Canvas Fingerprinting: How Sites Track You by Drawing Invisible Images

Q: What is canvas fingerprinting?

Canvas fingerprinting is a tracking technique that draws hidden text and graphics onto an HTML5 canvas, then reads the rendered pixels back and turns them into a unique identifier. Because devices render those pixels slightly differently based on their GPU, drivers, operating system, and fonts, the result acts like a device signature. It does not store anything on your computer.

Q: Can canvas fingerprinting track me without cookies?

Yes. It does not rely on cookies or any stored data, so clearing cookies or browsing history does not stop it. The identifier is recalculated from your hardware and software every time you visit a site. This is what makes it harder to evade than traditional cookie tracking.

Q: Does incognito or private mode block canvas fingerprinting?

No. Private and incognito modes prevent your browser from saving local history and cookies, but they do not change how your device renders the canvas. The same fingerprint is produced whether you are in a normal or private window. You need an anti-fingerprinting browser or extension to interfere with it.

Q: How accurate is canvas fingerprinting?

On its own it is a moderately identifying signal, and it becomes much more powerful when combined with other signals such as fonts, screen size, and audio fingerprinting. It is also fairly stable over time because the underlying hardware and drivers rarely change. It is not guaranteed to be unique for every device, but it meaningfully narrows down who you are.

Q: How do I stop canvas fingerprinting?

The most effective options are the Tor Browser, which asks permission before any canvas can be read, and Brave, which randomizes canvas output per site. Firefox offers a resistFingerprinting setting, and extensions such as CanvasBlocker can add noise or block readback. None of these are perfect, and some defenses can themselves be detectable.

~/sheets/canvas-fingerprinting.md

Tracking That Draws a Picture You Never See
Canvas fingerprinting is one of the most widely deployed ways to track a browser without storing anything on it. A script asks your browser to draw text and shapes onto a hidden HTML5 canvas, reads the rendered pixels back, and turns them into an identifier. Because the drawing is invisible and nothing is saved to your device, most people never know it happened. You can see what your own browser exposes with our browser fingerprint tool, and this page is the deep-dive companion to our overview of browser fingerprinting.
How It Works
The script renders a string of text, often mixing fonts and emoji, into an off-screen canvas element. It then calls toDataURL(), which returns the canvas as an encoded PNG image, or getImageData(), which returns the raw pixel values. Hashing that output produces a short, repeatable fingerprint. The same instructions run on your machine every visit and produce the same hash.
Why Two Devices Render Differently
The pixels are not identical across devices because rendering depends on your GPU, graphics driver, operating system, installed fonts, font rasterization and hinting, and anti-aliasing. These differences are far too small to see, but they are easy to measure at the pixel level. Emoji are especially useful to trackers because they look noticeably different across platforms and OS versions.
Where It Came From
The technique was introduced in the 2012 academic paper Pixel Perfect: Fingerprinting Canvas in HTML5 by Keaton Mowery and Hovav Shacham. It was later measured across the live web in the 2014 study The Web Never Forgets, which documented real tracking scripts using it, the AddThis social widget being the most prominent named example at the time.
Why It Is Hard to Escape
Canvas fingerprinting is stateless. Clearing cookies, clearing local storage, or opening a fresh private window does not change it, because there is nothing stored to clear. The identifier is recomputed from your hardware and software stack on every visit, and that stack rarely changes, so the fingerprint tends to stay stable over time. Combined with TLS fingerprinting and audio fingerprinting, it becomes a strong cross-visit signal.
How to Reduce It
The Tor Browser prompts before any canvas can be read, so silent fingerprinting returns blank data. Brave applies per-site randomization, sometimes called farbling, so your canvas output differs across sites. Firefox offers a resistFingerprinting setting, and extensions such as CanvasBlocker can add noise or block readback. None of these are perfect, and an unusual anti-fingerprinting setup can itself make you stand out unless many users share it.
Frequently Asked Questions
What is canvas fingerprinting?
Canvas fingerprinting is a tracking technique that draws hidden text and graphics onto an HTML5 canvas, then reads the rendered pixels back and turns them into a unique identifier. Because devices render those pixels slightly differently based on their GPU, drivers, operating system, and fonts, the result acts like a device signature. It does not store anything on your computer.
Can canvas fingerprinting track me without cookies?
Yes. It does not rely on cookies or any stored data, so clearing cookies or browsing history does not stop it. The identifier is recalculated from your hardware and software every time you visit a site. This is what makes it harder to evade than traditional cookie tracking.
Does incognito or private mode block canvas fingerprinting?
No. Private and incognito modes prevent your browser from saving local history and cookies, but they do not change how your device renders the canvas. The same fingerprint is produced whether you are in a normal or private window. You need an anti-fingerprinting browser or extension to interfere with it.
How accurate is canvas fingerprinting?
On its own it is a moderately identifying signal, and it becomes much more powerful when combined with other signals such as fonts, screen size, and audio fingerprinting. It is also fairly stable over time because the underlying hardware and drivers rarely change. It is not guaranteed to be unique for every device, but it meaningfully narrows down who you are.
How do I stop canvas fingerprinting?
The most effective options are the Tor Browser, which asks permission before any canvas can be read, and Brave, which randomizes canvas output per site. Firefox offers a resistFingerprinting setting, and extensions such as CanvasBlocker can add noise or block readback. None of these are perfect, and some defenses can themselves be detectable.
Last updated: April 2026