Part 1 of 5: Running into an old friend... Privacy Attack and Defense. Canvas fingerprinting, browser fingerprinting, and online cookie attacks

Part 1 of 5: A Question from the NIST Cybersecurity Working Group on the Smart Grid

by @SarahCortes

I had a question recently from members of a NIST technical working group to which I belong, asking me to help explain “canvas fingerprinting.” This privacy-invading online technique received attention in late July in the press, when researchers revealed the extent to which your browser text formatting and other settings can invisibly reveal your identity and activities online. Evil spawn of “browser fingerprinting,” a set of online privacy attacks first widely reported starting in 2010, “canvas fingerprinting” uses seemingly harmless information from your browser to create a kind of online DNA that identifies individuals with statistical certainty.

I was curious about how canvas fingerprinting related in general to “browser fingerprinting,” cookie respawning, evercookies, cookie synching, and other hidden privacy attacks, and how to defend against them. Rebecca Herold, a privacy expert who leads our NIST working group, invited me to review the topic with the group at an upcoming meeting.

When I got to the attack defenses, I found the answer, an old friend: Tor Browser. I was not surprised, yet...surprised. Not surprised, yes, as millions of users all over the world know that, when privacy is the problem, Tor is the answer. Surprised, yes, as I had not been aware of how extensively this research and paper referenced Tor, nor how significantly Tor had stood out in its browser experiments. My own research sometimes involves Tor, and I am a member of the “Tor community,” so I expect to be (sort of) on top of “significant” Tor research. Tor is the Cambridge-based nonprofit organization in Central Square that does privacy research for online (anonymous) communications. Its online tools like Tor Browser are used by millions the world over to protect their anonymity and privacy online. Tor does significant work to help end domestic violence, and is co-located with Transition House, the second-oldest DV shelter in the US.

I don’t focus as much on the browser as on Tor’s anonymity-protecting “onion routing.” Tor includes a software browser, as well as other online tools, but is mainly thought of as a network of thousands of relay servers all over the world, as well as using a cryptographic technique that wraps your network communications in layers of encryption. In reading recent press to find how I had missed this one, I realized: I was not alone. Tor’s browser strengths went unreported in virtually all press about canvas fingerprinting, despite the researchers’ startling finding that Tor Browser, alone among dozens of defenses against the widespread attack, is “the only software that we found to successfully protect against canvas fingerprinting.”

Next:
Part Two: Attack and Defense
Part Three: The Attack
Part Four: The Defense
Part Five: Digital Modesty?

References
G. Acar, C. Eubank, S. Englehardt, M. Juarez, A. Narayanan, C. Diaz. The Web never forgets: Persistent tracking mechanisms in the wild. In Proceedings of CCS 2014, Nov. 2014. (Forthcoming) https://securehomes.esat.kuleuven.be/~gacar/persistent
Herold, Rebecca, Privacy Professor, http://www.privacyguidance.com