Canvas fingerprinting is one of a number of browser fingerprinting techniques for tracking online users that allow websites to identify and track visitors using the HTML5 canvas element instead of browser cookies or other similar means.[1] The technique received wide media coverage in 2014[2][3][4][5] after researchers from Princeton University and KU Leuven University described it in their paper The Web never forgets.[6]
Canvas fingerprinting works by exploiting the HTML5 canvas element. As described by Acar et al. in:[6]
Block Canvas Fingerprinting in Chrome with Canvas Defender
Social bookmarking technology company AddThis began experimenting with canvas fingerprinting early in 2014 as a potential replacement for cookies. 5% of the top 100,000 websites used canvas fingerprinting while it was deployed.[10] According to AddThis CEO Richard Harris, the company has only used data collected from these tests to conduct internal research. Users will be able to install an opt-out cookie on any computer to prevent being tracked by AddThis with canvas fingerprinting.[4]
In 2022, the capabilities of canvas fingerprinting were considerably extended by taking into account minute differences between nominally identical units of the same GPU model. Those differences are rooted in the manufacturing process, so a given unit's output is more consistent with itself over time than with the output of identical copies.[8]
Tor Project reference documentation states, "After plugins and plugin-provided information, we believe that the HTML5 Canvas is the single largest fingerprinting threat browsers face today."[12] Tor Browser notifies the user of canvas read attempts and provides the option to return blank image data to prevent fingerprinting.[6] However, Tor Browser is currently unable to distinguish between legitimate uses of the canvas element and fingerprinting efforts, so its warning cannot be taken as proof of a website's intent to identify and track its visitors. Browser add-ons like Privacy Badger,[10] DoNotTrackMe,[13] or Adblock Plus[14] manually enhanced with the EasyPrivacy list are able to block third-party ad network trackers and can be configured to block canvas fingerprinting, provided that the tracker is served by a third-party server (as opposed to being implemented by the visited website itself). Canvas Defender, a browser add-on, spoofs canvas fingerprints.[15]
The canvas element is like a painting canvas for the browser. It is used to draw graphics dynamically from JavaScript, which greatly extends what the browser can display. Unfortunately, this element can also be used by advertising and malicious scripts to identify the user and hence to track the user's browsing interests. Basically, this element can be used to generate a fingerprint key that is unique to each browser. If this key is generated on different pages and sent to a server, the user's browsing habits can be tracked easily. One method to generate a unique identification key is to draw two strings on top of each other with just a slight offset in a canvas element and then convert the canvas element into a data string. The generated string can differ slightly depending on the user's OS and graphics card capabilities, hence the generated string is unique. This long string is then converted to a small unique key using a hashing method such as an SHA algorithm. This extension adds an arbitrary one-time noise to the canvas element only when one of the string conversion methods is called. To further speed up applying this noise, instead of applying it to all points of the canvas element, the noise is added to points with 3-element spacing. This significantly reduces the computational cost of adding the noise.
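The noise step described above, as an added sketch that is not the extension's own code: it shows that a one-time, per-session perturbation of every third byte is enough to change the derived key while staying stable within a session. The pixel buffer is constructed, all function names and `sessionSeed` are hypothetical, "3 element spacing" is read as every third byte of the RGBA buffer, and a short FNV-1a hash stands in for the SHA step so the block needs no imports.

```javascript
// Added illustration; every name here is hypothetical, not the extension's code.
// Constructed stand-in for the RGBA bytes a page would read back from a canvas.
function samplePixels(width, height) {
  const px = new Uint8ClampedArray(width * height * 4);
  for (let i = 0; i < px.length; i++) px[i] = (i * 37 + 11) % 256;
  return px;
}

// Seeded PRNG (mulberry32): one seed per session gives "one-time" noise that
// stays the same for every read in that session.
function prng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Return a noised copy, touching only every `step`-th byte (assumed reading of
// "3 element spacing"). Bytes at 0 or 255 move inward so each one changes.
function addNoise(pixels, sessionSeed, step = 3) {
  const rand = prng(sessionSeed);
  const out = Uint8ClampedArray.from(pixels);
  for (let i = 0; i < out.length; i += step) {
    const delta = rand() < 0.5 ? -1 : 1;
    out[i] = out[i] === 0 ? 1 : out[i] === 255 ? 254 : out[i] + delta;
  }
  return out;
}

// FNV-1a, a non-cryptographic stand-in for the SHA step so no import is needed.
function fingerprint(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) h = Math.imul(h ^ b, 0x01000193) >>> 0;
  return h.toString(16).padStart(8, "0");
}

// Indices where two buffers differ, to confirm which bytes the noise touched.
function changedIndices(a, b) {
  return [...a.keys()].filter((i) => a[i] !== b[i]);
}

const clean = samplePixels(16, 16);
console.log("clean     ", fingerprint(clean));
console.log("session 1 ", fingerprint(addNoise(clean, 1)));
console.log("session 2 ", fingerprint(addNoise(clean, 2)));
```

Only a third of the buffer is visited, which is the cost saving the description refers to, and the source buffer is left untouched because the noise is applied to a copy.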
Though be aware that setting this to true also renders some websites that heavily utilize the canvas defunct (in my experience this mainly affects browser games, but YMMV). If you run into any trouble with this, CanvasBlocker set to block mode "fake" is probably your best bet.
Apart from its intended functions, Canvas can also be used as additional entropy in browser fingerprinting. According to Englehardt and Narayanan (2016), a study done by Princeton University, more than 5% of websites use canvas for fingerprinting purposes.
In summary, canvas fingerprinting works by asking the browser to draw a hidden canvas image. This image will be drawn slightly differently on various machines, but will be the same if machines are identical. After the image is drawn, it is converted into a hash string, which is further used as additional entropy in identification. A more detailed overview on how Canvas Fingerprinting works can be found on our blog here.
How this kind of situation may be treated is entirely up to the website's discretion. However, such events can even happen with users who are not intentionally trying to hide their canvas fingerprint, in cases where a browser error occurs in the process of retrieving the data of the canvas object.
Fingerprints take advantage of the fact that the output of a canvas is often different when rendered in different browsers. This is not always the case, which is why Canvas fingerprinting is often used in conjunction with other tracing methods.
As many know, canvas fingerprinting is the most recent development in web tracking. In the past, the easiest way to prevent web tracking was to block out the method of tracking entirely. For example, to prevent cookie tracking, you simply disable cookies in your browser.
Wrong. Preventing the canvas image from loading is an identifier in itself. Although the canvas fingerprint will not be sent, the fact that you did not load the canvas image will be. So, you will be sorted into a very small group of tech-savvy users who are also blocking fingerprints. From there, sometimes your ordinary fingerprints will be enough to identify you completely.
Panopticlick looks at how my browser settings appear to a website and then calculates how probable it is that anyone else has the exact same settings. The bits of identifying information are based on some fairly complicated mathematics that assesses how likely it is that any given fact is true of any one person. You can read more about that here, but in simple terms this is a score on a scale of 1 to 33, with 33 being completely unique. The Chrome default browser plugins I have are very common (3.3) but the hash of my canvas fingerprint (17.64) is not.
Nevertheless, there is a low use of browser extensions, and we believe this will continue to be a fact as most web users do not want or need to go to the trouble of blocking APIs or features involved in a fingerprint vector. Moreover, extensions usually break the user experience. While some solutions provide some protections against browser fingerprinting, it is often at the cost of usability as we can see for example with NoScript (which blocks JavaScript completely) or the Tor Browser.
Canvas fingerprinting is a technique gaining popularity and was first presented by Mowery [18] in 2012. The canvas element, which is part of the HTML5 set of attributes, allows the scriptable rendering of 2D shapes and images, providing a rich, interactive web experience for the user. Given the right instructions, an image can be rendered to help identify a system with pixel precision. Canvas fingerprinting is quite an attractive fingerprinting method as it provides information based on several layers of the system. These may include the browser, the operating system used, graphics drivers and other hardware that is part of the machine.
In combination with WebGL, text and scenes are rendered onto a section of the screen via the HTML canvas element. The fingerprint can then be generated using the information from the pixel data. Mowery and Shacham estimated that 10 bits of entropy is possible over the whole population of the web [18]. Canvas fingerprinting is used on the home pages of a significant number of the top 100,000 sites. Specifically, about 5500 sites presented some use of third-party scripts and in-house scripts. The majority belong to Addthis.com.
Browser extensions like ad blockers are used to provide additional functionality to a browser. The list of extensions can be used to obtain information about the browser. The problem with extensions is that they can often be used to block attempts at fingerprinting a system, but this creates a trade-off between privacy-enhancing extensions and fingerprinting: the more extensions are installed on a system, the more the browser will stand out and thus become unique for fingerprinting.
HTTP headers, with their wealth of attributes and information, have been shown to produce some of the highest entropy, making them a common option for fingerprinting [11], [5], [9]. All major browsers use these headers as well as JavaScript, making them susceptible targets for fingerprinters. A number of issues arise from this type of fingerprinting, the major one being that the fingerprint is unstable: changes in the browser, such as an upgrade of the plugins, or a hardware modification, such as adding an external monitor, can alter the fingerprint. Eckersley [11] demonstrated that the use of a heuristic can aid in predicting when a browser will make a change. This method of fingerprinting tends to suffer the same pitfall as the other techniques discussed in this section, namely that canvas fingerprinting cannot distinguish between users who have exactly the same setup in terms of software and hardware.
There are several blocking extensions, such as Privacy Badger, Ghostery, Adblocker, and NoScript, which can be used to block fingerprinting scripts. One of the main functions of Privacy Badger and Ghostery is to stop the downloading of scripts from known trackers. NoScript takes a different approach and uses whitelists configured by the user. This presents an issue, as the whitelists and databases need to be kept up to date and maintained. This means that extensions cannot fully guarantee protection against fingerprinting. As with a lot of countermeasures, this falls under the fingerprinting paradox: privacy-enhancing extensions can be counterproductive if detected, since they increase the amount of information that can help identify a browser.