Canvas Fingerprinting: How to Stop the Web's Sneakiest Tracking Tool in Your Browser

Canvas fingerprinting is the web's trickiest privacy threat, but it's not impossible to stop. With all the media attention it's gotten lately, it's time we lay out exactly how to detect and prevent this invasive tracking technique.

What Is Canvas Fingerprinting & Who Uses It?

There used to be a day when sites tracked your behavior through cookies, but that day is over. Since web users have become increasingly aware of how to delete and block cookies, companies have come up with a more candid and difficult-to-stop tracking method to deliver targeted ads, and that's canvas fingerprinting.

A study released last week by researchers at Princeton and KU Leuven in Belgium exposed 5,000 popular websites that use canvas fingerprinting scripts on their sites. Of all the sites exposed, 95% of them—including WhiteHouse.gov—receive their fingerprinting access from a JavaScript widget created by the tech company AddThis.com.

Canvas fingerprinting takes advantage of the canvas API in modern browsers. The canvas API interacts with a computer's graphics chip and allows us to play games and interact with webpages. However, with canvas fingerprinting, invisible images are sent to the browser, then returned to the server with a "fingerprint" of the computer and location.

Avoiding this invasive new technology is not impossible, but it does take a little more work than clearing your cache and deleting cookies. There are several methods, and some are a little more foolproof.

1. Manually Opt Out of Interest-Based Advertising

Before trying to plug the dam, let's drain the water. The Network Advertising Intiative has given us the ability to manually opt-out of targeted ads by one or more companies. This is worth checking out. If none of our blocking methods work, at least you can knock out 96 companies,including AddThis.com.

Simply go to the Network Advertising Initative Opt-Out page and either select individual companies or click the "Select all" box.

After submitting your choices, click on the "Existing Opt Outs" tab and you will see all of the companies who are no longer allowed to track your online behavior.

Of course, who knows how effective this is. Though it's a measure worth taking, you'll probably want to go the extra yard and be sure to hit this beast from multiple angles. If you delete you browser's cookies, then you'll have to repeat this the next time you launch your browser.

2. Use AdBlock Plus to Block Canvas Fingerprinting

Immediately after the study on canvas fingerprinting was released, Adblock Plus' lead developer released a statement claiming that Adblock Plus not only has the ability to block canvas fingerprinting, but they've had it for over five years.

By using the EasyPrivacy filter list, Adblock Plus promises to block the script that sets cookies, thereby blocking the script that enables canvas fingerprinting. Does this work? Who knows, but it's worth a try.

First, install AdBlock Plus on the web browser of your choice.

Once your installation is complete, it will automatically begin to function on your browser, but as Adblock Plus' lead developer said, you need to add the EasyPrivacy list.

By clicking on the "Add EasyPrivacy to Adblock Plus" link, you will be taken to a settings page where the "filter list location" field and "subscription title" field are automatically filled in. All you need to do is click the "Add" button.

Now you'll notice a new list—EasyPrivacy.

3. Use the NoScript & ScriptSafe Add-Ons

Since canvas fingerprinting operates through JavaScript, there is a chance you can block it with the popular Firefox add-on "NoScript" and its Chrome counterpart "ScriptSafe" extension.

With these add-ons, you will have the ability to selectively block JavaScript in your browser. This is better than just disabling JavaScript altogether, which as I've shown in my article on blocking lightbox modals for websites, makes the web a very, very dull place.

Once the add-on is installed, JavaScript will be blocked, and you will notice that some sites have little or nothing at all to show. For example, after using NoScript, a Facebook feed is nonexistent.

To temporarily or permanently allow JavaScript on a site, click the small "Options" button on the status bar at the bottom of the screen running NoScripts, and choose what you wish to allow (there is a very similar option for ScriptSafe on Chrome).

4. Confuse Sites with Chameleon for Chrome

There is a Chrome extension called Chameleon, currently available on GitHub, that claims to detect fingerprinting-like activity by making the browser look like a Tor Browser. Does it protect users? No. But it might be worth using in conjunction with NoScript and SafeScript if you want to know which sites to disable JavaScript in.

From Chameleon's GitHub page, simply click the "Download ZIP" to the right of the screen.

Once the application is downloaded and unzipped on your computer, you'll have to open Chrome and install it manually. Just go to chrome://extensions in your address bar, click the "Developer mode" box in the upper right, and click the "Load unpacked extension..." button.

The file you want to unpack is the "chrome" folder in your "chameleon-master" folder that was downloaded an unzipped from GitHub.

Once unpacked, you'll notice the new Chrome extension.

Now when you visit a site, Chameleon will do its work. As stated by the developer:

"Chameleon detects font enumeration and intercepts accesses of fingerprinting-associated JavaScript objects like Window.navigator. The number over Chameleon's button counts the number of distinct attempts to collect information about your browser on the current page. Higher numbers suggest fingerprinting might be taking place."

So with a quick visit to WhiteHouse.gov, we notice a fairly high number of detected scripts.

So, besides potentially only warning us of canvas fingerprinting, what good is Chameleon? Well, it actually decreases your likelihood of being tracked by making your browser less unique. After all, canvas fingerprinting is sort of a crapshoot anyway, despite how sneaky it appears to be, it is not very accurate.

Using the site Panopticlick before installing Chameleon, my browser was said to be unique among the 4,360,028 browsers previously tested on the site. This means that out of all those who've visited the site, I'm pretty easy to identify.

After installing Chameleon I ran the test again. This time, I was told that only 1 in 4,064 visitors have the same fingerprint as me. That's fairly decent and it almost analogous to my results while using Tor.

5. Go Stealth Mode with the Tor Browser

If you're not a Chrome user but you want the results I achieved with Chameleon, why not run Tor? There are several benefits to browsing with Tor, and one of them is that it's virtually impossible for sites to track you.

The Onion Router, or TOR, is an open source browser that sends encrypted data through a complicated web of proxy servers. Each of these serves has no idea what the data contains or where it is heading. All each proxy server knows is the IP address it just came from and where it is immediately going next.

You can download Tor from the Tor Project.

Available for both Mac and Windows, simply click "Download Tor," install the software, and start browsing anonymously.

After All This, Am I Safe from Canvas Fingerprinting?

If you've opted-out of targeted ads, installed AdBlock Plus, started NoScript or SafeScript, installed Chameleon, and/or started browsing with Tor, theres a damn good chance your online behavior very difficult to track.

The consequences of canvas fingerprinting reach beyond targeted ads. If you have a future in politics or any public career, you might want to make your browsing as untraceable as possible considering all the porn sites that use canvas fingerprinting (aside from YouPorn now, of course). Imagine how much a company could profit off of smearing you.

Regardless, who knows what will be considered "suspicious activity" in the years to come. It's best to remain as anonymous as possible.