facebook-pixel

Browser Fingerprinting: How Websites Track You Without Cookies

L
Lunyb Security Team
··9 min read

Every time you visit a website, your browser silently broadcasts dozens of technical details about your device — from screen resolution and installed fonts to graphics card quirks and time zone. Together, these details form a unique signature that can identify you across the web, even if you clear your cookies, use private browsing, or hop between networks. This is browser fingerprinting, and it has quietly become one of the most powerful tracking techniques on the modern internet.

In this guide, we'll unpack how browser fingerprinting works, what data points it uses, why it's harder to block than cookies, and what you can realistically do to reduce your exposure.

What Is Browser Fingerprinting?

Browser fingerprinting is a tracking technique that identifies and follows users based on the unique combination of settings, hardware characteristics, and software configurations their browser reveals to websites. Unlike cookies, no data is stored on your device — the "fingerprint" is generated on the fly each time you visit a site.

The concept was popularized in 2010 when the Electronic Frontier Foundation launched its Panopticlick project (now Cover Your Tracks). Researchers found that the majority of browsers had a fingerprint unique enough to single out individual users among millions. More than a decade later, the technique has only grown more sophisticated.

Fingerprinting vs. Cookies: Key Differences

Cookies are small files placed on your device that identify you when you return. Fingerprints are inferred from characteristics your browser already exposes. That distinction matters:

FeatureCookiesBrowser Fingerprinting
Where data livesOn your deviceDerived from your browser signals
User consent required (EU)Usually yesOften ignored or unclear
Easy to delete?Yes — clear browser dataNo — you can't "clear" your device profile
Works in private browsing?LimitedYes, fully
Cross-site trackingRestricted by modern browsersStill widely possible

How Browser Fingerprinting Works

When your browser loads a page, it exchanges information with the server so the site renders correctly. Fingerprinting scripts collect and combine these signals to build a stable, identifying profile. The process typically follows five steps:

  1. Signal collection. JavaScript running on the page queries browser APIs for details like user agent, language, screen size, and installed plugins.
  2. Active probing. The script may draw hidden images, play silent audio, or query the graphics card to trigger device-specific rendering behavior.
  3. Hashing. All collected values are combined and hashed into a compact identifier.
  4. Storage server-side. The hash is sent to a tracker's servers, where it's linked to previous visits and any known identity data.
  5. Cross-site linking. When the same fingerprint appears on other participating sites, your browsing activity is stitched into a single profile.

Common Data Points Used

Individually, most of these attributes are harmless. Combined, they're often unique:

  • User agent string (browser, version, operating system)
  • Screen resolution, color depth, and device pixel ratio
  • Time zone and system language
  • Installed fonts and language packs
  • Browser plugins and extensions
  • Hardware concurrency (CPU cores) and device memory
  • Touch support and pointer capabilities
  • HTTP headers and their exact order

Advanced Fingerprinting Techniques

Basic fingerprinting relies on data your browser openly reports. Advanced techniques go further by probing hardware-level behavior that varies subtly between devices — even ones with identical specs.

Canvas Fingerprinting

Canvas fingerprinting instructs your browser to render a hidden image using HTML5's Canvas API — often a short line of text with emojis or unusual glyphs. Tiny differences in your GPU, graphics drivers, font rendering engine, and anti-aliasing settings produce a slightly different pixel output. That output is hashed into an identifier that's remarkably stable across sessions.

WebGL Fingerprinting

WebGL exposes your graphics card to web apps. Fingerprinters render a 3D scene off-screen and analyze the resulting pixels, along with metadata about your GPU vendor and renderer. Two identical laptop models can still produce distinguishable WebGL fingerprints due to manufacturing variance.

Audio Fingerprinting

Using the Web Audio API, a fingerprinter can generate an inaudible waveform and measure exactly how your device processes it. Differences in audio stack, sample rate handling, and floating-point precision create a unique acoustic signature — no microphone required.

Font and Language Enumeration

By measuring the width of text rendered in different font families, scripts can infer which fonts you have installed. Combined with language preferences, this reveals region, profession (designers often have unusual fonts), and even software you've installed.

Behavioral and Network-Level Signals

Newer techniques observe how you move your mouse, the cadence of your typing, and even the specific way your device negotiates TLS connections ("TLS fingerprinting"). These are harder to spoof because they emerge from real device and human behavior.

Why Browser Fingerprinting Matters

Fingerprinting is used across a spectrum of purposes, some defensible and others deeply invasive.

Legitimate Use Cases

  • Fraud prevention. Banks and payment processors use fingerprints to spot account takeover attempts and stolen credentials being used from unfamiliar devices.
  • Bot detection. Sites distinguish humans from automated scrapers by looking for inconsistent or headless browser fingerprints.
  • Account security. Recognizing a returning device helps flag suspicious logins.

Invasive Use Cases

  • Cross-site advertising. Ad networks build behavioral profiles even after users clear cookies or opt out of tracking.
  • Price discrimination. Some e-commerce sites adjust prices or offers based on inferred device value and browsing history.
  • Deanonymization. Journalists, activists, and whistleblowers can be re-identified across supposedly anonymous sessions.
  • Regulatory circumvention. Trackers use fingerprinting to sidestep GDPR and ePrivacy consent requirements that focus narrowly on cookies.

How Unique Is Your Browser?

Studies from Mozilla, the EFF, and academic researchers consistently find that the average desktop browser fingerprint is unique among tens or hundreds of thousands of users. Mobile browsers tend to be slightly less unique because iPhones and popular Android models share more hardware and software attributes — but they still leak plenty of signals.

Ironically, installing many privacy extensions can make you more identifiable, not less. A rare combination of anti-fingerprinting tools stands out just as clearly as a rare font list.

How to Reduce Your Browser Fingerprint

You can't eliminate fingerprinting entirely, but you can substantially shrink your attack surface. The goal is to blend in with a large crowd of similar users rather than stand out.

1. Use a Privacy-Focused Browser

Some browsers are engineered specifically to resist fingerprinting:

  • Tor Browser standardizes screen sizes, disables many APIs, and makes users look alike by design. It offers the strongest protection but at a performance cost.
  • Brave randomizes certain fingerprintable values on each session and blocks known trackers.
  • Mullvad Browser ships a hardened Firefox configuration built with the Tor Project.
  • Firefox offers a resistFingerprinting flag and Enhanced Tracking Protection.

2. Disable or Restrict JavaScript Selectively

Most fingerprinting relies on JavaScript. Extensions like NoScript or uBlock Origin's advanced mode let you allow scripts only from trusted domains. Expect breakage on modern web apps, but the privacy gain is significant.

3. Keep Your Browser Stock and Updated

A vanilla, up-to-date browser looks like millions of others. Heavily customized browsers with unusual extensions, fonts, or settings become uniquely identifiable. Update regularly so your version doesn't lag behind the herd.

4. Use Encrypted DNS and Trusted Networks

Encrypted DNS (DNS over HTTPS or DNS over TLS) prevents your internet provider and local network operators from watching every domain you visit. This complements browser-level protections by closing off a separate layer of tracking.

5. Compartmentalize Your Browsing

Use separate browsers or browser profiles for different activities — one for banking and email, another for shopping, a third for research. Firefox Multi-Account Containers and browser profiles make this easy without juggling apps.

6. Be Cautious With Extensions

Every extension you install adds to your fingerprint and may itself collect data. Stick to well-audited privacy tools and remove anything you don't actively use.

7. Shorten and Mask Sensitive Links

When sharing links — especially on social media, in emails, or across teams — using a privacy-respecting URL shortener like Lunyb prevents recipients' clicks from being logged by aggressive third-party trackers embedded in raw URLs. You can read our honest review of Lunyb for more detail on how it handles user data.

Fingerprinting Countermeasures Compared

MethodEffectivenessUsability ImpactBest For
Tor BrowserVery HighHigh (slow, some sites blocked)Journalists, activists, high-risk users
Mullvad / Hardened FirefoxHighMediumPrivacy-conscious daily use
BraveMedium-HighLowMainstream users wanting better defaults
Firefox + Enhanced Tracking ProtectionMediumVery LowGeneral audiences
Script blocking (NoScript)HighHigh (site breakage)Advanced users
Encrypted DNSComplementaryVery LowEveryone

The Future of Fingerprinting and Privacy

Browser vendors are pushing back. Safari's Intelligent Tracking Prevention actively limits fingerprintable APIs. Firefox blocks known fingerprinting scripts by default. Google's Privacy Sandbox proposes replacing cross-site tracking with aggregated, less identifying signals — though critics argue it entrenches Google's advertising position.

Meanwhile, trackers continue to innovate. Machine learning models can now identify users from fewer signals than ever, and TLS-level fingerprinting operates below the browser entirely. Expect a long cat-and-mouse game.

For businesses that share links publicly, choosing tools that don't participate in the tracking economy matters more than ever. Our 2026 buyer's guide to URL shorteners and our Rebrandly review both examine how different services handle click data and user privacy.

Frequently Asked Questions

Can browser fingerprinting identify me personally?

Not by name on its own. A fingerprint is a pseudonymous identifier — a unique code tied to your device. However, once you log into any site that knows your identity (email, social media, e-commerce), that fingerprint can be linked to your real name, and any future anonymous browsing tied to the same fingerprint becomes attributable to you.

Does private or incognito browsing stop fingerprinting?

No. Private browsing prevents your browser from saving history and cookies locally, but it does not change the signals your browser sends to websites. Fingerprinting works just as effectively in incognito mode as in a regular session.

Will clearing my cookies reset my fingerprint?

Clearing cookies has no effect on your fingerprint. The fingerprint is regenerated on every visit from your device's characteristics, so trackers using this technique can re-identify you immediately after any cookie purge.

Is browser fingerprinting legal?

It depends on jurisdiction. Under the EU's GDPR and ePrivacy Directive, fingerprinting for tracking purposes generally requires user consent, just like cookies. Enforcement is inconsistent, and many sites still fingerprint without proper disclosure. In the United States, regulations vary by state, with California's CCPA and CPRA providing some protections.

Can I test how unique my browser fingerprint is?

Yes. Free tools like the EFF's Cover Your Tracks (coveryourtracks.eff.org) and AmIUnique.org analyze your browser and estimate how identifiable you are. Running these tests before and after applying privacy measures is a good way to see what actually works for your setup.

Final Thoughts

Browser fingerprinting is a reminder that privacy on the modern web is rarely about a single setting or tool. It's about layered choices: which browser you use, which extensions you trust, how you compartmentalize activity, and which services you route your links and traffic through. You can't be invisible, but you can be indistinguishable — and for most people, that's a meaningful upgrade.

Start by testing your current fingerprint, switching to a hardened browser, and being intentional about the extensions and services you rely on. Small, consistent habits compound into real privacy gains over time.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles