Canvas fingerprinting in Web pages

The array of sneaky tricks to get past Internet users’ veil of privacy is astonishing. At least it would be, if we weren’t all past the capacity for astonishment. One which has been around for years is Canvas fingerprinting. It lets servers narrow your profile down to a small number of clients. Combined with other measures, it can uniquely identify you.

How Canvas works

Canvas wasn’t designed to spy on you. It’s a way to draw graphics very efficiently in a browser. It supports animation and interaction. In order to get fast performance, it allows hardware acceleration and doesn’t mandate the exact set of pixels to be drawn. The server can then get those pixels back using getImageData() or toDataURL() in the Canvas API.

Every browser, every operating system, every model of computer may draw a canvas just a little differently. A website can put what amounts to a super-powered web bug into a page and read back the pixels. The pixel rendering will normally be consistent from one session to another, functioning as a kind of tracking cookie which you can’t easily turn off. You can disable cookies and go through proxies to vary your IP address, but Canvas fingerprinting can still be tracking you from one session to the next.

An academic paper, “Pixel Perfect: Fingerprinting Canvas in HTML5”, circa 2011, describes the technique. It notes that the “fingerprint” (distinctive pattern of pixels) from Canvas has high entropy, making it useful for identification. In computer science, entropy is a measure of the variability of data when controlled sources (such as the drawing commands) are accounted for.

Most people don’t care. The ones who never delete old cookies and report their daily lives on Facebook are hardly going to be bothered by one more way of tracking them. Others have good reasons for maintaining their privacy, or they just don’t like the idea of snooping.

Defeating fingerprinting

The Firefox add-on Canvas Blocker offers a solution. It offers a variety of options, from blocking Canvas only for blacklisted sites to returning random pixel data. You can whitelist sites that require Canvas as part of the functionality you want. There are cases where it’s legitimate, and I’ve written code myself that takes advantage of the feature to generate and save graphics for the user.

If you open about:config in Firefox and search for “privacy,” you find tons of settings. Searching for “finger” narrows it down, and these look relevant:

  • privacy.resistFingerprinting
  • privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts
  • services.sync.prefs.sync.privacy.resistFingerprinting

I don’t know exactly what they do. You can play with them at your own risk. It’s a good idea, whenever you mess with Firefox settings, to make a note of what you’re changing and what the original values were. Unlike Canvas Blocker, they don’t offer you a way to treat different sites differently.

Comments are closed.