Canvas fingerprinting

Last updated

Canvas fingerprinting is one of a number of browser fingerprinting techniques for tracking online users that allow websites to identify and track visitors using the HTML5 canvas element instead of browser cookies or other similar means. [1] The technique received wide media coverage in 2014 [2] [3] [4] [5] after researchers from Princeton University and KU Leuven University described it in their paper The Web never forgets. [6]

Contents

Description

Canvas fingerprinting works by exploiting the HTML5 canvas element. As described by Acar et al. in: [6]

When a user visits a page, the fingerprinting script first draws text with the font and size of its choice and adds background colors (1). Next, the script calls Canvas API’s ToDataURL method to get the canvas pixel data in dataURL format (2), which is basically a Base64 encoded representation of the binary pixel data. Finally, the script takes the hash of the text-encoded pixel data (3), which serves as the fingerprint ...

Variations in which the graphics processing unit (GPU), or the graphics driver, is installed may cause the fingerprint variation. The fingerprint can be stored and shared with advertising partners to identify users when they visit affiliated websites. A profile can be created from the user's browsing activity, allowing advertisers to target advertise to the user's inferred demographics and preferences. [4] [7]

By January 2022, the concept was extended to fingerprinting performance characteristics of the graphics hardware, called DrawnApart by the researchers. [8]

Uniqueness

Since the fingerprint is primarily based on the browser, operating system, and installed graphics hardware, it does not uniquely identify users. In a small-scale study with 294 participants from Amazon's Mechanical Turk, an experimental entropy of 5.7 bits was observed. The authors of the study suggest more entropy could likely be observed in the wild and with more patterns used in the fingerprint. While not sufficient to identify individual users by itself, this fingerprint could be combined with other entropy sources to provide a unique identifier. It is claimed that because the technique is effectively fingerprinting the GPU, the entropy is "orthogonal" to the entropy of previous browser fingerprint techniques such as screen resolution and browser JavaScript capabilities. [9]

Much more unique identification becomes possible with DrawnApart, published in 2022, which was shown to boost tracking duration of individual fingerprints by 67% when used to enhance other methods. [8]

History

In May 2012, Keaton Mowery and Hovav Shacham, researchers at University of California, San Diego, wrote a paper Pixel Perfect: Fingerprinting Canvas in HTML5 describing how the HTML5 canvas could be used to create digital fingerprints of web users. [4] [9]

Social bookmarking technology company AddThis began experimenting with canvas fingerprinting early in 2014 as a potential replacement for cookies. 5% of the top 100,000 websites used canvas fingerprinting while it was deployed. [10] According to AddThis CEO Richard Harris, the company has only used data collected from these tests to conduct internal research. Users will be able to install an opt-out cookie on any computer to prevent being tracked by AddThis with canvas fingerprinting. [4]

A software developer writing in Forbes stated that device fingerprinting has been utilized for the purpose of preventing unauthorized access to systems long before it was used for tracking users without their consent. [3]

As of 2014 the technique is widespread in many websites, used by at least a dozen high-profile web ads and user tracking suppliers. [11]

In 2022, the capabilities of canvas fingerprinting were much deepened by taking minute differences between nominally identical units of the same GPU model into account. Those differences are rooted in the manufacturing process, making units more deterministic over time than between identical copies. [8]

Mitigation

Typical Tor Browser notification of a website attempting a canvas read. Typical Tor Browser notification of a canvas read attempt.png
Typical Tor Browser notification of a website attempting a canvas read.

Tor Project reference documentation states, "After plugins and plugin-provided information, we believe that the HTML5 Canvas is the single largest fingerprinting threat browsers face today." [12] Tor Browser notifies the user of canvas read attempts and provides the option to return blank image data to prevent fingerprinting. [6] However, Tor Browser is currently unable to distinguish between legitimate uses of the canvas element and fingerprinting efforts, so its warning cannot be taken as proof of a website's intent to identify and track its visitors. Browser add-ons like Privacy Badger, [10] DoNotTrackMe, [13] or Adblock Plus [14] manually enhanced with EasyPrivacy list are able to block third-party ad network trackers and can be configured to block canvas fingerprinting, provided that the tracker is served by a third party server (as opposed to being implemented by the visited website itself).[ citation needed ]Canvas Defender, a browser add-on, spoofs Canvas fingerprints. [15]

The LibreWolf browser project includes technology to block access to the HTML5 canvas by default, only allowing it in specific instances green-lit by the user.

See also

Related Research Articles

<span class="mw-page-title-main">Adobe Flash</span> Discontinued multimedia platform used to add animation and interactivity to websites

Adobe Flash is a discontinued multimedia software platform used for production of animations, rich internet applications, desktop applications, mobile apps, mobile games, and embedded web browser video players.

Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. During the second half of 2007, XSSed documented 11,253 site-specific cross-site vulnerabilities, compared to 2,134 "traditional" vulnerabilities documented by Symantec. XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner network.

Internet privacy involves the right or mandate of personal privacy concerning the storage, re-purposing, provision to third parties, and display of information pertaining to oneself via the Internet. Internet privacy is a subset of data privacy. Privacy concerns have been articulated from the beginnings of large-scale computer sharing and especially relate to mass surveillance.

The canvas element is part of HTML5 and allows for dynamic, scriptable rendering of 2D shapes and bitmap images. It is a low level, procedural model that updates a bitmap. HTML5 Canvas also helps in making 2D games.

<span class="mw-page-title-main">HTTP cookie</span> Small pieces of data stored by a web browser while on a website

HTTP cookies are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's web browser. Cookies are placed on the device used to access a website, and more than one cookie may be placed on a user's device during a session.

Web3D, also called 3D Web, is a group of technologies to display and navigate websites using 3D computer graphics.

A device fingerprint or machine fingerprint is information collected about the software and hardware of a remote computing device for the purpose of identification. The information is usually assimilated into a brief identifier using a fingerprinting algorithm. A browser fingerprint is information collected specifically by interaction with the web browser of the device.

Mobile web analytics studies the behaviour of mobile website users in a similar way to traditional web analytics. In a commercial context, mobile web analytics refers to the data collected from the users who access a website from a mobile phone. It helps to determine which aspects of the website work best for mobile traffic and which mobile marketing campaigns work best for the business, including mobile advertising, mobile search marketing, text campaigns, and desktop promotion of mobile sites and services.

Web storage, sometimes known as DOM storage, is a standard JavaScript API provided by web browsers. It enables websites to store persistent data on users' devices similar to cookies, but with much larger capacity and no information sent in HTTP headers. There are two main web storage types: local storage and session storage, behaving similarly to persistent cookies and session cookies respectively. Web Storage is standardized by the World Wide Web Consortium (W3C) and WHATWG, and is supported by all major browsers.

<span class="mw-page-title-main">WebGL</span> JavaScript bindings for OpenGL in web browsers

WebGL is a JavaScript API for rendering interactive 2D and 3D graphics within any compatible web browser without the use of plug-ins. WebGL is fully integrated with other web standards, allowing GPU-accelerated usage of physics, image processing, and effects in the HTML canvas. WebGL elements can be mixed with other HTML elements and composited with other parts of the page or page background.

Web tracking is the practice by which operators of websites and third parties collect, store and share information about visitors’ activities on the World Wide Web. Analysis of a user's behaviour may be used to provide content that enables the operator to infer their preferences and may be of interest to various parties, such as advertisers. Web tracking can be part of visitor management.

<span class="mw-page-title-main">Epic (web browser)</span> Indian Web Browser based on chromium

Epic is a proprietary privacy-centric web browser. It was developed by Hidden Reflex, a software product company founded by Alok Bhardwaj, using Chromium source code. Epic is always in private browsing mode, and exiting the browser deletes all browser data. The browser's developers claim that Google's tracking code has been removed, and that blocks other companies from tracking the user.

<span class="mw-page-title-main">Evercookie</span> JavaScript application programming interface

Evercookie is a JavaScript application programming interface (API) that identifies and reproduces intentionally deleted cookies on the clients' browser storage. It was created by Samy Kamkar in 2010 to demonstrate the possible infiltration from the websites that use respawning. Websites that have adopted this mechanism can identify users even if they attempt to delete the previously stored cookies.

A zombie cookie is a piece of data usually used for tracking users, which is created by a web server while a user is browsing a website, and placed on the user's computer or other device by the user's web browser, similar to regular HTTP cookies, but with mechanisms in place to prevent the deletion of the data by the user. Zombie cookies could be stored in multiple locations—since failure to remove all copies of the zombie cookie will make the removal reversible, zombie cookies can be difficult to remove. Since they do not entirely rely on normal cookie protocols, the visitor's web browser may continue to recreate deleted cookies even though the user has opted not to receive cookies.

Ghostery is a free and open-source privacy and security-related browser extension and mobile browser application. Since February 2017, it has been owned by the German company Cliqz International GmbH. The code was originally developed by David Cancel and associates.

Firefox was created by Dave Hyatt and Blake Ross as an experimental branch of the Mozilla browser, first released as Firefox 1.0 on November 9, 2004. Starting with version 5.0, a rapid release cycle was put into effect, resulting in a new major version release every six weeks. This was gradually accelerated further in late 2019, so that new major releases occur on four-week cycles starting in 2020.

Google Chrome Experiments Online showroom of web browser based experiments

Google Chrome Experiments is an online showroom of web browser based experiments, interactive programs, and artistic projects. Launched on March 1, 2009, Google Chrome Experiments is an official Google website that was originally meant to test the limits of JavaScript and the Google Chrome browser's performance and abilities. As the project progressed, it took the role of showcasing and experimenting latest open-source web-based technologies, such as JavaScript, HTML5, WebGL, Canvas, SVG, CSS, and some others. All the projects on Chrome experiments are user submitted and are made using open source technologies. As of February 24, 2015, there were 1,000 different Chrome projects posted on the website.

A web beacon is a technique used on web pages and email to unobtrusively allow checking that a user has accessed some content. Web beacons are typically used by third parties to monitor the activity of users at a website for the purpose of web analytics or page tagging. They can also be used for email tracking. When implemented using JavaScript, they may be called JavaScript tags. Web beacons are unseen HTML elements that track a webpage views. Upon the user revisiting the webpage, these beacons are connected to cookies established by the server, facilitating undisclosed user tracking.

<span class="mw-page-title-main">PlayCanvas</span>

PlayCanvas is an open-source 3D game engine/interactive 3D application engine alongside a proprietary cloud-hosted creation platform that allows for simultaneous editing from multiple computers via a browser-based interface. It runs in modern browsers that support WebGL, including Mozilla Firefox and Google Chrome. The engine is capable of rigid-body physics simulation, handling three-dimensional audio and 3D animations.

<span class="mw-page-title-main">Babylon.js</span>

Babylon.js is a JavaScript library and 3D engine for displaying real time 3D graphics in a web browser via HTML5. The source code is available on GitHub and distributed under the Apache License 2.0.

References

  1. Obaidat, Muath (2020). "Canvas Deceiver - A New Defense Mechanism Against Canvas Fingerprinting". Journal of Systemics, Cybernetics and Informatics. 18 (6): 66–74.
  2. Knibbs, Kate (July 21, 2014). "What You Need to Know About the Sneakiest New Online Tracking Tool". Gizmodo . Retrieved July 21, 2014.
  3. 1 2 Joseph Steinberg (July 23, 2014). "You Are Being Tracked Online By A Sneaky New Technology -- Here's What You Need To Know". Forbes . Retrieved November 15, 2014.
  4. 1 2 3 4 Angwin, Julia (July 21, 2014). "Meet the Online Tracking Device That is Virtually Impossible to Block". ProPublica . Retrieved July 21, 2014.
  5. Kirk, Jeremy (July 21, 2014). "Stealthy Web tracking tools pose increasing privacy risks to users". PC World . Retrieved July 21, 2014.
  6. 1 2 3
  7. Nikiforakis, Nick; Acar, Günes (2014-07-25). "Browser Fingerprinting and the Online-Tracking Arms Race". ieee.org. IEEE. Retrieved October 31, 2014.
  8. 1 2 3 Laor, Tomer; Mehanna, Naif; Durey, Antonin; Dyadyuk, Vitaly; Laperdrix, Pierre; Maurice, Clémentine; Oren, Yossi; Rouvoy, Romain; Rudametkin, Walter; Yarom, Yuval (2022). "DRAWNAPART: A Device Identification Technique based on Remote GPU Fingerprinting". Proceedings 2022 Network and Distributed System Security Symposium. arXiv: 2201.09956 . doi: 10.14722/ndss.2022.24093 . ISBN   978-1-891562-74-7.
  9. 1 2 Mowery, Keaton; Shacham, Hovav. "Pixel Perfect: Fingerprinting Canvas in HTML5" (PDF). Retrieved March 22, 2018.
  10. 1 2 Davis, Wendy (July 21, 2014). "EFF Says Its Anti-Tracking Tool Blocks New Form Of Digital Fingerprinting". MediaPost. Retrieved July 21, 2014.
  11. "Websites using HTML5 canvas fingerprinting". WebCookies.org. Archived from the original on 2014-12-28. Retrieved 2014-12-28.
  12. "The Design and Implementation of the Tor Browser [DRAFT]". www.torproject.org. Retrieved 2018-05-25.
  13. Kirk, Jeremy (July 25, 2014). "'Canvas fingerprinting' online tracking is sneaky but easy to halt". PC World . Retrieved August 9, 2014.
  14. Smith, Chris. "Adblock Plus: We can stop canvas fingerprinting, the 'unstoppable' new browser tracking technique". BGR. PMC. Archived from the original on July 28, 2014.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.