You cleared your cookies. You enabled private browsing mode. You might even use a VPN. But websites can still identify and track you with remarkable accuracy using a technique called browser fingerprinting, and most people have never heard of it.
What Is Browser Fingerprinting?
Every time you visit a website, your browser shares a surprising amount of information about itself and your system. Individually, each data point seems harmless. Combined, they create a unique identifier, a fingerprint, that distinguishes your browser from virtually every other browser on the internet.
Unlike cookies, which are stored on your device and can be deleted, a browser fingerprint is calculated from your system's characteristics each time you visit a site. There is nothing stored locally to clear, no prompt to accept, and no obvious way to know it is happening.
What Data Creates Your Fingerprint
The amount of information your browser exposes is extensive:
- User agent string containing your browser name, version, and operating system
- Screen resolution and color depth
- Installed fonts because your specific set of system fonts is surprisingly unique
- Canvas rendering where a hidden image is drawn and the pixel-level rendering differences between GPUs and operating systems create a unique hash
- WebGL renderer information that reveals your graphics card model and driver version
- Timezone and language settings
- Browser plugins and extensions and their versions
- Hardware concurrency revealing how many CPU cores your device has
- Audio context fingerprinting that exploits differences in how devices process audio signals
- Battery status API (on supported browsers) that can expose charge level and charging state
- Touch support and device memory information
How Unique Is Your Fingerprint?
Research by the Electronic Frontier Foundation through their Panopticlick project (now called Cover Your Tracks) found that the vast majority of browsers carry a unique fingerprint. In their studies, over 83% of browsers had a completely unique fingerprint, and when Flash or Java were available, that number climbed to over 94%.
Even without those legacy plugins, modern fingerprinting techniques using canvas rendering, WebGL, and audio context achieve extremely high uniqueness rates. Your combination of operating system, browser version, screen size, installed fonts, GPU, and timezone is almost certainly unique among the millions of browsers visiting any given site.
Fingerprinting vs. Cookies
Traditional cookie-based tracking has an important limitation from the tracker's perspective: users can delete cookies, block them, or use private browsing mode. Browser fingerprinting eliminates these problems for trackers:
- Persistent across sessions. Clearing your cookies does not change your fingerprint because it is derived from your system configuration, not stored data.
- Works in private/incognito mode. Private browsing prevents cookies from persisting but does nothing to alter your browser's fingerprint.
- Cross-browser tracking. Some fingerprinting techniques can even identify users across different browsers on the same machine by focusing on hardware and OS-level attributes.
- Invisible to the user. There is no cookie banner, no permission prompt, and no way to see it happening without specialized tools.
Defense Strategies
Defending against browser fingerprinting is challenging because the most effective defenses involve trade-offs:
Tor Browser
Tor Browser is specifically designed to make all users look identical. It standardizes window size, disables JavaScript APIs used for fingerprinting, blocks canvas and WebGL access, and routes traffic through the Tor network. It is the most effective defense but comes with slower browsing speeds and some website compatibility issues.
Firefox with Resist Fingerprinting
Firefox offers a privacy.resistFingerprinting setting that spoofs many of the data points used for fingerprinting. It reports generic values for timezone, screen size, user agent, and other attributes. Enable it in about:config for meaningful protection without the speed penalty of Tor.
Brave Browser's Randomization
Brave takes a different approach by randomizing fingerprint-relevant values on each session. Instead of making everyone look the same (like Tor), Brave makes you look different every time. Canvas, WebGL, and audio context values are subtly randomized so trackers cannot build a consistent profile.
Browser Extensions
Extensions like CanvasBlocker can block or spoof specific fingerprinting techniques. However, extensions themselves can become part of your fingerprint, since the set of extensions you have installed is a distinguishing characteristic.
The Anti-Fingerprinting Paradox
There is an inherent paradox in fingerprinting defense: the very act of using anti-fingerprinting tools can itself make you more identifiable. If only 0.1% of users have a particular extension installed, having it makes you part of a very small group. The most effective approach is using a browser where anti-fingerprinting is built in and widely adopted, so you blend in with a large crowd of identically configured browsers.
You can test your own browser's fingerprint at the EFF's Cover Your Tracks tool to see how unique your browser appears. The results may surprise you.