Canvas fingerprint spoofed. What does that mean?

Question

I have recently visited a website which showed me device info and what drew my attention was "Canvas Fingerprint: Spoofed". What could that mean and how can I restore it?

Device info website #1:

Device info website #2:

Answer 1

Canvas fingerprinting is one part of Device fingerprint among many possible method (it's actually one of the weaker methods). Fingerprinting is commercially motivated to help websites to figure out your interests and habits, in order to display pertinent ads, even if you have not logged into the website to identify yourself.

Your browser is set to foil this method, but any website that intends to identify you uniquely in the world will have many other methods available. Just spoofing the Canvas method is far from sufficient.

You may leave the spoofing On or disable it, as in both cases your browser will still be fingerprinted if the website uses additional methods.

To convince yourself, visit the website of Am I Unique which will test to see if it can generate a unique fingerprint for identifying your browser (and computer). The website will also tell you which combination of tests enabled it to compute your fingerprint.

You may find some more information in the post Unique Browser / User ID?

Answer 2

You wouldn't want to restore it. From wikipedia's Canvas Fingerprinting -page:

Canvas fingerprinting is one of a number of browser fingerprinting techniques for tracking online users that allow websites to identify and track visitors using the HTML5 canvas element instead of browser cookies or other similar means

Canvas spoofing is a technique your browser uses to protect user against Canvas Fingerprinting. Wikipedia's page on Device Fingerprint has a section talking about spoofing and other mitigation techniques.

Answer 3

Your canvas is the "working" area that the website can draw in. Having the size or details of that working area available can mean that a website can accurately draw to the edges of your browser window.

This has a downside though. While many people might use their browser in "fullscreen" mode there are subsets of people who either have peculiar screen resolutions (such as the Surface Pro series with its 2736 x 1824 resolution) or have their browser set up to use only a specific area of the screen.

Those setups give what could be seen as a nearly "unique" browser canvas size that can be used to profile a user. Advertisers love any data they can get to uniquely identify users. For you as a user it is a bad thing, as it essentially means that you could be leaking information about yourself when you would rather not.

Having your canvas fingerprint spoofed can be good for security and privacy.

If you want to enable or disable Canvas Fingerprint Spoofing then it depends on your browser.

• Firefox protection against fingerprinting
• Edge Addon: Canvas Fingerprint Defender, Addon: Canvas Blocker - Fingerprint Protect
• Chrome Canvas Fingerprint Defender

Answer 4

I can think of 2 methods how websites can know that your canvas is spoofed. In order to understand it, please read the other answers or this article about canvas fingerprinting.

Method 1)

Several years ago it was popular to use a method called "noise" to spoof your canvas fingerprint. Anti-detect browsers can modify the rendered HTML canvas image: if they change the color of one single pixel of the image randomly, human eyes won’t recognize the difference but the png hash will be completely different.

According to browserleaks.com To create a signature hash from the canvas, we must export the pixels from the application's memory using the toDataURL() function, which will return the base64-encoded string of the binary image file. Then we can just create an MD5 hash of this string, or even extract CRC checksum from IDAT chunk which is placed from 16 to 12 byte from the end of every PNG file, and this will be our Canvas Fingerprint.

According to Kameleo anti-detect browser websites are using machine learning algorithms to detect canvas noise. Websites using advanced browser fingerprinting systems have a database of hashes that show how canvas image is rendered on existing, real-world devices. These images with the hashes are stored and once they got a new visitor, they generate the hash with the visitor's browser. Then they can look it up in the database, and if they find a matching hash they will know that this hash appeared before. They will also have information about the device, as basically the same hash can only be generated on a device with the same configuration. Once “canvas noise” is applied to an image the hash won’t match any valid configuration, it will be 100% unique, and it will be obvious that "noise" spoofing is applied.

Method 2)

Anti-detect browsers work in different ways. Browser extensions, and basic anti-detect vendors only spoof browser fingerprint values by overriding javascript functions. It is very difficult to override those functions without "leaving any trace". New methods of these trace detection are also founded time by time, so older methods are usually detected. So in your case, probably not the canvas noise that is detected, but the fact that an anti-detect browser is changing the behavior of the javascript engine.

Summary

To spoof canvas properly you need to select a vendor that alters the browser fingerprint with several techniques, not just Javascript function overriding, and not just adding noise to values.

If you want to learn more about how to spoof canvas fingerprint properly I suggest you to check out this video