A new method of web browser fingerprinting hit the press today: "Meet the Online Tracking Device That is Virtually Impossible to Block".
We’ve been thinking about how one might create a countermeasure to this kind of canvas-based browser fingerprinting.
Hash algorithms generally try to create a widely varying result even from small changes in the input. This means that if the canvas .png image changes even a tiny amount – for example if a pixel were to have a slightly different color – then the resulting hash would be very different.
Different hash values mean different fingerprints, which means that the tracking attempt fails (which is good for users who are concerned about being tracked).
So, it would seem that a useful countermeasure would be to change the browser canvas code, particularly the canvas toDataURL() function, so that it introduces a few changes every time it is invoked. These changes could be ones that don’t really bother the human eye – for example altering a color by a couple of RGB values – or making changes to an alpha channel, perhaps in corners or along edges.
Since some of our common browsers are open source, some of us with more time than I have might want to run a few experiments to see whether the idea has any legs.
If anybody tries this, could you drop me a note and let us know?
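A sketch of the idea outside a browser, added here as an illustration and not taken from any browser's code: a constructed RGBA buffer stands in for the canvas pixels, and 32-bit FNV-1a stands in for whatever hash a tracker applies to the toDataURL() output. The names `fnv1a`, `perturb` and `sampleCanvas` are hypothetical; in a real patch the perturbation would run inside toDataURL() itself.

```javascript
// Added example. FNV-1a is an assumed stand-in for the tracker's hash.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) {
    h = Math.imul(h ^ b, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Return a copy of an RGBA buffer with `count` distinct colour channels
// nudged by 1 or 2. Alpha bytes (every 4th) are left untouched.
// `rng` returns a float in [0, 1); injectable so tests can be deterministic.
function perturb(rgba, count = 8, rng = Math.random) {
  const out = Uint8ClampedArray.from(rgba);
  const pixels = out.length / 4;
  const touched = new Set();
  const target = Math.min(count, pixels * 3);
  while (touched.size < target) {
    const i = Math.floor(rng() * pixels) * 4 + Math.floor(rng() * 3);
    if (touched.has(i)) continue; // never nudge the same channel twice
    touched.add(i);
    let delta = (1 + Math.floor(rng() * 2)) * (rng() < 0.5 ? -1 : 1);
    // Flip the sign at the range edges so the value always changes.
    if (out[i] + delta < 0 || out[i] + delta > 255) delta = -delta;
    out[i] += delta;
  }
  return out;
}

// Constructed 16x16 opaque RGBA buffer standing in for the canvas pixels.
function sampleCanvas() {
  const px = new Uint8ClampedArray(16 * 16 * 4);
  for (let i = 0; i < px.length; i++) {
    px[i] = i % 4 === 3 ? 255 : (i * 37) % 256;
  }
  return px;
}

const original = sampleCanvas();
console.log("unmodified:", fnv1a(original));
console.log("call 1:    ", fnv1a(perturb(original)));
console.log("call 2:    ", fnv1a(perturb(original)));
```

Each call prints a different hash even though at most eight colour values moved by no more than 2 out of 255.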