Canvas Fingerprinted Profile Pictures

[Guest deleted156886133]

Is the implementation of canvas fingerprinting on profile pictures a new thing? I'm guessing it's new because I uploaded my current profile picture about a month ago with no issue. But yesterday, I went to upload a new one and was slapped with the error 'Your browser is preventing this action: Canvas fingerprinting protection needs to be disabled.' 

Now, I'm already allowing Nexus to cookie track me because I'm lazy and like to stay signed in but why the tracking on profile pictures? Or perhaps, more accurately, why is the profile picture upload process used as another means to track users? Is that entirely necessary?

In case it's not intuitive, allow me to clarify, I'm not happy about this. For fu<k's sake!

[Pickysaurus]

Canvas fingerprinting is (generally) not a privacy concern, although some over-protective browser settings block it because it can be used in weird ways. You need to allow it to be able to crop your avatar. 

A workaround is documented here:

 

[Guest deleted156886133]

6 minutes ago, Pickysaurus said:

Canvas fingerprinting is (generally) not a privacy concern, although some over-protective browser settings block it because it can be used in weird ways. You need to allow it to be able to crop your avatar. 

 

I get that I need to allow it in order to upload. That was blatantly obvious. But you really didn't answer any of my questions. However, I won't reiterate because such an evasive reply was anticipated.

Here's a snippet from a Gadget Hacks Shop article that explains the issue:

The consequences of canvas fingerprinting reach beyond targeted ads. If you have a future in politics or any public career, you might want to make your browsing as untraceable as possible considering all the porn sites that use canvas fingerprinting (aside from YouPorn now, of course). Imagine how much a company could profit off of smearing you.

Regardless, who knows what will be considered "suspicious activity" in the years to come. It's best to remain as anonymous as possible.

Now, while I neither aspire to be a politician nor desire to be in the public's eye, it is still cause for concern. In my opinion, any sort of tracking is a privacy concern no matter how much website developers try to minimize it. I'm considering switching to Tor in order to view Nexus although that may be to the detriment of this website's functionality. But, so be it.

Thanks for reading...

[Guest deleted156886133]

@Pickysaurus

My last reply may have been a bit hasty. I was heading out the door on an errand and fired off a response before I fully understood your reply.

What did you mean by this statement taken from your 12.18.2023 post, 'This issue has been resolved, we now check for errors related to the security settings which cause this problem.'? 

If it has been resolved then, why did I just experience it yesterday? For the record, I use Brave, which I had somehow assumed was based on Firefox. It's not and... it is? A quick web search just told me it's based on Chromium which, as it turns out, was founded by two previous employees at Mozilla, Firefox's creator. Brave is similar in the fashion which you disable trackers, you click on the lion's head instead of Firefox's shield. I did update my browser recently so that may explain why I was able to upload the last avatar sans error.

And also, by my disabling the fingerprint block, does that allow Nexus to 'check for errors'?  If yes then, with all due respect, that sounds kinda shady. But what do I know? I may be overthinking it. I'm just average Joe Q. User.

Thanks for letting me rant.

[Pickysaurus]

You can enable it to allow the avatar crop tool to work and disable it again immediately after. We only use it to offer the crop feature. Or use a different device (such as a mobile) to do the avatar upload. If I recall the "canvas" is the webpage element containing the image preview and the cropper, we need to know which region of the image you chose to crop and upload the avatar properly. 

Just because something can be used maliciously doesn't always mean it is. As I understand it, we found it was the most compatible way to allow image cropping in all modern browsers without a bad user experience. Although the use case for it being blocked was caught shortly after release of the feature which is why you see this informative error (as opposed to it just not working with no explanation). This is what is meant by the issue being fixed, if you've chosen to stop it working via browser settings/addons we let you know that is the reason why. 

Of course, if you'd prefer not to use it at all, that's entirely your choice. Avatars are an optional part of social profiles

[showler]

Just to be clear, is this a case of you using the Canvas feature properly and Firefox/Brave is blocking it in order to block Canvas fingerprinting which is a kind of mis-use of the Canvas feature?

[Guest deleted156886133]

Yeah, you know what? I'll just ride out with my current avatar. Uploading a new one was mostly to stroke my ego, I must admit. I'd been working on one, finally finished it and wanted to show it off. If I decide in the future that I no longer give a chuck, I'll do it. But as it stands now, I'm leery. 'Just because something can be used maliciously doesn't always mean it is.' Yeah but sometimes it can be, maybe not now but later. Once your information is out, it's out there man. There's no pulling it back and no guarantees on where it may ultimately land. Here's an interesting knowledge nugget: While you can delete browser cookies, the location of the image file that stores canvas fingerprint data remains elusive. As if you could fully delete anything on a hard drive anyways, but still. At least with deletion, that data block could get overwritten with new data. Clever system, canvas fingerprinting.

So, I hope you can see my hesitancy. Anything with that sort of mystique about it is a big red flag for me and should be for anyone else reading this.

I also find this statement slightly ironic: '... we found it was the most compatible way to allow image cropping in all modern browsers without a bad user experience.'  And yet it did create a bad user experience. But no worries. I appreciate a good chuckle.

On 3/31/2024 at 2:32 PM, showler said:

Just to be clear, is this a case of you using the Canvas feature properly and Firefox/Brave is blocking it in order to block Canvas fingerprinting which is a kind of mis-use of the Canvas feature?

Was this directed at me or @Pickysaurus? If it was me then your question was unclear despite your attempt to just be clear. Sorry, had to say it.

Edited April 2 by UsernameWithA9
Typo

[showler]

It was directed at Pickysaurus.

I'm a little unclear on the whole "canvas" thing.  It appears it was created for the purpose of manipulating graphics but some people found a way to use it as a tracking "cookie" substitute.

In that case, Nexus Mods could be using it for it's intended purpose with no tracking going on whatsoever, but overzealous privacy protections in browsers could be blocking the intended function in order to block the misuse as a tracker.

If that's the scenario then turning off the blocking while resizing your avatar wouldn't result in a privacy issue because that's not how Nexus Mods is using it.

[Pickysaurus]

On 3/31/2024 at 10:32 PM, showler said:

Just to be clear, is this a case of you using the Canvas feature properly and Firefox/Brave is blocking it in order to block Canvas fingerprinting which is a kind of mis-use of the Canvas feature?

This is sort-of what's happening here but not quite.

I've spoken to one of our developers about this so that I better understand it (big thanks to @themagickoala ). 

So "Canvas Fingerprinting" is the term describing there being a difference in the result per browser based on what the "canvas" element captures when used. It's not directly able to track a user but you can infer their browser from that data. As you might know, most browsers also send a User-Agent header, so that information isn't particularly obscure anyway. If you don't like the idea of websites being able to track this but still want to use the feature you can look up "Canvas Salting" addons for your browser. AFAIK the Brave browser includes this by default (we don't support Brave officially though!). We are not using this feature for anything other than cropping the image and uploading it to your profile. 

[Guest deleted156886133]

1 hour ago, Pickysaurus said:

 If you don't like the idea of websites being able to track this but still want to use the feature you can look up "Canvas Salting" addons for your browser. AFAIK the Brave browser includes this by default (we don't support Brave officially though!).

I'm not sure if it's included by default and I couldn't find any add-on by that exact name related to Brave extensions. However, there are a few canvas fingerprint spoofing extensions that are hit or miss... mostly miss. One user says one add-on works and then two others say it doesn't. God! What a pain in the ass!

I did find mention of 'Canvas Salting' on Brave's github page. It's an issue dated from 2020: Brave Canvas Anti-Fingerprinting causes websites to break if the website requires pixel-perfect color output, because Brave adds random noise to canvases when using the getImageData method. Canvas salting is mentioned further down the page by a user or developer in 2023 by stating 'Firefox has already WIP canvas salting support and more browsers will follow.'

I'm assuming the addition of random noise to canvases is canvas salting? If yes, then Brave does do it.

2 hours ago, Pickysaurus said:

It's not directly able to track a user but you can infer their browser from that data.

Correct, browser identification is inferred as well as any add-ons or extensions your particular browser is using. And guess what? That's sort of a catch-22. When canvas fingerprinting is blocked that identifies you outright because the plugins and extensions you are running are part of the key identifiers in browser fingerprinting. Kinda like wearing a ski-mask in a room full of unmasked folks. Don't be surprised if it appears that you're being watched more closely.

Like I said before, what a pain.