How companies use Canvas Fingerprinting to track you online

Martin Brinkmann
Jul 21, 2014
Updated • Aug 7, 2019
Security

Traditional ways of tracking users have come under fire in recent years. Cookies and other small snippets of data that get saved on user systems may not be available forever to many companies, e.g. due to regulations.

That's why marketing and advertising companies have invested resources in finding other means to track users on the Internet. Fingerprinting is popular but not that reliable due to several factors.

The Panopticlick page on the EFF website runs a fingerprinting test that reveals how unique your browser really is. While that is great, any change made to the browser or system, like an upgrade to a new version, a new computer monitor, or a new plugin version, will change the unique fingerprint of the browser. In other words, most fingerprinting methods are not accurate enough unless combined with other means of identification.

But the generation of a fingerprint based on data that is made available publicly by browsers is not the only fingerprinting option.

HTML5 Canvas Fingerprinting


The canvas fingerprinting technology emerged about two years ago. It makes use of the HTML5 element Canvas which can be used to draw graphics.

The issue with it from a privacy perspective is that results are different based on a number of factors including the web browser as well as operating system specific settings.

What this means is that Canvas can be used to draw a picture in the browser that is often different from others. Since it is different, even when it looks identical to the human eye, it can be used to identify users on the Internet based on that alone.

Most of the time, though, companies that use canvas fingerprinting have access to more information, including all header information that is transferred during connections.

The site Browserleaks has created a fingerprinting demonstration that you can run in your browser, provided that it supports HTML5 Canvas and that JavaScript is enabled on the site.

Which companies make use of it?

A ProPublica article lists three companies that make use of Canvas fingerprinting: AddThis, known for its social sharing plugins; Ligatus, a German digital marketer; and the popular dating website Plenty Of Fish.

It is very likely that additional companies make use of it.

Blocking and revealing fingerprinting


There are several options to block Canvas fingerprinting, but most are not straightforward.

  • The TOR web browser displays a prompt whenever a website tries to use HTML5 Canvas image extraction. If you use the browser, you are safe from this particular method. You can access the bug here.
  • Chameleon for Chrome is an experimental browser extension that informs you if a site uses Canvas fingerprinting. It does not block it, however. It is also not that easy to set up, as it is not available in the Chrome Web Store at the time of writing.
  • CanvasBlocker for Firefox blocks canvas elements in the Firefox web browser.
  • Canvas Defender for Chrome and Firefox protects against Canvas fingerprinting.
  • Blocking scripts on sites that you don't trust using NoScript or a similar browser extension (or disabling JavaScript). The main issue with this approach is that JavaScript may be needed for a site's functionality. In addition, harmless looking scripts such as AddThis may be used for the fingerprinting.

There is no option currently to disable the functionality directly in the browser. A userscript from 2010 that blocked the Canvas element on web pages is not working anymore unfortunately.
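The tools above either report canvas image extraction or substitute the extracted data. The sketch below shows one way such a check can be built by wrapping the canvas export methods; it is an added example, not code from any of the listed extensions or from Tor Browser. `instrumentCanvasExports`, its options and the `FakeCanvas` stand-in are hypothetical names.

```javascript
// Added example: report, and optionally blank, canvas image extraction.
// instrumentCanvasExports, its options and FakeCanvas are hypothetical names.
function instrumentCanvasExports(proto, methodNames, options = {}) {
  const { onExtract = () => {}, replacements = {} } = options;
  const undo = [];
  for (const name of methodNames) {
    const original = proto[name];
    if (typeof original !== 'function') continue; // not offered by this object
    proto[name] = function (...args) {
      // The stack trace shows which script asked for the pixels.
      onExtract({ method: name, stack: new Error().stack || '' });
      if (typeof replacements[name] === 'function') {
        return replacements[name].apply(this, args); // uniform substitute
      }
      return original.apply(this, args); // detect only, behaviour unchanged
    };
    undo.push(() => { proto[name] = original; });
  }
  return () => undo.forEach((restore) => restore());
}

// In a browser: warn whenever a script reads rendered pixels back.
if (typeof HTMLCanvasElement !== 'undefined') {
  const warn = (e) => console.warn('canvas readback via ' + e.method, e.stack);
  instrumentCanvasExports(HTMLCanvasElement.prototype,
    ['toDataURL', 'toBlob'], { onExtract: warn });
  instrumentCanvasExports(CanvasRenderingContext2D.prototype,
    ['getImageData'], { onExtract: warn });
}

// Constructed stand-in for a canvas so the example also runs outside a browser.
class FakeCanvas {
  toDataURL() { return 'data:image/png;base64,CONSTRUCTED-DEVICE-SPECIFIC'; }
}

function demo() {
  const seen = [];
  const restore = instrumentCanvasExports(FakeCanvas.prototype,
    ['toDataURL', 'toBlob'], {
      onExtract: (e) => seen.push(e.method),
      // 'data:,' is what toDataURL returns for a canvas with no pixels.
      replacements: { toDataURL: () => 'data:,' },
    });
  const blanked = new FakeCanvas().toDataURL();
  restore();
  return { seen, blanked, afterRestore: new FakeCanvas().toDataURL() };
}
```

A wrapper like this only sees calls made after it is installed, so it has to run before any page script and in every frame of the page.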

Resources and further reading

The following list links to resources that provide additional information about Canvas fingerprinting:

  1. Canvas Fingerprinting Sites - Lists sites sorted by Alexa rank that use fingerprinting scripts.
  2. Cross-browser fingerprinting test 2.0 - Another fingerprinting test.
  3. Fingerprinting Guidance - Document that defines different types of fingerprinting.
  4. Mozilla Wiki entry on Fingerprinting
  5. Study on the effectiveness of fingerprinting countermeasures
  6. Pixel Perfect: Fingerprinting Canvas in HTML - The research paper from 2012 which mentioned the method first.
  7. The Web never forgets: Persistent tracking mechanisms in the wild - Research paper from Princeton and KU Leuven, Belgium that analyzes several fingerprinting methods including canvas, evercookies and cookie syncing.


Comments

  1. TelV said on October 28, 2017 at 11:06 am

    I begin to ask myself if there’s any point in trying to defeat these intrusive attempts at identifying my browsing habits since the ultimate goal seems to be to use the data for targeted advertising. But since adblockers prevent ads from appearing anyway there doesn’t seem to be any harm in allowing fingerprinting.

    I tried Canvas Defender for a while but the constant popups to inform users that a given site was attempting to use fingerprinting drove me round the bend and I removed it. I haven’t tried the other one mentioned in this article though.

    By the way Martin, the first link under the “Resources and further reading” heading doesn’t work.

  2. Tom Hawack said on August 7, 2014 at 2:17 pm

    There’s a new Firefox add-on, CanvasBlocker ( https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/ ) which may be interesting if efficient. I’m trying it at this time.

  3. Edward said on August 3, 2014 at 9:07 pm

    The CanvasFingerprintBlock extension for Chrome intercepts calls to the canvas-exporting JavaScript functions that are used to create a fingerprint, and it makes those functions return blank data to the caller. The result is that all the browsers with the extension installed will produce an identical canvas-fingerprint, thus rendering the fingerprint useless.

    https://chrome.google.com/webstore/detail/canvasfingerprintblock/ipmjngkmngdcdpmgmiebdmfbkcecdndc

  4. ilev said on July 22, 2014 at 11:21 am

    EFF’s Badger extension will bring in future releases fingerprint blocking :

    Does Privacy Badger prevent fingerprinting?

    Currently, Privacy Badger does not prevent browser fingerprinting, of the sort we demonstrated with the Panopticlick project. But we will be adding fingerprinting countermeasures in a future update!

    https://www.eff.org/privacybadger

  5. Christoph said on July 22, 2014 at 3:37 am

    The 2 major domains using this (addthis and ligatus) are both blocked by HTTP Switchboard :)

    Also, please don’t link to w3schools, it’s a horrible site with often inaccurate information [1]. MDN has high quality information and tutorials regarding canvas [2] including links to the specs and other resources.

    [1] http://www.w3fools.com/

    [2] https://developer.mozilla.org/en-US/docs/Web/HTML/Canvas

  6. Pants said on July 22, 2014 at 3:36 am

    I tested this .. extensively .. I LET ligatus thru, and my canvas drew a big finger … well done FF :)

    In all seriousness though, this has been around for at least 2 years. It’s like Flash – you give any third party access to system resources (font enumeration) and other variables and it’s bound to create uniqueness. What is needed is at least an HTML “click to play” with a whitelist ability

  7. Rick said on July 22, 2014 at 1:52 am

    Why I like the plugin Yesscript – html5 canvas fingerprinting uses html5 AND javascript. No javascript, no issue (at least for this one).

    1. Ray said on July 22, 2014 at 7:20 am

      Thanks for recommending an alternative to NoScript.

      Also, Martin, I’d recommend writing a post about ETags as it’s similar to Canvas fingerprinting.

  8. Anonymous said on July 22, 2014 at 1:14 am

    And this is exactly the “red flag” authorities are looking for–passenger 912A purchased airline tickets in cash, 30 minutes before departure, using three different carriers although one carrier offered a direct flight to same city.

    “I could also employ a Julian Assange-like tactic, only buying last-minute tickets at an airport and in person. But that’s a lot harder when traveling with others, and it’s almost always significantly more expensive.”

  9. Oxa said on July 21, 2014 at 11:20 pm
    1. Rick said on July 22, 2014 at 2:01 am

      YIKES .. if you find that creeps you out, I suggest you self-imprison yourself at home :)

      Did you know .. in Canada and the US (not sure about other countries) if you have your wireless device turned on (phone, tablet, your Kindle or Kobo – anything with wifi ) with wifi active when in an airport, or close to an airport, that your device and other information is automatically logged. Happens whether you actually connect or not .. if you connect obviously more information is available.

      Wondered why airports started offering free wifi hotspots? Wonder no longer .. free usage comes at the expense of your privacy. In fact, owning any wifi device has a privacy cost.
