Tracking your browsing using HTML canvas fingerprinting

Every time you fire up your web browser your movements and browser history are being leaked to various websites. No, I am not talking about cookies, but about a technology that you may not have heard much about. It is called canvas fingerprinting.

In this post, I will tell you what it does and how you can try to stop it from happening. Beware that the journey to do this isn’t easy.

The concept refers to coordinating a series of tracking techniques to identify a visitor using what browser, IP address, computer processor and operating system and other details. Canvas is based on the HTML 5 programming interface that is used to draw graphics and other animations using JavaScript. It is a very rich and detailed interface and to give you an idea of the data that the browser collects without your knowledge, take a look at the screenshot below. It shows my computer running Chrome on a Mac OS v.10.13 using Intel hardware. This is just the tip of a large iceberg of other data that can be found quite easily by any web server. 

HTML Canvas has been around for several years, and website builders are getting savvy about how to use it to detect who you are. In the early days of the web, tracking cookies were used to figure out if you had previously visited a particular website. They were small text files that were written to your hard drive. But canvas fingerprinting is more insidious because there is no tracking information that is left behind on your computer: everything is stored in the cloud. What is worse is that your fingerprint can be shared across a variety of other websites without your knowledge. And it is very hard once to eliminate this information, once you start using your browser and spreading yourself around the Internet. Even if you bring up a private or incognito browsing session, you still are dribbling out this kind of data. 

How big an issue is canvas fingerprinting?  In a study done by Ghostery after the 2018 midterm elections, they found trackers on 87% on a large sample of candidate websites. There were 9% of sites having more than 11 different trackers present. Google and Facebook trackers appeared on more than half of the websites and Twitter-based trackers appeared on a third of the candidate webpages.

So what can you do to fight this? You have several options

  1. Make modifications to your browser settings to make yourself more private. The problem with this is that the mods are numerous and keeping track of them is onerous.This post gives you a bunch of FIrefox suggestions.
  2. Use a different browser that gives you more control over your privacy, such as Brave, or even Tor. In that linked post I mention the usability tradeoffs of using a different browser and you will have to expend some effort to tune it to your particular needs. I tolerated Brave for about two days before I went back to using Chrome. It just broke too many things to be useful.
  3. Install a browser extension or additional software, such as PrivacyBadger, Ghostery or Avast’s AntiTrack. I have already written about the first two in a previous post. AntiTrack is a stand-alone $50 per year Windows or MacOS app that works with your browser and hides your digital fingerprint  — including tracking clues from your browser canvas — without breaking too much functionality or having to tweak the browser settings. I just started using it (Avast is a client) and am still taking notes about its use. 
  4. Only run your browser in a virtual machine. This is cumbersome at best, and almost unusable for ordinary humans. Still, it can be a good solution for some circumstances.
  5. Adopt a more cautious browsing lifestyle. This might be the best middle ground between absolute lockdown and burying your head in the sand. Here are a few suggestions:
  • First, see what your HTML Canvas reveals about your configuration so you can get a better understanding of what data is collected about you. There are a number of tools that can be used to analyze your fingerprint, including:

    Each of these tools collects a slightly different boatload of data, and you can easily spend several hours learning more about what web servers can find out about you. 

  • Next, assume that every website that you interact with will use a variety of tracking and fingerprinting technologies
  • Always use a VPN. While a VPN won’t stop websites from fingerprinting your canvas, at least your IP address and geolocation will be hidden.
  • Finally, limit your web browsing on your mobile devices if at all possible. Your mobile is a treasure trove of all sorts of information about you, and even if you are using any of the more private browsers you still can leak this to third parties.

 

5 thoughts on “Tracking your browsing using HTML canvas fingerprinting

  1. Great work Dave, for those of us long time tech media folks it comes as no surprise that tech that is designed for doing good always has a nefarious side. The NY Times ran a great article on tracking and it was an eye opener. I wonder if there should be a paranoia index for sites that have gone too far in tracking?
    The Strom Index?

  2. A very detailed investigation that exposes a means to tag website users. Thank you for posting this information.

    The canvas fingerprint that is compiled consists of numerous attribute/value pairs (some are attribute/list of values). Is fingerprint uniqueness, per website, identified via a 1-to-1 attribute/value compare operation, or a summation of the attribute values? Kindly provide information on the uniqueness computation that says, “We recognize you and we know who you are.” Thx.

Leave a Reply to Liza Draper Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.