Paint a canvas fingerprint and collect the Monet

“This website attempted to extract HTML5 canvas image data, which may be used to uniquely identify your computer,” read the alert that popped up while I was surfing with the Tor Onion browser.


Well, what’s that – and does it really matter?

Canvas fingerprinting is a technique for tracking internet users. It uses HTML5, the latest version of the web content markup language, to have your browser paint or draw a 3D graphic shape or a line of text and then converts this into a digital token. This “painting” is influenced by computer variables such as operating system, browser, programs, and screen settings. You can even see the technique in action at the ProPublica site.

Example of fingerprinting, from https://freedom-to-tinker.com/blog/englehardt/retrospective-look-at-canvas-fingerprinting/

As paintings often are, these are collected. But this time, the paintings are collected by data brokers to create a profile of a computer user’s online activities. If they learn that the computer with browser X is visiting sites A, B, and D, this information enables them to fine-tune the sale and presentation of advertisements. How closely this tracking enables them to link “computer with browser X” and you is a debatable issue.

The canvas is evolving

Getting the numbers for this sort of tracking is difficult. Back in 2014, researchers found that 5% of the top 100,000 sites were utilizing canvas fingerprinting – and 97% of this was provided through two tracking firms – AddThis and Ligatus. In the years since, the situation has changed. The January 2016 study found that the number of distinct trackers on the market utilizing canvas fingerprinting has more than doubled, but that the technique is used on fewer publisher sites. This means you are now more apt to be tracked by a greater number of trackers with canvasing techniques, but applied more unevenly across the web.

A question of transparency

The researchers believe the change is driven by transparency – but there is a catch. The 2014 research resulted in a firestorm of articles and negative coverage. When people realized that they were being tracked, they reacted negatively, and companies responded by pulling back from this specific tracking technology on their websites. “Providing transparency into privacy violations online has the potential for huge impact,” explained Steven Englehardt, an author of the 2014 paper, The Web Never Forgets.

Size matters when it comes to influencing tracking

The catch is that pressure from transparency has a larger impact on the big players or publishers which are more sensitive to negative press. “A tracker which is present on a large number of sites, or is present on sites which receive more traffic is more likely to be the focus of news articles or subject to lawsuits,” said Englehardt. Smaller sites are more apt to just carry on with their tracking.

But there is a clear risk in ignoring the issue. “Without constant monitoring and transparency, level of privacy violations can easily creep back to where they were. A single, well-connected tracker can re-introduce a tracking technique to a large number of first-parties,” he warned.

End tracking at the source – your browser

Canvas fingerprinting is just one of many ways your online activities can be tracked. Notice that Englehardt said “a tracking technique” and not “the”.

While pushing for legal action against illegal data collection is one option, a simpler option is to block trackers from collecting information about you in the first place. Canvas fingerprinting can be blocked by some ad blockers, the Tor Onion browser, by the PrivacyBadger extension from the Electronic Frontier Foundation, and by Avira’s own Scout Browser.

In addition to having PrivacyBadger baked inside, Scout includes Avira’s own ABS extension to shut out identified trackers and malicious websites. This gives you a double-barreled approach that looks at both tracker behavior and a growing whitelist of known trackers.
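The behavior-based half of that approach can be sketched in a few lines. This is an added example, not code from Avira, PrivacyBadger, Tor or the researchers; the log format, the thresholds and the example.* script URLs are assumptions. It flags a script that draws text on a canvas and then reads the image data back, which is the extraction the Tor alert at the top of this post reports.

```javascript
// Added example: flag scripts that draw text to a canvas and then read the
// pixels back. Log format and thresholds are assumptions, not a real tool's.
const WRITES = new Set(["fillText", "strokeText"]);
const READS = new Set(["toDataURL", "getImageData"]);
const MIN_SIDE = 16;   // assumed: smaller read-backs carry too little detail
const MIN_CHARS = 10;  // assumed: distinct characters drawn before the read

// Constructed sample log, one entry per instrumented canvas API call.
// w/h = canvas size for toDataURL, size of the region read for getImageData.
const SAMPLE_LOG = [
  { script: "https://tracker.example/fp.js", canvas: 1, call: "fillText",
    text: "Cwm fjordbank glyphs vext quiz" },
  { script: "https://tracker.example/fp.js", canvas: 1, call: "toDataURL", w: 300, h: 150 },
  // Chart labels: plenty of text, but nothing is ever read back.
  { script: "https://charts.example/plot.js", canvas: 2, call: "fillText", text: "Q1 revenue 2016" },
  // Image editor: reads pixels, but never drew text.
  { script: "https://editor.example/crop.js", canvas: 3, call: "getImageData", w: 640, h: 480 },
  // Emoji support probe: draws one glyph and reads it back.
  { script: "https://cms.example/emoji.js", canvas: 4, call: "fillText", text: "\u{1F600}" },
  { script: "https://cms.example/emoji.js", canvas: 4, call: "getImageData", w: 16, h: 16 },
  // Thumbnailer: the read happens before any text is drawn.
  { script: "https://thumbs.example/snap.js", canvas: 5, call: "toDataURL", w: 300, h: 150 },
  { script: "https://thumbs.example/snap.js", canvas: 5, call: "fillText", text: "Watermark 2016 sample" },
];

function detectCanvasFingerprinting(log) {
  const drawn = new Map();   // "script#canvas" -> set of characters drawn so far
  const flagged = new Set();
  for (const e of log) {
    const key = `${e.script}#${e.canvas}`;
    if (WRITES.has(e.call)) {
      const chars = drawn.get(key) || new Set();
      for (const ch of e.text || "") chars.add(ch);
      drawn.set(key, chars);
    } else if (READS.has(e.call)) {
      // Only a read-back that follows enough drawn text counts.
      const chars = drawn.get(key) || new Set();
      const bigEnough = e.w >= MIN_SIDE && e.h >= MIN_SIDE;
      if (bigEnough && chars.size >= MIN_CHARS) flagged.add(e.script);
    }
  }
  return [...flagged].sort();
}

console.log(detectCanvasFingerprinting(SAMPLE_LOG));
```

Of the five constructed scripts, only the one that reads the canvas back after drawing a long text string is flagged; the chart, editor, emoji probe and thumbnailer are left alone.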

If you don’t want someone painting your portrait, kick them out of the room. The choice is yours.

Here is the link to the Englehardt article.

Follow the Monet to the Musee d'Orsay


As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.