Canvas fingerprinting is one of the most widely used tracking techniques on the web, and one of the most clever. It identifies your device not by anything stored, but by how it draws.
The trick: draw something, then read it back
Every browser can draw graphics and text onto a "canvas" — a drawing surface used for charts, games and effects. Canvas fingerprinting abuses this. A tracking script asks your browser to draw something specific — usually a line of text in particular fonts, sometimes shapes and colours — onto a canvas you never see, because it is never displayed. Then it reads the result back, pixel by pixel.
Why the result differs between devices
Here is the part that makes it work. Drawing that same instruction does not produce a byte-for-byte identical image on every device. The exact pixels depend on your GPU, your graphics drivers, your operating system, the fonts installed, and how each of those handles things like anti-aliasing and sub-pixel rendering. The differences are tiny — invisible to a human — but they are real and measurable. The script reduces the pixel data to a short hash, and that hash is your canvas fingerprint.
Why it is effective
Canvas fingerprinting is popular with trackers for concrete reasons. It stores nothing on your device, so there is no cookie to clear and nothing to "delete." It is stable — the same device tends to produce the same result over and over, because the underlying hardware and software do not change often. And it is invisible: the drawing never appears on screen, and the whole process takes a fraction of a second. You cannot tell it happened.
How it fits with other signals
On its own, a canvas fingerprint is one strong signal. Trackers combine it with the others — screen size, time zone, fonts, WebGL rendering — to build a fuller browser fingerprint. Canvas is valued because it leans on the graphics stack, which varies a lot between devices and is hard to fake convincingly.
How to defend against it
The defences are the same as for fingerprinting generally, applied to this technique. Anti-fingerprinting browsers handle canvas specifically: some add a tiny amount of random noise to canvas readback, so the fingerprint changes each time and cannot be matched; others make all their users return a uniform result. Some privacy extensions block or spoof canvas readback. As always, the goal is not to have no canvas output — it is to stop that output from being a stable, unique identifier.
The takeaway
Canvas fingerprinting identifies your device by asking your browser to draw a hidden image and measuring the tiny rendering differences your specific hardware and software produce. It stores nothing, it is stable, and it is invisible — which is exactly why clearing cookies does nothing against it. The real defence is a browser or extension built to disrupt the canvas readback itself.