Canvas fingerprinting: the cookie successor
Under the title ‘The web never forgets: Persistent tracking mechanisms in the wild’, researchers at Princeton University and the Catholic University of Leuven published a study into modern methods of user tracking. Alongside Evercookie and cookie synchronisation, they discussed a technique that was relatively unknown at the time: canvas fingerprinting. The study found that over 5.5% of the 100,000 websites they explored were employing this sophisticated technique to identify users.
What is canvas fingerprinting?
The idea of fingerprint-based online tracking was first thought up by Keaton Mowery and Hovav Shacham, employees at the University of California, in their 2012 work ‘Pixel Perfect: Fingerprinting Canvas in HTML5’. In the publication, they present their idea: that individual fingerprints based on the system configuration of a web user can be easily generated with help from the canvas elements introduced with HTML5. Inspired by the work of these two researchers, the Russian programmer Valentin Vasilyev developed and released a first example of canvas fingerprinting code under an open source license on GitHub. His code served as the basis for companies like AddThis and Ligatus to put this tracking technology into practice.
The canvas elements mentioned above are defined areas (height and width) that can be drawn on using JavaScript to create graphics, logos, and buttons with text. How the browser renders them depends on the following hardware and software, and combinations of these are often unique:
- Operating system
- Browser
- Graphics card
- Graphics card driver
- Installed client fonts
These components ensure that each text will turn out slightly differently, which is what enables canvas fingerprinting. All that a website operator needs to carry out this internet tracking is the specific canvas fingerprint code, which causes the browser to draw a hidden text in the background via JavaScript as the page is loading. The rendering of this hidden text is then forwarded on to the website’s web server. Due to the many features involved, the digital fingerprint created in this way is unique in over 80% of cases, meaning it can be recognised every time – as long as the user doesn’t make changes to the system configuration listed above.
The value of canvas fingerprinting in web analysis
A canvas fingerprint basically only contains information about systems and browsers. But this is already enough to identify website visitors as individuals and so to track their surfing behaviour from then on. This could simply mean tracking a user’s activity on your own website, but it’s also possible to track them on several websites, provided the script is implemented on different webpages. This form of online tracking is useful for website optimisation and especially interesting for conceptualising targeted advertising. A big plus point of this modern user tracking method is that it doesn’t involve collecting personal data from users, making fingerprint tracking a serious alternative to cookies for web analysts. Cookies are considered legally questionable and are deliberately blocked or regularly deleted by lots of users.
But digital fingerprints do differ from human fingerprints in that they’re not 100% unique, meaning that results from canvas fingerprinting aren’t always trustworthy. For example, two website visitors with the same configuration will receive the same user ID, creating problems for visitor analysis. Since the chances of this happening increase with the number of users visiting a website, canvas fingerprinting is naturally less effective for larger sites with higher traffic. Users of mobile devices create a further problem for fingerprint internet tracking: the hardware and software used by tablets and smartphones are usually too standardised for canvas fingerprinting, with too few distinguishing features to generate enough unique fingerprints.
Users can avoid canvas fingerprinting
Unlike cookies, canvas fingerprints can’t simply be deleted because the data is sent directly to the server – nothing is stored on the client side. Using an incognito mode on your browser won’t stop this tracking technique either, as the canvas script and system/browser information are still shared. But users aren’t completely helpless to stop this tracking method. It’s possible for you to prevent the scripts from running in advance. This can be achieved using the following measures:
- Deactivating JavaScript: without JavaScript, the canvas elements can’t load and so no client information can be loaded either. But unfortunately this can affect your browsing: since many websites contain JavaScript, you may find that these are no longer displayed correctly with JavaScript disabled.
- Adblock Plus: Adblock Plus is best known as a browser extension used to block ads, particularly pop-ups. But by combining this free tool with the filter list EasyPrivacy, you can protect yourself against advanced fingerprint tracking online.
- CanvasBlocker: Firefox users can download the free add-on CanvasBlocker and receive advanced settings and options for blocking canvas fingerprinting. For example, it’s possible to either simply ignore all canvas requests, or to manipulate the data transmitted in order to make sure that every fingerprint given is different.
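The data-manipulation defence from the last bullet, together with the reason an unprotected canvas readout works as a stable ID, as an added example (not code from CanvasBlocker or from the studies cited here). `renderPixels`, `configSeed`, `fingerprint` and `withReadNoise` are hypothetical names, and the pixel buffer is constructed so the demo also runs outside a browser.

```javascript
// Constructed stand-in for the RGBA bytes getImageData() returns. In a real
// browser they vary with OS, browser, GPU, driver and fonts; here the
// hypothetical `configSeed` plays that role.
function renderPixels(configSeed, width = 16, height = 16) {
  const px = new Uint8ClampedArray(width * height * 4);
  let s = configSeed >>> 0;
  for (let i = 0; i < px.length; i++) {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0; // small LCG
    px[i] = i % 4 === 3 ? 255 : s >>> 24;           // opaque alpha channel
  }
  return px;
}

// What a tracking script derives from the pixels: a short, stable hash
// (FNV-1a here, as a simple stand-in for whatever hash a script uses).
function fingerprint(pixels) {
  let h = 0x811c9dc5;
  for (const b of pixels) h = Math.imul(h ^ b, 0x01000193) >>> 0;
  return h.toString(16).padStart(8, '0');
}

// Defence: return a copy with the lowest bit of random colour channels
// flipped. Invisible to the eye, but the hash changes on every read.
function withReadNoise(pixels, rng = Math.random) {
  const out = Uint8ClampedArray.from(pixels);
  let flipped = 0;
  for (let i = 0; i < out.length; i++) {
    if (i % 4 !== 3 && rng() < 0.1) { out[i] ^= 1; flipped++; }
  }
  if (flipped === 0) out[0] ^= 1; // guarantee at least one change
  return out;
}

// In a browser, apply the noise wherever pixels can be read back
// (toDataURL and toBlob would need the same treatment).
if (typeof CanvasRenderingContext2D !== 'undefined') {
  const original = CanvasRenderingContext2D.prototype.getImageData;
  CanvasRenderingContext2D.prototype.getImageData = function (...args) {
    const image = original.apply(this, args);
    image.data.set(withReadNoise(image.data));
    return image;
  };
}

const clean = renderPixels(42);
console.log('unprotected:', fingerprint(clean), fingerprint(clean));
console.log('protected:  ', fingerprint(withReadNoise(clean)),
                            fingerprint(withReadNoise(clean)));
```

The two unprotected values match on every run, while the two protected values differ from each other and from the unprotected one.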
Transparency as a prerequisite
When the 2014 list of websites using canvas fingerprinting scripts was published, there were even some website operators who were surprised that they fell into the category of companies using canvas fingerprinting – as they hadn’t implemented the tracking technique themselves. One notable case in Europe centred on Ligatus, a German company operating out of Cologne. This digital marketing firm had failed to properly clarify what canvas fingerprinting was and how it worked to their numerous clients, including popular German websites like kicker.de, golem.de, and n-tv.de. According to a statement from the performance agency, they had been running a limited trial of the technique, for which they were only collecting anonymous information from pre-determined users and ensured that this information wasn’t being shared anywhere else. But the majority of websites involved – again, some unknowingly – were using the tracking code of the US firm AddThis, famous for its embedding of social media buttons for websites.
But a more pressing and serious issue than the ignorance of website operators is the lack of information made available to website visitors. For internet users, we strongly recommend that you familiarise yourself with what canvas fingerprinting is, before deciding whether or not you wish to block it (see above). And if you’re considering implementing the canvas fingerprinting technique for your company web presence, be sure to research the rules for your country and inform your site visitors that you’re using this method of online tracking, so they have the option to leave your site or hide their canvasses if they wish.