What Is Canvas Fingerprinting and How Does It Work?

DECEMBER 3, 2024 • PRIVACY & ANONYMITY • EXPERT OPINION

A study of 500,000 of the most popular websites revealed that 0.77% of them use Canvas for covert visitor identification. This fingerprinting method tracks users based on how their devices render images. In this article, we’ll explain what a Canvas-based digital fingerprint is, how it works, and why the most obvious methods of fighting this identification technology often fail to deliver the desired results.

Canvas is an HTML5 element designed for rendering raster graphics using JavaScript. At first glance, it is meant for animations and effects, but in reality, it is also used for less obvious purposes, namely, creating a digital fingerprint of your device.
Canvas Fingerprinting is a user-tracking method that employs the HTML5 Canvas API to generate a unique digital fingerprint of a device. Unlike cookies, which can be easily deleted or blocked, this method allows websites and advertising networks to identify and track you.

Users are often simply unaware that they are being tracked and have limited means to prevent it. Browsers automatically provide part of their data for correct website display and may discreetly execute a script to render an image. Therefore, even if you delete or block cookies, websites can still recognize you.

To combat this method, you can install browser extensions that alter the data used for fingerprint creation. You can also configure your browser’s privacy settings to limit JavaScript execution. However, all these methods are unreliable. Let us explain why.

Digital fingerprints collected using this method are difficult to alter or spoof. Even if a user clears their cache or changes browser settings, their unique fingerprint may still remain unchanged. The hash is stored on a server and will be used for user identification during later website visits. Since the hash is unique to each device, it allows websites and advertising networks to track users.

With the emergence of a vast number of devices with varying resolutions, developers began creating filters for image processing to enhance their final appearance. As a result, when given identical instructions, different devices may render objects differently.

These filters are applied to improve image quality and sharpness. The most noticeable filter is anti-aliasing, but there are others, such as hints used when rendering fonts.

Similarly, all fonts are defined by specific mathematical formulas and consist of glyphs, which can be described as sets of contours or closed curves. For example, the lowercase letter “i” consists of two glyphs: one for the dot and another for the body of the letter. These glyphs, also known as contours, are then filled with pixels to create the final shape of the character.

In addition to the basic mathematical data defining the outline of each specific glyph, fonts can store additional hints. Hints are instructions executed when glyphs are rendered on the screen. These instructions adjust certain points that define the shape of letters to ensure they are properly aligned with the grid on which the glyph is displayed. This ensures the font appears the same on different devices and screens, regardless of resolution or pixel density.

Anti-aliasing involves adding gray pixels to blur the edges of each glyph. If you zoom in on a page, you’ll notice that the edges of curved letters are not perfect but rather jagged. The filter smoothes object boundaries and makes them appear softer because our eyes average the tonal differences.

The uniqueness of each Canvas-based fingerprint lies not in the final image we see but in how each device processes shades and anti-aliasing. When two devices receive the same rendering task, the pixels at the edges will have slightly different shades, among other differences. These minor variations in processing make the image appear identical to us but not to websites.

Hashing is the process of converting data into a unique fixed-length value (hash code), enabling efficient and fast data comparisons. This is particularly important for fingerprinting, as it helps create unique device fingerprints based on images generated through Canvas.

Hashing is used for several reasons:

To create Canvas-based fingerprints, websites send identical instructions for rendering graphical objects. However, retrieving and processing such a large volume of images is inefficient. Instead, a hash function is used to reduce the data size while preserving its uniqueness.

Since even tiny differences in the generated images will result in significantly different hashes, this is an excellent method for identifying and tracking visitors using the unique values of hash codes. Additionally, hash function computations are nearly instantaneous, enabling quick fingerprint generation and comparison.

Building a database of hashes to spoof digital fingerprints is virtually impossible due to the wide variety of instructions and hashing functions. Moreover, websites can change them at any time to identify visitors in different ways.

Hardware noise refers to minor software deviations from system values that influence Canvas object generation. This method makes the fingerprint more challenging to recognize.

The idea is that every time a website accesses the Canvas API, a special application or an anti-detect browser intercepts the request and adds random noise to the data. As a result, the generated hash no longer aids in identifying your device. The problem, however, is that hardware noise simultaneously makes the digital fingerprint non-standard. This means you cannot simply add random noise parameters, as this would make the resulting fingerprint stand out too much among others. That is why bypassing Canvas requests is an extremely complex task.

Using its own mathematical algorithms, Octo Browser introduces random yet consistent noise into Canvas, affecting the result of the image CRC data check. These changes are invisible to the naked eye, but the hash of the image will be different. After this, the digital fingerprint becomes both unique and “regular” for each profile you run. Websites perceive these virtual profiles as regular visitors, while your device remains protected from tracking.

Adding random hardware noise is not always justified. Web trackers compare the generated hash with millions of other standard values. With such a vast database, websites can recognize randomly generated noise. This is why regularity is just as important a feature as uniqueness.

If you disable the addition of hardware noise and interception of Canvas API requests, websites will receive the real hash code of the device. This can be useful when websites react poorly to a fully unique or blocked Canvas.

For virtual profiles with enabled Canvas setting, the hash will not remain consistent across launches on different devices with varying hardware.

In Octo Browser the added hardware noise is constant but acts as a filter over the existing Canvas fingerprint. Thus, if the device changes, the resulting hash value also changes.

Here’s an example: launching the same virtual profile on two different devices. Despite the added hardware noise in the profile, the Canvas verification results differ.

True, the hardware, drivers, and browser versions of a device can influence the generated graphic objects. However, in real-world scenarios, Canvas fingerprint hashes are not always unique because many PCs, Macs, and laptops share identical configurations. Your Canvas fingerprint blends with other users with similar setups.

Canvas fingerprints can differ for several reasons:

All these factors can influence how Canvas renders graphics, leading to differences in fingerprints. However, we found out that devices with identical GPUs, operating systems, drivers, and browser versions are likely to produce identical results.

If you need consistent and invariant Canvas fingerprints for safe work across multiple devices, try using profiles on identical device models with matching hardware, drivers, and operating systems. Since the data used for Canvas checks will come from the same hardware, fingerprints will remain consistent across sessions.

One way to make virtual profile fingerprints indistinguishable from regular common configurations is using Octo Browser on Mac devices. Since identical Mac models share the same build, their Canvas fingerprints are also nearly identical.

Canvas Fingerprinting is a powerful and subtle user identification method. Its key feature is that the parameters for generating the fingerprint are server-side. As a result, without the user’s awareness, their device can generate various graphical objects using the Canvas API, which are then converted into a hash. Spoofing the hash effectively is impossible without knowing the hashing algorithm.

Disabling the Canvas API was once considered a simple way to prevent hardware fingerprinting. However, this approach is now outdated. Many websites actively use the Canvas API to function correctly, and blocking this element may arouse suspicions or even restrict access to the site altogether.

Modern website tracking systems are constantly evolving. Canvas-based fingerprinting is often combined with other tracking methods, enabling the creation of a more accurate and reliable browser fingerprint. This can pose significant challenges for multi-accounting.

With Octo Browser, you have full control over your digital fingerprint and can decide how websites perceive it. If you need to conceal certain browser fingerprint parameters and replace them with unique values, you can enable hardware noise. If you wish to blend in with the crowd, leave the noise disabled. This way, you won’t stand out among visitors with similar hardware settings.

Based on our experience, we recommend avoiding adding hardware noise unless absolutely necessary, as some services may react to it sensitively. Always keep in mind that Canvas-based hash verification is just one of the factors influencing a website’s decision whether or not to block your device. All parameters of the virtual profile and its digital fingerprint should be indistinguishable from those of real devices, and this is exactly where Octo Browser excels.