Some thoughts on a countermeasure to HTML canvas based fingerprint tracking

A new method of web browser fingerprinting hit the press today: Meet the Online Tracking Device That is Virtually Impossible to Block.

We’ve been thinking how one might create a countermeasure to this kind of web canvas based browser fingerprinting.

The canvas fingerprinting code that we’ve seen so far uses a chunk of javascript to create a canvas object, draws some text and graphics onto that canvas, then turns the canvas into a .png image, and, finally, does a hash on the png.

Hash algorithms generally try to create a widely varying result even from small changes in the input.  This means that if the canvas .png image changes even a tiny amount – for example if a pixel were to have a slightly different color – then the resulting hash would be very different.

Different hash values mean different fingerprints which means that the tracking attempt fails (which is good for users who are concerned about being tracked.)

So, it would seem that a useful countermeasure would be to change browser canvas code, particularly the canvas toDataURL() function so that introduces a few changes every time it is invoked.  These changes could be ones that don’t really bother the human eye – for example altering a color by a couple of RGB values – or making changes to an alpha channel, perhaps in corners or along edges.

Since some of our common browsers are open source, some of us with more time than I have might want to run a few experiments to see whether the idea I have has any legs.

If anybody tries this could you drop me a note and let us know?