Canvas Fingerprinting
IntermediateA tracking technique that draws an invisible image in your browser and hashes the result — tiny GPU and driver differences make the hash nearly unique to your device.
In depth
Canvas fingerprinting exploits the HTML5 canvas element — the browser API for drawing graphics — as an identification tool. A script instructs your browser to render text and shapes to an off-screen canvas, reads the resulting pixels back, and hashes them. You never see anything; the tracker gets a stable identifier.
Why the same drawing differs per device
Rendering is a long pipeline: font files, anti-aliasing strategy, sub-pixel smoothing, the graphics driver, and the GPU itself all influence exactly which pixel gets which color value. Two machines given identical drawing commands produce imperceptibly different images — but hashes are unforgiving, so "imperceptibly different" becomes "completely distinct identifier." The hash is stable for your device across sessions, surviving cookie wipes, private browsing, and IP changes.
Defenses and their trade-offs
- Blocking canvas reads (some privacy extensions) works but is itself detectable — refusing the test is an answer, and an uncommon one.
- Adding noise (Firefox's protections, Brave's farbling) randomizes output slightly per site, breaking cross-site linkage — though exotic noise patterns can also stand out.
- Substituting coherent values — the antidetect-browser approach: each profile returns a canvas result consistent with its claimed hardware, so every profile looks like a different, plausible, real device rather than a masked one.
The consistency trap
A spoofed canvas hash must agree with the rest of the fingerprint. Claiming an Intel GPU in the WebGL renderer string while producing an NVIDIA-typical canvas output is a contradiction detectors specifically hunt for.
Examples
- A script draws a hidden phrase with emoji to a canvas, hashes the pixels, and recognizes the returning visitor across cookie wipes.
- An anti-bot system clusters thousands of automated visits because they all share one canvas hash.
- An antidetect browser gives each profile a distinct canvas response consistent with its claimed GPU.
Common use cases
FAQs
You can block or noise it — Firefox and Brave ship built-in defenses, and extensions exist. But blocking is itself a signal: sites see a canvas refusal or an ever-changing hash, which marks you as privacy-tooled. Blending in beats disappearing.
No. Incognito clears cookies and history, but your GPU, drivers, and fonts render identically in private windows — the canvas hash stays the same, which is exactly why trackers adopted the technique.
Broadly yes today, though privacy regulations like GDPR classify fingerprints as personal data requiring a lawful basis, and regulators increasingly scrutinize consentless tracking. It remains ubiquitous in both ad-tech and anti-fraud systems.