Under the title ‘The web never forgets: Persistent tracking mechanisms in the wild’, researchers at Princeton University and the Catholic University of Leuven published a study into modern methods of user tracking. Alongside Evercookie and cookie synchronisation, they discussed a technique that was relatively unknown at the time: canvas fingerprinting. The study found that over 5.5% of the 100,000 websites they explored were employing this sophisticated technique to identify users.

What is canvas fingerprinting?

The idea of fingerprint-based online tracking was first thought up by Keaton Mowery and Hovav Shacham, employees at the University of California, in their 2012 work ‘Pixel Perfect: Fingerprinting Canvas in HTML5’. In the publication, they present their idea: that individual fingerprints based on the system configuration of a web user can be easily generated with the help of the canvas elements introduced in HTML5. Inspired by the work of these two researchers, the Russian programmer Valentin Vasilyev developed and released a first example of canvas fingerprint code under an open source license on GitHub. His code served as the basis for companies like AddThis and Ligatus to put this tracking technology into practice.

The canvas elements mentioned above are areas of a defined height and width that can be drawn on using JavaScript to create graphics, logos, and buttons with text. How such a drawing is rendered depends on the following hardware and software, and the combination of these is often unique:

  • Operating system
  • Browser
  • Graphics card
  • Graphics card driver
  • Installed client fonts

These components ensure that each text will turn out slightly differently, which is what enables canvas fingerprinting. All that a website operator needs to carry out this internet tracking is the specific canvas fingerprint code, which causes the browser to render a hidden text in the background via JavaScript as the page is loading. The rendered hidden text is then forwarded to the website’s web server. Due to the many features involved, the digital fingerprint created in this way is unique in over 80% of cases, meaning it can be recognised every time – as long as the user doesn’t make changes to the system configuration listed above.

The value of canvas fingerprinting in web analysis

A canvas fingerprint basically only contains information about systems and browsers. But this is already enough to identify website visitors as individuals and so to track their surfing behaviour from then on. This could simply mean tracking a user’s activity on your own website, but it’s also possible to track them across several websites, provided the script is implemented on each of them. This form of online tracking is useful for website optimisation and especially interesting for conceptualising targeted advertising. A major advantage of this modern user tracking method is that it doesn’t involve collecting personal data from users, making fingerprint tracking a serious alternative to cookies for web analysts. Cookies are considered legally questionable and are deliberately blocked or regularly deleted by lots of users.

But digital fingerprints do differ from human fingerprints in that they’re not 100% unique, meaning that results from canvas fingerprinting aren’t always trustworthy. For example, two website visitors with the same configuration will receive the same user ID, creating problems for visitor analysis. Since the chances of this happening increase with the number of users visiting a website, canvas fingerprinting is naturally less effective for larger sites with higher traffic. Users of mobile devices create a further problem for fingerprint internet tracking: the hardware and software used by tablets and smartphones are usually too standardised for canvas fingerprinting, with too few distinguishing features to generate enough unique fingerprints.

Users can avoid canvas fingerprinting

Unlike cookies, canvas fingerprints can’t simply be deleted because the data is sent directly to the server – nothing is stored on the client side. Using an incognito mode on your browser won’t stop this tracking technique either, as the canvas script still runs and the system/browser information is still shared. But users aren’t completely helpless to stop this tracking method. It’s possible for you to prevent the scripts from running in advance. This can be achieved using the following measures:

  • Deactivating JavaScript: without JavaScript, the canvas elements can’t load and so no client information can be loaded either. But unfortunately this can affect your browser performance: since many websites contain JavaScript, you may find that these are no longer displayed correctly with JavaScript disabled.

  • Adblock Plus: Adblock Plus is best known as a browser extension used to block ads, particularly pop-ups. But by combining this free tool with the filter list EasyPrivacy, you can protect yourself against advanced fingerprint tracking online.

  • CanvasBlocker: Firefox users can download the free add-on CanvasBlocker and receive advanced settings and options for blocking canvas fingerprinting. For example, it’s possible to either simply ignore all canvas requests, or to manipulate the data transmitted in order to make sure that every fingerprint given is different.
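The collision problem described earlier (identical configurations receive the same ID) and the two CanvasBlocker strategies listed above can be followed in a small simulation. This is an added example, not code from the original article or from CanvasBlocker; the pixel values, the visitor names and the use of an FNV-1a hash are assumptions made for illustration.

```javascript
// Added example. Pixel data is constructed; no real canvas or extension API is used.

// FNV-1a (32-bit) stands in for whatever digest a tracking script applies
// to the canvas readout before sending it to the server (assumption).
function fingerprintId(pixels) {
  let h = 0x811c9dc5;
  for (const b of pixels) {
    h ^= b;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Constructed RGBA readouts of the same hidden text on three systems.
const READOUTS = {
  alice: [0, 0, 0, 255, 34, 34, 36, 255, 201, 200, 198, 255],
  bob:   [0, 0, 0, 255, 34, 34, 36, 255, 201, 200, 198, 255], // same setup as alice
  carol: [0, 0, 0, 255, 34, 34, 37, 255, 201, 200, 198, 255], // other driver: one value off
};

// "none":      the page script reads the real pixels.
// "block":     every readout is blank, so all visitors look alike.
// "randomize": the lowest bit of one randomly chosen byte is flipped per
//              readout (invisible to the eye, but the digest changes).
function protectReadout(pixels, mode, rng = Math.random) {
  if (mode === "block") return new Array(pixels.length).fill(0);
  const out = pixels.slice();
  if (mode === "randomize") out[Math.floor(rng() * out.length)] ^= 1;
  return out;
}

// What the tracking server would record for each visitor under a given mode.
function idsSeenByServer(mode, rng = Math.random) {
  const ids = {};
  for (const [user, px] of Object.entries(READOUTS)) {
    ids[user] = fingerprintId(protectReadout(px, mode, rng));
  }
  return ids;
}

for (const mode of ["none", "block", "randomize"]) {
  console.log(mode.padEnd(9), idsSeenByServer(mode));
}
```

With only one flipped byte, two readouts can still coincide when the same byte happens to be picked; the noise is kept minimal here so that its effect on the ID is easy to follow.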

Transparency as a prerequisite

When the 2014 list of websites using canvas fingerprinting scripts was published, there were even some website operators who were surprised to find themselves among the companies using canvas fingerprinting – as they hadn’t implemented the tracking technique themselves. One notable case in Europe centred on Ligatus, a German company operating out of Cologne. This digital marketing firm had failed to properly explain to its numerous clients, including popular German websites like kicker.de, golem.de, and n-tv.de, what canvas fingerprinting was and how it worked. According to a statement from the performance agency, they had been running a limited trial of the technique, for which they were only collecting anonymous information from pre-determined users, and they ensured that this information wasn’t being shared anywhere else. But the majority of websites involved – again, some unknowingly – were using the tracking code of the US firm AddThis, famous for its social media buttons that can be embedded in websites.

But a more pressing and serious issue than the ignorance of website operators is the lack of information made available to website visitors. For internet users, we strongly recommend that you familiarise yourself with what canvas fingerprinting is, before deciding whether or not you wish to block it (see above). And if you’re considering implementing the canvas fingerprinting technique for your company web presence, be sure to research the rules for your country and inform your site visitors that you’re using this method of online tracking, so they have the option to leave your site or hide their canvases if they wish.
