Using HTML5 Canvas To Fingerprint Browsers

Tracking is the holy grail of the online advertising industry. Randomly throwing advertising at users has a very low success rate. The better advertisers can predict what a user will be interested in, the more likely they are to serve advertising that gets more clicks that convert to more sales. To target advertising, networks need to develop profiles of users, and the most common way to do that is with cookies. A cookie is placed in the user’s browser containing a unique identifying number, and whenever a browser visits a site that belongs to the advertising network, code on the page looks at the cookie. In this way, advertising networks can track users across the web — and if those users are logged in to a service like Google or Facebook, the tracking can be all the more accurate, because they can associate it with much richer data.

But not everyone is happy with being tracked across the web, and, as web users become more savvy to the privacy implications of tracking, many are choosing to block the third-party cookies used by advertising networks. That’s bad news for advertisers and for publishers, who are seeking alternative methods of tracking, one of which is browser fingerprinting.

Fingerprinting doesn’t rely on a cookie. Instead, it uses a combination of features associated with a browser (version numbers, installed plugins, operating systems, etc.) to build up a relatively unique identity.

HTML5 Canvas fingerprinting is one method by which browsers can be identified in this way. The HTML5 canvas element allows a site to draw graphics using JavaScript. The exact image drawn depends on a host of different features from font settings to rendering engines. To track browsers, sites will use the canvas element to draw an (often invisible) image or piece of text. The image will be subtly different for each user (up to a point), but each user will create an image which is consistent across sites. By taking a hash of the graphic, the advertising and tracking networks can associate a browser fingerprint with a history of web use, building a sketch of the user which can be leveraged to target advertising.

If the same hash is produced on lots of sites focused on high-end watch reviews, then showing the user Rolex advertising has a greater chance of paying off than if they were shown advertising for kitty litter.

Fingerprinting with HTML5 Canvas isn’t impossible to block, but it’s more difficult than simply blocking third-party cookies, and blocking has the potential to damage user experience.
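The sequence described above (draw text onto a canvas, then read the rendered image back so it can be hashed) can be observed from inside the page. The following JavaScript is an added example, not code from the original article: `watchCanvas`, `report`, `demo` and the `Fake*` classes are hypothetical names, and the sample calls are constructed so the check can run outside a browser.

```javascript
// Added example; watchCanvas and report are hypothetical names.
function watchCanvas(canvasProto, ctxProto, report) {
  const textDrawn = new WeakMap(); // canvas -> strings rendered onto it

  // Record every string a script renders as text.
  for (const name of ["fillText", "strokeText"]) {
    const original = ctxProto[name];
    ctxProto[name] = function (text, ...rest) {
      const seen = textDrawn.get(this.canvas) || [];
      seen.push(String(text));
      textDrawn.set(this.canvas, seen);
      return original.call(this, text, ...rest);
    };
  }

  // Reading pixels back after text was drawn is the step that yields a hashable image.
  for (const [proto, name] of [[canvasProto, "toDataURL"], [ctxProto, "getImageData"]]) {
    const original = proto[name];
    proto[name] = function (...args) {
      const canvas = this.canvas || this; // a 2D context exposes its canvas as .canvas
      const seen = textDrawn.get(canvas);
      if (seen) report({ method: name, text: [...seen], width: canvas.width, height: canvas.height });
      return original.apply(this, args);
    };
  }
}

// Constructed stand-ins so the example also runs outside a browser.
class FakeContext {
  constructor(canvas) { this.canvas = canvas; }
  fillText() {}
  strokeText() {}
  fillRect() {}
  getImageData() { return { data: [] }; }
}
class FakeCanvas {
  constructor(width, height) { Object.assign(this, { width, height, ctx: new FakeContext(this) }); }
  getContext() { return this.ctx; }
  toDataURL() { return "data:,"; }
}

function demo() {
  const reports = [];
  watchCanvas(FakeCanvas.prototype, FakeContext.prototype, (r) => reports.push(r));
  const probe = new FakeCanvas(240, 60); // text, then readout: reported
  probe.getContext("2d").fillText("constructed sample text", 2, 15);
  probe.toDataURL();
  const chart = new FakeCanvas(300, 150); // shapes only, then export: not reported
  chart.getContext("2d").fillRect(0, 0, 10, 10);
  chart.toDataURL();
  return reports;
}
```

In a browser, the same function can be given `HTMLCanvasElement.prototype` and `CanvasRenderingContext2D.prototype`, with `console.warn` as the reporter, before other scripts on the page run.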

Of course, this is all predicated on the assumption that HTML5 Canvas fingerprinting is accurate enough to identify individuals, and the evidence is that on its own, it may not be. It’s nowhere near as accurate as cookies, which can reliably be associated with the same browser, but for an advertising industry worried about declining revenue and user suspicion, it’s better than nothing.

Matthew Davis is a technical writer and Linux geek for Future Hosting.
