In 2012, Keaton Mowery and Hovav Shacham proposed a new original method to fingerprint a browser using HTML5: Pixel perfect: Fingerprinting Canvas in HTML5. It uses a new feature <canvas> of HML5. <canvas> defines an area of the screen that can be drawn by primitives. The idea is to write a text, ideally a pangram, into a canvas, to retrieve the rendered bitmap of the canvas area (using command toDataURL) and calculates from this image a digest. The expectation was that rendering would slightly differ depending on the operating system, the version of the browser, the graphical card and the version of the corresponding driver. Fingerprinting canvas differentiated users. Furthermore, all modern browsers support HTML5.
Canvas fingerprinting is transparent to the user. It bypasses any cookies protection, any private browser mode… If combined with other fingerprinting parameters such as, for instance, http agent or font detection, the uniqueness of the fingerprint is high. The site http://www.browserleaks.com/ demonstrates the differentiation. Do not hesitate to test with your configuration.
This paper was a nice academic study. This month, Gunes Acar et al. published a paper “The Web never forgets: Persistent tracking mechanisms in the wild.” They studied different tracking methods used by the top 100,000 web sites (ranking by Alexa). They discovered that 5.5% of these sites used fingerprinting canvas! It is mainly used by the “AddThis.com” system. Furthermore, by reverse engineering the AddThis code, they highlighted that AddThis improved the technique described in the seminal paper. For instance, the developers used a perfect pangram, or draw two rectangles and checked whether a specific point was part of the path…
User tracking is an arm race and tracking softwares use the latest academic research results.
Note 1: you can opt out from AddThis at http://www.addthis.com/privacy/opt-out. they put a cookie on the computer to signal the opt out :(
Note 2: a pangram is a sentence that uses all the letters of the alphabet. A perfect pangram is a sentence that uses all the letters of the alphabet only once.