
How companies use Canvas Fingerprinting to track you online

Traditional ways of tracking users have come under fire in recent years. Cookies and other small snippets of data that get saved on user systems may not be available forever to many companies.

That's why many have invested resources in finding other means to track users on the Internet. Fingerprinting is popular but not that reliable due to several factors.

The Panopticlick page on the EFF website runs a fingerprinting test that reveals how unique your browser really is. While that is great, any change made to the browser or system, like an upgrade to a new version, a new computer monitor, or a new plugin version, will change the unique fingerprint of the browser.

But the generation of a fingerprint based on data that is made available publicly by browsers is not the only fingerprinting option.

HTML5 Canvas Fingerprinting


The fingerprinting technology emerged about two years ago. It makes use of the HTML5 Canvas element, which can be used to draw graphics.

The issue with it from a privacy perspective is that results are different based on a number of factors including the web browser used as well as operating system specific settings.

What this means is that Canvas can be used to draw a picture in the browser that is often different from others. Since it is different, it can be used to identify users on the Internet based on that alone.

Most of the time, though, sites have access to more information than that, including all header information that is transferred during the connection.

The site Browserleaks has created a fingerprinting demonstration that you can run in your browser, provided that it supports HTML5 Canvas and that JavaScript is enabled on the site.

Which companies make use of it?

A Pro Publica article lists three companies that make use of Canvas fingerprinting: AddThis, known for its social sharing plugins, a German digital marketer Ligatures, and the popular dating website Plenty Of Fish.

It is very likely that additional companies make use of it.

Blocking and revealing fingerprinting


There are several options to block Canvas fingerprinting, but most are not straightforward.

  • The Tor web browser displays a prompt whenever a website tries to use HTML5 Canvas image extraction. If you use the browser, you are safe from this particular method. You can access the bug here.
  • Chameleon for Chrome is an experimental browser extension that informs you if a site uses Canvas fingerprinting. It won't block it, however. It is also not that easy to set up, as it is not available in the Chrome Web Store at the time of writing.
  • Blocking scripts on sites that you don't trust using NoScript or a similar browser extension (or disabling JavaScript). The main issue with this approach is that JavaScript may be needed for a site's functionality. In addition, harmless-looking scripts such as AddThis may be used for the fingerprinting.

There is currently no option to disable the functionality directly in the browser. A userscript from 2010 that blocked the Canvas element on web pages unfortunately no longer works.
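The "reveal, don't block" approach described above can be sketched as follows. This is an added example, not code from Chameleon or the Tor Browser: it wraps the standard canvas read-back methods and reports each call, flagging whether text was drawn on that canvas first. `watchCanvas`, `report`, `demo` and the `Fake*` classes are hypothetical names, and the stand-in objects are constructed so the logic also runs outside a browser.

```javascript
// Added example (hypothetical names): report canvas read-back after text drawing.
function watchCanvas(canvasProto, contextProto, report) {
  const drewText = new WeakSet(); // canvases that have had text rendered
  // Text rendering is where browser and OS settings change the pixels.
  for (const name of ['fillText', 'strokeText']) {
    const original = contextProto[name];
    contextProto[name] = function (...args) {
      drewText.add(this.canvas);
      return original.apply(this, args);
    };
  }
  // Wrap every method that hands rendered pixels back to the script.
  const wrapRead = (proto, name, canvasOf) => {
    const original = proto[name];
    if (typeof original !== 'function') return;
    proto[name] = function (...args) {
      report({ method: name, afterText: drewText.has(canvasOf(this)) });
      return original.apply(this, args); // report only, never block
    };
  };
  wrapRead(canvasProto, 'toDataURL', (el) => el);
  wrapRead(canvasProto, 'toBlob', (el) => el);
  wrapRead(contextProto, 'getImageData', (ctx) => ctx.canvas);
}

// In a browser: install before page scripts run and log the calling stack.
if (typeof HTMLCanvasElement !== 'undefined') {
  watchCanvas(HTMLCanvasElement.prototype, CanvasRenderingContext2D.prototype,
    (e) => console.warn('canvas read-back', e, new Error().stack));
}

// Constructed stand-ins so the logic can be exercised outside a browser.
function demo() {
  class FakeContext {
    constructor(canvas) { this.canvas = canvas; }
    fillText() {} strokeText() {} getImageData() { return { data: [] }; }
  }
  class FakeCanvas {
    getContext() { return new FakeContext(this); }
    toDataURL() { return 'data:,'; }
  }
  const events = [];
  watchCanvas(FakeCanvas.prototype, FakeContext.prototype, (e) => events.push(e));
  new FakeCanvas().toDataURL(); // read-back with no text drawn
  const probe = new FakeCanvas();
  probe.getContext('2d').fillText('sample', 2, 15);
  probe.toDataURL();
  probe.getContext('2d').getImageData(0, 0, 220, 30);
  return events;
}
```

The logged stack shows which script requested the pixels, which helps when the caller is a third-party widget rather than the site's own code.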

Resources and further reading

The following list links to resources that provide additional information about Canvas fingerprinting:

  1. Canvas Fingerprinting Sites - Lists sites sorted by Alexa rank that use fingerprinting scripts.
  2. Cross-browser fingerprinting test 2.0 - Another fingerprinting test.
  3. Fingerprinting Guidance - Document that defines different types of fingerprinting.
  4. Mozilla Wiki entry on Fingerprinting
  5. Pixel Perfect: Fingerprinting Canvas in HTML - The research paper from 2012 which mentioned the method first.
  6. The Web never forgets: Persistent tracking mechanisms in the wild - Research paper from Princeton and KU Leuven, Belgium that analyzes several fingerprinting methods including canvas, evercookies and cookie syncing.

This article was first seen on ComTek's "TekBits" Technology News
