
Evaluating the privacy implications of a canvas fingerprinting countermeasure - avastel
https://antoinevastel.com/tracking/2018/07/01/eval-canvasdef.html
======
mirimir
OK, so how _does_ one interfere with canvas fingerprinting?

I mean, we know that simply blocking it doesn't work.[0]

0) https://multiloginapp.com/how-canvas-fingerprint-blockers-make-you-easily-trackable/

~~~
kevingadd
Mozilla is planning to block it (and the APIs it relies on) by default for all
content, I think, regardless of how many apps it breaks. That seems like a
reasonable countermeasure since people with canvas fingerprinting blocked will
not be a small identifiable group.

~~~
mirimir
That's _great_ news. Thanks.

And that reminds me, Apple too in macOS:
https://www.engadget.com/2018/06/05/apple-safari-canvas-fingerprinting/

~~~
Uberphallus
Yeah, that's great. Blocking/spoofing fingerprinting is a bit like wearing a
mask. If it's only a handful of people, it may even be worse from a
privacy/tracking perspective -> _look, the guy with the mask_

~~~
mirimir
Well, if Canvas Defender actually worked, you could change fingerprints daily
or weekly or whatever. So you'd still have a valid fingerprint. Just not
invariant.

~~~
Uberphallus
Still, you'd get a pretty unique fingerprint, so even if it changes, it can
help reduce the entropy bits if the trackers are half smart (hey, this is the
guy with the Nixon mask, now he's wearing an Obama mask instead). You don't
need to just hide your real fingerprint, you need to make it look like
everybody else's.

------
Matheus28
It doesn't seem like canvas defender replaces
HTMLCanvasElement.prototype.getImageData anyway, so one could simply use that
to generate a hash.

Hiding the fact that the function is non-native requires replacing
Function.prototype.toString with something that will return a fake result if
the function being tested is one of the modified ones. If a userscript
replaces that toString prototype before you can grab it, I'm unaware of any
other way to test if a function is native.
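
The toString check described in the comment above, as an added example for auditing whether a countermeasure's override is detectable; it is not part of the comment or of Canvas Defender's code. `api.read` is a constructed stand-in for a canvas method so the code runs outside a browser, and `looksNative` and `auditOverride` are hypothetical names.

```javascript
// Matches the source text engines report for built-ins, e.g. "function join() { [native code] }".
const NATIVE_RE = /^function\s*[\w$]*\s*\(\)\s*\{\s*\[native code\]\s*\}$/;

// True when `fn` stringifies like a built-in under the given toString implementation.
function looksNative(fn, toStringImpl) {
  return NATIVE_RE.test(toStringImpl.call(fn));
}

function auditOverride() {
  const original = Function.prototype.toString; // reference grabbed before any patching
  const api = { read: Array.prototype.join };   // constructed stand-in for a native method
  const result = { untouched: looksNative(api.read, original) };

  // 1. Plain override, with no attempt to hide it.
  const spoofed = function read() { return "spoofed"; };
  api.read = spoofed;
  result.plainOverride = looksNative(api.read, original);

  // 2. Override plus a replaced toString that returns a fake result for modified functions.
  const hidden = new Set([spoofed]);
  const patched = function toString() {
    if (hidden.has(this)) return `function ${this.name}() { [native code] }`;
    return original.call(this);
  };
  hidden.add(patched); // the replacement has to hide itself as well
  Function.prototype.toString = patched;
  try {
    // A checker that only obtains toString after the patch is told "native".
    result.lateReference = looksNative(api.read, Function.prototype.toString);
    // A checker that kept the earlier reference still reads the real source.
    result.earlyReference = looksNative(api.read, original);
  } finally {
    Function.prototype.toString = original; // restore so the audit has no side effects
  }
  return result;
}
```

The outcome depends only on which side obtained `Function.prototype.toString` first, which is the ordering condition the comment describes.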

------
textmode
How does canvas fingerprinting work when Javascript is disabled in the
browser?

What if the HTTP client used to fetch the page does not run third party
Javascript?

