1. What is canvas fingerprinting?
The term canvas fingerprinting appeared for the first time in 2012 in the document Pixel Perfect: Fingerprinting Canvas in HTML5 published by Keaton Mowery and Hovav Shacham from Department of Computer Science and Engineering University of California, San Diego La Jolla, California, USA.
Until the date of the document’s publication, tracking methods for visitors of a web page were the classic ones (e.g. IP address, user agent, browser language and operating system language, cookies, etc.).
Canvas fingerprinting is a modern method by which, along with other methods, an internet user can be identified and tracked. The “Canvas fingerprinting” method is based on the “canvas” function of HTML5 used to draw graphics (on the fly, via JavaScript) on a web page.
To obtain this fingerprint, a website renders text and WebGL scenes to a <canvas> element, and then examines the pixels produced. Different systems produce different output, and therefore different fingerprints. Even very simple tests — such as rendering a single sentence in a widely distributed system font — produce surprising variation. (Pixel Perfect: Fingerprinting Canvas in HTML5)
This method is quite easy to practice: through a JavaScript code, in less than a second, the visitor’s computer will write one or more strings of characters of different fonts in a rectangle, it will draw a few geometrical figures and then it will write the result in a .png image as seen by the visitor’s device. According to the hardware and software components of your device, the generated image is a new one almost all the time. The resulting image is sent either completely or partially as a characters string which exactly represents “canvas fingerprinting”.
Canvas fingerprinting has more advantages than other online tracking methods:
– It is consistent: because it is based mostly on hardware components of your device, so if you visit the site again, it will be the same.
– It is high-entropy: From the test made over time, the result was that there is a very large percentage of unique fingerprints (116 unique fingerprint/294 visitors).
– It is orthogonal to other fingerprints: measures graphics driver and GPU model, which is independent of other possible fingerprints.
– It is transparent to the user: the test lasts less than a second and the user will not see anything on the screen.
– It is readily obtainable: because it is based on JavaScript, any web site may apply this method for your online tracking.
2. How we should not defend against canvas fingerprinting:
– Using portable browsers (e.g. Portable Mozilla Firefox)
– Changing the screen resolution
– Cleaning the browser’s history and cookies
– Restarting the device
– Using programs for disk freezing (as deep freeze)
3. How we should defend from canvas fingerprinting?
Disabling JavaScript
This method seems to be the simplest. It can be done from browser settings or some plug-ins added to the browser, but most websites use JavaScript and will not work properly without JavaScript functions.
Blocking the Canvas function
It may be a productive method, but in this case your tracking would be an easy enough process for those sites with many visitors.
For a large number of visitors, they are split (for example) on the browser / operating system / screen resolution groups.
Perhaps a fairly small percentage of them will have the same browser / operating system / screen resolution as you do. From your group, quite small now, it is quite possible that you only block the canvas functions and so you can be tracked much easier.
Use Mozilla Firefox + plugin “Canvas Blocker“
Step 1 (install – how to install canvas blocker)
– Open Mozilla Firefox
– Write in address bar “about:addons” and press Enter
– Click on “Extensions” (in left side)
– Type in the search box (upper right) “Canvasblocker” and press Enter
– Click on the Install button from “Canvasblocker (Blocks the JS-API for modifying <canvas> […])”
– Click on “Add” and “Ok”
Step 2 (configure – how to use canvas blocker)
– Click on Extensions (left side on “about:plugins” page)
– Click on “Preferences” (on CanvasBlocker row)
– Go to the bottom of this plugin page and check “Expert mode” box
– Set “Random number generator” to “Persistent”
– Uncheck the “Use canvas cache” box
– Uncheck the “Show Notifications” box
– Close the browser
Open your browser and go to iptest.club and copy your Canvas fingerprinting string in notepad text.
Close the browser.
Open your browser again and go to iptest.club and copy your Canvas fingerprinting string in same notepad text.
Compare the two results in the text file. If they are different, canvas fingerprinting is gone.
Every time you want to have a new identity you need to close all Mozila Firefox tabs and open a new one.