Canvas Fingerprinting 101: An Ultimate Guide to Canvas Fingerprinting

What do you know about canvas fingerprinting? If you have little to no knowledge, then let me introduce you to the world of canvas fingerprinting and how to protect yourself from it.

Visiting a website today is synonymous with making yourself available for that website to track you. Most websites on the Internet engage in tracking their users one way or another, either with the excuse of providing a good user experience, fighting spam, or for some not-so-good reasons that only benefit the website owners while putting the users at a disadvantage.

In the past, Internet users thought the only ways they were being tracked were by IP address and HTTP cookies. Web services have become much more advanced than this, as users quickly developed methods to bypass both. Some of the newer methods of tracking users include browser fingerprinting, web beacons, and canvas fingerprinting, among other methods that are unobtrusive, highly effective, and unsuspected by Internet users.

Our focus here is on canvas fingerprinting. You will learn what it is, how it works, why websites engage in it, and how to protect yourself from it.


What is Canvas Fingerprinting?

Canvas fingerprinting is one of the newer methods of online tracking where websites leverage the power of the HTML5 canvas and its API to generate a unique digital footprint that can be used to identify you and your activities online. Canvas fingerprinting uses the canvas HTML5 element to generate the fingerprint of your browser, which can be an effective method of tracking you without you knowing. This method has been called the true successor of cookies, and some even see it as “cookies on steroids.”

One thing you need to know is that, unlike an online cookie, which is saved in your browser and which you can delete, you might not even know you are being tracked using canvas fingerprinting. This method of tracking online users is quite effective because of the way different computers and browsers render canvas images. The method is closely related to, or is even seen as part of, the larger online tracking method known as browser fingerprinting.

Browser fingerprinting entails collecting your browser information and using it to generate a fingerprint of your browser, which is used to uniquely identify your browser even with your real IP address masked and cookies removed. Some of the information collected for browser fingerprinting includes your Operating System (OS), user-agent string, device model, supported font types, time zones, screen resolution, timestamp, file format identifiers, plugins, and extensions, among others. Interestingly, when all of these are put together, they are able to generate a unique footprint for tracking you.


How Does Canvas Fingerprinting Work

Browser fingerprinting is undeniably accurate and the most effective online tracking method – even better than IP and cookie tracking, which can be bypassed so easily and are already popularly known to the masses using the Internet. So what makes canvas fingerprinting so accurate, and how does it even work? Knowing this will help you better understand how to make it less effective in your case.

The canvas we have been discussing is an HTML5 element used to draw text and graphics on web pages with JavaScript. While this element was developed as a way of bringing drawing capabilities to the web, web services have noticed that different computers and browsers render the same canvas image differently, even if the image looks identical – making it a good tool for tracking.

There are basically two reasons why the same canvas image would produce different results – the system level and the image format level. The system level has to do with the OS, fonts, and settings for sub-pixel rendering and anti-aliasing. At the image format level, the differences come from the image processing engine, export options, and browser compression levels.

If you visit a page with canvas fingerprinting enabled, a fingerprinting script is launched to carry out the fingerprinting exercise. It first draws text with the font and size of its choice and adds a background color. The script then calls the Canvas API's toDataURL method in order to get the canvas pixel data in data URL format. The data URL format is a Base64-encoded representation of the binary pixel data. The hash of this data URL becomes the fingerprint and is sent to the web server to be stored. This can be used in conjunction with your browsing history to create a profile of you and share it with advertising partners.
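
The steps above, as an added JavaScript example that is not from the original article or from any real tracker: draw, read the data URL back, hash it. FNV-1a stands in for the unnamed hash, and stubDocument plus the pixel arrays are constructed stand-ins for a browser so the code also runs under Node.

```javascript
// Added illustration, not a real tracker's code. canvasFingerprint, fnv1a and
// stubDocument are hypothetical names; FNV-1a stands in for the unnamed hash.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// The steps from the paragraph above. In a browser, pass the real `document`.
function canvasFingerprint(doc) {
  const canvas = doc.createElement("canvas");
  canvas.width = 240;
  canvas.height = 60;
  const ctx = canvas.getContext("2d");
  ctx.fillStyle = "#f60";                 // background colour
  ctx.fillRect(0, 0, canvas.width, canvas.height);
  ctx.font = "18px Arial";                // font and size chosen by the script
  ctx.fillStyle = "#069";
  ctx.fillText("Canvas fingerprint test", 4, 30);
  const dataUrl = canvas.toDataURL();     // Base64-encoded pixel data
  return fnv1a(dataUrl);                  // the hash is the fingerprint
}

// Constructed stand-in for a browser DOM. `pixels` plays the role of the
// machine-specific rendering result (real browsers return an encoded PNG).
function stubDocument(pixels) {
  const ctx = { fillRect() {}, fillText() {} };
  return {
    createElement: () => ({
      getContext: () => ctx,
      toDataURL: () =>
        "data:image/png;base64," + btoa(String.fromCharCode(...pixels)),
    }),
  };
}

// Constructed RGBA samples: the same image to the eye, but one anti-aliased
// edge value differs between the two machines (120 vs 121).
const machineA = [255, 102, 0, 255, 0, 102, 153, 255, 120, 102, 76, 255];
const machineB = [255, 102, 0, 255, 0, 102, 153, 255, 121, 102, 76, 255];
// What every user returns when a defence hands back blank image data.
const blank = new Array(12).fill(0);
```

Running canvasFingerprint(document) in your own browser console with and without a protection enabled shows whether that protection actually changes the value a site would receive.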


Canvas Fingerprinting: The Good, the Bad, and the Ugly

Let's take a look at the advantages and disadvantages of canvas fingerprinting as it relates to users’ privacy and experience.

  • Good Aspect of Canvas Fingerprinting

Canvas fingerprinting is not inherently bad. It does have its place and its usefulness both to us as Internet users and the web services we access. You have probably been tracked for a long time now, as over 79 percent of web services track their users. In a way, you can see canvas fingerprinting as a necessary evil that has its place when used correctly.

One benefit of web tracking, such as canvas fingerprinting, is that it helps with content personalization, which gives you a more enjoyable and personalized feel when using a site. Targeted ads that are not obstructive and that you enjoy seeing can also be seen as a part of content personalization. Canvas fingerprinting is also helpful for website analytics and online fraud detection.

  • Bad Aspect of Canvas Fingerprinting

Just like every other technology, canvas fingerprinting has a bad side that you need to know about. One bad aspect of canvas fingerprinting is that you become the target of advertising companies that you didn’t even opt in to. Some websites generate a fingerprint of you, combine it with your browsing history, and create a profile of you that they then sell to third-party advertising partners, who bore you with ads anywhere you go on the Internet.

A web service can also use this to keep you out if it has blocked your account. With canvas fingerprinting, even if you create a new account, a website that blocked you will still know it is you.

  • Ugly Aspect of Canvas Fingerprinting

The bad aspect might not be of concern to you, but this is where it gets interesting. If you are being tracked for marketing reasons, that is not much of a problem, especially if the ads being served are what you like.

However, what if the reason behind canvas fingerprinting is to feed governments, security agencies, and other spying bodies with information? Then this becomes ugly and an invasion of your privacy, even if you are not doing anything shady, which most Internet users are not. This is bad and the major reason why you should protect yourself against canvas fingerprinting.


How to Protect Yourself from Canvas Fingerprinting

One thing you need to know is that canvas fingerprinting does not work in isolation; it works together with browser fingerprinting, IP tracking, and cookie tracking. Make no mistake about it; canvas fingerprinting is not easy to prevent. The only way you can protect yourself 100 percent from it is by disabling JavaScript, and sites that are actively tracking you via canvas fingerprinting and other JavaScript methods will deny you access until you turn JavaScript back on.

Even on sites that still allow you access, the experience would be bad, as websites now use JavaScript heavily for user experience. So since turning JavaScript off is not an option, what then is the option?

The most popular option is to make use of an anti-fingerprinting tool to prevent both canvas fingerprinting and browser fingerprinting, since they work hand in hand. One of the most popular tools for preventing canvas fingerprinting is the Tor Browser. This tool is at the top of the list of browsers for privacy protection and uses the Tor network to keep your IP address anonymous.

How it solves the canvas fingerprinting problem is simple – it notifies users of canvas reading attempts and provides the option to return blank image data, giving out false information. If you are not OK with using the Tor Browser because of the bad name it has, you can use browser add-ons like Adblock Plus, Blur, and Privacy Badger.
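
The notify-and-return-blank mechanism described above, as an added JavaScript sketch (not Tor Browser's or any extension's actual code). guardCanvas and decide are hypothetical names, and the blank value used is "data:,", the string the HTML specification defines for a canvas that has no pixels.

```javascript
// Added illustration; guardCanvas and decide are hypothetical names.
const BLANK_DATA_URL = "data:,"; // spec-defined result for a canvas with no pixels

// Wraps the read-back method on a canvas prototype. Every read attempt is
// recorded and passed to `decide`; only when it returns true does the caller
// get the real pixel data, otherwise it gets the blank value.
// In a browser the prototype would be HTMLCanvasElement.prototype.
function guardCanvas(proto, decide) {
  const original = proto.toDataURL;
  const attempts = [];
  proto.toDataURL = function (...args) {
    const attempt = {
      method: "toDataURL",
      width: this.width,
      height: this.height,
    };
    attempts.push(attempt); // this is where a browser would notify the user
    return decide(attempt) ? original.apply(this, args) : BLANK_DATA_URL;
  };
  return {
    attempts,
    restore() {
      proto.toDataURL = original; // put the untouched method back
    },
  };
}

// Constructed stand-in for a canvas element so the sketch runs without a DOM.
function fakeCanvas(realDataUrl) {
  const proto = { toDataURL() { return realDataUrl; } };
  const canvas = Object.create(proto);
  canvas.width = 240;
  canvas.height = 60;
  return { proto, canvas };
}
// A complete guard would also cover the other read paths, such as
// getImageData on the 2D context and toBlob on the canvas element.
```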

Blocking canvas fingerprinting has one inherent problem – it shows the sites that you are aware of their game, and as such, they would abandon canvas fingerprinting and use other methods to try to forcefully get your fingerprint. Besides, using any of these plugins makes your browser more unique fingerprint-wise.

To put it plainly, because of the way the web and web technologies have been structured today, avoiding tracking completely is near impossible unless you are willing to go the extra length and give up the user experience provided by JavaScript. Instead of trying to block canvas fingerprinting, you should allow it but use the extensions mentioned above (Adblock Plus and Blur) or the Tor Browser frequently to erase fingerprints. With too many fingerprints of you, they will lose out.


Conclusion

Canvas fingerprinting and other forms of online tracking have become a necessary evil we have to live with today. While you might be tempted to block canvas fingerprinting, I will advise you to try to control it instead of blocking it, as blocking it would make you even more identifiable. Using anti-fingerprinting browser extensions frequently would give you multiple fingerprints, making it impossible for them to track you efficiently, which is what you would want to achieve.