Availability: All modern browsers with HTML5 Canvas support
A canvas hash is a cryptographic fingerprint generated from the rendered output of HTML5 canvas operations. It works by:
Rendering Process: JavaScript draws specific text and graphics on an invisible canvas
Data Extraction: The pixel data is converted to a data URL (base64-encoded PNG)
Hash Generation: The data URL is passed through a hash function (MD5, SHA-256, or custom)
Unique Identifier: The resulting hash is stable across sessions and acts as a digital fingerprint
2. Background & Purpose
Historical Context:
Canvas fingerprinting was first documented in 2012 by Keaton Mowery and Hovav Shacham in their paper "Pixel Perfect: Fingerprinting Canvas in HTML5." The technique exploits subtle differences in how different systems render graphics.
How Canvas Hashing Works:
Draw Operations: A website uses JavaScript to draw text (with specific fonts) and shapes on an HTML5 canvas element
Pixel Rendering: Different combinations of hardware (GPU), software (graphics drivers), and OS render the same canvas slightly differently at the pixel level
Data Extraction: The canvas is converted to a PNG image encoded as a base64 data URL using toDataURL()
Hashing: The data URL string (typically 4,000-10,000 characters) is passed through a hash function to create a short, unique identifier
Tracking: This hash remains consistent for the same browser/system combination and can track users across websites
Why Hashing Instead of Raw Data?
Reduces data size from ~5-10KB to 16-64 characters
Makes comparison faster (string matching instead of image comparison)
Provides stable identifier for database storage
Easier to share across tracking networks
3. Hash Characteristics & Uniqueness
Common Hash Functions Used:
MD5: 128-bit hash (32 hexadecimal characters) - Fast but older
SHA-1: 160-bit hash (40 hex characters) - More secure than MD5
SHA-256: 256-bit hash (64 hex characters) - Most secure, slower
Custom: Simple hash algorithms like the one used in this demo (variable length)
Uniqueness Statistics:
| Study/Source | Uniqueness Rate | Notes |
|---|---|---|
| Mowery & Shacham (2012) | ~5.7% unique | Early study, limited sample |
| Acar et al. (2014) | 89-99% unique | Combined with other attributes |
| AmIUnique (2020) | ~80% unique | Canvas fingerprint alone |
| BrowserLeaks | ~90-95% unique | When combined with WebGL |
What Makes Each Hash Unique?
GPU & Graphics Driver: Different GPUs (Intel, NVIDIA, AMD) render slightly different pixel values
Operating System: Windows, macOS, and Linux use different rendering engines
Font Rendering: Subtle differences in anti-aliasing and subpixel rendering
Browser Engine: Chromium, Gecko, and WebKit render canvases slightly differently
Image Compression: PNG encoding algorithms vary slightly between implementations
4. Common Uses
Legitimate Uses:
Fraud Detection: Banks and payment processors use canvas fingerprinting to detect suspicious login attempts from unfamiliar devices
Bot Detection: Distinguishing human users from automated bots (bots often have consistent canvas fingerprints)
Security Enhancement: Adding an extra layer to multi-factor authentication
A/B Testing: Ensuring users get consistent experiences across sessions without cookies
Privacy-Invasive Uses:
Cross-Site Tracking: Tracking users across different websites without consent
Cookie Resurrection: Re-identifying users who deleted their cookies
Incognito Mode Bypass: Tracking users even in private browsing mode
Profile Building: Creating detailed behavioral profiles tied to device fingerprints
Ad Targeting: Serving targeted ads based on persistent device identification
⚠️ Important: Canvas fingerprinting works silently in the background. There's no browser notification, permission prompt, or visual indicator when it occurs.
5. Platform & Browser Differences
| Platform/Browser | Canvas Rendering Engine | Hash Consistency |
|---|---|---|
| Windows + Chrome | DirectX / ANGLE | Very consistent per system |
| macOS + Safari | Core Graphics / Metal | Highly consistent, Apple-specific |
| Linux + Firefox | OpenGL / Cairo | Varies by distribution |
| Android + Chrome | OpenGL ES / Skia | Consistent per device model |
| iOS + Safari | Core Graphics / Metal | Uniform across iOS devices |
Key Observations:
Hardware Dependent: Same browser on different hardware = different hashes
Driver Updates: Graphics driver updates can change the canvas fingerprint
OS Updates: Major OS updates may alter rendering engines slightly
Mobile Consistency: Mobile devices of the same model often produce identical hashes
6. Privacy Implications & Tracking Risks
Privacy Risk Level: VERY HIGH
⚠️ Critical Concern: Canvas fingerprinting is one of the most powerful tracking techniques available. It creates a persistent identifier that cannot be cleared like cookies.
Why Canvas Hashing is Dangerous for Privacy:
Cookie-less Tracking: Works without cookies, localStorage, or any browser storage
Cannot Be Cleared: Deleting cookies, cache, or browsing history doesn't remove your fingerprint
Persistent Across Sessions: Same hash appears in normal and incognito/private mode
Cross-Site Tracking: Different websites can share your hash to build unified profiles
No User Consent: Runs silently without permission prompts or notifications
Highly Stable: Fingerprint remains consistent for months or years on the same system
Combined Fingerprinting: When combined with other techniques (WebGL, audio), uniqueness approaches 99.9%
Real-World Tracking Scenarios:
Ad Networks: Track users across thousands of websites for behavioral advertising
Analytics Companies: Build detailed behavioral profiles linked to device fingerprints
Data Brokers: Sell fingerprint-linked profiles to third parties
Social Media: Track users even when logged out or using private browsing
Legal and Ethical Concerns:
GDPR Compliance: Canvas fingerprinting may violate EU privacy regulations without explicit consent
CCPA Issues: California privacy law requires disclosure of tracking methods
Informed Consent: Most users are unaware that canvas fingerprinting is occurring
7. Protection & Countermeasures
Browser-Based Protections:
Tor Browser (Best Protection):
Returns blank canvas or standardized values
All Tor users get identical canvas fingerprints
Completely defeats canvas tracking
Downside: Some websites may break or detect Tor usage
Brave Browser (Balanced Approach):
Randomizes canvas fingerprint on each session (called "farbling")
Different hash on every visit to the same site
Prevents persistent tracking while maintaining compatibility
Enabled by default in Standard shields mode
Firefox (Manual Configuration):
Set privacy.resistFingerprinting to true in about:config
Returns white canvas or standardized values
Part of broader anti-fingerprinting protection
May cause some websites to malfunction
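The per-session randomization listed for Brave above, combined with the hashing step from "How Canvas Hashing Works", modelled for Node.js as an added example (not code from this page or from Brave). The noise scheme, the names canvasHash and farble, the session keys and the 16x16 sample buffer are assumptions; raw RGBA bytes stand in for the toDataURL() string.

```javascript
const crypto = require('crypto');

// Hashing step: bytes in, 64 hex characters (SHA-256) out.
function canvasHash(pixels) {
  return crypto.createHash('sha256').update(Buffer.from(pixels)).digest('hex');
}

// Simplified noise model (an assumption, not Brave's algorithm): an HMAC keyed
// with the session key and fed the site name decides which colour bytes get
// their lowest bit flipped. Same session and site => same noise.
function farble(pixels, sessionKey, site) {
  const out = Uint8Array.from(pixels);
  let block;
  for (let i = 0; i < out.length; i++) {
    if (i % 32 === 0) {
      block = crypto.createHmac('sha256', sessionKey)
        .update(`${site}:${i / 32}`).digest();
    }
    // Leave alpha alone; flip the low bit of roughly a quarter of colour bytes.
    if (i % 4 !== 3 && (block[i % 32] & 3) === 0) out[i] ^= 1;
  }
  return out;
}

// Constructed sample: a 16x16 RGBA gradient standing in for rendered pixels.
function samplePixels() {
  const px = new Uint8Array(16 * 16 * 4);
  for (let i = 0; i < px.length; i++) px[i] = i % 4 === 3 ? 255 : (i * 7) % 256;
  return px;
}

function demo() {
  const px = samplePixels();
  const noisyA = farble(px, 'session-key-A', 'example.test');
  return {
    raw: canvasHash(px),                      // unprotected: stable identifier
    rawAgain: canvasHash(samplePixels()),     // same pixels, same hash
    sessionA: canvasHash(noisyA),
    sessionARepeat: canvasHash(farble(px, 'session-key-A', 'example.test')),
    sessionB: canvasHash(farble(px, 'session-key-B', 'example.test')),
    // Largest per-byte change: the image stays visually identical.
    maxDelta: Math.max(...noisyA.map((v, i) => Math.abs(v - px[i]))),
  };
}
```

A one-bit change in a handful of bytes is enough to produce an unrelated hash, which is why low-amplitude noise breaks the identifier without visibly altering the canvas.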
Browser Extensions:
CanvasBlocker (Firefox): Blocks or randomizes canvas fingerprinting attempts
Privacy Badger (EFF): Detects and blocks tracking scripts including canvas fingerprinting
uBlock Origin: Can block known canvas fingerprinting scripts
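One way an extension or a site's own audit script can surface the otherwise silent draw-then-read pattern (text drawn on a canvas, then read back with toDataURL()), as an added example that is not taken from this page or from any of the extensions listed. The function watchCanvas, the report format and the stub classes are hypothetical; in a browser the two prototypes would be CanvasRenderingContext2D.prototype and HTMLCanvasElement.prototype.

```javascript
// Wraps text drawing and read-back so that a toDataURL() call on a canvas that
// previously had text drawn on it is reported to the caller.
function watchCanvas(ctxProto, canvasProto, report) {
  const textDrawn = new WeakMap(); // canvas -> strings drawn on it

  for (const name of ['fillText', 'strokeText']) {
    const original = ctxProto[name];
    ctxProto[name] = function (text, ...rest) {
      const seen = textDrawn.get(this.canvas) || [];
      seen.push(String(text));
      textDrawn.set(this.canvas, seen);
      return original.call(this, text, ...rest);
    };
  }

  const originalRead = canvasProto.toDataURL;
  canvasProto.toDataURL = function (...args) {
    const texts = textDrawn.get(this);
    if (texts) {
      report({ method: 'toDataURL', width: this.width, height: this.height,
               texts: [...texts] });
    }
    return originalRead.apply(this, args); // behaviour is unchanged
  };
}

// Constructed stand-ins for the browser classes so the block runs offline.
class StubContext {
  constructor(canvas) { this.canvas = canvas; }
  fillText() {}
  strokeText() {}
}
class StubCanvas {
  constructor(w, h) { this.width = w; this.height = h; }
  getContext() { return new StubContext(this); }
  toDataURL() { return 'data:image/png;base64,CONSTRUCTED'; }
}

function runSample() {
  const events = [];
  watchCanvas(StubContext.prototype, StubCanvas.prototype, (e) => events.push(e));
  const probe = new StubCanvas(240, 60);   // text drawn, then read back
  probe.getContext('2d').fillText('sample text', 2, 15);
  const url = probe.toDataURL();
  new StubCanvas(800, 400).toDataURL();    // read back with no text: not reported
  return { events, url };
}
```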
What Doesn't Work:
❌ Clearing cookies and cache (fingerprint is regenerated immediately)
❌ Private/Incognito mode (generates the same fingerprint as normal mode)
❌ VPNs alone (only change IP address, not device fingerprint)
❌ Disabling JavaScript (breaks most modern websites)
Best Practices:
Use Tor Browser for maximum anonymity
Use Brave or Firefox with anti-fingerprinting enabled for daily browsing
Avoid using unique font collections or browser configurations
Keep your system and graphics drivers updated (changes fingerprint occasionally)
Use multiple browsers for different types of activities
8. Learn More
MDN: Canvas API - Mozilla's comprehensive documentation on the HTML5 Canvas API