By now pretty much everyone knows what a browser cookie is; websites ask your browser to hang onto a little file, to be retrieved later. Cookies are used to help remember things about your visit, and that has implications to how your browser’s behavior can be tracked. A lot of privacy regulation, as well as some dramatic changes in the web-content industry, revolve around these little guys.
But we’re not going to talk about that today. Instead:
Look at this
and this.
This is two browsers’ interpretations of the same javascript code. Meaning I viewed the same webpage with two different computers, and took screenshots.
If you can see beyond my lazy screenshotting, they look the same, as you’d expect. Unless, that is, you’re a computer. If you are, those images look like this:
fd4a728c5353f856a47b29fce3d5d6ea747f1a59365d0b83aa303b6bcf1d8939
and this
1c170243174eddfadf94455f6abfecd702c53910a63330c7a3fdc3c4abd11607
which I think we can agree are not the same at all.
If we look at canvas fingerprinting through that same lens, we find that none of that control is there; it’s difficult to tell if it’s happening to you, it’s equally difficult to prevent, and the use of these technologies is in something of a gray area when it comes to right and wrong.
This is something called canvas fingerprinting, which is a method to exploit subtle variations in each computer’s operating environment. Different hardware, different software, different configuration and customization all add up to different results when a browser is asked to draw a picture. It’s effectively unique to the device, like a fingerprint is effectively unique to you.
Here’s why this matters: as traditional browser cookies dry up under the glare of privacy regulation, businesses and malefactors will look for other ways to gather valuable information about your behavior online.
When it comes to our old friend the browser cookie, you can do things like delete your cookies, or change your browser profile, or use an “incognito” window to exert some amount of control over what’s being tracked. If we look at canvas fingerprinting through that same lens, we find that none of that control is there; it’s difficult to tell if it’s happening to you, it’s equally difficult to prevent, and the use of these technologies is in something of a gray area when it comes to right and wrong; a little bit of the eye of the beholder.
And here’s the rub: canvas fingerprinting is just one example of this kind of involuntary identification, sometimes collectively called “supercookies.”
I have no thoughtful words of conclusion, I just thought you’d like to know.
Like and share and subscribe, etc.
—
Note:
I used this to generate the images and hashes.