The great myth of canvas fingerprinting

APRIL 5, 2019 | FINGERPRINTS

Have you heard that Canvas fingerprinting helps websites to track down visitors? Most likely you have, since you are reading this article. Let me ask a question, though. Why do you believe it? Did you read some research? Or did you conduct some on your own? Maybe you just saw something in printed sources or heard it from a friend. Intrigued? Keep reading, because today we are going to bust some myths.

Indeed, if we analyzed thousands of different devices with different operating systems and browsers made in the past 25 years, we would get quite a lot of unique canvas fingerprints. This is what several academic papers report.

But what would happen if we only analyzed devices and operating systems popular at the moment? It’s great to know that websites can easily track down someone browsing the Internet from grandma’s 15-year-old computer with Windows 95 and Internet Explorer 5.0. However, it does not answer the question of how unique your Dell XPS with Windows 10 and Chrome 73 is.

The experiment

Analyzing all fingerprints used by websites would have taken us several months, so we decided to limit this research to the most controversial and misunderstood one – Canvas.

In collaboration with a local computer shop that sells new and used computers, we gained access to hundreds of machines with different hardware on board. We selected those with different graphics adapters and drivers. In the majority of tests, Windows 10 and the latest version of the Chrome browser were used.

Amazingly, after testing over one hundred completely different machines, we discovered that most of them had identical canvas fingerprints.

Here are some highlights from our research:

  • A 2018 Dell XPS had the same canvas fingerprint as an HP laptop from 2012

  • All MacBook Pros from 2011 to 2018 had the same fingerprint on Chrome 73, with a uniqueness of 100.00% according to browserleaks.com (Note: Chrome 73 had just come out at the time of the research)

  • A Windows tablet PC had the same canvas signature as many laptops

  • 17 laptops tested in a row had the same canvas fingerprint

  • Many discrete video adapters produced the same canvas as integrated graphics adapters.

So what do our findings mean?

The conclusion we draw from this experiment is that it is much easier to blend in with a crowd than we previously thought. If you are using anything other than an old laptop with a popular GPU model, Windows 10 and one of the latest versions of popular browsers like Chrome or Firefox, you are all set. The same works for Apple devices. You don’t need any additional masking of the canvas fingerprint. It turns out that the canvas fingerprint itself does not add much uniqueness to your overall digital fingerprint.
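One way to check this claim against a sample of your own, as an added example that is not from the original article or from Multilogin: it measures how large the crowd behind each canvas hash is, and how many bits canvas adds once the other attributes are already known. The device labels, hash values and attribute strings are constructed, not measured data.

```python
import math
from collections import Counter

# Constructed sample, not measured data: (device, canvas hash, other attributes).
SAMPLE = [
    ("laptop-1", "A", "Win10/Chrome73/1920x1080"),
    ("laptop-2", "A", "Win10/Chrome73/1920x1080"),
    ("laptop-3", "A", "Win10/Chrome73/1366x768"),
    ("tablet-1", "A", "Win10/Chrome73/1366x768"),
    ("macbook-1", "B", "macOS/Chrome73/2560x1600"),
    ("macbook-2", "B", "macOS/Chrome73/2560x1600"),
    ("legacy-1", "C", "WinXP/IE8/1024x768"),
    ("legacy-2", "D", "WinXP/IE8/1024x768"),
]
CANVAS = [row[1] for row in SAMPLE]
OTHER = [row[2] for row in SAMPLE]

def entropy_bits(values):
    """Shannon entropy, in bits, of the observed value distribution."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def anonymity_sets(values):
    """Number of devices sharing each observed value (crowd size)."""
    return dict(Counter(values))

def unique_fraction(values):
    """Share of devices whose value is seen exactly once in the sample."""
    counts = Counter(values)
    return sum(1 for v in values if counts[v] == 1) / len(values)

def added_bits(base, extra):
    """Entropy `extra` adds once `base` is known: H(base, extra) - H(base)."""
    return entropy_bits(list(zip(base, extra))) - entropy_bits(base)

if __name__ == "__main__":
    print("canvas crowd sizes:", anonymity_sets(CANVAS))
    print("canvas alone: %.2f bits" % entropy_bits(CANVAS))
    print("unique by canvas alone: %.0f%%" % (100 * unique_fraction(CANVAS)))
    print("canvas on top of other attributes: +%.2f bits" % added_bits(OTHER, CANVAS))
```

In this constructed sample canvas alone carries 1.75 bits, but only 0.25 bits remain once the other attributes are taken into account, because most of what canvas reveals is already implied by the OS and browser.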

Knowing this, we decided to change the default value for Canvas fingerprint protection in Multilogin to OFF. We did the same for AudioContext, as this fingerprint adds even less uniqueness than Canvas according to recent academic papers.

We did not change the default value of WebGL Image fingerprinting protection, however, as we don’t possess enough data yet. We aren’t aware of any popular website that uses the WebGL Image fingerprint for user identification purposes. Perhaps this is because the WebGL fingerprint is not as stable as AudioContext or Canvas. Another possible reason is that rendering a WebGL image takes too many resources and sometimes cannot even be completed within a short session.

When it comes to WebGL metadata, however, several popular websites do read it, and it might be analyzed as part of a user’s digital fingerprint. For now, we recommend leaving WebGL masking set to ON in Multilogin. Soon we will add the ability to control masking of the WebGL image and metadata separately. Should our further research reveal any information related to WebGL fingerprinting, we will publish it later on our blog.