How does HTML5 Canvas uniquely identify a device?

I noticed that when using the Tor browser, some websites request my HTML5 canvas permission. At this point, the Tor browser warns me that this can uniquely identify my device.

I find this very concerning. How does it uniquely identify my computer?

If I have two devices of the same model, with the same chip, running the same version of the operating system and the same version of the browser, would their data be exactly the same? Or would there be differences?

If their data is different, what causes this difference? Would system updates and browser upgrades change this identifier? Would switching to a different browser change this identifier? Would using virtual machines with different operating systems change this identifier?

I’m feeling anxious about this. If you know the answers, please let me know. Thank you very much for your help.

After reading this, I still have a question: Is this like a device serial number that is unchangeable, or is it possible to change with updates to my browser or operating system?

Why post an AI answer? Here’s an explanation from a website that actually fingerprints you: Canvas Fingerprinting - BrowserLeaks

No, it’s very changeable. In fact, browsers like the Tor Browser can randomize your canvas fingerprint and essentially eliminate it as a fingerprinting vector. Firefox, Safari, Brave, etc. can do this with certain settings enabled.


The mere fact that your canvas fingerprint is random is fingerprintable in and of itself. The only situation in which it’s not is when, e.g., you use something like the Tor Browser, since that is intentionally configured/designed in a way that all Tor Browser installations look the same and have the same fingerprint.

It’s a feature in the actual browsers and it’s turned on by default for private tabs in most of them, so there’s a large group of people already using randomized canvas fingerprints. So what’s the problem here? I would agree with you if it was some extension like CanvasBlocker that only a small subset of users have installed. The goal isn’t for them all to have the same fingerprint, it’s for each user to have a unique fingerprint every time they visit the site so it can’t be used to persistently identify you.
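Added example, not part of any post in this thread and not any browser's actual implementation: a small model of the three canvas readback behaviours discussed above (no protection, per-session randomization, and the "same for everyone" approach), showing which of them let a hash of the pixels persist across visits. The pixel generator, the `deviceQuirk` value, the noise scheme and all function names are assumptions made for illustration.

```javascript
// Constructed model of the three readback behaviours discussed in the thread.
// Everything here is hypothetical: no real canvas is drawn, no browser is queried.

// FNV-1a, a small stand-in for the hash a site would compute over the pixel data.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) h = Math.imul(h ^ b, 0x01000193) >>> 0;
  return h.toString(16).padStart(8, "0");
}

// mulberry32: deterministic PRNG so a "session" can be replayed from its seed.
function prng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (s + 0x6d2b79f5) >>> 0;
    let t = Math.imul(s ^ (s >>> 15), s | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Same drawing commands everywhere; deviceQuirk stands in for GPU, driver and
// font-rendering differences that shift a few pixel values (assumed model).
function renderPixels(deviceQuirk) {
  const px = new Uint8Array(64 * 4); // 64 RGBA pixels
  for (let i = 0; i < px.length; i++) {
    px[i] = (i * 37 + (i % 7 === 0 ? deviceQuirk : 0)) & 0xff;
  }
  return px;
}

// mode "none": raw pixels; "randomize": flip low bits using a per-session seed;
// "uniform": every installation returns the same blank buffer.
function readback(pixels, mode, sessionSeed = 0) {
  if (mode === "uniform") return new Uint8Array(pixels.length);
  if (mode !== "randomize") return pixels;
  const rand = prng(sessionSeed);
  return pixels.map((v) => (rand() < 0.1 ? v ^ 1 : v));
}

function fingerprint(deviceQuirk, mode, sessionSeed) {
  return fnv1a(readback(renderPixels(deviceQuirk), mode, sessionSeed));
}

// Device A (quirk 3) in sessions 1 and 2, then device B (quirk 5) in session 1.
for (const mode of ["none", "randomize", "uniform"]) {
  console.log(mode, [[3, 1], [3, 2], [5, 1]].map(([d, s]) => fingerprint(d, mode, s)));
}
```

With "none" the first two hashes match and the third differs, with "randomize" all three differ, and with "uniform" all three match.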

That’s a false assumption. You could enable all cookies and tracking and be less fingerprintable, but you will be the average Joe – and therefore 100% tracked.

This is the main point which people overlook. Fingerprinting is one of the tracking methods, and is useful for companies when you try to avoid other tracking approaches.
If you sign in to your Google account in Chrome on Android, Google does not need to fingerprint you.
If you sign into the websites in Chrome, they already know who you are. No fingerprinting needed.

Citing Arkenfox,

you do nothing on desktop, you are already uniquely identifiable - screen, window and font metrics alone are probably enough - add timezone name, preferred languages, and several dozen other metrics and it is game over. Here is a link to the results of a study done in 2016 showing a 99.24% unique hit rate (and that is excluding [IP addresses]