What Canvas Fingerprinting Is and How It Works?

I bet you like to know everyone that walked through your room door, and for whatever reason, they might do so. For people you don’t know, it is crucial. Website owners are room owners on the internet. They like to know everyone who comes through their doors. They do this for different reasons and through different means.

One way they identify website users is via the controversial cookie tracking system. However, considering the privacy issues that plague this system, it is not a preferred method. The push for more effective methods is ongoing. Browser fingerprinting techniques seem to meet these expectations.

There are many browser fingerprinting techniques that exist. In this article, we shall discuss the use of HTML5 canvas tracking (also called Canvas Fingerprinting) as a tracking tool for website users.

 

What Is Canvas Fingerprinting?

Web browsers collect different sets of information while performing their function. When some of this information is collected to identify a website user, it is called Browser Fingerprinting.

The browser fingerprint is formed from browser information such as the following:

• Device model
• Browser type and version
• Operating system (OS)
• Screen resolution
• Time zones
• P0pFile format identifiers
• Timestamp
• User-agent (UA) string
• Language settings
• Plugins
• Extensions

 

This browser fingerprint obtained is 99% accurate in identifying the web browser user. It is called a fingerprint because of the less likely probability of finding an exact match for the information collected for different users.

Canvas fingerprinting is one of these browser fingerprinting techniques. It is based on the canvas element of the Hypertext Markup Language (HTML5) code of a webpage.

The technique was first introduced in 2012 when two researchers, Hovav Shacham and Keaton Mowery, from the University of California, published a paper called ‘Pixel Perfect: Fingerprinting Canvas in HTML5′. They presented how to use the HTML5 canvas feature to identify and track internet users.

Hovac and Keaton bore their idea out of the study’s findings using 300 Mechanical Turk users. They found that browser behavior depends on system resources, and websites can access this information. They then created a browser fingerprint using the canvas element of HTML5, which requires specific system capabilities to render.

In 2014, Russian Programmer Valentin Vasilyev created an open-source code on GitHub to demonstrate canvas fingerprinting. Since many websites and web tracking, service providers have incorporated this technique into their systems. According to Acar and colleagues, more than 5% of the existing websites use this technique to track users.

 

How Does Canvas Fingerprinting Work?

A simple way to describe the workings of canvas fingerprinting was given by Acar and fellow researchers in their 2014 paper. It is as follows: 

“Canvas fingerprinting uses the browser’s Canvas API to draw invisible images and extract a persistent, long-term fingerprint without the user’s knowledge. “

The canvas element of HTML5 was designed to provide the capability to draw graphics on web pages. There are variations in how these canvas elements are rendered on different devices. Different browsers and operating systems will render these canvas elements as close as it is written to look like using their internal resources. 

However, there will always be differences in what the browser renders even though they look identical due to system and browser capabilities differences.

Canvas fingerprinting exploits the use of this feature by generating a random image and text to be rendered. The unique rendering determines and generates specific browser data (mainly font type and active color background). These are then encoded and sent to create a canvas fingerprint.

The canvas fingerprint is a unique hash code. Hash codes are products of hashing functions. These functions reduce images, texts, or audio to standardized data values without losing the uniqueness of the starting material. They are mostly used for fast and easy comparison of large data.

The hash of canvas fingerprint creates an almost perfectly unique identity for the internet user’s browser by exploiting certain characteristics of hashing functions. 

 

These characteristics are:

1. Hashing functions generate different hashes data with just slight differences. For example, “book” and “book” will generate entirely different hash codes. This helps to exploit every difference available to create a unique hash.

2. The hashes generated are the same if the input remains the same. This allows the same hash code to be generated every time on the same browser. It prevents conflicting IDs for the same browser.

 

Canvas fingerprinting begins when a website makes your browser render a canvas object. This is possible through the use of canvas fingerprinting javascript. The JavaScript will code for a canvas task that may include lines, geometric figures with different colors, and distorted backgrounds.

This HTML5 canvas tracking-like browser fingerprinting technique is difficult to mitigate. Unlike the cookie tracking system, the canvas fingerprinting system does not load anything to your system. It uses the resources that are already there.

For this system to work effectively, there has to be a database of fingerprints. So every time a user visits the website, a hash code is generated. The fingerprint is then compared with the library of hash codes. 

A returning user will have a matching hash in the library, while a first-time user will have none.

The execution of a canvas fingerprinting process is within seconds. And as said earlier, it is user-independent. No consent is required from the user to execute the process. Hence, its deployment is automated. This makes it effective and efficient.

A functional canvas fingerprinting technique requires a database of fingerprints, fingerprinting JavaScript, and an HTML5 canvas element. When these three components are in place, a website owner can run the tracking technology.

 

What Is Canvas Fingerprinting Used For?

There are different ways canvas fingerprinting is deployed in the industry. Website owners find it helpful in achieving their many aims. Let’s discuss some of the aims below:

1. Content Personalization

Content providers and e-commerce sites rely on tracking their site visitors to serve them their desired content.

They collect data every time their user visits to personalize the experience for the user. The data collected needs to be tagged to the particular identity of everyone they visit. This is where web tracking tactics come in.

Canvas fingerprinting seems a much more efficient way to do this, considering how unique and easy it is. It is also less obtrusive compared to the prevailing system of cookie tracking.

An effective way brands like Netflix, Amazon, and Spotify use is canvas fingerprinting.

 

2. Ad Customisation

It is a popular way to deploy all web tracking systems. A 2016 study reports that 74% of websites use a user tracking system. A large number of these tracking data are for Ad customization purposes.

Advertisers can reach more people via online advertising. This, however, presents a problem for them. Budget constraints limit how large their campaigns can be. Web tracking systems enable them to create specific ads for potential customers.

This method has proved to be highly effective and guarantees high returns on investment (ROIs).

Canvas fingerprinting takes it a step further. The previous cookie tracking systems are not as accurate as using HTML5 canvas tracking. Also, privacy concerns have made the use of cookies highly controversial. The existence of ways to block cookie tracking has made it less efficient.

With canvas fingerprinting, advertisers can create targeted ads for just potential customers only. This increases their ROIs and makes their campaigns even more effective.

 

3. Analytics and Tracking

Web analytics aims to analyze the data obtained from website usage to create better user experiences and achieve the website owners’ goals. 

Web analytics requires highly accurate tracking systems to identify first-time visitors and returning users on web pages. 

This information enables analysts to advise their clients on several things. One example is which audiences they could target to increase site performance. 

Different analytics services use different strategies to achieve their aims. Canvas fingerprinting is one of them. It may be used as the sole method, but it is mainly used with other techniques to obtain accurate results.

 

4. Fraud Prevention

Canvas fingerprinting helps secure online accounts and profiles. Sensitive websites like financial institution websites use fingerprinting techniques to prevent fraudsters from carrying out their operations. 

Their access to such sites can be blocked or limited.

For example, when a user logins into an account that is not theirs, the fingerprint of the original user can be matched, and the suspicious login will be blocked.

However, like every other tracking system, canvas fingerprinting has to be used with other techniques to make it an effective anti-fraud tool. 

In the example above, the system blocks the login even if it was the original user logging in from another device.

 

Pros and Cons of Canvas Fingerprinting

As we have seen above, canvas fingerprinting has crucial uses for both internet users and website owners. However, it also has some cons associated with its usage. Below we explore some of them.

1. Accuracy issues

A canvas fingerprint is just a little less accurate in describing a unique site visitor – it is about 99.99 percent accurate. Nonetheless, that little matters.

Mobile devices use a lot of standardized hardware and software parts. Fingerprinting mobile device users is quite tricky because of this. 

Using the canvas fingerprinting technique, we can only utilize a few differentiating features to create a unique identifier.

Because of this concern, it is not advisable to use websites with large traffic. Users with the same configurations will receive the same fingerprints. This defeats the purpose of the technique and can make analysis difficult.

2. Legality concerns

There are few or no rules that address the usage of browser fingerprinting techniques. Legislations like the European Union’s General Data Protection Regulation (GDPR) that govern web tracking do not explicitly mention browser fingerprinting. This can make the rules technologically neutral.

However, the EU’s GDPR makes web tracking systems like fingerprinting techniques legal, provided the website owners follow the regulation guiding its usage. And those regulations involve seeking the user’s consent before deploying such systems. 

With such rules, the legal way to use canvas fingerprinting involves asking website users to agree to its use. However, there are special cases where canvas fingerprinting is essential to identify users for access to electronic communications services like video playback. In these cases, the ‘legal’ way is bypassed.

3. Privacy Concerns

There has long been concern about users’ data being mined for purposes not consented to on the web. They use privacy tools like VPN, ad blockers proxies, and anti-detect browsers. These tools have curtailed most of the tracking systems available today; however, the use of fingerprinting bypasses many of these tools. 

Thus, the question of privacy comes up again. The data obtained through canvas fingerprinting, how much does it tell about a user?

A canvas fingerprint only contains information about browsers and systems. However, this data is consequential enough to ask those questions. Privacy concerns are increasing concerning any form of data collection system.

 

Can You Avoid Canvas Fingerprinting?

Avoiding canvas fingerprinting is difficult. This is because it works with an integral part of web pages: the HTML5 canvas element. It is easy to block cookies because they are inconsequential to a web page’s functioning. 

Another reason why avoiding canvas fingerprinting might be difficult to achieve is because of its crucial use. For example, it is a major tool in the site owners’ arsenal to prevent fraudsters. It is not the ultimate way to stop them. However, it is a cheap and easy to deploy method to limit their activities.

As mentioned earlier, canvas fingerprinting works with an integral part of the foundational code of a webpage. The HTML5 canvas element is used to display graphics on a webpage. Blocking the total use of this feature means fewer interactive websites and poor user experiences.

Despite these difficulties, there are some methods available for blocking canvas fingerprinting. These methods include:

1. Total blocking of Canvas Fingerprinting
2. Creating Random Canvas Fingerprints.

 

Blocking Canvas Fingerprinting

Some anti-detection browsers, such as Incogniton, have functionality that allows them to block JavaScripts selectively. 

Incogniton handles canvas fingerprinting by adding a bit of persistent noise to each canvas, creating a unique identifier that is different for each profile, thus preventing canvas fingerprinting. 

Disabling javascript on your browser is another way to go about it. 

Websites won’t be able to detect system resources like fonts and active plugins lists. However, the downside to this is a slow browsing experience. Also, some websites cannot function properly without JavaScript.

Another way to block canvas fingerprinting is to use Plugins. Some plugins can disable ad-trackers or activity spying scripts. Examples of these Plugins include Panopticlick’s Privacy Badger, Adblock Plus, and NoScript.

The Tor Browser can successfully block canvas fingerprinting. It notifies the user of the attempts and provides the option to block them. However, the browser cannot distinguish between fingerprinting and the legitimate use of the canvas element.

 

Creating Random Canvas Fingerprints

With tools like anti-detect browsers, you can create random profiles. These profiles contain different datasets and are deployed every time you use the internet. 

Firefox CanvasBlocker does this. It manipulates the data the browser transmits such that different fingerprints are formed every time you visit the website.

The outright blocking and randomization of canvas fingerprinting present another problem. When you block canvas fingerprinting, you create an exclusive identifier. It only works well if other users are blocking canvas fingerprinting as well. 

The same goes for randomizing canvas fingerprints. It becomes suspicious if you are changing shirts every ten minutes in a public place. 

Using a private browser can help you stay free of web tracking tactics. 

A private browser and anti-detect browser will keep your browsing session secure and reduce ad tracking to the barest minimum. The lack of browser extensions on your regular browser can also help reduce browser fingerprinting.

 

How Incogniton Browser Can Help

A user of Incogniton Browser has a third option. The anti-detect browser has different profiles to help keep your identity private online. 

To mitigate canvas fingerprinting, it modifies the canvas rendering for each profile. However, the modification stays the same. It doesn’t change every time you use the profile. Thus, you have a persistent modified canvas fingerprint for every profile you use. 

The Incogniton browser solves the problems associated with randomizing canvas fingerprints by keeping the random canvas fingerprint constant. It can produce a constant fingerprint every time and yet prevents tracking because the fingerprint is modified. 

 

In conclusion

In this article, we have discussed canvas fingerprinting as a modern web-tracking method used by website owners to identify their site users. We explained in detail how it works, its pros and cons, and how you can mitigate it. 

Though other methods like Evercookies are available to track site users, canvas fingerprinting is the most preferred. This is because of its less obtrusive nature and ease of deployment. 

In the long run, web tracking is unavoidable. The best approach is to control how we are tracked on the internet. The website owners still retain control over what they do on their platforms. It remains their rooms.

We just have to be conscious of what rooms we enter online, just as we are in the physical world.