« Blog Home

Why the Canvas Fingerprinting Controversy is Completely Overblown

Jul 22, 2014

Something evil this way comes

There's been a flurry of recent articles about Canvas Fingerprinting, a sneaky new online tracking tool" that is impossible to block." On the surface, the story makes great fodder for sinister, exotic, and highly clickable "Online Privacy Under Attack" headlines (the great irony of which is that the article pageviews thus generated are creating millions of opportunities for tracking events to occur and ad impressions to be served), but if you take a little time to understand how Canvas Fingerprinting actually works, it quickly becomes apparent that this is a non-scandal.

How does "Canvas Fingerprinting" work?

I’ll admit, I was drawn in by the ominous headlines, having noticed the ProPublica article on Digg (which, yes, I still read — feel free to point and laugh). And given that I’m in the business of delivering personalized display ads that utilize anonymized tracking, I was interested to learn what the fuss was about. But ProPublica, Gizmodo, and other content factories are just doing what they always do: regurgitating the same vague information without providing any depth.

Thanks to a Gizmodo commenter (as usual, the comments reveal far more than the articles), I was led to these two descriptions of how Canvas Fingerprinting works:

Based on those documents, here's a summary of how Canvas Fingerprinting works:

  • A piece of Javascript tracking code installed in a web page instructs the visitor’s browser to draw a hidden image using the HTML5 <canvas> spec. I'm assuming this is always a standard image, such as the letter "A."
  • Pixel by pixel, the drawn image is then converted to a base 64 encoded string.
  • Due to factors (e.g., anti-aliasing or image metadata) that are unique to individual browsers, devices, browser settings, and operating systems, every browser (or almost every browser — see further commentary regarding limited accuracy) will draw the image slightly differently, therefore the base 64 encoded string from the previous step will be unique to the browser.
  • The base 64 encoded string can be converted to something like an MD5 hash that can serve as a unique ID for that browser, such that when the same MD5 hash is found again, the browser can be identified/recognized. And of course other information can be tied to that unique ID in a database.

Why the "controversy" is a total crock

Anything I’m about to say is irrespective of the greater debate over online privacy. I'm in the online ad industry and I'm a pragmatist, so I'm looking at this relative to what's already happening (and will likely continue happening) in the world of web tracking. Through that lens, Canvas Fingerprinting, while quite clever, doesn't seem like that big a deal vis a vis privacy. Here's why:

  • Like browser cookies, Canvas Fingerprinting tracks the browser, and not the person. This means that in the vast majority of possible use cases, it's completely anonymous. Most of the companies out there dropping cookies are collecting information about web browsers (the software applications, not the people using them), with no intention or means of tying that data back to real people.
  • There are many companies developing the ability to track users across devices and browsers. Again, this is being done in an anonymized fashion, but it's far closer to tracking people. Canvas Fingerprinting, on the other hand (like cookies), doesn't reveal any ties between a person’s laptop browsing, tablet browsing, and/or mobile browsing.
  • Canvas Fingerprinting doesn't work in browsers that don’t support HTML5, whereas cookies are universally supported (which is separate from the question of whether they’ve been blocked or deleted).
  • It seems like Canvas Fingerprinting isn't 100% accurate in identifying web browsers uniquely (see the first page here), whereas cookies, as long as they're not blocked or deleted, are 100% accurate.
  • The following are my own assumptions, but it seems like Canvas Fingerprinting could easily break whenever the user updates their browser version (which happens a lot for some browsers), updates their OS, changes their browser settings/defaults, switches to a different browser on the same device, or buys a new device. With those factors taken together, Canvas Fingerprinting sounds less persistent than the venerable old browser cookie.
  • The "virtually impossible to block" claim made by ProPublica seems very, very speculative. Canvas Fingerprinting requires some fairly specific Javascript to be run, which means there's a way to recognize that code and either prevent it from running or at least notify the user. Any number of new or existing ad blocker, antivirus, tracking blocker, or online privacy browser plugins could incorporate this as a feature, just as they've built features to recognize and then block or throttle other tracking technologies.

Worry about something that's actually bad, like stubbing your toe

Canvas Fingerprinting appears to be more complex than existing tracking technologies (e.g., cookies), while at the same time being less reliable, begging the question of why very many companies might ever adopt it. Even if it does end up being widely adopted, most implementations will look like cookies, wherein Canvas Fingerprinting will collect anonymized data that isn't tied to a name, photo, phone number, email address, SSN, or anything else that’s personally identifiable. It might also play a role in supplementing existing tracking "vectors" such as cookies, IP addresses, and device IDs.

But in the end, Canvas Fingerprinting certainly doesn't appear to be the pernicious, invincible harbinger of doom that many sites (who, let's not forget, make their money dropping cookies and selling ad impressions when you read their sensational articles) are making it out to be.

Contact us to learn more about the Canned Banners Dynamic Ads platform.