facebook-pixel

Browser Fingerprinting: How Websites Track You Without Cookies

L
Lunyb Security Team
··9 min read

You clear your cookies. You use private browsing. You even block third-party trackers. And yet, somehow, websites still seem to recognize you. Advertisers still follow you. Fraud detection systems still flag you as a returning visitor. How?

The answer, in most cases, is browser fingerprinting — a silent, cookieless tracking technique that has quietly become the backbone of modern web identification. Unlike cookies, you can't simply delete a fingerprint. And unlike IP tracking, changing networks won't shake it off.

This guide breaks down exactly how browser fingerprinting works, what data it collects, why it's so hard to escape, and what you can realistically do to reduce your exposure.

What Is Browser Fingerprinting?

Browser fingerprinting is a tracking technique that identifies and re-identifies users by collecting dozens of small, seemingly harmless details about their browser and device, then combining them into a unique signature. That signature — the "fingerprint" — can follow a user across sites without any cookies, logins, or explicit identifiers.

The core idea is statistical: any single data point (like your screen resolution) is not unique. But when you combine 20, 30, or 50 of them — screen size, installed fonts, GPU model, time zone, language settings, browser version, audio processing quirks — the resulting combination becomes extraordinarily rare. In many cases, it identifies exactly one person on the internet.

Research from the Electronic Frontier Foundation's Panopticlick project found that more than 80% of browsers produce a fingerprint unique enough to identify a single user. On systems with unusual configurations, that number climbs even higher.

Fingerprinting vs. Cookies

Cookies are visible, controllable, and deletable. Fingerprints are none of those things. A cookie is a file the browser stores; a fingerprint is a pattern the browser emits just by existing. There is no "delete fingerprint" button because the fingerprint is a byproduct of how your browser answers ordinary technical questions.

How Browser Fingerprinting Works

At a technical level, fingerprinting scripts run silently in the background of a webpage. They ask the browser a series of questions using standard web APIs, then hash the answers into a short, stable identifier. The process typically follows these steps:

  1. Data collection: JavaScript queries the browser for device, environment, and behavior attributes.
  2. Normalization: The raw values are cleaned and standardized (e.g., trimming whitespace, sorting font lists).
  3. Hashing: The combined attributes are run through a hash function to produce a compact identifier.
  4. Storage and comparison: The hash is stored server-side and compared to future visits from the same or similar signatures.
  5. Cross-site linking: Companies that run fingerprinting scripts on many sites can correlate the same fingerprint across those sites.

Because these APIs exist for legitimate reasons — rendering graphics, adjusting layouts, supporting accessibility — the browser can't simply refuse to answer without breaking the web.

What Data Goes Into a Browser Fingerprint?

Fingerprinting scripts can collect a surprising range of signals. Some are obvious; others are almost invisible.

Category Examples Uniqueness Contribution
Browser attributes User agent, version, language, platform Low to medium
Screen & display Resolution, color depth, pixel ratio, available screen size Medium
Hardware CPU cores, device memory, GPU model (via WebGL) High
Canvas fingerprinting Rendering of hidden text/images using HTML5 canvas Very high
Audio fingerprinting Subtle differences in how the AudioContext processes signals High
Fonts & plugins List of installed fonts, extensions detectable via side channels High
Environment Time zone, keyboard layout, Do Not Track setting Medium
Behavioral Mouse movement, typing rhythm, scroll patterns Medium (used mainly for fraud)

Canvas Fingerprinting

One of the most powerful techniques is canvas fingerprinting. The script asks the browser to draw a hidden image containing text, emojis, and shapes on an HTML5 canvas element. Because rendering depends on the GPU, drivers, operating system, and installed fonts, the resulting pixels vary slightly from device to device. The image is converted to a data string and hashed — producing a stable identifier that persists even across browser sessions.

WebGL and Audio Fingerprinting

WebGL exposes information about your GPU and its rendering behavior. Audio fingerprinting works similarly: the browser processes an inaudible sound, and tiny mathematical differences in the output reveal the underlying hardware and software stack. Both techniques are extremely hard to spoof without breaking web functionality.

Who Uses Browser Fingerprinting — and Why?

Fingerprinting isn't always malicious. It sits on a spectrum from legitimate security use to invasive commercial surveillance.

Legitimate Uses

  • Fraud prevention: Banks and payment processors detect stolen credentials by noticing that a login is coming from a device that doesn't match the account's normal fingerprint.
  • Bot detection: Sites distinguish humans from automated scrapers by looking at fingerprint consistency and behavioral signals.
  • Account security: Multi-factor systems use device recognition to skip challenges on trusted devices.

Commercial and Advertising Uses

  • Cross-site tracking: Ad networks correlate behavior across sites without cookies.
  • Retargeting: Products you viewed on one site follow you to others.
  • Price discrimination: Some sites reportedly adjust prices based on device and location signals.
  • Analytics: Marketers estimate returning visitors even in privacy-focused browsers.

Concerning Uses

  • Identifying users who've opted out of tracking through other means.
  • Building shadow profiles of people who never created an account.
  • De-anonymizing whistleblowers, journalists, or activists in high-risk environments.

Why Browser Fingerprinting Is Hard to Block

Blocking fingerprinting is fundamentally harder than blocking cookies because you can't just refuse the data — the data is the browser doing its job. Here's why the problem is so stubborn:

  1. The APIs are legitimate. Canvas, WebGL, and AudioContext power games, video conferencing, and accessibility tools. Disabling them breaks the modern web.
  2. Blocking creates uniqueness. Ironically, if you disable JavaScript or spoof unusual values, you become more identifiable, not less. Standing out is the opposite of hiding.
  3. Fingerprints are stable enough to survive updates. Even when browser versions change, enough attributes stay constant for tracking scripts to re-link the identity.
  4. Server-side collection is invisible. You can't inspect what a fingerprinting service actually stores or how it correlates data across sites.

How to Reduce Your Browser Fingerprint

You probably can't eliminate fingerprinting entirely, but you can meaningfully reduce your exposure. The goal is to blend in with a large population of similar users rather than to appear unique.

1. Use a Browser Designed to Resist Fingerprinting

Some browsers actively fight fingerprinting by standardizing the values they report. The Tor Browser is the gold standard — it makes every user look nearly identical. Brave and Firefox (with resist-fingerprinting settings enabled) also offer meaningful protections by randomizing or normalizing canvas, audio, and font outputs.

2. Keep Your Browser and OS Up to Date

Running the latest stable version means you share your fingerprint with millions of others on the same version. Running an outdated build makes you stand out.

3. Be Selective With Extensions

Every extension you install can potentially be detected and adds to your uniqueness. A common mistake is loading a dozen privacy extensions — the combination itself becomes a fingerprint. Stick to a small, well-vetted set.

4. Disable or Isolate High-Entropy APIs

Where possible, disable WebGL if you don't need it, block third-party scripts by default, and use site isolation features. Firefox's privacy.resistFingerprinting flag and Brave's shields are strong starting points.

5. Use Encrypted DNS and Network-Level Protections

While these don't stop fingerprinting directly, encrypted DNS (DoH or DoT) prevents your network provider from correlating your browsing with your device identity. Combined with a fingerprint-resistant browser, this reduces the number of parties who can piece together your activity.

6. Compartmentalize Your Browsing

Use separate browsers or browser profiles for different activities: one for banking and shopping, another for casual browsing, another for research. Container tabs (available in Firefox) provide similar isolation with less friction.

7. Test Your Fingerprint

Free tools like the EFF's Cover Your Tracks, amiunique.org, and browserleaks.com let you see your own fingerprint and how unique it is. Test before and after making changes to see what actually helps.

Browser Fingerprinting and Link Sharing

Fingerprinting isn't limited to the destination site — it can also happen at intermediate steps like ad networks, redirect chains, and some link shorteners. If you're sharing links publicly or in a professional context, the shortener you choose matters. Services that log excessive click-side data or embed tracking pixels can expose your audience to fingerprinting scripts they never agreed to.

Privacy-conscious link shorteners like Lunyb focus on clean redirects without invasive tracking layered on top. If you're comparing options, our 2026 buyer's guide to URL shorteners breaks down which providers prioritize user privacy and which lean heavily on analytics. For a deeper look at a popular paid option, see our Rebrandly review.

The Future of Browser Fingerprinting

Two forces are pushing back against fingerprinting. First, browser vendors — even Chrome, under pressure — have begun standardizing certain attributes and reducing the entropy exposed to scripts. Firefox and Safari have gone further, actively randomizing canvas outputs or clamping precision on sensitive APIs.

Second, privacy regulations like the EU's GDPR and California's CPRA classify fingerprinting as personal data collection in most contexts, requiring consent. Enforcement is uneven, but the legal risk has already changed how some large ad platforms operate.

At the same time, fingerprinters are getting more sophisticated. Machine learning models can now match "similar" fingerprints even when individual attributes change, and behavioral signals (like typing cadence) are increasingly used as a second layer. The arms race isn't ending — but the tools available to ordinary users are stronger than they've ever been.

Frequently Asked Questions

Can browser fingerprinting identify me personally?

Not by name, on its own. A fingerprint is a device-and-browser identifier, not a name or email. But if the fingerprint is ever linked to an identified session — for example, when you log into an account — that link can persist across future visits, effectively de-anonymizing all your prior activity from the same browser.

Does private or incognito mode stop fingerprinting?

No. Private mode only prevents your browser from saving local history and cookies. The technical attributes used for fingerprinting — screen size, GPU, fonts, canvas output — remain the same in private mode, so scripts can still identify your device.

Will disabling JavaScript stop browser fingerprinting?

It stops most active fingerprinting scripts, but it also breaks most modern websites. It also makes you extremely unusual, which paradoxically makes the passive fingerprint (HTTP headers, TLS characteristics) more identifiable. It's not a practical solution for daily browsing.

Is browser fingerprinting legal?

It depends on jurisdiction and purpose. Under GDPR, CPRA, and similar laws, fingerprinting for tracking or advertising generally requires informed consent. Fingerprinting for security and fraud prevention often falls under legitimate-interest exceptions. In practice, enforcement varies widely.

What's the single most effective step against fingerprinting?

Switching to a browser with built-in fingerprinting resistance — such as the Tor Browser for high-risk use, or Firefox with resist-fingerprinting enabled and Brave for everyday browsing. No amount of extension tweaking on a standard browser matches what these browsers do at the engine level.

Conclusion

Browser fingerprinting is one of the most sophisticated and least visible tracking techniques on the modern web. It survives cookie clearing, incognito mode, and even network changes. But it isn't invincible. By choosing a fingerprint-resistant browser, keeping software up to date, being disciplined about extensions, and testing your own fingerprint periodically, you can move from being uniquely identifiable to being just another face in a crowd — which, on the internet, is exactly where privacy lives.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles