Purism website trying to identify my computer


#1

When I visit puri.sm with Tor Browser 8.0.8 I get a pop-up saying

“Will you allow puri.sm to use your HTML5 canvas image data? This may be used to uniquely identify your computer”

WTF?!


#2

Maybe that’s because they use piwik.puri.sm (matomoto), which is a web analytics tool.


#3

Shouldn’t Purism be fully aware what kind of code they include on their own site and not have this kind of fingerprinting done on their customers?


#4

Isn’t Purism going to comment on the fact that they are running a website that fingerprints the visitors?


#5

@jeremiah Dunno if you are the right person to flag, but maybe you can comment or at least pass it to someone who can


#6

Thanks @taylor-williamc. I saw this and pushed it to marketing. I did a little digging and we’re definitely not “fingerprinting” anyone. We do however run piwik as @anon10067017 says and a couple other tools. We have to patch small javascript tools together because we have a policy to use only free software tools.

We’re going to be doing a review of all our javascript and tooling internally and I hope that myself or marketing will come back with much more info.


#7

Any news on this? @jeremiah

It’s been two weeks and puri.sm still tries to fingerprint visitors


#8

Hiya,

Sorry for slow response, holidays here. In speaking with marketing they’re very aware of the constraints that Purism places on user freedom and privacy. They do not ‘fingerprint’ specific browsers or users. We do use some javascript but that is, as mentioned previously, under review. The javascript we do use is for things like purchases in our store.

Can you detail your concerns regarding fingerprinting? What exactly do you see, from a technical perspective, is happening that you consider fingerprinting? Is it the capture of your browser’s User Agent string?


#9

@jeremiah, I am not certain what @robin sees, but I commented about the Purism Forum site in a task, which voiced a similar concern about DuckDuckGo. At the time, I used the CanvasBlocker add-on with Firefox, and, if memory serves, the Purism Forum site got the same DOMRect API indications. (It has been a while; there could be new issues.)

I only used that add-on to see what was going on with DuckDuckGo. I did not see a need to panic about DuckDuckGo getting indications without having more information. I was not alarmed to see it here either, but that does not mean it should be ignored.

Anyway, that plug-in might be a place to start.


#10

Thanks for the reminder @Wayne, I remember that conversation we had regarding DDG’s various not-so-private profiling. (FWIW, here’s DDG’s reply: DDG browser fingerprinting)

With regards to Purebrowser, we’re continually working on it to make it better, that work will continue. I’ve also opened and issue to surf our various sites (forum, tracker, etc.) with a strong set of add-ons that will report issues with our site to understand better how our users see our web presence.


#11

Thanks, @jeremiah. The article kind of confirms what I suspected.


#12

@jeremiah

So whenever I visit puri.sm I get a pop-up asking “Will you allow puri.sm to use your HTLM5 canvas image data? This may be used to uniquely identify your computer”. I don’t get this question when I visit forums.puri.sm. I using Tor Browser 8.0.8

On this page https://2019.www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability one can read the following about this practice:

After plugins and plugin-provided information, we believe that the HTML5 Canvas is the single largest fingerprinting threat browsers face today. Studies show that the Canvas can provide an easy-access fingerprinting target: The adversary simply renders WebGL, font, and named color data to a Canvas element, extracts the image buffer, and computes a hash of that image data. Subtle differences in the video card, font packs, and even font and graphics library versions allow the adversary to produce a stable, simple, high-entropy fingerprint of a computer. In fact, the hash of the rendered image can be used almost identically to a tracking cookie by the web server.

In some sense, the canvas can be seen as the union of many other fingerprinting vectors. If WebGL is normalized through software rendering, system colors were standardized, and the browser shipped a fixed collection of fonts (see later points in this list), it might not be necessary to create a canvas permission. However, until then, to reduce the threat from this vector, we have patched Firefox to prompt before returning valid image data to the Canvas APIs, and for access to isPointInPath and related functions. Moreover, we put media streams on a canvas behind the site permission in that patch as well. If the user hasn’t previously allowed the site in the URL bar to access Canvas image data, pure white image data is returned to the JavaScript APIs. Extracting canvas image data by third parties is not allowed, though.


#13

I don’t know what the HTML5 “Canvas” element (which is the crux of the question in this thread) is doing there, I’ll ask around.

As for Matomo/Piwik, it’s been there for years, and already respects your privacy choices, see the “About this website” section in https://puri.sm/policies/ . Matomo is Free Software by the way, we host it ourselves, and for what it’s worth even the FSF website uses it.


#14

Thanks @Robin! That is very helpful. Marketing is already on it. :grinning:


#15

Any news? I’m still getting same pop-up.


#16

According to the error you are reporting, this data (?) could be used to identify your computer. That is a pretty open ended statement. Does this mean just that you be identified based on your IP, or that pieces of your browser information are being used to build a profile of your computer?

I think given the comments already mentioned here, identifying your computers isn’t the intent. There are however many reasons to want to identify IPs on a public facing website.


#17

Every time you load a web page, you willingly submit your IP to the server, in order to receive an answer. You make it sound like advanced technology would be needed to get the IP.
The reason why fingerprinting is a thing is that the IP does NOT reliably identify you, especially not over a long period of time. You can change your public IP every five minutes if you want. (Depending on your provider, restarting the router can be sufficient).
A browser fingerprint is supposed much more stable. Like a… fingerprint :wink:
Try it out here, if you’re curious how unique your browser’s fingerprint is:


#18

I didn’t mean it like that. I meant that the error they received was pretty broad and could mean a number of things. However, based on what Purism employees have already said and the fact that the FSF site uses the same software, it seems pretty safe to assume that there is nothing nefarious going on here.


#19

The thing is that you don’t get that fingerprinting warning when visiting https://www.fsf.org/