Browser (Canvas) Fingerprinting - A Sneaky Way to Track Website Visitors by Summer Hirst

Every time you visit a website, you leave a fingerprint. Every link you click, every form you fill reveals a bit more about you as a visitor. Companies use this trace to follow you and send various advertisements to you. Earlier on, websites would place cookies or small text files on your computer to monitor your online behavior. Now they are moving to browser (canvas) fingerprinting. It’s a sneaky tracking solution that helps websites identify your device. 

So, what is a browser (canvas) fingerprint?

Your fingerprint is your unique identification mark. Similarly, a canvas fingerprint is an identification mark of your computer. Only less unique.  Many computers who have the same or similar GPU will have similar fingerprints.  Websites can recognize visitors through this mark. 

What does fingerpriting look like?

Unlike cookies, which are text, a browser fingerprint is usually an image. Big images are modified by websites using hashes and are sent to the server to store. 

How is a canvas fingerprint created?

As soon as you visit a website or perform some actions on it, the website sends an instruction in the form of JavaScript. This script interacts with a feature of web browsers called API (application programming interface). API allows the browser to communicate with your computer's graphics hardware or graphics chip. The instruction is placed. Your computer is asked to draw a 3D image and it is sent to the server. It processes it and gives you back a mark - your device's fingerprint- which it will use to track you. Yet unlike cookies, browser fingerprints are stored on the server. 

Results from Canvas fingerprinting test: the less unique fingerprint the better.

A fingerprint can reveal a lot of information about the user. It uses a combination of their IP address, installed plug-ins and fonts, device knowledge (screen resolution, operating system, language, etc.), time zone, and lots more. 

How do I know if I’m being monitored?

A lot of companies try to keep tabs on you. There is no definitive way but there are a few giveaways. Here’s how you can know if your computer is being monitored.

How do companies use fingerprinting to their benefit?
Businesses are using fingerprints to create a database of users. This is actually like lead generation. Using fingerprints, they monitor your preferences and online behavior to send you targeted ads. They leverage it to display content - articles, news, videos, images - that you may like. 

The major use of canvas fingerprinting is for analytics. Businesses depend on it. If anything can get businesses close to their customers, it is analytics and online tracking. On the bright side, browser fingerprinting can be used to build customer profiles. These can also be used to prevent credit card and bank frauds. Ecommerce sites can use it to check fraudulent dealings. 

If it is a good thing, why should I be concerned?

Because it exposes you. 

Despite the pluses, the only people to gain anything out of it are advertisers, businesses who rely on it. For you and me, it only unmasks us. Canvas fingerprinting plays with user privacy and that is what makes the online community wary of it. Amid security concerns, there have been calls to ban it or at least let users understand how brands are using it. 

The only silver lining is that thousands of similar devices will have the same fingerprint. For example, if you are browsing from a particular laptop or mobile model, the digital sign will be the same for all laptops of the same model. Also, if it is a public computer, your personal identity is still protected. 

Cool, but can’t I just block it?

As of now, there is no mechanism to block a browser fingerprint. Unlike cookies that can be deleted, these digital marks can’t be. Once they are generated, they remain stored on the server with your device details. 

Neither do browsers have the option of stopping it. Only widgets that are known to be loaded with generator messages can be selectively disabled. But achieving this on a large scale with millions of users surely looks daunting. 

Isn't there any hope, some teensy little trick? 

If you use a browser with heavy add-ons, you’ll be fingerprinted pretty easily. But a lighter, perhaps more secure browser will keep you secure. The problem is that no matter what you do, websites will still use some kind of tool for ad tracking. What you need is a browser that keeps you secure and minimizes the ad tracking activities of websites.

When all is said and done, websites are constantly gathering data on users. Besides, since browser fingerprinting is rather generic, websites tend to remove the more one-of-a-kind marks. They are able to guess that those have been tampered with and will not lead them to the target user. 

But yes, not all hope is lost. Using a private browser can help you stay safe. When there are no extensions on your browser, it cannot be fingerprinted that easily. A private browser will keep your sessions secure and ensure that ad tracking is kept to a bare minimum.

About the Author:

Summer Hirst is a cybersecurity journalist who is interested in just about anything tech. When not writing, she loves playing with her dog and toddler. Or she could be watching reruns of Seinfeld for the 100th time. Apart from writing, she also loves scrolling through Reddit threads and laughing at memes. She’s a typical millennial, just not the Tide Pod eating kind.