Canvas-based Fingerprinting: What Is It and How Does It Work?

These traces were erased, the IP was spoofed. I even wiped the mouse with a wet wipe, but my actions were still tracked. But how is this possible? After all, all digital traces were erased. And Canvas?

Privacy on the internet is not as simple as it seems... In fact, it doesn't exist at all. No matter how hard a user tries to cover their tracks, long-nosed advertising networks, analytical platforms, and anti-fraud systems will still track and identify their interests, tastes, and preferences. And then they'll find out your gender, age... and not far from there, your full name and address. That's why it's important to protect your data properly by replacing it with someone else's. This includes Canvas, which many anti-detection users forget about... because they don't know what this "canvas" is.

Let's go through all the components of a fingerprint

Hiding with the help of anonymous browsers is convenient and effective. With their help, you can sometimes disguise yourself so well that you won't even recognize yourself. And such cases have happened in practice. But to achieve such high results, you need to properly prepare your digital fingerprints. It is these fingerprints that anti-detection tools use to hide the true characteristics of the user.

A fingerprint is a complex of features encapsulated in a single term. The signals that make up the fingerprint allow anti-detection tools to bypass all website blocks. And also to engage in multi-account activities on them, regardless of volume.

The parameters that make up the set of fingerprint parameters can be divided into several groups:

• Basic - these include: OS, browser, its version, screen resolution, CPU clock frequency, and RAM size. As well as values that are part of the User-Agent.

The User-Agent string is part of the HTTP header sent by the application (in our case, the browser) to the server. This string contains values of the characteristics of the user's device and its local settings. Some of the parameters specified in the User-Agent coincide with the parameters transmitted through other parts of the fingerprint. Therefore, it is important to ensure their compatibility. For this purpose, Undetectable has added a tool to check the identity of these data values to the fingerprint settings.

• Network - time zone, geolocation, WebRTC.

The WebRTC protocol is used to transmit packets of information over the internet using peer-to-peer technology. It is most commonly used for transferring multimedia data (voice and sound) between web applications. All streaming services are based on this protocol. This protocol also allows trackers and anti-fraud systems to determine the client's IP address bypassing the proxy server.

• System - window size of the application, set of fonts, WebGL, and Canvas.

The WebGL library is used to add the ability to create 3D graphics in any browser using JavaScript. The library also allows security systems to obtain information about the user's video processor.

And so gradually, step by step, we have reached our goal for today - the system parameter of the Canvas fingerprint. Now it will receive all our attention, and here's why...

What is Canvas?

The essence and purpose of this element can be easily understood from its name. Canvas allows the browser to independently draw graphical content on a web page. It is most often used together with the built-in JavaScript script on the page. But it cannot be characterized and explained in just two sentences. Because it is multifaceted.

First of all, Canvas is an HTML tag that was added to the language after the launch of HTML5. With the help of this tag, you can not only draw 2D graphics on a web page, but also embed multimedia content in the canvas. Including video and audio.

At the moment, Canvas is a widely accepted standard in web development. It is supported by all versions of mobile and desktop browsers. Including Internet Explorer, which is practically no longer used and is no longer supported by Microsoft.

And this is not a digression about the hard fate of IE, but an undeniable fact that will help us understand how important Canvas is for high-quality multi-account activities using anti-detection tools.

But what does anonymity, fingerprints, and anti-detection browsers have to do with it? After all, you can't track a user's actions and identify them based on an HTML tag. Because Canvas is a widely recognized, widely used technology and these tags are present (used) in the markup of millions of websites...

All these questions arise because we are unaware of another, secondary side of Canvas. But one that advertising and analytical platforms, which stick their noses into every aspect of users' online lives, know so well.

Other talents of Canvas

Every person has their own handwriting, which is unique to them. Therefore, through graphological expertise, it is possible to determine the author of a particular text. But it turns out that not only people have handwriting, but also computers.

The main condition that must be met to identify a user through Canvas is to make the device render some primitive. After that, the "handwriting" sample needs to be sent to a graphologist, which in the case of fingerprints is performed by anti-fraud systems and analytical platforms.

The mechanism of tracking using Canvas is based on the peculiarities of processing the same rendered graphic element by each computer, smartphone, or other type of user device.

The identification mechanism based on Canvas works as follows:

• When a user visits a website integrated with a tracker, the browser receives an instruction to render some graphic primitive.
• Then, based on the analysis of the rendered data, a unique token is generated, which allows for up to 90% accuracy in determining the "identity" of the device.
• The value of the generated token is not stored in cookies, but is recorded in a global database.
• After that, each subsequent visit to any tracking resource will involve a similar rendering of a graphic primitive, and the obtained identifier will be compared with the values in the database.

When determining a user's digital identity using Canvas, the following technical characteristics of the device are taken into account:

• Central processor.
• Video card.
• OS.
• Processing mechanism features.
• Image compression level.
• Export parameters.

Also, instead of a graphic primitive, a text string can be sent to the browser as a sample for identification. In this case, the above-mentioned set is supplemented with anti-aliasing and subpixel rendering settings.

It should be understood that using Canvas as a separate source of information for device identification is not very effective. Because the aggregated information used to generate the token is only passed through the User-Agent string, which provides low accuracy of identification.

Moreover, the entire mechanism of fingerprinting based on Canvas depends entirely on the browser's support for JavaScript. It is JavaScript that is used to load and render graphic primitives on demand. If the browser does not support JS or script execution is disabled, the tracking system will not be able to obtain the data needed to generate the token.

In addition, no tracking or website security system relies solely on information obtained through Canvas. We mentioned the effectiveness of this identification method at the 90% level. But such a high level is achieved only under laboratory conditions. And in practice?

How reliable is Canvas?

In reality, if all anti-fraud systems relied solely on identification based on "canvas", there would be no need for high-quality anti-detection tools like Undetectable.

To obtain an invalid token generated based on Canvas, a user simply needs to change their browser or even update it to a new version. Therefore, this mechanism is only a secondary part of the fingerprinting technology.

Field tests of this method of digital identity identification also prove its low effectiveness. To test the accuracy of fingerprints based on Canvas, the authors of the experiment used over a hundred computers. The majority of them were running Windows 10, which created even more stringent testing conditions. However, the computers, tablets, and laptops differed significantly from each other in terms of technical specifications. Primarily, in terms of video card models and characteristics, as well as the installed set of drivers.

A brief summary of the experiment results:

• The tokens of many discrete cards coincided with the tokens of Canvas computers with integrated video cards.
• Fifteen consecutive laptops tested had the same fingerprints.
• The digital fingerprints of computers from different manufacturers also matched.

For example, a Dell laptop from the 2018 model range has the same Canvas fingerprint as an HP laptop from 2012.

• All MacBook Pro models released over a six-year period (from 2012 to 2018) also have the same tokens.
• Tablets and laptops running Windows have similar fingerprints.

As you can see, achieving uniqueness in Canvas-based digital fingerprints is difficult. Therefore, passing verification based solely on this type of fingerprint is very easy. Because the probability of the token value matching another user's token is quite high. This is also due to the constantly increasing number of mobile and desktop devices connected to the internet.

It is also possible to question the validity of the databases where tokens based on Canvas are stored. Most likely, about 10-15% of their values are repeated. So using these databases for user identification without other fingerprint parameters is not very effective.

So should we be worried?

Based on the facts listed above, it becomes clear that Canvas is a weak signal for anti-fraud systems due to its low accuracy of identification.

Nevertheless, in some situations, the value of this parameter can be decisive. Therefore, it is present in the fingerprint settings of Undetectable. However, the user of the anti-detection tool can disable it or choose the "Noise" mode, in which the Canvas value will be randomly generated.