI said:

Who "owns" the data collected by the third-party analytics firm ??

I would believe the analytics company would generally consider themselves the "owner" of the collected data, but they all have policies that dictate how they use that data.

 

On 10/24/2017 at 5:16 PM, HAWKI said:

The thing is browser fingerprinting is an underhanded practice cuz most, while they may use anti-tracking extensions, do not use anti-fingerprinting extensions and are thus unaware of and not protected against the deployment of browser fingerprinting. In addition, it's permanent -- it can't be defeated or remediated by cleaning cache and cookies etc. IMHO, it's a bad idea for a company who otherwise, to its credit, is so centered on/protective of customer privacy.

You do realize that every time you visit a website, tons of information (IP address, web browser, Operating System, referring page, etc) is saved in the HTTP server's logs, and there's nothing that can block that, right?

Anyway, "browser fingerprint" is just a fancy name for certain types of data that gets saved. Anything that can be used to identify a specific web browser (and theoretically a specific user) can be considered a "browser fingerprint", and since it's all data collected during normal "tracking" then any good anti-tracking extension would block it. Mozilla has a decent wiki entry on the kind of data that can be used for fingerprinting here.

  • Like 1

1 hour ago, GT500 said:

We use Google Analytics, but there's also Facebook and other social networking stuff on the blog (which may set off anti-tracking/anti-fingerprinting protections). Any usage of information gathered by these companies would be subject to their privacy policies.

Note that I have Fanboy's Ultimate blocklist (a merger of EasyList and a couple of Fanboy's more aggressive blocklists) configured in uBlock Origin in place of the default EasyList, and this blocks most of this sort of stuff. You can see it all in uBlock Origin's logs when it blocks it.

 

I would believe the analytics company would generally consider themselves the "owner" of the collected data, but they all have policies that dictate how they use that data.

 

You do realize that every time you visit a website, tons of information (IP address, web browser, Operating System, referring page, etc) is saved in the HTTP server's logs, and there's nothing that can block that, right?

Anyway, "browser fingerprint" is just a fancy name for certain types of data that gets saved. Anything that can be used to identify a specific web browser (and theoretically a specific user) can be considered a "browser fingerprint", and since it's all data collected during normal "tracking" then any good anti-tracking extension would block it. Mozilla has a decent wiki entry on the kind of data that can be used for fingerprinting here.

Whatever :blink:

Thanks @GT500 for taking the time to give an upfront and thorough reply.

 


Just for fun (and reference) I took a screenshot of the visitor stats from my own private server. The screenshot is censored so it doesn't show IP addresses, the names of files visitors accessed, or what websites they were referred from. Here's a link if anyone wants to see it:
https://www.gt500.org/images/http_stats.png

This is just general statistics compiled from server logs, and you can actually get a little more information than what you see there from those logs.

I guess what I'm trying to say is simply that if website owners really want to track you, they don't need Google or other analytics services to do it. Especially since there's no way to prevent the server from logging all of this data (since the servers do that automatically and have access to all of that data when your web browser loads anything from the server).

If this is something you're concerned about then TOR, VPNs, and Virtual Machines are going to do you much more good than worrying about what "trackers" are being used by any individual webpage. TOR and VPNs help keep your IP address private and make it very difficult to determine where you actually are, and of course Virtual Machines give a generic system for you to browse on and you can restore to a snapshot to reset everything to the condition it was in before you started browsing. Some things may be unique to your Virtual Machine, such as the combination of your CPU and the amount of RAM and disk space, so in theory it would still be possible to "fingerprint" it, however does it really matter if a website "fingerprints" a Virtual Machine (especially when they can't determine the geographical location)?

Also note that "browser fingerprinting" isn't something that I tend to worry much about. It's unfortunate that it's possible, but it's also benign in the vast majority of cases, and the lengths you have to go to in order to prevent it are... well... more than I would be willing to do for something that isn't going to affect me enough for me to care. uBlock Origin blocks most advertising and tracking stuff, so the amount of money that advertisers can make by "fingerprinting" my browser and targeting me is minimal, and if the NSA wants to monitor me then I expect the only way to truly prevent that is to live in a lead box and never connect to the Internet again. ;)

  • Like 2


"Firefox is getting a Tor-based security upgrade...

The non-profit Mozilla Foundation will remove a “feature” called canvas fingerprinting from Firefox, which allows user-tracking across multiple sites without cookies, in its upcoming build. It’ll do this by imitating Tor browser, which was built on modified Firefox code and already blocks tracking...

Canvas fingerprinting, which happens in every major browser, lets websites extrapolate your data — without asking permission — by tracking you across multiple sites with an amalgam of unique identifiers. This method doesn’t require you to carry any tokens or accept a cookie.

This is great for advertisers and websites, but anyone opposed to having their data commoditized without being asked first may take exception..."

https://thenextweb.com/security/2017/11/01/firefox-is-getting-a-tor-based-security-upgrade/

 


You may want to read BleepingComputer's article on it:
https://www.bleepingcomputer.com/news/software/firefox-implements-another-privacy-preserving-feature-taken-from-the-tor-browser/

The practice of "canvas fingerprinting" just allows sites to track that you are the same person, and it doesn't allow gathering of any more personal information than what servers already have access to when you visit webpages. Basically it allows generating a "unique ID" that websites can use to determine that the same web browser is being used when you visit a web site that loads their "canvas fingerprinting" script.

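A "canvas fingerprinting" script like the one mentioned in the post above has to render something to a canvas and then read the pixels back, and that readback is what a page-side audit can observe. The following is an added example, not code from the thread, Emsisoft, or Canvas Defender; the function name, the fake canvas classes, and the heuristic (text drawn, then a non-JPEG readback from a canvas of at least 16x16) are assumptions made for illustration.

```javascript
// Added example, not from the thread. installCanvasAudit and the heuristic (text
// drawn, then lossless readback from a canvas of at least 16x16) are assumptions.
function installCanvasAudit(canvasProto, contextProto, report) {
  const drewText = new WeakSet(); // canvases that have had text rendered
  for (const name of ['fillText', 'strokeText']) {
    const original = contextProto[name];
    contextProto[name] = function (...args) {
      drewText.add(this.canvas);
      return original.apply(this, args);
    };
  }
  const flag = (canvas, api, lossless) => {
    const bigEnough = canvas.width >= 16 && canvas.height >= 16;
    report({ api, suspicious: drewText.has(canvas) && lossless && bigEnough });
  };
  const toDataURL = canvasProto.toDataURL;
  canvasProto.toDataURL = function (type = 'image/png', ...rest) {
    flag(this, 'toDataURL', String(type).toLowerCase() !== 'image/jpeg');
    return toDataURL.call(this, type, ...rest);
  };
  const getImageData = contextProto.getImageData;
  contextProto.getImageData = function (...args) {
    flag(this.canvas, 'getImageData', true);
    return getImageData.apply(this, args);
  };
}

// Constructed stand-ins so this runs under Node; in a page, pass
// HTMLCanvasElement.prototype and CanvasRenderingContext2D.prototype.
function demo() {
  class FakeContext {
    constructor(canvas) { this.canvas = canvas; }
    fillText() {}
    strokeText() {}
    getImageData() { return { data: new Uint8ClampedArray(4) }; }
  }
  class FakeCanvas {
    constructor(width, height) { this.width = width; this.height = height; }
    getContext() { return (this.ctx = this.ctx || new FakeContext(this)); }
    toDataURL(type = 'image/png') { return `data:${type};base64,`; }
  }
  const events = [];
  installCanvasAudit(FakeCanvas.prototype, FakeContext.prototype, (e) => events.push(e));
  const probe = new FakeCanvas(240, 60); // text drawn, then PNG readback
  probe.getContext('2d').fillText('sample', 2, 15);
  probe.toDataURL();
  new FakeCanvas(300, 150).toDataURL('image/jpeg'); // no text, lossy export
  return events;
}
console.log(demo());
```

The JPEG case is treated as not suspicious because lossy compression discards the small rendering differences a fingerprint relies on; a chart exported as JPEG therefore reports `suspicious: false`.
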
1 hour ago, GT500 said:

The practice of "canvas fingerprinting" just allows sites to track that you are the same person, and it doesn't allow gathering of any more personal information than what servers already have access to when you visit webpages. Basically it allows generating a "unique ID" that websites can use to determine that the same web browser is being used when you visit a web site that loads their "canvas fingerprinting" script.

Well, from privacy perspective that's bad isn't it?

 


Some important aspects, among others, from this article: http://www.w2spconf.com/2012/papers/w2sp12-final4.pdf

Quote

Fingerprints on the web have constructive and destructive uses

- A use is constructive if users benefit from being fingerprinted. For example, a bank could fingerprint a user’s machine, then require additional authentication for login attempts from systems whose fingerprint does not match.

- A use is destructive if users do not benefit from being tracked, or do not wish to be tracked. Users can attempt to avoid tracking by using their browsers’ “private browsing” modes or the Tor anonymity service. Users of Tor may be willing to endure a slower, less attractive browsing experience to avoid being tracked. (Note that, although Torbutton disables WebGL, it allows text rendering to a <canvas>, and is thus at present partly vulnerable to our fingerprint.) For mainstream browser users, however, the possibility of fingerprinting might be an unavoidable consequence of browsers’ closer ties to operating system functionality and system hardware.

so positive use is for safer login into sensitive sites like banks, etc...

Quote

We are pessimistic about the possibility of eliminating the fingerprints we identified without seriously degrading browser functionality and performance, or require yet more user approval dialogs to enable basic functionality. Perhaps the time has come to acknowledge that fingerprints are unavoidable on the modern web.

so it is to the user to choose between convenience or privacy/security, same old choice...

23 hours ago, Minimalist said:

Well, from privacy perspective that's bad isn't it?

To a certain extent, yes. I'm just trying to point out that it doesn't give "tracking" services/sites access to your personal information. They don't actually know who you are, they're just able to track your browser usage across sites that use their "canvas fingerprinting" script.

It's understandable that no one wants to be tracked by some advertising agency (or worse), however some articles make tracking methods sound far worse than they actually are. ;)

