Canvas Fingerprinting: A Quiet Method for Tracking Online Users

Published on: 2024-08-10 18:29:56

Canvas fingerprinting is a common method for tracking online users without their consent. This technical article explains how it works, where it adds value, its role in browser fingerprinting, its limits, and how it can be spoofed.

What is Canvas Fingerprinting?

Canvas fingerprinting is a browser fingerprinting technique that uses the HTML5 canvas element. When a user visits a website, the site can run a script that makes the user’s browser draw a hidden image or graphic with the HTML5 canvas. Because different machines and browsers render images in slightly different ways, the result can act as a unique identifier, or "fingerprint," for the user’s device.

Decisimo decision engine

Try our decision engine.

How is Canvas Fingerprinting Done?

  1. Creating a Canvas Element: The website embeds a script that creates an invisible HTML5 canvas element in the user’s browser.
  2. Drawing Graphics: The script tells the browser to draw complex shapes, text, and colors.
  3. Extracting Data: The script then converts the rendered image back into data, usually a Base64-encoded string, which can be unique to the device or browser.
  4. Sending Data to the Server: Finally, this string is sent back to the server and used as an identifier for the user.

Value of Canvas Fingerprinting

Canvas fingerprinting is useful for several reasons:

  • Stealthy: Users are usually not aware that their browser is being used to create a fingerprint.
  • Persistent: Unlike cookies, users cannot easily delete or block canvas fingerprints.
  • Cross-site Tracking: It lets advertisers track a user’s behavior across different websites.

Component for Fingerprinting

Canvas fingerprinting is often one part of a broader device fingerprinting approach. When combined with other data such as user agent strings, screen resolutions, and installed fonts, canvas fingerprinting increases the entropy and uniqueness of the device fingerprint.

Limitations of Canvas Fingerprinting

  • Browser Updates: Changes in browser rendering engines can change canvas fingerprints over time.
  • Common Hardware: Devices with very common hardware and settings may generate similar fingerprints.
  • Limited Efficacy on Mobile: Canvas fingerprinting is less effective on mobile browsers because rendering is more standardized.

Spoofing Canvas Fingerprinting

Canvas fingerprinting can be reduced or spoofed in several ways:

  • Browser Extensions: Extensions like CanvasBlocker change the JavaScript that handles the canvas element, which prevents the script from reading the data.
  • Using Tor Browser: Tor Browser is designed to resist fingerprinting, including canvas fingerprinting.
  • Disabling JavaScript: Turning off JavaScript prevents the script from running, though this can break functionality on some websites.

Why is Canvas Fingerprinting Unique?

The uniqueness of canvas fingerprinting comes from small differences in how graphics are rendered across hardware and software configurations. Even minor details such as anti-aliasing, scaling, and rendering engines can create differences in the resulting image data.

Conclusion

Canvas fingerprinting is a powerful but hidden method for tracking users online. It has limits, but it shows how widespread online tracking has become. Users who want to protect their anonymity and privacy should understand the technique and use privacy-focused tools where needed.

Decisimo decision engine

Try our decision engine.

Related Articles

  • The Fallacy of Evading Fingerprinting by Disabling JavaScript

    Disabling JavaScript does not stop fingerprinting. This article explains why that assumption fails, how no-JS fingerprinting works, and which browser signals still expose identifying data through normal HTTP requests.

  • Media Device Fingerprinting: A Modern Method for Online Tracking

    Media Device Fingerprinting uses browser APIs to collect details about a user’s audio and video devices and turn that data into a tracking signal. This article explains how it works, why it matters for online fingerprinting, where it falls short, and what can reduce its effectiveness.

  • The Exciting Evolution of Browser Fingerprinting

    Browser fingerprinting goes well beyond cookies. This article tracks how methods evolved from basic browser identifiers to canvas, WebGL, and device-based fingerprinting, and why each step changed the tradeoff between detection, privacy, and fraud prevention.

  • WebGL Fingerprinting: Tracking Online Users Through Graphics Rendering

    WebGL fingerprinting uses the browser WebGL API to render graphics and expose device-specific rendering traits. This article explains how the technique works and how it fits into broader device fingerprinting. It also covers its limits and common spoofing methods.

  • ETags: a quiet web tracking mechanism

    ETags are a standard part of HTTP, built mainly for web cache optimization. They do more than improve performance. They can also be used as a hidden tracking mechanism. This article explains how ETags work, how they are used in web caching, how they can be misused to track users, and what steps can reduce those privacy risks.