Canvas Fingerprinting: A Stealthy Technique for Tracking Online Users - Decisimo

Published on: 2024-08-10 18:29:56

Canvas fingerprinting is an increasingly popular method for tracking online users without their consent. This technical article delves into how this technique works, its value, its role in device fingerprinting, its limitations, and ways it can be spoofed.

What is Canvas Fingerprinting?

Canvas fingerprinting is a browser fingerprinting technique that exploits the HTML5 canvas element. When a user visits a website, the site can execute a script that forces the user's browser to draw a hidden image or graphic using the HTML5 canvas. Because different machines and browsers render images slightly differently, the resulting image can serve as a unique identifier, or "fingerprint", of the user’s device.

How is Canvas Fingerprinting Done?

  1. Creating a Canvas Element: The website embeds a script that creates an invisible HTML5 canvas element on the user’s browser.
  2. Drawing Graphics: The script commands the browser to draw complex shapes, texts, and colors.
  3. Extracting Data: The script then converts the rendered image back into data (usually a Base64 encoded string) which can be unique to the device or browser.
  4. Sending Data to the Server: Finally, this string is sent back to the server and is used as an identifier for the user.

Value of Canvas Fingerprinting

Canvas fingerprinting is attractive for several reasons:

  • Stealthy: Users are usually unaware that their browser is being used to create a fingerprint.
  • Persistent: Unlike cookies, users cannot easily delete or block canvas fingerprints.
  • Cross-site Tracking: It allows advertisers to track a user’s behavior across different websites.

Component for Fingerprinting

Canvas fingerprinting is often used as one component in a broader device fingerprinting approach. When combined with other data such as user agent strings, screen resolutions, and installed fonts, canvas fingerprinting significantly increases the entropy and uniqueness of the device fingerprint.

Limitations of Canvas Fingerprinting

  • Browser Updates: Changes in browser rendering engines can alter canvas fingerprints over time.
  • Common Hardware: Devices with very common hardware and settings might generate similar fingerprints.
  • Limited Efficacy on Mobile: Canvas fingerprinting is less effective on mobile browsers due to standardized rendering.

Spoofing Canvas Fingerprinting

Canvas fingerprinting can be mitigated or spoofed through several methods:

  • Browser Extensions: Extensions like CanvasBlocker manipulate the JavaScript that handles the canvas element, preventing the script from reading the data.
  • Using Tor Browser: Tor Browser, by design, resists fingerprinting including canvas fingerprinting.
  • Disabling JavaScript: Turning off JavaScript will prevent the script from executing, though this can break functionality on some websites.

Why is Canvas Fingerprinting Unique?

The uniqueness of canvas fingerprinting comes from the subtle differences in how graphics are rendered on different hardware and software configurations. Even trivial details such as anti-aliasing, scaling, and rendering engines can create variations in the resulting image data.

Conclusion

Canvas fingerprinting is a powerful but covert technique for tracking users online. While it has its limitations, it's a critical reminder of the pervasive nature of online tracking. Awareness and usage of privacy-enhancing tools are essential for users who wish to safeguard their online anonymity and privacy.

Manage antifraud rules
using Decisimo.

Published: 2023-04-26