facebook-pixel

Browser Fingerprinting: How Websites Track You Without Cookies

L
Lunyb Security Team
··10 min read

You clear your cookies, browse in private mode, and assume you're invisible online. You're not. A silent tracking technique called browser fingerprinting can identify you across websites even when every cookie is wiped and every tracker is blocked. It works by combining dozens of tiny details about your device into a unique signature — and unlike cookies, you can't just delete it.

This guide explains exactly how browser fingerprinting works, what data websites collect, why regulators are worried, and what you can realistically do to reduce your exposure.

What Is Browser Fingerprinting?

Browser fingerprinting is a tracking technique that identifies a device by collecting information about its browser, operating system, hardware, and configuration, then combining those attributes into a unique or near-unique identifier. Unlike cookies, no data is stored on your device — the fingerprint is generated on the fly every time you visit a site.

Research by the Electronic Frontier Foundation (EFF) through its Panopticlick and later Cover Your Tracks projects showed that the majority of browsers produce a fingerprint unique enough to identify a single user out of millions. In practice, this means a website can recognize you on your second visit even if you switched networks, cleared cookies, and used a different account.

Fingerprinting vs. Cookies: The Key Difference

Cookies are files stored on your device that a site can read back later. You can see them, delete them, and block them. Fingerprints are computed from properties your browser already reveals to render web pages correctly. There is nothing to delete, and blocking the data entirely would break most modern websites.

How Browser Fingerprinting Works

Fingerprinting scripts silently query dozens of browser APIs and combine the answers into a hash. Here is the typical process:

  1. Script loads — usually as part of an analytics, ad, or anti-fraud library.
  2. Attributes are collected — user agent, screen size, installed fonts, GPU details, audio stack, and more.
  3. Values are hashed — the combined signature becomes a single ID string.
  4. ID is sent to a server — where it's matched against previously seen fingerprints.
  5. You are re-identified — often across different sites that share the same fingerprinting vendor.

Common Data Points Collected

A modern fingerprint can pull from more than 50 signals. The most powerful ones include:

  • User agent string — browser name, version, and OS.
  • Screen resolution and color depth — including scaling factor.
  • Installed fonts — detected through canvas or CSS measurement tricks.
  • Time zone and language — reveals rough location and locale.
  • Hardware concurrency — number of CPU cores.
  • Device memory — approximate RAM.
  • Canvas fingerprint — how your GPU renders a hidden image.
  • WebGL fingerprint — 3D rendering signature from your graphics driver.
  • AudioContext fingerprint — how your audio stack processes a silent signal.
  • Battery status, sensors, and permissions state — subtle behavioral signals.

The Main Types of Browser Fingerprinting

Not every fingerprinting technique works the same way. Understanding the categories helps you evaluate defenses.

Type What It Measures Uniqueness Hard to Block?
Canvas fingerprinting How your GPU + drivers rasterize text and shapes Very high Yes
WebGL fingerprinting 3D rendering pipeline output Very high Yes
Audio fingerprinting Floating-point audio processing quirks High Yes
Font fingerprinting Which fonts are installed Medium-high Partial
HTTP header fingerprinting Accept-Language, Accept-Encoding, order Medium Partial
TLS/JA3 fingerprinting The exact way your browser negotiates HTTPS High Very hard
Behavioral fingerprinting Mouse movement, typing rhythm, scroll patterns High over time Very hard

Canvas Fingerprinting Explained

Canvas fingerprinting is the most famous technique. A script draws hidden text and shapes on an HTML5 canvas, then reads the pixels back. Because GPU, driver version, anti-aliasing settings, and installed fonts all subtly affect the output, the resulting image hash is remarkably unique — often stable across browser restarts and even OS updates.

TLS and Network-Level Fingerprinting

Even before a page loads, your browser negotiates an HTTPS connection. The order of cipher suites, extensions, and elliptic curves it offers creates a JA3 or JA4 signature. This happens below JavaScript, so client-side privacy tools cannot hide it. It's why anti-bot services can often detect automation even when the browser looks perfectly normal.

Why Websites Use Browser Fingerprinting

Fingerprinting isn't always malicious. It sits in a gray zone between security and surveillance.

Legitimate Uses

  • Fraud prevention — banks and payment processors detect stolen credentials by spotting new devices.
  • Bot detection — separating real users from scrapers and credential stuffers.
  • Account security — flagging suspicious logins from unfamiliar hardware.
  • License enforcement — ensuring one paid seat isn't shared across many machines.

Controversial Uses

  • Cross-site advertising — building profiles without consent as third-party cookies are phased out.
  • Price discrimination — showing different prices based on device or location clues.
  • Re-identification after opt-out — tracking users who explicitly declined cookies.
  • Data broker enrichment — matching fingerprints to real-world identity databases.

Is Browser Fingerprinting Legal?

Legality depends on jurisdiction and purpose. Under the EU's GDPR and the ePrivacy Directive, fingerprinting for non-essential purposes generally requires informed consent — the same standard as cookies. The UK's ICO, France's CNIL, and Germany's data protection authorities have all issued explicit guidance that fingerprinting is regulated.

In the United States, the picture is more fragmented. California's CCPA/CPRA classifies persistent identifiers — including fingerprints — as personal information. Several state laws now follow that lead. Enforcement, however, has been uneven, and many sites use fingerprinting without clear disclosure.

How to Test Your Own Browser Fingerprint

Before you defend yourself, see what sites see. Free, reputable tools include:

  1. Cover Your Tracks (EFF) — shows uniqueness and which trackers your browser blocks.
  2. AmIUnique.org — academic project with detailed per-attribute breakdowns.
  3. CreepJS — advanced test that exposes lie-detection and workers-based tricks.

Run the same test in normal mode, private mode, and on different browsers. You'll often find that private mode barely changes your fingerprint at all.

How to Reduce Your Browser Fingerprint

There is no single switch that makes you invisible. Effective defense combines browser choice, configuration, and habits.

1. Choose a Browser That Prioritizes Fingerprint Resistance

  • Tor Browser — the gold standard. Everyone using it looks nearly identical because it standardizes screen size, fonts, and APIs.
  • Brave — randomizes canvas, audio, and WebGL outputs on each session, breaking the stability fingerprinting relies on.
  • Firefox with privacy.resistFingerprinting = true and strict Enhanced Tracking Protection.
  • Mullvad Browser — a hardened Firefox fork built with the Tor Project.

Chromium-based browsers other than Brave generally offer weaker fingerprint resistance because Google's business model depends on tracking.

2. Turn On Anti-Fingerprinting Settings

  • Enable strict tracking protection in your browser's privacy settings.
  • Block third-party scripts by default where possible.
  • Disable rarely-used APIs like WebGL if you don't need them.

3. Use Content and Script Blockers

Extensions like uBlock Origin (with the "Fingerprinting" filter lists enabled) and NoScript block most known fingerprinting vendors at the network level. This is one of the highest-impact steps you can take.

4. Avoid Rare Configurations

Counterintuitively, installing many privacy extensions can make you more unique. If only 0.01% of users have your exact combination of add-ons, that combination itself becomes a fingerprint. Stick to well-known privacy tools used by millions.

5. Use Encrypted DNS and Private Browsers Together

Encrypted DNS (DoH or DoT) prevents your resolver from logging every domain you visit, while a hardened browser handles what happens on-page. The two layers cover different attack surfaces.

6. Be Careful with Links You Click

Fingerprinting often starts the moment you land on a page. If you're sharing or receiving links, use tools that give you control over redirects and analytics. A privacy-respecting link platform like Lunyb lets you shorten and share URLs without loading heavy third-party tracker stacks — a small but meaningful reduction in the surface area sites can use to profile visitors. You can read our honest Lunyb review for background on how it compares to other shorteners.

Browser Fingerprinting vs. Other Tracking Methods

Method User Control Persistence Cross-Site Tracking
First-party cookies High (deletable) Until cleared No
Third-party cookies High (blockable) Until cleared Yes
Local storage / IndexedDB Medium Until cleared Limited
Browser fingerprinting Low Months to years Yes
IP address tracking Medium Days to weeks Yes
Account-based tracking Only by logging out Permanent Yes (across the same ecosystem)

The Future of Browser Fingerprinting

As third-party cookies disappear from Chrome and Safari, advertisers are quietly shifting budgets toward fingerprinting and server-side tracking. At the same time, browsers are pushing back:

  • Reduced User Agent — Chrome now sends less detail in the UA string, forcing sites to use the Client Hints API where consent is easier to enforce.
  • Privacy Budget proposals — experiments that would limit how many high-entropy APIs a site can query.
  • Regulatory attention — European regulators have started explicit fingerprinting investigations against major ad-tech vendors.

Expect an arms race: as browsers close old fingerprinting vectors, trackers will find new ones (installed extensions, GPU timing attacks, font metric quirks). Awareness and layered defenses remain your best tools.

Practical Checklist: Reduce Your Fingerprint Today

  1. Switch to Brave, Firefox (with resistFingerprinting), or Mullvad Browser.
  2. Install uBlock Origin and enable anti-fingerprinting filter lists.
  3. Disable WebGL if you don't play in-browser 3D games.
  4. Use encrypted DNS at the system level.
  5. Keep your browser updated — many fingerprinting vectors are patched quietly.
  6. Test yourself monthly on Cover Your Tracks.
  7. Use privacy-respecting tools for everyday tasks — from search to link shortening.

Frequently Asked Questions

Can browser fingerprinting identify me personally by name?

Not directly. A fingerprint is a device identifier, not an identity document. However, once you log into any account, the site can link your fingerprint to that identity — and data brokers can chain fingerprints across sites to build alarmingly detailed profiles that often include your name and email.

Does private or incognito mode stop fingerprinting?

No. Private mode only prevents your browser from saving history, cookies, and form data locally. The information websites use to fingerprint you — screen size, fonts, GPU, audio stack — is identical in normal and private mode. That's why testing sites often show the same fingerprint in both.

Will disabling JavaScript stop browser fingerprinting?

It stops most of it. JavaScript is required for canvas, WebGL, audio, and font enumeration attacks. However, HTTP headers and TLS fingerprints still work without JavaScript, and many websites become unusable when JS is disabled. A better middle ground is a script blocker that lets you allow JS selectively on sites you trust.

Is browser fingerprinting the same as device fingerprinting?

They overlap heavily. Browser fingerprinting focuses on signals visible through the browser (canvas, WebGL, user agent). Device fingerprinting is broader and can also include native app signals, IMEI on mobile, or hardware identifiers exposed by SDKs. In web contexts, the terms are often used interchangeably.

Can I ever be 100% unfingerprintable?

Realistically, no — not while still using a modern, functional browser. The goal is to be common enough that you blend in with a large crowd. Tor Browser achieves this best because every user is deliberately made to look the same. For everyday browsing, a hardened Firefox or Brave setup gets you most of the way there without breaking the web.

Final Thoughts

Browser fingerprinting is one of the most invasive tracking techniques on the modern web precisely because it works without your knowledge and can't be cleared. The good news: awareness alone changes your behavior, and a few well-chosen tools cut your exposure dramatically. Pick a fingerprint-resistant browser, block known trackers, test yourself regularly, and prefer privacy-respecting services for the small everyday tasks — like sharing links — where you have a genuine choice.

Privacy in 2026 isn't about vanishing. It's about not being uniquely identifiable to every site you visit. That goal is very much achievable.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles