Canvas fingerprinting is one of a number of browser fingerprinting techniques for tracking online users. It allows websites to identify and track visitors using the HTML5 canvas element instead of browser cookies or other similar means. The technique received wide media coverage in 2014 after researchers from Princeton University and KU Leuven University described it in their paper "The Web never forgets".
Canvas fingerprinting works by exploiting the HTML5 canvas element. When a user visits a website that uses canvas fingerprinting, their browser is instructed to "draw" a hidden line of text or 3D graphic that is then converted to a digital token. Differences in the installed GPU or the graphics driver cause variations in the rendered digital token. The token can be stored and shared with advertising partners to identify users when they visit affiliated websites. A profile can be created from the user's browsing activity, allowing advertisers to target advertising to the user's inferred demographics and preferences.
The fingerprint is primarily based on the browser, operating system, and installed graphics hardware, so it does not uniquely identify users. In a small-scale study with 294 participants from Amazon's Mechanical Turk, an experimental entropy of 5.7 bits was observed, but the authors of the study suggest more entropy could likely be observed in the wild and with more patterns used in the fingerprint. While not sufficient to uniquely identify users by itself, this fingerprint could be combined with other sources of entropy to provide a unique identifier. It is claimed that, because the technique is effectively fingerprinting the GPU, the entropy is "orthogonal" to the entropy of previous browser fingerprint techniques such as screen resolution and browser JavaScript capabilities.
Tor Browser notifies the user of canvas read attempts and provides the option to return blank image data to prevent fingerprinting. Browser add-ons like Privacy Badger, DoNotTrackMe, or Adblock Plus manually enhanced with the EasyPrivacy list are able to block third-party ad network trackers and will block canvas fingerprinting, provided that the tracker is served by a third-party server (as opposed to being implemented by the visited website itself).
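The "notify on read, return blank data unless allowed" behaviour described above can be sketched in JavaScript. This is an added example, not Tor Browser's code: `guardReads`, `isAllowed`, `onAttempt` and the `FakeCanvas` stand-in are hypothetical names, and the sample read-outs are constructed.

```javascript
// Added example: "notify on canvas read, return blank data unless allowed".
// guardReads, isAllowed and onAttempt are hypothetical names, not a browser API.
const BLANK_DATA_URL = "data:,"; // what toDataURL() returns for a zero-size canvas

// Wrap each read-out method named in `blanks` on `proto`. Every call is
// reported to policy.onAttempt; unless policy.isAllowed(name) is true the
// caller gets the blank value instead of the rendered pixels.
function guardReads(proto, blanks, policy) {
  const undo = [];
  for (const [name, makeBlank] of Object.entries(blanks)) {
    const original = proto[name];
    if (typeof original !== "function") continue;
    proto[name] = function (...args) {
      const allowed = policy.isAllowed(name);
      policy.onAttempt({ method: name, allowed });
      return allowed ? original.apply(this, args) : makeBlank.apply(this, args);
    };
    undo.push(() => { proto[name] = original; });
  }
  return () => undo.forEach((restore) => restore());
}

// Constructed stand-in for HTMLCanvasElement so the sketch runs outside a
// browser: its read-out depends on a made-up "gpu" label, as real output
// depends on the GPU and graphics driver.
class FakeCanvas {
  constructor(gpu) { this.gpu = gpu; }
  toDataURL() { return "data:text/plain,rendered-on-" + this.gpu; }
}

function demo() {
  const attempts = [];
  const allowedMethods = new Set(); // empty: the user has not allowed reads yet
  const restore = guardReads(
    FakeCanvas.prototype,
    { toDataURL: () => BLANK_DATA_URL },
    { isAllowed: (m) => allowedMethods.has(m), onAttempt: (e) => attempts.push(e) }
  );
  const a = new FakeCanvas("gpu-A");
  const b = new FakeCanvas("gpu-B");
  const blocked = [a.toDataURL(), b.toDataURL()];   // identical blanks
  allowedMethods.add("toDataURL");                  // user opts in
  const permitted = [a.toDataURL(), b.toDataURL()]; // device-specific again
  restore();
  return { blocked, permitted, attempts };
}

console.log(demo());
```

In a browser the same wrapper would be applied to `HTMLCanvasElement.prototype` for `toDataURL` and to `CanvasRenderingContext2D.prototype` for `getImageData`, with a blank factory that returns zeroed pixel data of the requested size.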