How companies use Canvas Fingerprinting to track you online

Traditional ways of tracking users have come under fire in recent years. Cookies and other small snippets of data that get saved on user systems may not be available forever to many companies.

That's why many have invested resources in finding other means to track users on the Internet. Fingerprinting is popular but not that reliable due to several factors.

The Panopticlick page on the EFF website runs a fingerprinting test that reveals how unique your browser really is. While that is great, any change made to the browser or system, like an upgrade to a new version, a new computer monitor, or a new plugin version will change the unique fingerprint of the browser.

But the generation of a fingerprint based on data that is made available publicly by browsers is not the only fingerprinting option.

HTML5 Canvas Fingerprinting

The fingerprinting technology emerged about two years ago. It makes use of the HTML5 element Canvas which can be used to draw graphics.

The issue with it from a privacy perspective is that results are different based on a number of factors including the web browser used as well as operating system specific settings.

What this means is that Canvas can be used to draw a picture in the browser that is often different from others. Since it is different, it can be used to identify users on the Internet based on that alone.

Sites usually have access to more information than that, including all header information that is transferred when the browser connects.

The site Browserleaks has created a fingerprinting demonstration that you can run in your browser, provided that it supports HTML5 Canvas and that JavaScript is enabled on the site.

Which companies make use of it?

A ProPublica article lists three companies that make use of Canvas fingerprinting: AddThis, known for its social sharing plugins; the German digital marketer Ligatus; and the popular dating website Plenty Of Fish.

It is very likely that additional companies make use of it.

Blocking and revealing fingerprinting

There are several options to block Canvas fingerprinting, but most are not straightforward.

  • The Tor web browser displays a prompt whenever a website tries to use HTML5 Canvas image extraction. If you use the browser, you are safe from this particular method. You can access the bug here.
  • Chameleon for Chrome is an experimental browser extension that informs you if a site uses Canvas fingerprinting. It won't block it, however. It is also not that easy to set up, as it is not available in the Chrome Web Store at the time of writing.
  • Blocking scripts on sites that you don't trust using NoScript or a similar browser extension (or disabling JavaScript). The main issue with this approach is that JavaScript may be needed for a site's functionality. In addition, harmless-looking scripts such as AddThis may be used for the fingerprinting.

There is currently no option to disable the functionality directly in the browser. A userscript from 2010 that blocked the Canvas element on web pages unfortunately no longer works.
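The Tor prompt and Chameleon both key on the same step, the moment a script reads the drawn image back out of the canvas. The following is an added example, not code from any tool named in this article: it wraps `toDataURL` so every read-back is logged and, unless the origin is on an allowlist, answered with blank data. `guardCanvasExport`, `FakeCanvas` and the `.example` origins are hypothetical names, and the fake canvas is a constructed stand-in so the sketch also runs outside a browser.

```javascript
// Added example: reveal and neutralize canvas image extraction.
const BLANK = "data:,"; // the string toDataURL() returns for a canvas with no pixels

function guardCanvasExport(proto, getOrigin, allowlist, log) {
  const realToDataURL = proto.toDataURL;
  proto.toDataURL = function (...args) {
    const origin = getOrigin();
    const allowed = allowlist.has(origin);
    // Record every attempt so the user can see which sites read pixels back.
    log.push({ origin, method: "toDataURL",
               width: this.width, height: this.height, allowed });
    // Allowlisted origins get the real rendering; everyone else gets the same
    // blank value, which no longer distinguishes one browser from another.
    return allowed ? realToDataURL.apply(this, args) : BLANK;
  };
  return () => { proto.toDataURL = realToDataURL; }; // restores the original
}

// Constructed stand-in: a canvas whose export differs per machine (hypothetical).
class FakeCanvas {
  constructor(machineSeed) {
    this.width = 220; this.height = 30; this.seed = machineSeed;
  }
  toDataURL() { return "data:image/png;base64," + this.seed; }
}

function demo() {
  const log = [];
  let origin = "https://tracker.example";            // constructed origin
  const unhook = guardCanvasExport(FakeCanvas.prototype, () => origin,
                                   new Set(["https://editor.example"]), log);
  const a = new FakeCanvas("AAAA").toDataURL();      // machine A, untrusted site
  const b = new FakeCanvas("BBBB").toDataURL();      // machine B, untrusted site
  origin = "https://editor.example";
  const c = new FakeCanvas("AAAA").toDataURL();      // allowlisted site
  unhook();
  return { a, b, c, log };
}

// In a browser, run in the page's own script context, guard the real element.
if (typeof HTMLCanvasElement !== "undefined") {
  guardCanvasExport(HTMLCanvasElement.prototype, () => location.origin,
                    new Set(), []);
}
```

Only `toDataURL` is covered here; `toBlob` on the canvas element and `getImageData` on the 2D context are further read-back paths that need the same treatment for the guard to be complete.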

Resources and further reading

The following list links to resources that provide additional information about Canvas fingerprinting:

  1. Canvas Fingerprinting Sites - Lists sites sorted by Alexa rank that use fingerprinting scripts.
  2. Cross-browser fingerprinting test 2.0 - Another fingerprinting test.
  3. Fingerprinting Guidance - Document that defines different types of fingerprinting.
  4. Mozilla Wiki entry on Fingerprinting
  5. Pixel Perfect: Fingerprinting Canvas in HTML - The research paper from 2012 which mentioned the method first.
  6. The Web never forgets: Persistent tracking mechanisms in the wild - Research paper from Princeton and KU Leuven, Belgium that analyzes several fingerprinting methods including canvas, evercookies and cookie syncing.


Responses to How companies use Canvas Fingerprinting to track you online

  1. Oxa July 21, 2014 at 11:20 pm #

    This and this: http://arstechnica.com/tech-policy/2014/07/ars-editor-learns-feds-have-his-old-ip-addresses-full-credit-card-numbers/ are the creepiest things I've read in a long time.

    • Rick July 22, 2014 at 2:01 am #

      YIKES .. if you find that creeps you out, I suggest you self-imprison yourself at home :)

      Did you know .. in Canada and the US (not sure about other countries) if you have your wireless device turned on (phone, tablet, your Kindle or Kobe - anything with wifi ) with wifi active when in an airport, or close to an airport, that your device and other information is automatically logged. Happens whether you actually connect or not .. if you connect obviously more information is available.

      Wondered why airports started offering free wifi hotspots? Wonder no longer .. free usage comes at the expense of your privacy. In fact, owning any wifi device has a privacy cost.

  2. Anonymous July 22, 2014 at 1:14 am #

    And this is exactly the "red flag" authorities are looking for--passenger 912A purchased airline tickets in cash, 30 minutes before departure, using three different carriers although one carrier offered a direct flight to same city.

    "I could also employ a Julian Assange-like tactic, only buying last-minute tickets at an airport and in person. But that’s a lot harder when traveling with others, and it's almost always significantly more expensive."

  3. Rick July 22, 2014 at 1:52 am #

    Why I like the plugin Yesscript - html5 canvas fingerprinting uses html5 AND javascript. No javascript, no issue (at least for this one).

    • Ray July 22, 2014 at 7:20 am #

      Thanks for recommending an alternative to NoScript.

      Also, Martin, I'd recommend writing a post about ETags as it's similar to Canvas fingerprinting.

  4. Pants July 22, 2014 at 3:36 am #

    I tested this .. extensively .. I LET ligatus thru, and my canvas drew a big finger ... well done FF :)

    In all seriousness though, this has been around for at least 2 years. It's like Flash - you give any third party access to system resources (font enumeration) and other variables and it's bound to create uniqueness. What is needed is at least an HTML "click to play" with a whitelist ability

  5. Christoph July 22, 2014 at 3:37 am #

    The 2 major domains using this (addthis and ligatus) are both blocked by HTTP Switchboard :)

    Also, please don't link to w3schools, it's a horrible site with often inaccurate information [1]. MDN has high quality information and tutorials regarding canvas [2] including links to the specs and other resources.

    [1] http://www.w3fools.com/

    [2] https://developer.mozilla.org/en-US/docs/Web/HTML/Canvas

  6. ilev July 22, 2014 at 11:21 am #

    EFF's Badger extension will bring in future releases fingerprint blocking :

    Does Privacy Badger prevent fingerprinting?

    Currently, Privacy Badger does not prevent browser fingerprinting, of the sort we demonstrated with the Panopticlick project. But we will be adding fingerprinting countermeasures in a future update!

    https://www.eff.org/privacybadger

  7. Edward August 3, 2014 at 9:07 pm #

    The CanvasFingerprintBlock extension for Chrome intercepts calls to the canvas-exporting JavaScript functions that are used to create a fingerprint, and it makes those functions return blank data to the caller. The result is that all the browsers with the extension installed will produce an identical canvas-fingerprint, thus rendering the fingerprint useless.

    https://chrome.google.com/webstore/detail/canvasfingerprintblock/ipmjngkmngdcdpmgmiebdmfbkcecdndc

  8. Tom Hawack August 7, 2014 at 2:17 pm #

    There's a new Firefox add-on, CanvasBlocker ( https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/ ) which may be interesting if efficient. I'm trying it at this time.
