Canvas fingerprinting is one of a number of browser fingerprinting techniques for tracking online users that allow websites to identify and track visitors using the HTML5 canvas element instead of browser cookies or other similar means. The technique received wide media coverage in 2014 after researchers from Princeton University and KU Leuven University described it in their paper "The Web never forgets".
Description
Canvas fingerprinting works by exploiting the HTML5 canvas element. As described by Acar et al. in:
Variations in which graphics processing unit (GPU) or graphics driver is installed may cause the fingerprint to vary. The fingerprint can be stored and shared with advertising partners to identify users when they visit affiliated websites. A profile can be created from the user's browsing activity, allowing advertisers to target advertising to the user's inferred demographics and preferences.
By January 2022, the concept was extended to fingerprinting performance characteristics of the graphics hardware, called DrawnApart by the researchers.
Uniqueness
Since the fingerprint is primarily based on the browser, operating system, and installed graphics hardware, it does not, on its own, uniquely identify users. In a small-scale study with 294 participants from Amazon's Mechanical Turk, an experimental entropy of 5.7 bits was observed. The authors of the study suggest more entropy could likely be observed in the wild and with more patterns used in the fingerprint. While not sufficient to identify individual users by itself, this fingerprint could be combined with other entropy sources to provide a unique identifier. It is claimed that because the technique is effectively fingerprinting the GPU, the entropy is "orthogonal" to the entropy of previous browser fingerprint techniques such as screen resolution and browser JavaScript capabilities.
Considerably more precise identification becomes possible with DrawnApart, published in 2022, which was shown to boost the tracking duration of individual fingerprints by 67% when used to enhance other methods.
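The following is an added example, not taken from the article or the cited studies. It measures what "orthogonal" entropy means in practice: an attribute that is independent of the canvas hash adds bits and shrinks anonymity sets, while one that is determined by the canvas hash adds nothing. The visitor records and field names are constructed for illustration and do not reproduce the study's figures.

```javascript
// Shannon entropy, in bits, of the value keyFn extracts from each visitor.
function entropyBits(visitors, keyFn) {
  const counts = new Map();
  for (const v of visitors) {
    const key = keyFn(v);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / visitors.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Number of visitors whose extracted value is shared with nobody else.
function uniqueVisitors(visitors, keyFn) {
  const counts = new Map();
  for (const v of visitors) counts.set(keyFn(v), (counts.get(keyFn(v)) || 0) + 1);
  return visitors.filter((v) => counts.get(keyFn(v)) === 1).length;
}

// Constructed sample: 8 visitors, 4 canvas hashes, 2 screen sizes.
// `gpu` is fully determined by the canvas hash; `screen` is independent of it.
const SAMPLE = [
  { canvas: 'c1', gpu: 'gA', screen: '1920x1080' },
  { canvas: 'c1', gpu: 'gA', screen: '2560x1440' },
  { canvas: 'c2', gpu: 'gA', screen: '1920x1080' },
  { canvas: 'c2', gpu: 'gA', screen: '2560x1440' },
  { canvas: 'c3', gpu: 'gB', screen: '1920x1080' },
  { canvas: 'c3', gpu: 'gB', screen: '2560x1440' },
  { canvas: 'c4', gpu: 'gB', screen: '1920x1080' },
  { canvas: 'c4', gpu: 'gB', screen: '2560x1440' },
];

function report(visitors) {
  const both = (v) => `${v.canvas}|${v.screen}`;
  return {
    canvas: entropyBits(visitors, (v) => v.canvas),
    canvasPlusGpu: entropyBits(visitors, (v) => `${v.canvas}|${v.gpu}`),
    canvasPlusScreen: entropyBits(visitors, both),
    uniqueByCanvas: uniqueVisitors(visitors, (v) => v.canvas),
    uniqueByBoth: uniqueVisitors(visitors, both),
  };
}

console.log(report(SAMPLE));
```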
History
In May 2012, Keaton Mowery and Hovav Shacham, researchers at University of California, San Diego, wrote a paper "Pixel Perfect: Fingerprinting Canvas in HTML5" describing how the HTML5 canvas could be used to create digital fingerprints of web users.
Social bookmarking technology company AddThis began experimenting with canvas fingerprinting early in 2014 as a potential replacement for cookies. 5% of the top 100,000 websites used canvas fingerprinting while it was deployed.
According to AddThis CEO Richard Harris, the company has only used data collected from these tests to conduct internal research. Users will be able to install an opt-out cookie on any computer to prevent being tracked by AddThis with canvas fingerprinting.
A software developer writing in Forbes stated that device fingerprinting has been utilized for the purpose of preventing unauthorized access to systems long before it was used for tracking users without their consent.
As of 2014 the technique is widespread in many websites, used by at least a dozen high-profile web ads and user tracking suppliers.
In 2022, the capabilities of canvas fingerprinting were considerably extended by taking minute differences between nominally identical units of the same GPU model into account. Those differences are rooted in the manufacturing process, so a given unit behaves more consistently over time than two identical copies behave relative to each other.
Mitigation
Tor Project reference documentation states, "After plugins and plugin-provided information, we believe that the HTML5 Canvas is the single largest fingerprinting threat browsers face today." Tor Browser notifies the user of canvas read attempts and provides the option to return blank image data to prevent fingerprinting. However, Tor Browser is currently unable to distinguish between legitimate uses of the canvas element and fingerprinting efforts, so its warning cannot be taken as proof of a website's intent to identify and track its visitors. Browser add-ons like Privacy Badger, DoNotTrackMe, or Adblock Plus manually enhanced with the EasyPrivacy list are able to block third-party ad network trackers and can be configured to block canvas fingerprinting, provided that the tracker is served by a third-party server (as opposed to being implemented by the visited website itself).
The LibreWolf browser project includes technology to block access to the HTML5 canvas by default, only allowing it in specific instances green-lit by the user.
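The mitigation pattern described in this section (report each canvas read attempt and return blank image data unless the user has approved the site) can be sketched as follows. This is an added example, not code from Tor Browser or LibreWolf; `guardCanvasReads`, the `policy` object and the `.example` origins are hypothetical, and the canvas classes are constructed stand-ins so the code runs outside a browser. It covers `toDataURL` and `getImageData` only.

```javascript
// Added example. In a browser, pass HTMLCanvasElement.prototype and
// CanvasRenderingContext2D.prototype; `policy` is this example's own shape.
function guardCanvasReads(canvasProto, contextProto, policy) {
  const attempts = [];
  const orig = { toDataURL: canvasProto.toDataURL, getImageData: contextProto.getImageData };
  // Log every read attempt, then decide whether real pixels may leave the canvas.
  const permitted = (api, width, height) => {
    const origin = policy.currentOrigin();
    const allowed = policy.allowedOrigins.has(origin);
    attempts.push({ api, width, height, origin, allowed });
    return allowed;
  };
  canvasProto.toDataURL = function (...args) {
    if (permitted('toDataURL', this.width, this.height)) return orig.toDataURL.apply(this, args);
    return 'data:,'; // the value the HTML spec defines for a canvas with no pixels
  };
  contextProto.getImageData = function (sx, sy, sw, sh, ...rest) {
    if (permitted('getImageData', sw, sh)) return orig.getImageData.call(this, sx, sy, sw, sh, ...rest);
    const w = Math.abs(sw), h = Math.abs(sh);
    // Zero-filled RGBA: transparent black regardless of what was drawn.
    // (A browser build would return `new ImageData(w, h)` instead.)
    return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4) };
  };
  return attempts;
}

// Constructed stand-ins so the example runs outside a browser.
function demo() {
  class FakeCanvas {
    constructor() { this.width = 220; this.height = 30; }
    toDataURL() { return 'data:image/png;base64,CONSTRUCTED'; }
  }
  class FakeContext {
    getImageData(sx, sy, sw, sh) {
      return { width: sw, height: sh, data: new Uint8ClampedArray(sw * sh * 4).fill(255) };
    }
  }
  let origin = 'https://tracker.example';
  const attempts = guardCanvasReads(FakeCanvas.prototype, FakeContext.prototype, {
    currentOrigin: () => origin,
    allowedOrigins: new Set(['https://editor.example']), // sites the user approved
  });
  const canvas = new FakeCanvas(), ctx = new FakeContext();
  const blockedUrl = canvas.toDataURL();
  const blockedPixels = ctx.getImageData(0, 0, 2, 2);
  origin = 'https://editor.example';
  const allowedUrl = canvas.toDataURL();
  return { blockedUrl, blockedPixels, allowedUrl, attempts };
}

console.log(demo().attempts);
```

As the section notes for Tor Browser, the log records read attempts, not intent: a drawing application triggers the same entries as a tracker.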
See also
* Evercookie – a type of browser cookie that is intentionally difficult to delete
* Local shared object – a persistent browser cookie also known as a Flash cookie
* Web storage – web application software methods and protocols used for storing data in a web browser
External links
* https://browserleaks.com/canvas