What Is Canvas Fingerprinting?
Canvas fingerprinting is one of the most precise and widely used browser tracking techniques available today. It works by using the HTML5 Canvas API — a standard web technology designed for drawing graphics in the browser — to generate a hidden image, then reading back the pixel data. Because graphics rendering differs subtly between devices based on GPU hardware, graphics drivers, and operating system font rendering, the resulting image is slightly different on every device. This difference becomes a unique identifier: your canvas fingerprint.
Unlike cookies, canvas fingerprints are not stored on your device. They are regenerated on every page visit by re-running the same JavaScript. This means clearing your browser history, deleting cookies, switching to incognito mode, or even reinstalling your browser has no effect on your canvas fingerprint — it is determined by your hardware and software stack, not by stored files.
How Canvas Fingerprinting Works Step by Step
The technical process behind canvas fingerprinting follows a consistent pattern that any website can implement with a few lines of JavaScript:
Create a hidden canvas element. JavaScript creates a
<canvas>element that is not visible to the user — it may have zero dimensions, be positioned off-screen, or have its opacity set to zero.Draw text and shapes. The script draws a specific combination of text (often including emoji, special characters, and mixed fonts), shapes, and gradients onto the canvas. The specific content is chosen to maximize variation across rendering environments.
Apply rendering operations. The script may apply blending modes, shadows, gradients, and other effects that stress-test the rendering engine and produce more variation between different GPU and driver combinations.
Read the pixel data. The rendered canvas is read back using
canvas.toDataURL(), which returns a Base64-encoded PNG image, orgetImageData(), which returns raw pixel values.Hash the result. The pixel string is hashed (commonly with MurmurHash or SHA-256) to produce a compact fingerprint value — typically a string of numbers and letters.
Send to tracking server. This hash is sent to the tracking service and associated with your browser session, IP address, and any other fingerprinting data collected simultaneously.
The entire process takes milliseconds and runs silently in the background. You will never see the canvas element or know that fingerprinting has occurred.
Why Canvas Rendering Differs Between Devices
The reason canvas fingerprinting works is that browser graphics rendering is not perfectly standardized. The same drawing operations produce subtly different pixel outputs across different environments for several reasons:
GPU Hardware Differences
Different GPUs implement graphics operations slightly differently at the hardware level. Anti-aliasing, sub-pixel rendering, and floating-point precision all vary between GPU manufacturers (NVIDIA, AMD, Intel, Apple Silicon) and between different GPU models from the same manufacturer.
Graphics Driver Versions
Graphics drivers translate high-level drawing commands into GPU-specific instructions. Different driver versions — even for the same GPU — can produce different pixel outputs for the same drawing commands.
Operating System Rendering Stack
Windows, macOS, Linux, iOS, and Android all have different graphics subsystems. Windows uses DirectX, macOS uses Metal, Linux typically uses OpenGL or Vulkan. These differences affect how canvas operations are executed and produce different outputs.
Font Rendering Engines
The way text is rendered — including anti-aliasing, hinting, and sub-pixel positioning — varies significantly between operating systems and can even be configured by users. Text rendering is a major source of canvas variation.
Browser-Specific Implementations
Chrome, Firefox, Safari, and Edge all implement the Canvas API slightly differently. Even the same browser on the same operating system may produce different canvas outputs across major version updates as rendering code is modified.
Canvas Fingerprint Accuracy and Uniqueness
Research consistently shows that canvas fingerprinting is one of the most accurate passive fingerprinting techniques:
Studies suggest that canvas fingerprints alone can identify approximately 5–10% of browser instances uniquely, rising to over 99% when combined with other fingerprinting signals
Canvas fingerprints are highly stable over time — they change only when hardware or drivers are updated
The fingerprint is consistent across browser sessions, incognito windows, and even across different browsers on the same device (since the underlying GPU and OS are the same)
Mobile devices often have more common canvas fingerprints because there are fewer GPU/OS combinations, but the growing diversity of Android hardware has reduced this uniformity
Canvas Fingerprinting in the Wild
Canvas fingerprinting is not a theoretical threat — it is deployed at scale across the web. Key findings from published research:
A 2014 Princeton University study found canvas fingerprinting scripts on over 5% of the Alexa top 100,000 websites, with a single company (AddThis) responsible for the majority of deployments
By 2020, canvas fingerprinting had become one of the most common tracking techniques used by advertising networks, appearing on the majority of major commercial websites
The technique is frequently used alongside other fingerprinting methods — WebGL, audio, font enumeration — to create composite fingerprints with near-perfect uniqueness
Many fraud prevention services, including those used by banks and e-commerce platforms, rely on canvas fingerprinting as a legitimate security tool to identify returning devices
How to Test Your Canvas Fingerprint
SpeedIQ's canvas fingerprint test shows you exactly what your canvas fingerprint looks like and provides an estimate of how unique it is. Running the test takes seconds and gives you actionable information. Here is what to look for in the results:
Fingerprint hash: The unique identifier generated from your canvas output. If this matches another session's hash, that session could be identified as the same device.
Canvas image preview: The actual rendered canvas image that your browser produces. Small visual differences between devices are what create the unique hash.
Uniqueness estimate: How common or rare your specific canvas fingerprint is compared to other users who have run the test.
Protection status: Whether your browser appears to be randomizing or blocking canvas fingerprinting.
How to Protect Against Canvas Fingerprinting
Use Brave Browser (Recommended)
Brave provides the best balance of canvas fingerprint protection and usability. By default, Brave randomizes canvas output: each website sees a slightly different canvas fingerprint, making cross-site tracking impossible. The randomization is subtle enough that canvas rendering still looks correct to the human eye, but the pixel-level data that fingerprinters read is unique to each site and session.
To verify Brave's protection is active: go to brave://settings/shields and check that "Fingerprinting" is set to "Block fingerprinting".
Use Firefox with ResistFingerprinting
Firefox's built-in fingerprint resistance mode standardizes canvas output, returning identical results for all users with the same setting enabled. To enable it:
Type
about:configin the address bar.Accept the risk warning.
Search for
privacy.resistFingerprinting.Set it to
true.
Note: This setting can break some websites and may cause canvas-based applications (like online photo editors or games) to behave differently. You can whitelist specific sites if needed.
Use CanvasBlocker Extension (Firefox)
The CanvasBlocker extension for Firefox offers fine-grained control over canvas fingerprinting protection:
Fake mode: Returns slightly randomized data, similar to Brave's approach
Block mode: Returns empty or blank canvas data
Ask mode: Prompts you when canvas fingerprinting is detected
Allow mode: Whitelist specific trusted sites
Fake mode is recommended — it provides protection without making you uniquely identifiable as "someone who blocks canvas fingerprinting."
Use the Tor Browser for Maximum Protection
The Tor Browser applies comprehensive fingerprint standardization, including canvas. All Tor Browser users appear identical for canvas purposes, completely eliminating canvas-based individuation. The trade-off is significantly slower browsing and blocked access to many websites that detect and block Tor exit nodes.
Avoid Counterproductive "Blocking"
Blocking canvas access entirely can backfire. If a fingerprinter detects that canvas is blocked, this itself becomes a distinguishing feature — you become identifiable as "someone running a canvas blocker." This is particularly true if you are the only user with a specific blocker configuration. Randomization (as used by Brave) is more effective than complete blocking for avoiding identification.
Canvas Fingerprinting vs. Other Fingerprinting Methods
Canvas fingerprinting is one of several fingerprinting techniques that are typically combined:
Canvas fingerprint: Based on GPU and rendering. High accuracy, very stable.
WebGL fingerprint: Based on GPU capabilities and driver details. Provides GPU model information directly.
Audio fingerprint: Based on audio processing hardware. Moderately accurate, complements canvas.
Font fingerprint: Based on installed fonts. High variation, especially on desktop systems.
CSS media query fingerprint: Based on screen dimensions, DPI, color scheme preference.
When combined, these techniques create a composite fingerprint that is unique for nearly every internet user. Canvas fingerprinting alone is powerful; as part of a combined fingerprint, it contributes to near-perfect tracking accuracy.
Frequently Asked Questions
Does canvas fingerprinting work in incognito mode?
Yes. Incognito mode does not change your GPU, graphics drivers, or operating system. The canvas rendering output is identical in incognito mode, making the fingerprint the same as in normal mode.
Can websites use canvas fingerprinting without my consent?
Under GDPR in Europe, using canvas fingerprinting for tracking purposes requires consent if it constitutes processing of personal data. Many privacy advocates and regulators argue that canvas fingerprints are personal data under GDPR. In practice, enforcement has been limited, and many websites deploy canvas fingerprinting without explicit consent.
Will disabling JavaScript prevent canvas fingerprinting?
Yes — canvas fingerprinting requires JavaScript. Disabling JavaScript entirely would prevent it. However, this breaks the vast majority of modern websites and is not a practical solution for regular browsing.
Does using a different monitor prevent canvas fingerprinting?
No. Canvas fingerprinting is based on the GPU and rendering pipeline, not on your monitor. Connecting to a different monitor does not change the GPU or driver, so the fingerprint remains the same.
Summary
Canvas fingerprinting is a precise, invisible tracking technique that creates a unique identifier from how your browser renders graphics. It is unaffected by cookies, VPNs, incognito mode, or clearing your browser data. It works because every GPU, driver, and OS combination renders graphics slightly differently at the pixel level.
The most effective protection is using Brave browser's built-in fingerprint randomization, or Firefox with privacy.resistFingerprinting enabled. Use SpeedIQ's canvas fingerprint test to see your current fingerprint, understand how unique it is, and verify whether your browser's protection is working.