What is browser fingerprinting?
Browser fingerprinting is a tracking technique that identifies you based on the unique combination of technical characteristics your browser exposes when you visit a website — without storing anything on your device. No cookies. No login required. No permission prompt.
The concept was first documented publicly by the Electronic Frontier Foundation (EFF) in 2010. Their research found that the combination of browser settings, installed fonts, screen properties, and timezone was unique enough to identify 1 in 286,777 browsers. Modern fingerprinting techniques are significantly more sophisticated.
When you load a webpage, your browser automatically shares dozens of data points with the server: your operating system, browser version, screen size, colour depth, timezone, language preferences, and more. Individually these signals are unremarkable. Combined, they form a fingerprint that is often unique to a single device.
Unlike cookies: Browser fingerprinting requires no storage on your device, persists through private browsing mode, survives cookie deletion, and cannot be blocked by standard cookie opt-out controls.
How fingerprinting works — the signals used
Fingerprinting scripts run silently in JavaScript and collect signals across several categories:
Basic browser signals
These are the simplest signals — your browser version, operating system, screen resolution, colour depth, device pixel ratio, and the list of supported MIME types and plugins. Alone they're not unique. Combined with behavioural signals, they narrow the field substantially.
Canvas fingerprinting
The most widely used advanced technique. A script draws an invisible image using the HTML5 Canvas API, then reads back the pixel data. Because different operating systems, graphics cards, and anti-aliasing engines render fonts and shapes slightly differently, the resulting pixel data varies between devices. The hash of that pixel data becomes a stable device identifier.
WebGL fingerprinting
Similar to canvas fingerprinting but uses the WebGL API to render 3D graphics. The GPU model, driver version, and graphics configuration all affect the rendering output. WebGL fingerprints are highly stable across browser sessions and even across different browsers on the same machine.
Font detection
Browsers can be queried to check which fonts are installed on the operating system. The list of installed fonts is surprisingly unique — particularly on Windows where users may have installed obscure fonts from older applications. A set of 500 common font checks can reliably distinguish most device configurations.
Audio context fingerprinting
The Web Audio API can be used to generate an audio signal and measure how the device's audio processing hardware handles it. Subtle differences in floating-point arithmetic between different hardware and OS combinations produce a stable numeric fingerprint.
Behavioural signals
More advanced fingerprinting systems also track how you move your mouse, how fast you type, and how you scroll — patterns that remain consistent for a given person across different devices and browsers.
| Signal | Method | Uniqueness | Blockable? |
|---|---|---|---|
| User agent | HTTP header | Low | Yes (spoofed) |
| Screen resolution | JavaScript | Medium | Partially |
| Canvas rendering | Canvas API | Very high | Partially (noise) |
| WebGL renderer | WebGL API | Very high | Partially (noise) |
| Installed fonts | JavaScript | High | Yes (blocked in Firefox) |
| Audio context | Web Audio API | High | Partially (noise) |
| Timezone + language | JavaScript | Medium | Yes (VPN + locale) |
Who uses browser fingerprinting — and why
Browser fingerprinting is used across a wide range of industries:
Advertising networks
Ad tech companies use fingerprinting to track users across websites after privacy legislation (GDPR, CCPA) made cookie-based cross-site tracking legally risky. Fingerprinting sidesteps consent requirements because it doesn't store data on the user's device. Studies have found fingerprinting scripts on roughly 25% of the top 10,000 websites.
Fraud detection
Banks and e-commerce platforms legitimately use fingerprinting to detect account takeovers. If a login attempt comes from a device with a completely different fingerprint than all your previous sessions, it's flagged as potentially fraudulent. This is a genuine security benefit of the same technology used for tracking.
Content protection and DRM
Some streaming services use device fingerprinting to enforce geographic licensing restrictions and detect account sharing — associating multiple simultaneous streams with different device fingerprints.
Paywall bypass detection
News sites with metered paywalls use fingerprinting to detect users who clear cookies to reset their free-article count. Even after clearing cookies, the same device fingerprint is recognised and the counter is not reset.
How to reduce your browser fingerprint
Complete fingerprint elimination is nearly impossible — the more you try to block individual signals, the more unusual your browser becomes, which can actually make you more identifiable. The effective strategy is to blend in, not to go dark.
Use Firefox with fingerprinting protection enabled
Firefox's Enhanced Tracking Protection (set to Strict mode) blocks known fingerprinting scripts and adds noise to Canvas, WebGL, and Audio API outputs. Go to Settings → Privacy & Security → Enhanced Tracking Protection → Strict.
Use the Tor Browser
The Tor Browser is purpose-built to make all users look identical. It standardises screen resolution, disables JavaScript APIs that leak hardware details, and routes traffic through the Tor network to also hide your IP. The trade-off is significantly slower browsing speeds.
Use Brave Browser
Brave adds random noise to Canvas, WebGL, and Audio API outputs by default, making each page load return a slightly different fingerprint value. This prevents stable identification over time without breaking most website functionality.
Install uBlock Origin
uBlock Origin with its default filter lists blocks many known fingerprinting scripts from ad networks. Enable the Privacy filter lists for broader coverage.
Use a VPN
A VPN doesn't block fingerprinting directly, but it hides your IP address and therefore prevents fingerprinting scripts from correlating your fingerprint with your real IP. See our guide to hiding your IP address for setup instructions.
Avoid installing unusual software and fonts
Niche fonts and software install unusual system fonts and GPU drivers that make your fingerprint rare. The fewer unusual fonts you have, the more common your fingerprint profile is — making it harder to single you out.
Private browsing mode does not help. Incognito / Private mode prevents cookie storage and browsing history on your device — but your browser still exposes all the same hardware and software signals to websites. Fingerprinting works identically in private mode.
Common questions
Is browser fingerprinting illegal?
In most jurisdictions, browser fingerprinting for cross-site tracking requires explicit consent under GDPR (EU) and similar laws. In practice, enforcement has focused mainly on cookies, and many fingerprinting implementations operate in a legal grey zone. Some countries classify fingerprinting data as personal data requiring consent; others do not. The legal landscape is still evolving.
Does a VPN stop browser fingerprinting?
A VPN hides your IP address but does not change your browser fingerprint. A tracker that has already linked your fingerprint to your identity will continue to recognise you even with a VPN active. VPNs and fingerprint protection complement each other — use both for stronger privacy.
Does clearing cookies stop fingerprinting?
No. Cookies and fingerprinting are separate tracking mechanisms. Clearing cookies removes stored identifiers from your device, but fingerprinting doesn't store anything on your device — it reads your hardware and software characteristics in real time. A tracker that uses fingerprinting will re-identify you immediately after you clear your cookies.
How unique is my browser fingerprint?
Studies by the EFF and academic researchers have consistently found that 80–90% of browsers produce a fingerprint unique enough to identify them among millions of samples. The EFF's Cover Your Tracks tool (coveryourtracks.eff.org) lets you test your own browser's uniqueness.
Start with the basics: hide your IP
A VPN doesn't stop fingerprinting — but it's the first layer of online privacy and prevents IP-based tracking. Learn how to set one up in under 5 minutes.