SSysLeak

Guide

What Is Canvas Fingerprinting? The Invisible Image That IDs You

One of the most effective tracking techniques works by asking your browser to draw a picture you never see. It's called canvas fingerprinting, and it turns a harmless drawing feature into a surprisingly stable device ID — all in the time it takes a page to load.

This guide explains how a hidden image can identify your machine, and how to see the value your own browser produces.

How drawing a picture becomes an ID

Browsers include the HTML canvas, a feature for drawing graphics and text on the fly. Here's the trick: when two different devices render the exact same drawing instructions, the resulting pixels are subtly different.

Those differences come from the unique mix of:

  • Your GPU and graphics drivers
  • Your operating system's text rendering and anti-aliasing
  • Installed fonts and how they're smoothed
  • Browser version and rendering settings

A tracking script draws some hidden text and shapes off-screen, reads back the pixels, and hashes them into a short string. Your device tends to produce the same hash every time — so that hash becomes an identifier, with no cookie and nothing stored.

Why it's powerful — and quiet

Canvas fingerprinting is attractive to trackers because it is:

  • Silent. The image is never shown; there's no prompt and no visible effect.
  • Persistent. Clearing cookies or using private mode doesn't change your hardware, so the hash survives.
  • Hard to notice. It runs in milliseconds during a normal page load.

It's one of the strongest individual signals in a browser fingerprint — and, like the rest of fingerprinting, it works even behind a VPN, because it has nothing to do with your IP address.

Can you defend against it?

A few approaches help, with trade-offs:

  • Some browsers randomize canvas output per session or per site, so the hash never settles into a stable ID.
  • Tor Browser makes many users return an identical, blank-ish result on purpose, so the signal carries no information.
  • Anti-fingerprinting extensions can add noise, though clumsy ones can make you more unique by standing out.

As always, the smart move is to measure first. See the actual scene your browser renders and the device-specific hash it produces below.