Canvas Fingerprinting: How to Stop the Web's Sneakiest Tracking Tool in Your Browser
Canvas fingerprinting is the web's trickiest privacy threat, but it's not impossible to stop. With all the media attention it's gotten lately, it's time we lay out exactly how to detect and prevent this invasive tracking technique.
There used to be a day when sites tracked your behavior through cookies, but that day is over. Since web users have become increasingly aware of how to delete and block cookies, companies have come up with a more candid and difficult-to-stop tracking method to deliver targeted ads, and that's canvas fingerprinting.
Canvas fingerprinting takes advantage of the canvas API in modern browsers. The canvas API interacts with a computer's graphics chip and allows us to play games and interact with webpages. However, with canvas fingerprinting, invisible images are sent to the browser, then returned to the server with a "fingerprint" of the computer and location.
Avoiding this invasive new technology is not impossible, but it does take a little more work than clearing your cache and deleting cookies. There are several methods, and some are a little more foolproof.
Before trying to plug the dam, let's drain the water. The Network Advertising Intiative has given us the ability to manually opt-out of targeted ads by one or more companies. This is worth checking out. If none of our blocking methods work, at least you can knock out 96 companies,including AddThis.com.
Simply go to the Network Advertising Initative Opt-Out page and either select individual companies or click the "Select all" box.
After submitting your choices, click on the "Existing Opt Outs" tab and you will see all of the companies who are no longer allowed to track your online behavior.
Of course, who knows how effective this is. Though it's a measure worth taking, you'll probably want to go the extra yard and be sure to hit this beast from multiple angles. If you delete you browser's cookies, then you'll have to repeat this the next time you launch your browser.
Immediately after the study on canvas fingerprinting was released, Adblock Plus' lead developer released a statement claiming that Adblock Plus not only has the ability to block canvas fingerprinting, but they've had it for over five years.
By using the EasyPrivacy filter list, Adblock Plus promises to block the script that sets cookies, thereby blocking the script that enables canvas fingerprinting. Does this work? Who knows, but it's worth a try.
First, install AdBlock Plus on the web browser of your choice.
Once your installation is complete, it will automatically begin to function on your browser, but as Adblock Plus' lead developer said, you need to add the EasyPrivacy list.
By clicking on the "Add EasyPrivacy to Adblock Plus" link, you will be taken to a settings page where the "filter list location" field and "subscription title" field are automatically filled in. All you need to do is click the "Add" button.
Now you'll notice a new list—EasyPrivacy.
From Chameleon's GitHub page, simply click the "Download ZIP" to the right of the screen.
Once the application is downloaded and unzipped on your computer, you'll have to open Chrome and install it manually. Just go to chrome://extensions in your address bar, click the "Developer mode" box in the upper right, and click the "Load unpacked extension..." button.
The file you want to unpack is the "chrome" folder in your "chameleon-master" folder that was downloaded an unzipped from GitHub.
Once unpacked, you'll notice the new Chrome extension.
Now when you visit a site, Chameleon will do its work. As stated by the developer:
So with a quick visit to WhiteHouse.gov, we notice a fairly high number of detected scripts.
So, besides potentially only warning us of canvas fingerprinting, what good is Chameleon? Well, it actually decreases your likelihood of being tracked by making your browser less unique. After all, canvas fingerprinting is sort of a crapshoot anyway, despite how sneaky it appears to be, it is not very accurate.
Using the site Panopticlick before installing Chameleon, my browser was said to be unique among the 4,360,028 browsers previously tested on the site. This means that out of all those who've visited the site, I'm pretty easy to identify.
After installing Chameleon I ran the test again. This time, I was told that only 1 in 4,064 visitors have the same fingerprint as me. That's fairly decent and it almost analogous to my results while using Tor.
If you're not a Chrome user but you want the results I achieved with Chameleon, why not run Tor? There are several benefits to browsing with Tor, and one of them is that it's virtually impossible for sites to track you.
The Onion Router, or TOR, is an open source browser that sends encrypted data through a complicated web of proxy servers. Each of these serves has no idea what the data contains or where it is heading. All each proxy server knows is the IP address it just came from and where it is immediately going next.
You can download Tor from the Tor Project.
Available for both Mac and Windows, simply click "Download Tor," install the software, and start browsing anonymously.
If you've opted-out of targeted ads, installed AdBlock Plus, started NoScript or SafeScript, installed Chameleon, and/or started browsing with Tor, theres a damn good chance your online behavior very difficult to track.
The consequences of canvas fingerprinting reach beyond targeted ads. If you have a future in politics or any public career, you might want to make your browsing as untraceable as possible considering all the porn sites that use canvas fingerprinting (aside from YouPorn now, of course). Imagine how much a company could profit off of smearing you.
Regardless, who knows what will be considered "suspicious activity" in the years to come. It's best to remain as anonymous as possible.