Browser Fingerprinting — What You Leak Without Knowing
You clear your cookies, use private browsing, and avoid logging into tracking-heavy sites. But websites can still identify you — or at least narrow you down to a very small group — using nothing but the properties your browser volunteers on every page load. This technique is called browser fingerprinting, and it works by combining dozens of seemingly innocuous signals into a profile that's often unique to you.
How fingerprinting works
Every time your browser loads a page, it sends and exposes a collection of properties: your screen resolution, installed fonts, timezone, language preferences, browser version, operating system, GPU model, and more. Individually, none of these are unique — millions of people use 1920×1080 screens. But the combination of all these properties together is often unique, or close to it.
Think of it like describing a person in a crowd. "Wearing a blue shirt" matches thousands of people. "Wearing a blue shirt, red shoes, glasses, and a watch on the left wrist" might match only one. Browser fingerprinting works the same way — stacking low-entropy signals until the combination has high entropy.
A fingerprint doesn't know your name. It creates a hash or identifier that's consistent across visits, allowing a tracker to say "this is the same browser we saw yesterday" without storing anything on your device.
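The stacking effect described above, as an added example that is not part of the original article: it measures, over a small constructed population, how many bits each extra signal contributes and how quickly the crowd around one browser shrinks. The population, the field names and the helper functions are assumptions made for illustration.

```javascript
// Constructed sample population: every combination of three two-valued signals,
// plus a colour depth that is identical for everyone (8 browsers in total).
const population = [];
for (const screen of ["1920x1080", "2560x1440"])
  for (const timezoneOffset of [300, -60]) // minutes, as getTimezoneOffset() reports
    for (const gpu of ["Intel UHD Graphics 620", "sample discrete GPU"])
      population.push({ screen, timezoneOffset, gpu, colorDepth: 24 });

// Shannon entropy (in bits) of the joint distribution of the chosen signals.
function entropyBits(browsers, signals) {
  const counts = new Map();
  for (const b of browsers) {
    const key = JSON.stringify(signals.map((s) => b[s]));
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / browsers.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Number of browsers that look identical to `target` on the chosen signals.
function anonymitySet(browsers, target, signals) {
  return browsers.filter((b) => signals.every((s) => b[s] === target[s])).length;
}

// Add signals one at a time and record how the crowd around `target` shrinks.
function stackSignals(browsers, target, signals) {
  const steps = [];
  for (let i = 1; i <= signals.length; i++) {
    const used = signals.slice(0, i);
    steps.push({
      signals: used.join(" + "),
      bits: entropyBits(browsers, used),
      anonymitySet: anonymitySet(browsers, target, used),
    });
  }
  return steps;
}

const order = ["colorDepth", "screen", "timezoneOffset", "gpu"];
console.table(stackSignals(population, population[0], order));
```

A signal that is the same for everyone (the colour depth here) contributes zero bits, which is the property that normalizing defences rely on.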
Which signals contribute the most
Not all browser properties are equally useful for fingerprinting. Research from the EFF's Panopticlick project (now Cover Your Tracks) and academic studies have identified the signals that carry the most identifying information:
Canvas fingerprinting
Your browser can draw text and graphics to an invisible HTML canvas element. The exact rendering depends on your GPU, graphics drivers, operating system, font rendering engine, and sub-pixel antialiasing settings. A fingerprinting script draws a specific string or shape, reads back the pixel data, and hashes it. Even small differences in rendering produce different hashes.
Canvas fingerprinting is particularly effective because GPU and font rendering vary across hardware in ways that are hard to standardize. Two people with the same browser version on different hardware will usually produce different canvas hashes.
WebGL fingerprinting
WebGL exposes your GPU vendor and renderer string (e.g., "ANGLE (Intel, Mesa Intel UHD Graphics 620)") and a set of supported extensions. Combined with the WebGL rendering test — similar to canvas fingerprinting but using 3D graphics — this is one of the most discriminating signals. The GPU model alone narrows the population significantly, and the renderer string often includes driver version details.
Screen and display properties
Screen resolution, color depth, device pixel ratio, and available screen height (total minus taskbar/dock) all contribute. Device pixel ratio is particularly useful for distinguishing between Retina/HiDPI and standard displays. The combination of resolution + pixel ratio + color depth is fairly discriminating.
Fonts
JavaScript can detect which fonts are installed by measuring the rendered width and height of text in different font families. If a test string rendered in "Consolas" has different dimensions than the same string in "monospace" (the fallback), Consolas is installed. By testing hundreds of fonts, a script can build a list of your installed fonts, which varies significantly across operating systems, language packs, and installed applications.
Timezone and language
Your timezone offset (new Date().getTimezoneOffset()) and language preferences (navigator.language, navigator.languages) are low-entropy individually but contribute to the overall fingerprint. The full language preference list (e.g., ["en-US", "en", "fr"]) is more discriminating than just the primary language.
Navigator properties
navigator.platform, navigator.hardwareConcurrency (CPU core count), navigator.deviceMemory (RAM, where available), navigator.maxTouchPoints, and the list of installed plugins all contribute. The deprecation of plugins in modern browsers has reduced this signal's value, but it still helps distinguish older browsers.
Audio fingerprinting
The AudioContext API can generate a unique audio signal by processing a tone through an oscillator and compressor. The resulting waveform varies by audio stack, hardware, and OS — similar to canvas fingerprinting but using audio processing instead of graphics rendering.
How fingerprinting differs from cookies
Cookies are stored on your device. You can see them, delete them, and block them. When you clear cookies, the tracker loses its identifier and has to start fresh. Cookie consent laws (GDPR, ePrivacy) specifically address this kind of storage.
Fingerprinting doesn't store anything. The identifier is computed from your browser's existing properties each time — there's nothing to delete. This makes fingerprinting harder to detect, harder to block, and harder to regulate. Some interpretations of GDPR do consider fingerprinting a form of tracking that requires consent, but enforcement has been inconsistent.
Fingerprinting is also more fragile than cookies in some ways. Updating your browser, changing your screen resolution, installing a new font, or updating your GPU driver can change your fingerprint. But in practice, these changes happen infrequently enough that trackers can link old and new fingerprints using partial matches.
How unique are you?
The EFF's Panopticlick (now Cover Your Tracks) study found that 83.6% of browsers had a unique fingerprint, and 94.2% of browsers with Flash or Java enabled were unique. Even without plugins, the combination of canvas, WebGL, fonts, and screen properties makes most browsers distinguishable.
A 2020 study by Laperdrix et al. ("Browser Fingerprinting: A Survey") found that fingerprinting accuracy has increased over time as browsers expose more APIs (WebGL, AudioContext, Battery Status, Network Information). The study also found that mobile browsers are somewhat less unique than desktop browsers, because mobile devices have fewer configurable properties — most iPhones running the same iOS version look similar.
You can see what your browser exposes with our browser info tool. It shows your canvas fingerprint hash, WebGL renderer, screen properties, language settings, and other signals that fingerprinting scripts typically collect.
What actually reduces fingerprint uniqueness
Tor Browser
Tor Browser is specifically engineered to resist fingerprinting. It sets a fixed window size (to eliminate screen resolution as a signal), blocks or standardizes canvas and WebGL output, uses a fixed set of fonts, and removes or normalizes most navigator properties. Every Tor Browser user looks as similar as possible to every other Tor Browser user. This is the strongest anti-fingerprinting defense available, but it comes with significant usability tradeoffs — slower browsing, frequent CAPTCHAs, and some sites blocking Tor entirely.
Firefox with Enhanced Tracking Protection
Firefox's "Strict" Enhanced Tracking Protection blocks known fingerprinting scripts by domain. Firefox also includes privacy.resistFingerprinting (disabled by default), which normalizes many browser properties — reporting a fixed screen resolution, timezone, and language. When enabled, it significantly reduces fingerprint uniqueness but can break some websites that depend on accurate screen or language detection.
Brave
Brave randomizes canvas and WebGL output on each page load, returning slightly different values each time. This doesn't make you invisible — it makes your fingerprint unstable, so trackers can't link visits across time. Brave also blocks known fingerprinting scripts by default.
Safari (Intelligent Tracking Prevention)
Safari takes a more limited approach: it presents a simplified version of some APIs (like a fixed set of system fonts to JavaScript) and blocks known trackers via Intelligent Tracking Prevention. Safari's WebKit rendering engine is also less granular in what it exposes compared to Chromium-based browsers.
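The two defensive strategies described in this section, a fixed output for everyone (Tor Browser) and per-load randomization (Brave), compared in an added example that is not code from the article or from any browser. The pixel arrays are constructed stand-ins for a canvas readback, FNV-1a stands in for whatever hash a script uses, and `loadSeed` models the per-load random draw so that runs are repeatable.

```javascript
// Constructed stand-ins for the bytes a canvas readback returns on three machines;
// they differ in a single anti-aliased pixel value.
const devices = {
  laptopA: [200, 17, 96, 43, 250, 8],
  laptopB: [200, 17, 97, 43, 250, 8],
  desktopC: [200, 17, 98, 43, 250, 8],
};

// FNV-1a (32-bit), a small non-cryptographic hash used here for illustration.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) h = Math.imul(h ^ b, 0x01000193) >>> 0;
  return h.toString(16).padStart(8, "0");
}

// What a script reads back, depending on the browser's defence:
//   "none"      : the real pixels
//   "normalize" : one fixed output for every user
//   "randomize" : real pixels with small noise that changes per page load
//                 (loadSeed in 1..3 is an assumption standing in for the random draw)
function readback(pixels, defense, loadSeed) {
  if (defense === "normalize") return pixels.map(() => 255);
  if (defense === "randomize")
    return pixels.map((p, i) => (i === 0 ? p ^ (loadSeed & 3) : p));
  return pixels.slice();
}

function evaluate(defense) {
  const hash = (name, seed) => fnv1a(readback(devices[name], defense, seed));
  const first = hash("laptopA", 1);
  return {
    // Does laptopA's second page load produce the same hash as its first?
    linkableAcrossLoads: first === hash("laptopA", 2),
    // How many sample devices present the same hash as laptopA on one load?
    devicesSharingHash: Object.keys(devices).filter((d) => hash(d, 1) === first).length,
  };
}

for (const d of ["none", "normalize", "randomize"]) console.log(d, evaluate(d));
```

Normalizing keeps the hash stable but shared by every device, while randomizing keeps it distinct but different on each load.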
What doesn't work
Private/Incognito mode does not reduce fingerprinting. It clears cookies and history but doesn't change any of the properties that fingerprinting relies on — your screen resolution, GPU, fonts, and canvas rendering are identical in private mode.
VPNs change your IP address but don't affect your browser fingerprint at all. A VPN combined with an unchanged browser fingerprint could actually make tracking easier, since the consistent fingerprint acts as an identifier across IP addresses.
Clearing cookies and cache doesn't affect fingerprinting, since fingerprints don't rely on stored data.
The arms race
Fingerprinting exists in a tension between web standards that want browsers to expose device capabilities (so websites can adapt to screens, languages, and hardware) and privacy advocates who want to minimize distinguishing information. The W3C's Privacy Interest Group (PING) reviews new web specifications for fingerprinting surface, and some high-entropy APIs (like the Battery Status API, which Firefox removed) have been deprecated specifically because they added fingerprinting vectors with minimal utility.
The trend is toward browsers reducing their fingerprint surface while maintaining usability. Chrome's Privacy Sandbox initiative, Safari's font restriction, and Firefox's fingerprinting resistance all move in this direction. But as long as browsers need to render different screen sizes, support different GPUs, and respect different language preferences, some fingerprinting surface will always exist.
Check what your browser exposes with our browser info tool — it shows the same signals that fingerprinting scripts collect, so you can see exactly how much information your browser is volunteering.