How companies use Canvas Fingerprinting to track you online
Traditional ways of tracking users have come under fire in recent years. Cookies and other small snippets of data that get saved on user systems may not be available forever to many companies, e.g. due to regulations.
That's why marketing and advertising companies have invested resources in finding other means to track users on the Internet. Fingerprinting is popular but not that reliable due to several factors.
The Panopticlick page on the EFF website runs a fingerprinting test that reveals how unique your browser really is. While that is great, any change made to the browser or system, like an upgrade to a new version, a new computer monitor, or a new plugin version will change the unique fingerprint of the browser. Means: most fingerprinting methods are not accurate enough unless combined with other identification means.
But the generation of a fingerprint based on data that is made available publicly by browsers is not the only fingerprinting option.
HTML5 Canvas Fingerprinting
The canvas fingerprinting technology emerged about two years ago. It makes use of the HTML5 element Canvas which can be used to draw graphics.
The issue with it from a privacy perspective is that results are different based on a number of factors including the web browser as well as operating system specific settings.
What this means is that Canvas can be used to draw a picture in the browser that is often different from others. Since it is different, even when it looks identical to the human eye, it can be used to identify users on the Internet based on that alone.
Companies that use canvas fingerprinting do have access to more information though most of the time including all header information that is transferred during connections.
Which companies make use of it?
A Pro Publica article lists three companies that make use of Canvas fingerprinting: AddThis, known for its social sharing plugins, a German digital marketer Ligatures, and the popular dating website Plenty Of Fish.
It is very likely that additional companies make use of it.
Blocking and revealing fingerprinting
There are several options to block Canvas fingerprinting, but most are not straightforward.
- The TOR web browser displays a prompt whenever a website tries to use HTML5 Canvas image extraction. If you use the browser, you are safe from this particular method. You can access the bug here.
- Chameleon for Chrome is an experimental browser extension that informs you if a site uses Canvas fingerprinting. It won't block it on the other hand. It is not that easy to set up though as it is not available in the Chrome Web Store at the time of writing.
- CanvasBlocker for Firefox blocks canvas elements in the Firefox web browser.
- Canvas Defender for Chrome and Firefox blocks against Canvas fingerprinting.
There is no option currently to disable the functionality directly in the browser. A userscript from 2010 that blocked the Canvas element on web pages is not working anymore unfortunately.
Resources and further reading
The following list links to resources that provide with additional information about Canvas fingerprinting:
Canvas Fingerprinting Sites- Lists sites sorted by Alexa rank that use fingerprinting scripts.
- Cross-browser fingerprinting test 2.0 - Another fingerprinting test.
- Fingerprinting Guidance - Document that defines different types of fingerprinting.
- Mozilla Wiki entry on Fingerprinting
- Study on the effectiveness of fingerprinting countermeasures
- Pixel Perfect: Fingerprinting Canvas in HTML - The research paper from 2012 which mentioned the method first.
- The Web never forgets: Persistent tracking mechanisms in the wild - Research paper from Princeton and KU Leuven, Belgium that analyzes several fingerprinting methods including canvas, evercookies and cookie syncing.
Now Read: Modify your browser's fingerprintAdvertisement