Canvas fingerprinting: How does it compromise security?

Mozilla recently announced it is removing canvas fingerprinting from the Firefox browser. What is canvas fingerprinting, and what are the privacy and security benefits that come with its removal?

Mozilla announced that starting with Firefox 58 it will start disabling the use of canvas fingerprinting to allow users to protect their privacy against websites that are attempting to track them through an HTML5 feature called "Canvas." Advertisers have been attempting to find other ways outside of cookies or Flash locally shared objects to track users without using beacons and have been utilizing the HTML Canvas feature built into most browsers for the past couple years.

This HTML Canvas element is essentially creating a fingerprint of your system that is used and shared with other advertisers who have had the exact match in the past and can cross-correlate data with what they've previously seen created.

Canvas fingerprinting is similar to a canvas on which a browser is able to render an invisible image. Your browser is doing this in the background and being sent instructions from the site that's requesting it. After this occurs, the rendered image that's being drawn in the background is sent back to the requestor and stored with the visitor's image being tracked or hashed. This then becomes your unique digital token, and it can be correlated across multiple sites.

At this point you might not even care that canvas fingerprinting is occurring. They're having me send back an invisible image of something my computer was asked to send back. So What? Well, it becomes an issue with the more complex diagrams a computer is being asked to draw -- along with the different variations of the system, the more unique the image will be. Depending on your browser being used, the operating system, the type of hardware, such as graphic cards and variations of them, plug-ins in the browser and how easily other applications are freely looking to share information with this drawing, the returned image can be quite unique. This HTML canvas element is essentially creating a fingerprint of your system that is used and shared with other advertisers who have had the exact match in the past and can cross-correlate data with what they've previously seen created.

The Tor browser has had this feature disabled for years and now Firefox is looking to follow suit -- it will essentially ask you before having the HTML canvas element used within the browser. There have been security plug-ins created, such as Canvas Defender, that allow you to be notified if a third-party site is looking to fingerprint your browser without permission.

Firefox has always been a "security first" web browser and taking the first step to block this feature by default is beneficial for the privacy of users everywhere. We've seen Mozilla in the past make changes to the security of its browser and push the rest of the industry to follow suit. I'm glad they're taking this step and I'm happy to see that other plug-ins have popped up to assist with the privacy of users in the meantime. This is a step toward creating a standard and forcing advertisers go out and find other ways to track users without permission. It's their move now.

Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)