Canvas Fingerprinting: The Invisible Tracker You Can't Clear
Canvas fingerprinting creates a unique identifier from how your browser renders graphics. No cookies needed, no way to clear it. Here's how it works.
I remember the first time someone explained canvas fingerprinting to me. I thought they were messing with me. You're telling me a website can identify my computer by asking it to draw a picture? Like a digital handwriting sample?
Yeah. That's basically what it is.
How it actually works
Every browser has the Canvas API. It's meant for drawing graphics on web pages - charts, games, image editors, that kind of stuff. Totally legitimate technology.
But here's what makes it useful for tracking. When a website tells your browser "draw this text in this font with this color," the exact pixels that get produced are slightly different on every machine. We're talking sub-pixel differences. Invisible to your eye but measurable in code.
The site draws something, calls toDataURL() or getImageData(), and gets back the rendered pixels, either as an encoded image or as a raw pixel array. Hash that data and you've got a fingerprint. No cookies. Nothing stored on your device. Can't clear it. Can't see it happening.
The rendering differences come from a few places:
Your GPU and its drivers. An NVIDIA card renders anti-aliased curves differently than AMD. Same card with driver version 545.29 renders differently than 546.01. Tiny differences, but they compound.
Your operating system's font engine. Windows uses DirectWrite, macOS uses Core Text, Linux uses FreeType. Each one handles sub-pixel positioning and hinting differently.
Your display scaling. 100% vs 125% vs 150% changes how text gets rasterized.
Even your color profile matters. sRGB vs P3 vs whatever custom calibration you're running.
All of these stack up. The result is that your canvas fingerprint is effectively unique. Research from Princeton back in 2014 showed canvas fingerprinting could identify individual devices with around 90% accuracy. It's gotten better since then.
The crypto connection
So why should wallet farmers care about this?
Because airdrop projects use it. Specifically, the analytics companies that projects hire to filter out Sybils.
Saw a discussion in a Discord server after the Starknet airdrop situation. Someone had dug into the JavaScript loaded by one of the qualifying dApp frontends. Found canvas fingerprinting code collecting hashes alongside connected wallet addresses. Standard analytics stuff from the site's perspective. Devastating for anyone running multiple wallets from the same browser.
Think about it. You can change your IP with a proxy or VPN. You can use different wallet addresses. You can vary your transaction timing. But if all your wallets connect through the same Chrome install, they all produce the same canvas hash.
Twelve wallets. One canvas fingerprint. Clustered.
This ties directly into the broader browser fingerprinting problem we've covered before. Canvas is just one signal, but it's one of the strongest ones because it's so hard to fake convincingly.
Why blocking canvas doesn't work
First thing people try: install an extension that blocks canvas access. Site asks for canvas data, extension returns blank or blocks the call.
Two problems with this.
One, it breaks websites. Tons of legitimate sites use canvas for rendering. CAPTCHAs use it. Some DEX interfaces use it for charts. Block canvas and stuff stops working.
Two, and this is the bigger issue - blocking canvas is itself a fingerprint. Something like 0.03% of real users block canvas API access. If you're in that tiny group, congratulations, you just made yourself extremely identifiable. You traded one fingerprint for a worse one.
The noise injection approach
Better idea: don't block canvas. Let it work. But modify the output slightly.
This is noise injection. Before toDataURL() returns its data, you intercept it and tweak a few pixel values by imperceptible amounts. The drawn image looks identical to the human eye but produces a different hash.
Sounds perfect, right? Well, there's a catch.
If you inject random noise every time a site checks your canvas, you create a new problem. Legitimate computers produce the same canvas output every time. If a site runs the canvas test three times in one page load and gets three different hashes, that's a massive red flag. Normal users don't have fluctuating hardware. Only people running anti-fingerprint tools do.
I've seen some cheap antidetect extensions that do exactly this. Random noise per call. It's worse than doing nothing because now you're not just fingerprintable - you're flagged as actively trying to evade detection.
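The repeated-read check described above, seen from the site's side, as an added example that is not code from the original post. It also covers the blank output that blocking produces. The readCanvas callback, the verdict names and the sample strings are assumptions made for illustration.

```javascript
// Added example, not code from the original post. readCanvas is an assumed
// callback; in a browser it would draw the test scene and return canvas.toDataURL().

// 32-bit FNV-1a keeps the example dependency-free; any stable hash would do.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Read the same canvas several times and classify the result.
// blankOutput is what an untouched, empty canvas of the same size returns.
function checkCanvasConsistency(readCanvas, blankOutput, rounds = 3) {
  const hashes = [];
  for (let i = 0; i < rounds; i++) {
    let out;
    try {
      out = readCanvas();
    } catch (err) {
      return { verdict: "blocked", hashes }; // the call itself was denied
    }
    if (!out || out === blankOutput) return { verdict: "blocked", hashes };
    hashes.push(fnv1a(out));
  }
  const distinct = new Set(hashes).size;
  return { verdict: distinct === 1 ? "consistent" : "per-call-noise", hashes };
}

// Constructed stand-ins for canvas reads (placeholder strings, not real pixels).
const BLANK = "data:image/png;base64,CONSTRUCTED-BLANK";
const DRAWN = "data:image/png;base64,CONSTRUCTED-DRAWN";
let calls = 0;
const SAMPLE_READERS = {
  unmodified: () => DRAWN,                    // same bytes on every read
  blocking: () => BLANK,                      // extension returns an empty canvas
  perCallNoise: () => DRAWN + "~" + calls++,  // output changes on every read
  fixedPerProfile: () => DRAWN + "~profile",  // altered, but identical every read
};

function runSamples() {
  const verdicts = {};
  for (const [name, read] of Object.entries(SAMPLE_READERS)) {
    verdicts[name] = checkCanvasConsistency(read, BLANK).verdict;
  }
  return verdicts;
}
```

A "consistent" verdict only says the output did not change between reads, so this check on its own separates per-call noise and blocking from everything else.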
Seed-based deterministic noise
The proper solution is deterministic noise. You pick a seed value per browser profile. That seed feeds into a pseudo-random number generator that determines exactly which pixels get modified and by how much.
Same seed, same modifications, same canvas hash. Every time. Consistent like a real device would be, but producing a unique fingerprint that's different from your real one and different from your other profiles.
Profile A has seed "abc123" and always produces canvas hash X. Profile B has seed "def456" and always produces canvas hash Y. Both look like real devices with real hardware. Neither matches your actual canvas fingerprint.
This is what Raven Wallet does with its browser profiles. Each profile gets a unique fingerprint seed at creation. Every canvas operation in that profile gets deterministic noise applied based on that seed. Consistent across page loads, across sessions, across reboots.
Beyond just canvas
Canvas isn't the only rendering-based fingerprint. There's also:
WebGL fingerprinting. Similar concept but using 3D rendering. Your GPU reports its vendor and renderer string through WebGL, and the rendered output of 3D operations varies per device.
AudioContext fingerprinting. Your browser's audio processing pipeline has measurable characteristics. Process a signal through an oscillator and compressor, read the output. Different hardware, different output.
ClientRects fingerprinting. How your browser calculates the bounding boxes of HTML elements varies by font rendering engine and display scaling.
Each of these follows the same pattern as canvas. Legitimate API, slightly different output per device, hashable into a fingerprint. And each one needs the same solution: deterministic noise, not blocking, not random changes.
If you're only spoofing canvas but ignoring WebGL and audio, you've still got two other high-entropy fingerprint vectors linking your profiles. It's why the antidetect approach needs to be comprehensive. Half-measures get you flagged faster than doing nothing.
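How an analytics pipeline can link wallets on any shared rendering signal, not just canvas, as an added example that is not code from the original post or from any named analytics firm. The session records, field names and hash values are constructed for illustration.

```javascript
// Added example: cluster wallets that share any rendering-based fingerprint hash.
// All records are constructed; the field names are assumptions.
const SESSIONS = [
  { wallet: "0xA1", canvas: "c-111", webgl: "g-777", audio: "a-500" },
  { wallet: "0xB2", canvas: "c-111", webgl: "g-777", audio: "a-500" }, // same browser as 0xA1
  { wallet: "0xC3", canvas: "c-999", webgl: "g-777", audio: "a-500" }, // only canvas differs
  { wallet: "0xD4", canvas: "c-404", webgl: "g-202", audio: "a-303" }, // unrelated device
];

// Union-find over wallets: two wallets are merged when any chosen signal matches.
// Identical hardware and software can produce equal hashes, so a shared value
// is evidence to weigh with other signals, not proof on its own.
function clusterWallets(sessions, signals = ["canvas", "webgl", "audio"]) {
  const parent = new Map(sessions.map((s) => [s.wallet, s.wallet]));
  const find = (w) => {
    while (parent.get(w) !== w) {
      parent.set(w, parent.get(parent.get(w))); // path halving
      w = parent.get(w);
    }
    return w;
  };
  const firstSeen = new Map(); // "signal:value" -> first wallet seen with it
  for (const s of sessions) {
    for (const sig of signals) {
      if (!s[sig]) continue; // signal missing for this session
      const key = `${sig}:${s[sig]}`;
      if (firstSeen.has(key)) parent.set(find(s.wallet), find(firstSeen.get(key)));
      else firstSeen.set(key, s.wallet);
    }
  }
  const groups = new Map();
  for (const s of sessions) {
    const root = find(s.wallet);
    if (!groups.has(root)) groups.set(root, []);
    if (!groups.get(root).includes(s.wallet)) groups.get(root).push(s.wallet);
  }
  return [...groups.values()]
    .map((g) => g.sort())
    .sort((a, b) => a[0].localeCompare(b[0]));
}
```

On the constructed data, clustering on canvas alone leaves 0xC3 on its own, while adding WebGL and audio pulls it into the same cluster as 0xA1 and 0xB2.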
What the ad networks know
Google, Meta, and basically every major ad platform uses canvas fingerprinting. It's been documented extensively. They combine it with dozens of other signals to build persistent user profiles that survive cookie deletion, browser restarts, even device changes in some cases.
The same technology has been adopted by crypto analytics firms for Sybil detection. If your wallets share a canvas fingerprint, they share an identity. Doesn't matter what the on-chain data looks like.
Gonna be honest, when I first started looking into this stuff I thought people were being paranoid. Then I checked my own canvas fingerprint on amiunique.org. Unique among their entire sample. One data point. One API call. Uniquely me.
Check yours. And if you're running multiple wallets through the same browser, maybe reconsider that setup.