facebook-pixel

Browser Fingerprinting: How Websites Track You Without Cookies

L
Lunyb Security Team
··8 min read

Every time you visit a website, your browser quietly reveals dozens of details about your device — screen resolution, installed fonts, graphics card, time zone, and much more. Combined, these seemingly harmless data points create a unique signature known as your browser fingerprint. Unlike cookies, you can't simply delete it, and unlike an IP address, changing networks won't hide it. This makes browser fingerprinting one of the most powerful — and controversial — tracking techniques used online today.

In this guide, we'll break down exactly how browser fingerprinting works, what companies do with the data, why it's so hard to defeat, and the practical steps you can take to reduce your exposure.

What Is Browser Fingerprinting?

Browser fingerprinting is a tracking technique that identifies and follows users online by collecting a combination of characteristics about their browser and device. When enough of these attributes are combined, they produce a nearly unique identifier that can distinguish you from millions of other internet users — without storing anything on your device.

The concept was popularized by the Electronic Frontier Foundation (EFF) in 2010 through its Panopticlick project (now called Cover Your Tracks), which demonstrated that the vast majority of browsers are, in fact, uniquely identifiable. Since then, fingerprinting has evolved into a sophisticated industry powering ad networks, fraud detection systems, and analytics platforms.

Fingerprinting vs. Cookies: Key Differences

FeatureCookiesBrowser Fingerprinting
Storage locationStored on your deviceNothing stored — derived from device traits
User controlCan be blocked or deletedVery difficult to prevent
VisibilityDisclosed via consent bannersOften invisible to the user
Cross-site trackingLimited by browser policiesWorks across sites by default
Requires user login?NoNo

How Browser Fingerprinting Actually Works

Fingerprinting scripts silently query your browser for dozens of technical details, then hash them together into a unique identifier. The process typically involves the following steps:

  1. Data collection: A JavaScript snippet loaded on the page requests device and browser attributes.
  2. Active probing: The script runs tests (like rendering hidden graphics) to extract details your browser doesn't openly share.
  3. Aggregation: All collected attributes are combined into a long string.
  4. Hashing: The string is hashed (e.g., SHA-256) to create a compact fingerprint ID.
  5. Matching: The ID is sent to a server and matched against known fingerprints to identify returning visitors.

Common Attributes Used in a Fingerprint

  • User agent string: Browser name, version, and operating system.
  • Screen resolution and color depth: Highly variable across devices.
  • Installed fonts: Can reveal software you've installed (e.g., Adobe, Office).
  • Language and time zone: Reveal your general geographic region.
  • Browser plugins and extensions: Fewer plugins in modern browsers, but still enumerable.
  • Hardware concurrency: The number of CPU cores your device has.
  • Device memory: Approximate RAM available to the browser.
  • Touch support: Distinguishes desktops from mobile devices.

Advanced Fingerprinting Techniques

Beyond basic attributes, modern trackers use sophisticated methods that exploit how your device renders and processes data. These techniques can identify users even when they change browsers or use privacy tools.

1. Canvas Fingerprinting

Canvas fingerprinting instructs your browser to draw a hidden image or text using the HTML5 <canvas> element. Because rendering depends on your GPU, graphics drivers, operating system, and font rendering engine, the resulting pixel data varies slightly between devices. That subtle variation is captured, hashed, and used as a nearly unique ID.

2. WebGL Fingerprinting

Similar to canvas fingerprinting but more powerful, WebGL fingerprinting uses your device's 3D graphics capabilities. It extracts detailed information about your GPU vendor, renderer, and shader precision, producing an identifier that's extremely hard to spoof without breaking legitimate websites.

3. Audio Fingerprinting

The Web Audio API lets browsers process sound. Fingerprinters generate a silent audio signal, run it through processing nodes, and measure the exact output. Tiny differences in audio processing hardware and software create yet another unique signature.

4. Font Enumeration

By measuring the pixel width of text rendered in various fonts, scripts can detect which fonts are installed on your system — including obscure ones tied to specific software packages or corporate environments.

5. Battery and Sensor APIs

While many browsers have restricted these APIs, some still expose battery level, charging status, and motion sensor data. When combined with other attributes, these values narrow identification further.

Why Websites Use Browser Fingerprinting

Browser fingerprinting has both legitimate and controversial uses. Understanding the motivations helps clarify why it's so widespread.

Legitimate Use Cases

  • Fraud prevention: Banks and e-commerce sites use fingerprints to detect stolen credentials being used from unfamiliar devices.
  • Bot detection: Ticketing sites and social networks fingerprint visitors to block automated scrapers and bots.
  • Account security: Login systems flag suspicious sign-ins from unrecognized fingerprints.
  • Compliance and licensing: Streaming services enforce device limits by identifying unique endpoints.

Controversial Use Cases

  • Cross-site advertising: Ad networks track users across the web to build behavioral profiles.
  • Persistent identification: Even after clearing cookies or switching to private browsing, users can be re-identified.
  • Price discrimination: Some retailers show different prices to different "segments" of users.
  • Data brokerage: Fingerprints are sold to third parties for profiling.

How Unique Is Your Fingerprint?

Research consistently shows that most desktop browsers are uniquely identifiable. According to studies by the EFF and academic researchers:

  • Roughly 80–90% of desktop browsers have a completely unique fingerprint.
  • Mobile browsers are somewhat harder to distinguish because hardware and software configurations are more standardized, but attributes like installed apps and language settings still provide differentiation.
  • Even browsers with the same version on the same OS can be distinguished through canvas or WebGL rendering.

You can test your own fingerprint uniqueness using free tools like the EFF's Cover Your Tracks or AmIUnique.org.

How to Protect Yourself From Browser Fingerprinting

Completely defeating fingerprinting is difficult, but you can significantly reduce your uniqueness with the right combination of tools and habits.

1. Use a Privacy-Focused Browser

Browsers like Tor Browser, Brave, and Firefox (with enhanced tracking protection) actively resist fingerprinting. Tor Browser is the gold standard: it makes every user look identical by standardizing the user agent, screen size, and other attributes.

2. Enable Fingerprinting Protection Settings

  • Firefox: Go to Settings → Privacy & Security → Enhanced Tracking Protection → Strict.
  • Brave: Shields are enabled by default and randomize fingerprintable values.
  • Safari: Includes Intelligent Tracking Prevention (ITP) that limits cross-site tracking.

3. Install Anti-Fingerprinting Extensions

Extensions like uBlock Origin, Privacy Badger, and CanvasBlocker can block known fingerprinting scripts or add noise to canvas and WebGL outputs. Be cautious, though — installing too many extensions can actually make you more identifiable.

4. Use Encrypted DNS

DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) prevents your internet provider and network intermediaries from seeing which sites you visit. While it doesn't stop fingerprinting directly, it strengthens your overall privacy posture.

5. Disable JavaScript Selectively

Most fingerprinting relies on JavaScript. Extensions like NoScript allow you to disable scripts by default and enable them only on trusted sites. This is aggressive but highly effective.

6. Avoid Unnecessary Browser Customization

Ironically, the more you customize your browser (rare fonts, unusual extensions, custom themes), the more unique — and identifiable — you become. Sticking to defaults on a widely used browser helps you blend in.

7. Be Mindful of Links You Click

Shortened or redirected links can lead to pages loaded with fingerprinting scripts. Using a privacy-respecting URL shortener like Lunyb — which doesn't attach invasive tracking parameters — helps reduce your exposure when sharing or clicking links. If you're comparing options, our 2026 buyer's guide to URL shorteners breaks down which services handle user data responsibly.

Comparing Anti-Fingerprinting Approaches

ApproachEffectivenessEase of UseDownsides
Tor BrowserVery HighMediumSlower browsing, some sites block Tor
Brave with ShieldsHighVery EasySome sites may break
Firefox + strict modeHighEasyRequires configuration
Anti-fingerprint extensionsMediumEasyCan increase uniqueness if overused
Disabling JavaScriptVery HighHardBreaks most modern websites

The Future of Browser Fingerprinting

As third-party cookies phase out across major browsers, advertisers and analytics companies are leaning more heavily on fingerprinting. Regulators have taken notice: the EU's GDPR and California's CCPA both classify fingerprinting as personal data processing that requires user consent in most contexts.

Meanwhile, browser vendors are pushing back. Apple's Safari and Mozilla's Firefox have implemented significant anti-fingerprinting measures, and Google Chrome's Privacy Sandbox aims to replace both cookies and fingerprinting with more privacy-preserving alternatives — though critics argue it still enables targeted advertising in new ways.

Expect the arms race between trackers and privacy tools to intensify over the next few years, with machine learning increasingly used on both sides to identify — or obscure — users.

Key Takeaways

  • Browser fingerprinting identifies you based on device and browser characteristics, without storing anything on your device.
  • Techniques like canvas, WebGL, and audio fingerprinting are extremely difficult to detect and block.
  • Most desktop browsers have unique fingerprints, making cross-site tracking possible without cookies.
  • Privacy-focused browsers like Tor and Brave offer the strongest defense.
  • Blending in with defaults is often more effective than heavy customization.

Frequently Asked Questions

Can browser fingerprinting identify me personally?

Not directly. A fingerprint doesn't contain your name or email. However, if you log into a site while being fingerprinted, that identifier can be linked to your real identity — and then used to track you across other sites where you're anonymous.

Does private or incognito mode prevent fingerprinting?

No. Incognito mode only prevents your browser from saving history, cookies, and form data locally. It does nothing to change your fingerprint, so websites can still identify you across sessions.

Is browser fingerprinting legal?

It depends on jurisdiction. Under GDPR (EU) and similar laws, fingerprinting for tracking purposes generally requires informed user consent. In the U.S., regulations vary by state, with California's CCPA offering the strongest protections. Enforcement, however, remains inconsistent.

Will changing my IP address hide my fingerprint?

No. Your fingerprint is based on browser and device characteristics, not your network. Changing IP addresses affects location-based tracking but leaves your fingerprint intact.

What's the single best step to reduce fingerprinting?

Switching to Tor Browser offers the strongest protection because it standardizes almost every fingerprintable attribute. For everyday use, Brave or Firefox with strict tracking protection provides a strong balance between privacy and usability.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles