A New Form of Online Tracking: Canvas Fingerprinting
New submitter bnortman (922608) was the first to write in with word of "a new research paper discussing a new form of user fingerprinting and tracking for the web using the HTML 5 <canvas> ." globaljustin adds more from an article at Pro Publica: Canvas fingerprinting works by instructing the visitor's Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user's device a number that uniquely identifies it. ... The researchers found canvas fingerprinting computer code ... on 5 percent of the top 100,000 websites. Most of the code was on websites that use the AddThis social media sharing tools. Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish. ... Rich Harris, chief executive of AddThis, said that the company began testing canvas fingerprinting earlier this year as a possible way to replace cookies ...
Is that what it is come down to? (Score:3, Funny)
Re:Is that what it is come down to? (Score:4, Funny)
They're already tracking you by your termcap.
Re: (Score:2)
Re: (Score:2)
links FTW, bitches!
(...then again, it would seem rather trivial to make/create an extension that blocks or modifies the canvas tag contents, no?)
Re: (Score:2)
Note that it's not loading images, it's creating a new image.
Identical devices (Score:2)
I can see the privacy implications this has, but how in the world would such a method successfully discern between 2 identical devices?
Re: (Score:2)
Especially in corporate environments it's rather common to buy devices in bulk. They are often maintained by IT staff, ensuring the software stack installed on it is identical as well. Not to mention the external IP addresses.
Re: (Score:2)
It doesn't. It also has trouble detecting two identical versions of Firefox. This only really works as a few more bits to existing fingerprint frameworks.
Re:Identical devices (Score:5, Informative)
It looks like the technical details would be found in this link: http://cseweb.ucsd.edu/~hovav/... [ucsd.edu]
In that first article the CEO of AddThis says that "It's not uniquely identifying enough" and the guy who originally developed it says it's only 90% accurate.
Re: (Score:2)
Re: (Score:1)
It can't. But that doesn't make it useless. There's a lot of variety out there. In a test out of 200 and some samples, it comes up with over a hundred different fingerprints.
It could be used if you want to differentiate when a known user (via account or other method) is using different devices. As a user is extremely unlikely to use 2 separate but identical computers.
It could be used in combination with other fingerprinting techniques to get closer to cookie levels of ID.
You might not care whether you get d
Re: (Score:2)
As a user is extremely unlikely to use 2 separate but identical computers.
Not even two iPads in a household?
Re:Identical devices (Score:5, Interesting)
I can see the privacy implications this has, but how in the world would such a method successfully discern between 2 identical devices?
I work with marketing software on and off. There are thousands of data points collected when you visit a site that cares enough to ID you. This would be just one. If this ID narrows the device down to 10 or so... and they also have date stamps, general location data based on your IP, browser type, etc? They can ID you specifically, pretty easily. I've not seen this particular method come up myself... in fact, most of the time the ways the marketing software ID's you is irrelevant to the site owner. They just buy the software and install it. Done. The general doesn't care that there's 1 new landmine in his arsenal when he's already blanketed the field with thousands of them.
Also, you need to understand the goal here... they don't care who you are. They just want to know that you are visitor 52467, and all the other times you were here you looked at products X, P and Q so they can display more information on those products. They also salt the site with "Free" offers that all you need to claim them is to input your contact information. Once you do that they link that contact information to your browsing history and shoot it over to a salesman and/or send you a personally designed advertisement to your email.
This may all sound dumb and horribly invasive... but it's amazingly successful. There is absolutely no way these companies would give it up voluntarily. Many of them wouldn't be in business without that sort of data... I'm not even sure you'd like it if it were gone. Getting ads is annoying, getting ads for African American hair styling products when you're a redhead is infuriating. Targeted ads are a good thing, it's the completely unaddressed side effects of that data collection that's a problem.
What needs to happen is laws governing how long the data can be kept need to be passed. As of now, it's kept forever as far as I know... because... well, why not? And who the data is shared with needs to be regulated. The intercooperation of these companies is pretty scary. Amazon should not know what I'm searching for on WebMD, and the fact of the matter is, as of now, pretty much every major site you visit is sharing data with every other site you visit for mutual profit. This likely includes government websites. I've seen the marketing companies brag about their government contracts so that's a tad scary. Lastly, pretty much all regulation is not-so-cleverly avoided by simply changing the tech. The regulation needs to be broad and easy to understand. As of now they do things like "Well, that's not a person, that's a device!" or "Is that really data?" etc... Bill Clinton word style play shouldn't absolve you of negligence.
No it is not infuriating (Score:3)
No it isn't for most people, because we got used to this a LOT with TV. TV nearly never showed us advertising targeted for us specifically but more to a watcher class. But you know to whom it is infuriating to not target ads? Marketing people. Because targeted ads mean a better probability to transform an ad into a sale. In fact if marketing people could totally break our privacy and pu
Re: (Score:2)
Well, that is perfect. I prefer to NEVER buy any product I see advertised. If they waste money on that, their products must not be good enough to sell on their own, or the competition can sell better products cheaper because they don't waste money on ads. As such I prefer ads for stuff I would never buy, make it too targeted and shopping becomes ... difficult.
Re: (Score:2)
So says you.
I don't give a shit about someone's ads, targeted or not. I'm not interested in them, and I will block them at every chance I get, as well as the ability to collect enough information to target me.
You want to let them give you targeted ads, fine, no problem. That's your choice.
I trust neither regulators to get this right (because so far their ability to regulate anything technology related is abysmal), nor do I trust the corporations to not try to ignore it.
If they
Re: (Score:2)
I think you're missing the point.
The targeted ads may or may not be a problem. Fine...
But there is a very clear and obvious bad side to this, even if you want targeted ads, I doubt you want geocities to be still retaining the data on how you trafficked that Herpes treatment site back in 1997. The company has no financial interest in keeping that data, but why delete it? They've no cause to...
So often we get so caught up in "the principle" of an issue we completely miss easy opportunities to remedy 99%
Re: (Score:2, Insightful)
Well, the other real issue here, is that such fingerprinting is in place specifically to work around the "limitations" of cookies.
Which are those "limitations"? That users can delete them. Honestly, most of the people I've dealt with when they ask for "better" fingerprinting cite that very cause. Not that cookies are per-browser and not per-user (which is what they want to track and what would be understandable at least). Not that cookies don't work with embedded devices. Not all those real limitations, but
Re: (Score:2)
they don't care who you are.........They also salt the site with "Free" offers that all you need to claim them is to input your contact information. Once you do that they link that contact information to your browsing history and shoot it over to a salesman and/or send you a personally designed advertisement to your email.
So in other words, they very much care who I am.
Getting targeted ads is creepy. It's like having my own 24/7 personal stalker. I notice the advertisers often aren't that anxious to share their own details with me. Too often, they can't even manage to be honest about the products they're advertising.
I would rather get ads for irrelevant products and services. Or just ads that are relevant in a generic sort of way based on a few demographic observations.
Re: (Score:2)
Well, the easier solution is not to give them the option. It's also a lot more failsafe, since people *will* break a law, but *will not* do things that are impossible/too difficult/too expensive.
Targeted
Re: (Score:2)
Getting ads is annoying, getting ads for African American hair styling products when you're a redhead is infuriating.
Well, lots of things infuriate them; after all, you know, redheads. Maybe they should be targeted for anger management advertising instead?
Re: (Score:2)
In other words, digital marketing is a con. It's conning business into paying for technology.
Re: (Score:2)
it doesn't need to.
they only need to be able to claim it does to the chaps buying the service.
so expect some unexpected spam any day now!
Privacy Badger (Score:5, Informative)
I guess this is probably the best place to plug privacy badger https://www.eff.org/privacybad... [eff.org] (although I'm not sure if it would defeat this... noscript + privacy badger?)
I just learned about privacy badger 2 days ago at HOPE.
Re:Privacy Badger (Score:4, Informative)
Yes, Privacy Badger is a great tool. It's a little tedious when loading content from CDNs, can make pages look pretty bad unless you let a little tracking in... So I also keep my privacy set to delete everything when I close the browser. I also follow the guidelines here [debian.org] (scroll down to the Web Browser section). It's Debian specific but easily translated to whatever Mozilla based browsing experience you're using.
As mentioned in the HowTo you can check your "fingerprint" here: https://panopticlick.eff.org/ [eff.org].
And all that said, I have no idea at the moment if any of the above defeats the technique from TFA.
Re: (Score:2)
Although a bit of a long read, the article about the data collected and what the stats mean is pretty helpful. And unique among 4.3M is pretty bad. It means you are easy to identify and track.
What the results mean (PDF): https://panopticlick.eff.org/b... [eff.org]
Re: (Score:2)
Mine says: "Your browser fingerprint appears to be unique among the 4,310,202 tested so far."
Oh bugger indeed.
But seriously it's always been like that whenever I've tried it - even without the huge fingerprinting effect of the browser plugin reporting (I tried it with a completely fresh OS installation), in many cases just the combination of user agent and screen size - both reported in the HTTP headers - is unique. You might possibly blend in using some version of IE on Windows 7 on a 1024x768 or 1080p di
Re: (Score:1)
It doesn't solve the problem as yet. From the FAQ:
"Currently, Privacy Badger does not prevent browser fingerprinting, of the sort we demonstrated with the Panopticlick project. But we will be adding fingerprinting countermeasures in a future update!"
Also it only supports Firefox and Chrome.
Torbrowser however does prevent canvas fingerprinting.
Re: (Score:2)
I am an online advertising / tracking company. How do I stop Privacy Badger from blocking me? ...
If copies of Privacy Badger have already blocked your domain, you can unblock yourself by promising to respect the Do Not Track header in a way that conforms with the user's privacy policy.
Riiight, because the kind of scumbags who actively develop techniques to get around user preferences are the kind who would never "promise to behave this time, honest!".
If the EFF is that naive, I don't have much faith that I can count on their tool.
Yet another reason to turn off Ecmascript (Score:1)
Re: (Score:1)
You'll do precious little on the internet without Javascript.
Re: (Score:2)
But being able to selectively disable it and block certain sites definitely helps.
You don't need to run the scripts for each of the 15 or so trackers in every page, just the ones which actually are needed.
Admittedly, in a few cases, they've made it more or less impossible to do anything unless you allow the 3rd parties.
In that case, the back button works just fine.
Re: (Score:2)
People who have Javascript disabled are the Amish of the internet.
Re:Yet another reason to turn off Ecmascript (Score:4, Insightful)
Yeah, but the Amish also don't receive telemarketing calls or email spam.
Re: (Score:2)
Lucky bastards.
Re: (Score:2)
Amish dude: "What be with yon multitude of new converts??"
Re: (Score:2)
So no, people that do not allow javascript are not much like the Amish of the internet. We are more like the 'people who know how to use condoms' of the internet.
Re: (Score:2)
But the Amish *do* use technology: hammers, nails, rakes, plows, et cetera are all technology.
We are more like the 'people who know how to use condoms' of the internet.
The most effective way of spreading your beliefs is to preach *not* to use condoms.
This can be confirmed by many religious leaders.
Just sayin.
Re: (Score:2)
Not really. The Amish reject technology across the board, whether useful or not.
Actually, at least for a lot of Amish this isn't the case. For example, many Amish communities will have phones. They may relegate them to emergency and/or communal space use because they don't think it's good for private family time to be disrupted by a phone call. They reject grid power but do use batteries and generators. They use LED flashlights and buggy lights rather than burning lamps in many cases. They use cash registers, alarm clocks, and even power tools to some extent.
Sure, they are a lot m
Re: (Score:2)
Michigan Amish also have TV sets and Dish TV. I see the dishes cleverly mounted to try and hide them.... The amish are not as pure as they want you to believe.
Re: (Score:2)
The Amish don't reject technology so much as they reject being dependent on outsiders. This has historically meant a limited use of technology, but the main beef isn't with technology itself.
Re: (Score:2)
"The Amish reject technology across the board, whether useful or not."
Clearly, cell phones are not technology.
Not a replacement for a cookie (Score:2)
And this ... (Score:2)
And this is why my browsers have as many privacy extensions as I can find.
AddThis is definitely one of the sites which are blocked.
If you let your browser load all of this crap, you are more or less asking for this garbage.
I don't care about your business model, I'm simply not going to allow your crap to load.
Re: And this ... (Score:3, Funny)
NSA Guy 1: Hey, there's that one guy that shows up as a black hole on the Internet.
NSA Guy 2: He is up a little early, isn't he?
NSA Guy 1: Yeah, he usually doesn't post his slashdot privacy rants until after browsing those "furry" sites for a half hour or so.
NSA Guy 2: He must not be in the mood.
Re: (Score:2)
Oh, I very much doubt I'm anywhere near as successful as that.
Only on weekends or when the wife is out of town.
Seriously though, it's your privacy. Nobody else is gonna protect it for you.
Re: (Score:2)
NoScript blocks it, according to its creator (Score:1)
Giorgio Maone says NoScript blocks "canvas" tracking:
https://twitter.com/ma1/status... [twitter.com]
Why does this work (Score:3)
Re: (Score:3)
Re: (Score:2)
yes, but, there are so many layers that are supposed to smooth the hardware difference:
Re: (Score:2)
Can't draw a circle on a square grid (Score:2)
if I ask JavaScript to draw a circle with (x,y) center and r radius
This is impossible to do exactly on a square grid of pixels. All a raster device can do is approximate a circle. Edge anti-aliasing is underspecified, I believe deliberately, to allow devices to implement the most appropriate AA method for the platform.
But I still think that software results that are independent of external input should not vary from one hardware to another. There is only one good output for a deterministic software function when always providing the same input.
And then we're back to the slowness and increased battery consumption of software rendering. Should all browsers default to a bit-perfect reference renderer and require the use of obscure configuration interfaces to enable hardware acceleration?
Imagine the horror if different processors would return different values when computing 1/0.999 just because they have different hardware
Before the sta
Re: (Score:2)
Different drivers, OS's, web browsers, GPU's etc all have slight effects when asked to render something onto the canvas.
So what you are telling me, is the best way to be anonymous on the internet is to install a new video card each week? Perfect!
Re: (Score:2)
Hell, there are even bugs* that have 100% different failure states on ATI vs. NVidia cards. All ATI cards default to white, NVidia cards to black**
*For example, rendering a NULL texture
** May be backwards
Re: (Score:2)
The claim of 90% accuracy for PCs is shockingly, quite high... But if tablets & mobile devices have problems with this
Rounding differences (Score:3)
I'm more curious about why "different computer draws the image slightly differently".
Slight rounding differences, shape edge antialiasing behavior, font antialiasing behavior, installed fonts, and the like are the big ones I can think of. HTML5 Canvas behavior isn't specified down to the bit level.
Re: (Score:2)
I'm more curious about why "different computer draws the image slightly differently".
Slight rounding differences, shape edge antialiasing behavior, font antialiasing behavior, installed fonts, and the like are the big ones I can think of. HTML5 Canvas behavior isn't specified down to the bit level.
Maybe it should. Providing an API and saying "it kinda work like this, most of the time, your mileage may vary" doesn't sound very good.
Re: (Score:2)
Re: (Score:3)
That already exists - many formats specify practically subpixel accurate designs. E.g., PDF.
The thing is, HTML was never designed that way - it's a content-plus-format standard that says the content is marked up, and to provide some hints as to how to display it as the creator intended. But the user is free to override such choices as they see fit in case they don't
In the paper... (Score:1)
The easiest effective defense, then, is to simply require user approval whenever a script requests pixel data. Modern browsers already implement this type of security - for example, user approval is required for the HTML5 geolocation APIs. This approach continues the existing functionality of <canvas> while disallowing illegitimate uses, at the cost of yet another user-facing permissions dialog.
Does that sound like lack of common sense or...? I would imagine that the user is the most vulnerable link of the entire system. Permission dialogs never work as a security sanity check because people simply click ok/yes/agree most of the time. Or the web site can withhold data until the user agrees to pixel extraction.
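The approval gate from the quoted paper passage, sketched as an added example (not code from the paper, this thread, or any browser): readback calls are wrapped, and a refused call is answered from an untouched canvas of the same size, so every device returns identical bytes. `guardReadback`, its `policy` object and the `FakeCanvas` stand-in (used so the block runs under Node) are hypothetical names; in a browser the prototypes to wrap would be `HTMLCanvasElement.prototype` (`toDataURL`, `toBlob`) and `CanvasRenderingContext2D.prototype` (`getImageData`).

```javascript
// Wrap the methods that let a script read pixels back from a canvas.
// policy.approve(method, target) decides each call; a refused call is run
// against policy.blankLike(target), an untouched canvas of the same size,
// so the caller learns nothing about how this device renders.
// Returns a function that removes the wrappers again.
function guardReadback(proto, methods, policy) {
  const saved = new Map();
  for (const name of methods) {
    const original = proto[name];
    if (typeof original !== "function") continue; // method absent on this prototype
    saved.set(name, original);
    proto[name] = function (...args) {
      const allowed = Boolean(policy.approve(name, this));
      policy.log.push({ method: name, allowed });
      return original.apply(allowed ? this : policy.blankLike(this), args);
    };
  }
  return () => {
    for (const [name, fn] of saved) proto[name] = fn;
  };
}

// Constructed stand-in for a browser canvas so the example runs under Node.
// `quirk` models the device-specific rendering differences the thread discusses.
class FakeCanvas {
  constructor(width, height, quirk = 0) {
    this.width = width;
    this.height = height;
    this.quirk = quirk;
    this.ops = [];
  }
  fillText(text) {
    this.ops.push(text);
  }
  toDataURL() {
    // An untouched canvas reads back the same everywhere; a drawn one picks up the quirk.
    let h = this.ops.length ? this.quirk : 0;
    for (const ch of this.ops.join("\n")) h = (h * 31 + ch.codePointAt(0)) >>> 0;
    return `data:fake/${this.width}x${this.height};${h.toString(16)}`;
  }
}

// Draw the same constructed text on one "device" and read it back.
function readbackOn(quirk) {
  const canvas = new FakeCanvas(220, 30, quirk);
  canvas.fillText("constructed probe text");
  return canvas.toDataURL();
}

// Two devices, read back before and after the guard is installed.
function demoGuard() {
  const unguarded = [readbackOn(1), readbackOn(2)];
  const log = [];
  const restore = guardReadback(FakeCanvas.prototype, ["toDataURL", "toBlob"], {
    approve: () => false, // stand-in for a permission prompt the user declined
    blankLike: (c) => new FakeCanvas(c.width, c.height),
    log,
  });
  const refused = [readbackOn(1), readbackOn(2)];
  restore();
  return { unguarded, refused, log };
}

console.log(demoGuard());
```

The `log` array doubles as a record of which scripts attempted readback, which is the signal a blocker or audit would key on.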
It's not "new" (Score:3)
The paper "Pixel Perfect: Fingerprinting Canvas in HTML5" [ucsd.edu] by Keaton Mowery and Hovav Shacham is from 2012.
Re: (Score:2)
Were you trying to hide it from us? Or did you think we all read the same things you do?
For the future, what's the cutoff for new? 6 months? 1 month? What percentage of people can know something before it stops being new?
Oh, sod it. Quit yer bitchin.
Confusing things together (Score:5, Informative)
The research paper discusses two entirely different things: Canvas fingerprinting, and "Evercookies & Respawning", which are two entirely different things. Canvas fingerprinting is just another method of trying to determine which browser the user is running, by looking at differences in the way the canvas renders text and the like. "fingerprinting doesn’t work well on mobile" because of the homogeneous nature of mobile devices - 90% of iOS devices are running version 7.1, for example, so they are all using the same web browser version and rendering code, thus they are going to draw canvas fingerprints exactly the same. Nothing in the research article says anything about canvas fingerprinting being used to track people.
Now the other topic "Evercookies & Respawning" is about tracking users. That is using multiple storage vectors to try and keep users from deleting cookies. For example, using tiny hidden Flash apps which have their own caching, actual cookies, HTML5 persistent storage, embedding unique identifiers directly in the HTML so when the cached page is pulled up the identifier is once again active.
So at this point canvas fingerprinting isn't about tracking, but browser identification. The leap to "A New Form of Online Tracking: Canvas Fingerprinting", as described in the Pro Publica article:
A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.
First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.
Well that's completely wrong - the bold text should read "this type of tracking, called Evercookies & Respawning". The persistent tracking has nothing to do with the canvas fingerprinting. It's mainly due to Flash (which also explains why it too is ineffective on mobile devices).
linux live key? (Score:2)
what about a linux "live key" ? don't people use those to avoid cookies?
would it help in this situation?
Re: (Score:2)
No, it wouldn't.
This takes advantage of driver/hardware differences, and settings for graphics.
Therefore, unless you update the drivers/change your settings/change your hardware it will not block this.
That said, it shouldn't be that difficult to block; I mean, who uses the Canvas anyway?
Re: (Score:3)
NoScript or Ghostery already block AddThis. It's just JavaScript.
Re:So (Score:5, Informative)
Use the RequestPolicy [mozilla.org] addon in Firefox. It's a whitelist for allowing certain sites to load resources (of any kind) from other sites. If the pairing between the site you're on and another site is not explicitly added to RequestPolicy, nothing gets loaded (the request is not even made to begin with). It covers JS, CSS, images, anything.
IMO it's a more practical approach than NoScript, although not as ultra-secure.
In case you're wondering what's the difference between RequestPolicy and Ghostery:
Re: (Score:3)
There are those who say you need to use RequestPolicy and Ghostery and AdBlock and NoScript (and some other stuff, like a cookie blocker) to catch everything....
Re: (Score:2)
A small problem with Ghostery:
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
You can configure RequestPolicy to filter on full domain, then only allow requests explicitly to www.example.com, and not to domainclick.example.com.
But I did NOT have it configured that way, thank you for the heads up about this trick.
Not entirely clear. (Score:5, Insightful)
'Block' as in 'make this specific mechanism fail' is the relatively easy question. If the attacker can't manipulate a canvas element and read the result, it won't work. So the usual javascript blockers or more selective breaking of some or all of the canvas element (the TOR browser apparently already does this for methods that can be used to read back the contents of a canvas element, so you can still draw on one but not observe your handiwork) will do the job.
Unfortunately the attacker doesn't actually care about making your browser draw a picture, they care about achieving as accurate a UID as they can. Given that, you might actually make yourself more distinctive if your attempt to break a given fingerprinting mechanism succeeds. In the case of the TOR browser, for instance, attempts to read a canvas will always be handled as though the canvas is all opaque white. This does prevent the attacker from learning anything useful about font rendering peculiarities or other quirks of your environment's canvas implementation; but it's also a behavior that, for the moment at least, only the TOR browser has. Relatively uncommon. Possibly less common than the result that you'd receive from an unmodified browser.
That's the nasty thing about fingerprinting attacks. Fabricating or refusing to return many types of identifying information is relatively easy (at least once you know that attackers are looking for them); but unless you lie carefully, your fake data may actually be less common (and thus more trackable) than your real data.
Re: (Score:2)
In the case of TOR, the site already knows you're accessing from a TOR exit node. At that point, making your browser indistinguishable from every other instance of the TOR Browser is probably good enough.
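The rarity argument in the two comments above, worked through as an added example (not code from the thread or from any fingerprinting product): it counts how many visitors share a given set of attribute values, so a rare "blank" readback can be compared with a common real one, and shows the effect of a whole browser population returning the same blank value. The 1000-visitor population, the attribute names and the values `c-a`, `ua-1` and so on are all constructed.

```javascript
// Constructed population of 1000 visitors; every value here is made up.
// "blank" stands for what a canvas-blocking browser returns on readback.
function buildPopulation() {
  const canvasShare = [["c-a", 400], ["c-b", 300], ["c-c", 200], ["c-d", 95], ["blank", 5]];
  const uas = ["ua-1", "ua-2", "ua-3", "ua-4"];
  const screens = ["1920x1080", "1366x768", "1280x800"];
  const pop = [];
  for (const [canvas, n] of canvasShare) {
    for (let i = 0; i < n; i++) {
      pop.push({ canvas, ua: uas[i % 4], screen: screens[i % 3] });
    }
  }
  return pop;
}

// How many visitors share this visitor's values for the given attributes.
function anonymitySet(pop, visitor, attrs) {
  return pop.filter((p) => attrs.every((a) => p[a] === visitor[a])).length;
}

// Identifying information in bits: log2(population size / anonymity set).
function surprisalBits(pop, visitor, attrs) {
  return Math.log2(pop.length / anonymitySet(pop, visitor, attrs));
}

// The same population after every visitor matching `who` also returns "blank".
function adoptBlank(pop, who) {
  return pop.map((p) => (who(p) ? { ...p, canvas: "blank" } : p));
}

function compare() {
  const pop = buildPopulation();
  const typical = { canvas: "c-a", ua: "ua-1", screen: "1920x1080" };
  const blocker = { ...typical, canvas: "blank" }; // same machine, readback blocked
  const steps = [["ua"], ["ua", "screen"], ["ua", "screen", "canvas"]];
  const rows = steps.map((attrs) => ({
    attrs: attrs.join("+"),
    typical: anonymitySet(pop, typical, attrs),
    blocker: anonymitySet(pop, blocker, attrs),
  }));
  // Every "ua-1" browser now blanks its canvas, as one browser family might.
  const common = adoptBlank(pop, (p) => p.ua === "ua-1");
  return {
    rows,
    canvasBits: {
      typical: surprisalBits(pop, typical, ["canvas"]),
      blocker: surprisalBits(pop, blocker, ["canvas"]),
    },
    blockerAfterAdoption: anonymitySet(common, blocker, ["ua", "screen", "canvas"]),
  };
}

console.table(compare().rows);
```

In this constructed population the lone blocker ends up in an anonymity set of 1, while the same blank value shared by every `ua-1` browser puts it back among everyone with that user agent and screen size.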
Re: (Score:2)
Sounds like it's time for a major browser to implement a default feature (so it becomes common as of the next update):
"Return opaque white canvas unless the user instructs otherwise."
Because I can't think of any good reason why the default should be "Return valid canvas" (tho "Ask" might also be a good setting).
I foresee the next step being websites that refuse to speak to you until they receive something they think is a valid canvas... at that point we'd want to add "Return random canvas" where "random" me
More hosts than that... (Score:5, Informative)
Since the sites using this exploit are sorted by Alexa rank, I gave up looking after a while, but here are "the biggies":
127.0.0.1 addthis.com
127.0.0.1 ligatus.com
127.0.0.1 cloudfront.net
127.0.0.1 vcmedia.vn
127.0.0.1 cloudflare.com
127.0.0.1 kitcode.net
127.0.0.1 pof.com
127.0.0.1 shorte.st
127.0.0.1 ringier.cz
127.0.0.1 insnw.net
127.0.0.1 domainsigma.com
Not sure how seriously this would break things, but some are hosting the exploit on Amazon's cloud: 127.0.0.1 amazonaws.com
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
I don't know if it'll work on your particular system, but it's _supposed_ to be possible to represent IP addresses as a non-dotted decimal number, and '0' would be even shorter.
Re: (Score:2)
# Download: http://hosts-file.net/?s=Downl... [hosts-file.net]
Re: (Score:3)
blocking cloudfront is going to be a problem as it is a CDN from Amazon.
Re: (Score:2)
I'd be interested in code snippets that are shared by all the canvas fingerprinting implementations and unique to canvas draw.
I could nuke any script with that code and never think about it again.
Re: So (Score:5, Funny)
Noooo! Don't mention /etc/hosts, lest you summon ... him.
Re: (Score:2)
Re: (Score:3)
sudo echo '0.0.0.0 addthis.com' >> /etc/hosts
That would lead to a "Permission denied" error because the appending to file is done by the normal user.
Try instead: sudo sh -c "echo '0.0.0.0 addthis.com' >> /etc/hosts"
Re: (Score:2)
Only pussies use sudo.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2, Informative)
echo '0.0.0.0 addthis.com' | sudo tee /etc/hosts
also works.
That'll overwrite the whole file.
echo '0.0.0.0 addthis.com' | sudo tee -a /etc/hosts
will append.
Re: (Score:2)
Re: (Score:2)
And idiot webmasters need to stop loading their Javascript libraries from Google.
Then from whose shared CDN should webmasters load JavaScript libraries in order to become not idiots?
... until everyone does it (Score:2)
Re: (Score:2)
Re: (Score:2)
One might drag forth the "buggy manufacturers' argument": if your product is no longer needed or wanted, you can't force people to buy it.
Of course that would depracticalize a good deal of the Web, but point being that it's not a *right*. They can try to sell it to us, of course, but how invasive should they be allowed to become? At what point does their "making a living" become "at our expense" ??
The median user (Score:2)
At what point does their "making a living" become "at our expense" ??
Something becomes unacceptable to the median user at the point when 51 percent are fed up with it.
Re: (Score:2)
Real-time communication without JS (Score:2)
Webmail without JS is a trivial thing to implement.
In JS-free webmail, how would contact autocompletion work without having to resubmit the entire body text every time?
All website should provide base functionality without JS
"All" is a strong word.
Re: (Score:2)
A novel idea perhaps, but just maybe they should not try to push/throw everything into a webbrowser ?
In some cases, it's either deploy one JavaScript web app or deploy 15 native apps, one for each of 15 platforms. You can get the web app designed, implemented, tested, and deployed before you even become approved as a developer on half of those platforms.
If it's "unknown advertisement servers (Score:2)
Incompatibility with NoScript (Score:2)
Re: (Score:2)
So, a canvas randomizer is needed, isn't it? Or a means to get many, many machines to all appear identical.
Unfortunately, since this technique is almost certainly being used alongside a suite of others, it's tricky to know what tactic is most privacy-maximizing. Canvas randomization would ensure that your browser's canvas fingerprint does not remain stable; but if the attacker is able to determine that you are randomizing (by making multiple runs, possibly even from different domains, that ought to be identical but won't be if your canvas is randomized), that may also be a behavior distinctive enough to be useful