facebook-pixel

Browser Fingerprinting: How Websites Track You Without Cookies

L
Lunyb Security Team
··9 min read

Every time you visit a website, your browser quietly hands over dozens of technical details about your device. Combined, these details form a nearly unique signature known as a browser fingerprint. Unlike cookies, you can't simply delete it, and unlike an IP address, changing networks won't reset it. This guide explains exactly how browser fingerprinting works, why it's replacing traditional tracking, and what you can realistically do to reduce your exposure.

What Is Browser Fingerprinting?

Browser fingerprinting is a tracking technique that identifies and follows users across websites by collecting a combination of technical attributes from their browser and device. Instead of storing an identifier on your computer (like a cookie does), the tracker builds an identifier from your computer using signals you can't easily hide.

The core idea is statistical: any single attribute (like your screen resolution) is not unique, but 20 or 30 attributes combined almost always are. Research by the Electronic Frontier Foundation's Panopticlick project found that most browsers produce fingerprints unique among hundreds of thousands of visitors. In 2026, with expanded APIs and richer device data, uniqueness rates are even higher.

Fingerprinting vs. Cookies: The Key Difference

Cookies are stored on your device and can be cleared. Fingerprints are computed on demand from your device's characteristics, so "clearing" them isn't possible in the traditional sense. This is why fingerprinting is often called stateless tracking—no state is stored on your machine, yet you remain identifiable.

How Browser Fingerprinting Works

Fingerprinting happens in a few silent steps that complete in milliseconds after you load a page:

  1. Signal collection: A JavaScript library on the page queries browser APIs for device information.
  2. Hashing: The collected attributes are combined into a single string and hashed into a compact identifier.
  3. Server storage: The hash is sent to the tracker's server, which links it to a profile of behavior, interests, and prior visits.
  4. Re-identification: When you visit another site using the same tracker, the process repeats and matches you to your existing profile.

Because this happens server-side after data collection, browser-based blockers can only stop it by preventing the script from running or by returning fake or generic data.

What Data Points Build a Fingerprint?

Modern fingerprinting scripts pull from dozens of sources. Here are the most impactful signals and roughly how much entropy (identifying power) each contributes.

SignalExampleUniqueness
User Agent stringChrome 131 on Windows 11Medium
Screen resolution & color depth2560x1440, 24-bitMedium
Installed fontsArial, Helvetica, custom fontsHigh
Canvas fingerprintRendered image hashVery High
WebGL fingerprintGPU rendering signatureVery High
AudioContext fingerprintAudio stack output hashHigh
Timezone & languageUTC-5, en-USLow
Hardware concurrency8 CPU coresLow
Battery status (mobile)78%, chargingLow but session-linking
Browser plugins & extensionsDetectable via DOM changesHigh

Canvas Fingerprinting Explained

Canvas fingerprinting is one of the most powerful techniques. The script asks your browser to render a hidden image—usually text with mixed fonts, colors, and emoji. Tiny rendering differences caused by your GPU, drivers, operating system, and font rendering engine produce a hash unique to your machine. Two devices that look identical in every other way will still generate different canvas hashes.

WebGL and Audio Fingerprinting

WebGL fingerprinting works similarly but uses 3D graphics rendering, exposing the exact GPU model and driver stack. AudioContext fingerprinting generates a silent audio signal and measures how your device processes it—again, subtle hardware and software differences produce unique outputs.

Why Websites Use Fingerprinting

Fingerprinting isn't inherently malicious. It's used for a mix of legitimate and invasive purposes:

  • Fraud prevention: Banks and payment processors detect stolen accounts by flagging logins from unfamiliar fingerprints.
  • Bot detection: Ticketing sites and airlines block scraping by identifying automated browsers.
  • Advertising and analytics: Ad networks build cross-site behavior profiles even when third-party cookies are blocked.
  • Content personalization: Publishers tailor content or paywalls based on repeat-visit detection.
  • Account takeover defense: Services trigger additional verification when a known account is accessed from a new fingerprint.

The problem is that the same technique used to catch fraud can be used to follow you across the web without consent, and current privacy laws are inconsistent about whether fingerprinting requires user permission.

The Regulatory Landscape in 2026

Under the EU's ePrivacy Directive and GDPR, fingerprinting for tracking purposes generally requires informed consent because it involves "accessing information stored on a user's device." The UK ICO, France's CNIL, and Germany's data protection authorities have all confirmed this interpretation.

In the US, state laws like California's CPRA and Colorado's CPA treat persistent identifiers—including fingerprints—as personal information subject to opt-out rights. However, enforcement is uneven and many trackers still fingerprint by default.

How to Detect if You're Being Fingerprinted

You can test your own browser and see what a tracker would learn:

  1. Visit coveryourtracks.eff.org to see your fingerprint's uniqueness score.
  2. Try amiunique.org for a detailed breakdown of every attribute.
  3. Use browser dev tools (Network tab) to spot requests to known fingerprinting domains like fpjs.io, fingerprint.com, or maxmind.com.
  4. Look for suspicious canvas or audio API calls in the Sources panel of Chrome DevTools.

How to Protect Yourself from Browser Fingerprinting

You can't eliminate fingerprinting entirely, but you can dramatically reduce your uniqueness. The goal isn't invisibility—it's blending in with a large crowd of similar users.

1. Use a Privacy-Focused Browser

Some browsers actively fight fingerprinting by returning generic or randomized values:

  • Tor Browser: The gold standard. All Tor users share nearly identical fingerprints by design.
  • Brave: Randomizes canvas and audio outputs on each session, breaking cross-site linkage.
  • Firefox with resistFingerprinting enabled: Reports standardized values for many APIs.
  • LibreWolf: A hardened Firefox fork with fingerprinting resistance on by default.

2. Disable or Limit JavaScript Selectively

Most fingerprinting requires JavaScript. Extensions like NoScript or uMatrix let you block scripts on untrusted sites while allowing them where needed. The tradeoff is convenience, but for sensitive browsing it's highly effective.

3. Block Known Fingerprinting Domains

Content blockers with fingerprinting-specific lists (like EasyPrivacy or the Disconnect list) prevent common trackers from loading in the first place. uBlock Origin with these lists enabled blocks most commercial fingerprinting services.

4. Use Encrypted DNS

DNS-over-HTTPS (DoH) or DNS-over-TLS with a privacy-respecting resolver (like Quad9 or NextDNS with tracker blocking) can filter out fingerprinting domains at the network level, protecting every browser and app on your device.

5. Avoid Fingerprint-Amplifying Extensions

Ironically, installing too many privacy extensions can make you more unique. Each extension you install may modify the DOM in detectable ways. Stick to a small, well-known set (uBlock Origin plus your browser's built-in protections is often enough).

6. Compartmentalize with Browser Profiles or Containers

Use separate browser profiles for banking, social media, shopping, and general browsing. Firefox Multi-Account Containers isolates cookies and site data per container, and combined with fingerprint resistance it limits cross-context tracking.

Comparing Anti-Fingerprinting Approaches

ApproachEffectivenessUsability ImpactBest For
Tor BrowserExcellentSlow, breaks some sitesAnonymous research
BraveVery GoodMinimalDaily browsing
Firefox + resistFingerprintingVery GoodModerate (site breakage)Power users
LibreWolfExcellentModeratePrivacy enthusiasts
Chrome + uBlock OriginFairMinimalCasual protection
Safari (default)GoodNoneApple users

Fingerprinting and Link Sharing

When you click a link, fingerprinting can start before you even see the destination page—especially if the link goes through a redirect service that runs scripts. This is one reason to choose link shorteners carefully. A reputable shortener should redirect quickly, not run tracking scripts on the intermediate page, and give you control over analytics. If you manage links for a business, look for services that publish clear privacy practices—our 2026 buyer's guide to URL shorteners compares options on exactly these criteria.

Lunyb, for example, uses server-side redirects and aggregate analytics rather than embedding fingerprinting scripts on redirect pages. If you're curious about how it handles user data, our honest Lunyb review walks through the privacy model in detail. For teams weighing branded-link tools, our Rebrandly review is another useful comparison.

The Future of Fingerprinting

As browsers phase out third-party cookies, advertisers are investing heavily in fingerprinting alternatives. Google's Privacy Sandbox proposes replacing individual tracking with cohort-based targeting, but critics argue it doesn't stop fingerprinting itself—only certain uses of it. Meanwhile, new APIs (like WebGPU and the Compute Pressure API) create fresh signals that trackers can exploit.

Expect an ongoing arms race: browsers add resistance, trackers find new signals, regulators try to catch up. The practical takeaway is that privacy is a moving target. Reviewing your setup once or twice a year is a reasonable habit.

Frequently Asked Questions

Can I completely block browser fingerprinting?

Not entirely. Any interactive website needs some information about your browser to display correctly. The realistic goal is to reduce uniqueness—look like millions of other users rather than a snowflake. Tor Browser comes closest to full protection, at the cost of speed and site compatibility.

Does incognito or private mode stop fingerprinting?

No. Private browsing clears cookies and history when you close the window, but your browser still reports the same fonts, GPU, screen size, and other fingerprint signals. Trackers can re-identify you across private sessions just as easily as normal ones.

Is browser fingerprinting legal?

It depends on jurisdiction and purpose. In the EU and UK, using fingerprinting for tracking or advertising generally requires explicit consent under GDPR and the ePrivacy Directive. In the US, state laws like CPRA give users opt-out rights. Using fingerprinting purely for fraud prevention is more widely accepted, but the line is blurry and enforcement varies.

Will using a different device or network change my fingerprint?

Yes—your fingerprint is tied to the specific combination of browser, operating system, hardware, and configuration. A different laptop or phone will produce a different fingerprint. Changing networks alone (for example, moving from home Wi-Fi to mobile data) changes your IP address but not your browser fingerprint.

Do mobile browsers fingerprint less than desktop browsers?

Slightly, because mobile devices are more standardized (fewer fonts, similar screen sizes within a model line). However, mobile browsers expose extra signals like device orientation, battery status, and touch capabilities. In practice, mobile fingerprints are still highly unique, especially when combined with app-level identifiers.

Final Thoughts

Browser fingerprinting is one of the most sophisticated tracking techniques in use today, and it's growing more powerful as browsers add new APIs. You can't switch it off with a single setting, but by choosing a privacy-respecting browser, blocking known trackers, using encrypted DNS, and being thoughtful about extensions, you can shrink your fingerprint to the point where most trackers can't reliably follow you across the web. Combine those habits with careful choices about the services you route your traffic through—including link shorteners, DNS providers, and analytics tools—and you'll have a meaningfully more private browsing experience in 2026 and beyond.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles