/Tracking/Fingerprinting/active/canvas/

• $ fingerprint@info:~ echo $CANVAS

• Name:

  Canvas Fingerprinting
  

  Original feature purpose:

  The Canvas API provides a means for drawing graphics via JavaScript and the HTML <canvas> element. Among other things, it can be used for animation, game graphics, data visualization, photo manipulation, and real-time video processing. For more details see, e.g., MDN web docs

  
  

  FP-Explanation:

  The Canvas element draws an image with text defined by the JavaScript fingerprinting code, and resulting binary pixel data (Base64 encoded) is extracted and hashed. This hash of the Canvas image serves as fingerprint, which varies among clients due to differences in the rendering process caused by operating system, browser, rendering engine, GPU or graphics driver. The Canvas API allows arbitrary fonts, colors and geometries. To increase fingerprinting diversity, the complete ASCII-Set with various fonts and colors is used for text drawing. If a specific font is not installed or accessible on the client's browser, a fallback font is provided.
  The images drawn by Canvas elements from different system environments usually look different. But, even if no differences can be seen by eye in two canvas rendered images (with the same JavaScript code), it is possible for the images to still differ slightly, because they may not be pixel-identical.
  For fingerprinting purposes, it is only important that there are differences and thus derived fingerprints are distinguishable.
  
  Instead of creating an image with JavaScript, an existing image can be read into the Canvas element. The resulting hash of the rendered Canvas image also varies among rendering engines and browser.
  
  Canvas fingerprinting, which should be consistent, is done with one fake font. Canvas fingerprinting, with the goal of a higher diversity, is done with multiple fonts, but the fingerprint can change if the target system updates its font support.

  
  

  FP-Type:

  active
  

  FP-Categories:

  js, html5, hardware-dependent, software-dependent, consistent
  

  Counter-measures:

  Canvas elements can only be blocked on browser-level - either by a browser-specific Canvas-Blocker Addon or by browser vendor features.

  • From Firefox 58: Canvas data extraction needs user permission or is automatically spoofed
    Explanation: A website cannot use Canvas elements for fingerprinting any more
    Explanation: (blocked or spoofed Canvas API)
    Info: Only works if the setting 'privacy.resitFingerprinting' is set to 'true'
    
  
  

  Publications/References:

  • K Mowery, Pixel Perfect: Fingerprinting Canvas in HTML5 (2012)
  • G Acar, The Web Never Forgets: Persistent Tracking Mechanisms in the Wild (2014)
  • S Englehardt, Online Tracking: A 1-million-site Measurement and Analysis (2016)
  • BrowserLeaks (Canvas Fingerprinting)
  • Panopticlick (Is your browser safe against tracking?)
  • Darkwave Technologies (Canvas Fingerprinting)
  • Prompt before allowing HTML5 Canvas image extraction (Tor Bug Tracker)
  • Sites with canvas fingerprinting scripts (Princeton Web Census)
  
  
• $ fingerprint@info:~ run canvas-demo

Demo:

>> Jump to Canvas Fingerprinting Demo <<