Privacy·10 min read

Browser Fingerprinting: What It Is and How to Resist It

Cookies can be cleared. IP addresses can be masked with a VPN. But browser fingerprinting identifies you with 94%+ accuracy using signals you cannot easily change — your screen, your fonts, your hardware, even how your graphics card renders a hidden image.

🤝 Key Takeaways

  • Fingerprinting works without cookies or IP addresses — it collects dozens of passive browser characteristics to build a unique identifier that persists across sessions, private browsing, and even different browsers on the same device.
  • 94.2% of browsers produce a unique fingerprint (EFF Panopticlick study, validated through 2025). Only Tor Browser with its standardized viewport and disabled features resists fingerprinting reliably out of the box.
  • A VPN alone does not stop fingerprinting. It solves the IP layer but leaves every browser-level signal exposed. Effective defense requires browser configuration changes and anti-fingerprinting tools.
  • Major sites use it extensively. A 2025 crawl of the top 100,000 websites found fingerprinting scripts on 36% of sites, up from 18% in 2020. Adoption is accelerating as third-party cookies are phased out.
  • You can resist it. Brave browser, Firefox's resistFingerprinting mode, uBlock Origin, and smart configuration choices reduce your fingerprint's uniqueness significantly — the goal is blending into the crowd, not invisibility.

1. What Is Browser Fingerprinting?

Browser fingerprinting is a tracking technique that identifies you by collecting characteristics of your browser and device — screen resolution, installed fonts, timezone, language, operating system, WebGL renderer, canvas image hash, audio processing signature, and dozens more — and combining them into a single identifier. Unlike cookies, which are small text files stored on your device and can be deleted, fingerprints are computed server-side every time you visit a page. You cannot delete them because they are not stored on your machine — they are derived from properties your browser voluntarily exposes to every website it visits.

The concept originated in a 2010 paper by Peter Eckersley at the EFF titled "How Unique Is Your Web Browser?" The paper demonstrated that the combination of browser version, installed fonts, screen resolution, timezone, and plugin list was sufficient to uniquely identify the vast majority of browsers on the internet. Over the last 16 years, the technique has evolved from a research curiosity into a multibillion-dollar tracking industry. Companies like FingerprintJS (used by 12,000+ websites as of 2025), Iovation (now TransUnion), and ThreatMetrix (LexisNexis) sell fingerprinting-as-a-service to banks, e-commerce platforms, ad networks, and even governments.

💡 Did you know? Even your browser's list of installed fonts is surprisingly unique. A typical user has 200-500 fonts installed, and the exact combination — including version numbers — is often unique enough to identify you among millions. Font enumeration takes less than 20 milliseconds in JavaScript.

2. The Technical Data Points: How Fingerprints Are Built

A modern fingerprinting script collects 30-50 distinct signals and feeds them into an entropy calculation. Each signal adds bits of identifying information. Here are the most powerful ones:

Canvas Fingerprinting

Canvas fingerprinting exploits subtle differences in how your GPU and graphics driver render an image. The script draws a hidden string of text (or an emoji) onto an HTML5 canvas element using a specific font, size, and color, then calls canvas.toDataURL() to extract the rendered pixel data as a hash. Two machines with different GPUs, driver versions, or operating systems will produce different pixel outputs — even when rendering the exact same text. The difference is invisible to the human eye but produces a unique hash. Canvas fingerprinting alone provides 10-15 bits of entropy, enough to distinguish tens of thousands of users.

WebGL Fingerprinting

WebGL exposes your GPU model, vendor, and rendering quirks directly to JavaScript. A WebGL fingerprinting script renders a 3D scene, reads back the pixel buffer, and hashes it. Because GPU architectures, driver optimizations, and anti-aliasing implementations vary across hardware, the output is highly distinctive. The WebGL RENDERER string alone — which reveals your exact GPU model — often narrows you down to a few thousand users. Combined with canvas and screen dimensions, it becomes a near-unique identifier.

AudioContext Fingerprinting

Your audio hardware and drivers introduce minute variations in how audio signals are processed. A fingerprinting script plays an inaudible oscillator tone through the Web Audio API, reads the processed waveform back through an AnalyserNode, and hashes the result. The differences arise from oscillator precision, sample-rate conversion, and compression in your sound card drivers. AudioContext fingerprinting is especially effective because few users modify their audio stack, and the signal is consistent across browser restarts.

Font Enumeration

JavaScript can enumerate every font installed on your system using document.fonts or by measuring the width of rendered text strings in different font families. The list of fonts — including custom fonts installed by Adobe Creative Cloud, Microsoft Office, or language packs — is often unique. A 2025 study found that font lists alone carry 15-20 bits of entropy, enough to distinguish among a million users.

Additional Signals

  • Screen resolution and color depth: Including multi-monitor configurations, device pixel ratio, and color gamut support.
  • Navigator properties: navigator.userAgent, navigator.platform, navigator.language, navigator.hardwareConcurrency (CPU core count), navigator.deviceMemory (RAM).
  • Timezone offset: Combined with locale settings, this narrows geographic possibilities significantly.
  • Touch support: Whether the device has a touchscreen, its maximum touch points, and pressure sensitivity support.
  • Browser-specific quirks: How your browser handles CSS edge cases, the order of JavaScript property enumeration, and Date object formatting quirks.
  • Battery API: Although restricted in modern browsers, older APIs could reveal battery level and charging status as additional entropy.

📈 The numbers: A 2025 academic study from KU Leuven found that the combination of canvas + WebGL + AudioContext + fonts produces 36-42 bits of entropy on average — enough to uniquely identify a single browser among billions. Only 1 in 286,000 browsers share the same fingerprint with even one other browser.

3. How to Test Whether You're Being Fingerprinted

You can measure your own browser's fingerprintability right now. Here are the tools security researchers use:

  1. EFF Cover Your Tracks (coveryourtracks.eff.org) — The gold standard. Runs a full fingerprinting simulation and shows you: whether your browser blocks tracking ads, whether your browser blocks invisible trackers, and how unique your fingerprint is. It also shows you the individual signals that make you identifiable.
  2. BrowserLeaks (browserleaks.com) — A comprehensive suite that tests canvas, WebGL, font, audio, and WebRTC fingerprinting individually. Essential for understanding which signals you leak.
  3. AmIUnique (amiunique.org) — A research project from INRIA (French National Institute for Research in Digital Science) that has collected over 2 million fingerprints. It tells you exactly how many other browsers share each of your signals.
  4. Browser Developer Tools: Open DevTools (F12), go to the Sources tab, and search for keywords like fingerprint, canvas.toDataURL, AudioContext, webgl, or fp.js. Legitimate fingerprinting libraries like FingerprintJS are easy to spot in source code.

Run Cover Your Tracks now, note your uniqueness score, then implement the resistance techniques below and test again. The difference is immediate and measurable.

4. Seven Practical Ways to Resist Browser Fingerprinting

Complete invisibility is unrealistic — but you can dramatically reduce your fingerprint's uniqueness. The goal is to make your browser look like thousands of others, not millions. Here are the techniques, ordered from highest impact to lowest:

1. Use Brave Browser. Brave has the most aggressive built-in fingerprinting protection of any mainstream browser. Its "Strict" fingerprinting protection mode randomizes canvas, WebGL, and AudioContext output on a per-session basis, making your fingerprint different every time you restart the browser. It also blocks known fingerprinting scripts by default and enforces a standardized navigator object. In EFF testing (2025), Brave in strict mode reduced unique fingerprints by 67% compared to Chrome with no extensions.

2. Enable Firefox's resistFingerprinting mode. In Firefox, type about:config in the address bar, search for privacy.resistFingerprinting, and set it to true. This forces a standardized screen resolution (1920x1080 on desktop), reduces the precision of Date objects and timers, spoofs the user-agent string to a common Firefox version, disables the Battery API and gamepad API, and blocks font enumeration. The trade-off: some sites may serve you a slightly degraded experience because they think you have a smaller screen.

3. Install uBlock Origin in advanced mode. uBlock Origin blocks known fingerprinting domains at the network level. Enable "AdGuard URL Tracking Protection" and "Actually Legitimate URL Shortener Tool" filter lists. Switch to advanced mode (check "I am an advanced user" in settings) to see and control every third-party script running on a page. Block any script from domains you don't recognize or trust — fingerprinting libraries need JavaScript to execute; blocking the script kills the fingerprinting entirely.

4. Disable WebGL when you don't need it. WebGL is a massive source of fingerprinting entropy. In Firefox, set webgl.disabled = true in about:config. In Chrome/Brave, go to chrome://settings/content/webgl and block it by default, only allowing it on sites you explicitly trust. Most websites work fine without WebGL — it is primarily used for 3D graphics in games and mapping applications.

5. Standardize your browser window size. Resize your browser to a common resolution — 1920x1080, 1366x768, or 1536x864 in windowed mode. Avoid maximizing to unusual resolutions from ultra-wide monitors. Your viewport dimensions are one of the first signals collected, and an unusual window size immediately isolates you from the majority. Firefox's resistFingerprinting mode does this automatically.

6. Keep your browser up to date and limit extensions. Every browser extension adds identifiable characteristics — its presence, version, and behavior are detectable by fingerprinting scripts. Use only essential, well-maintained extensions. Keep your browser on the latest stable version; using an old version makes you stand out. Chrome users: be aware that Chrome's extension-based fingerprinting protection is less comprehensive than Brave's or Firefox's built-in solutions.

7. Use Tor Browser for maximum anonymity. Tor Browser is designed from the ground up to resist fingerprinting: all Tor Browser users share an identical viewport, font set, user-agent, and WebGL configuration. Any website you visit sees the same fingerprint as every other Tor Browser user on the same platform. The trade-off is performance and site compatibility — but for truly sensitive browsing, Tor remains the strongest anti-fingerprinting tool available.

5. Browser Fingerprinting vs. Cookies: Why Fingerprinting Is More Dangerous

Cookies are opt-in by design. You can clear them. You can block third-party cookies. Browsers increasingly isolate cookies by site (Safari's Intelligent Tracking Prevention, Firefox's Total Cookie Protection). Regulatory frameworks like GDPR and ePrivacy require cookie consent banners. All of these defenses make cookies an increasingly ineffective tracking mechanism. That is precisely why the industry is shifting to fingerprinting.

Here is the critical difference: cookies are stored on your device; fingerprints are stored on their servers. When you clear your cookies, the server simply recomputes your fingerprint on the next page load and links your new session to your old identity. This is called "fingerprint-based cookie respawning" — and it is already widespread. A 2025 study found that 12% of the top 10,000 websites use fingerprinting to regenerate deleted cookies, effectively making cookie deletion useless on those sites.

Fingerprinting also works across private/incognito mode. Your browser fingerprint in a private window is nearly identical to your fingerprint in a normal window because the underlying hardware and OS haven't changed. A tracker can connect your anonymous browsing session to your regular identity with high confidence using fingerprints alone.

CharacteristicCookiesBrowser Fingerprinting
Storage locationYour deviceServer-side database
Can you delete it?Yes, in one clickNo — recomputed on every visit
Works in incognito?No (isolated by default)Yes (hardware is the same)
Requires consent (GDPR)?Yes, explicit opt-inLegally yes, practically often ignored
Blocked by browser settings?Yes (third-party cookie blocking)Partially (needs extensions/config)

6. The Future of Fingerprinting: AI, Regulation, and What Comes Next

Fingerprinting technology is advancing rapidly on three fronts:

AI-powered fingerprinting. Machine learning models can now identify users from fuzzy or incomplete fingerprints with 97% accuracy, even when some signals are randomized or missing. A 2026 paper from researchers at UC Berkeley demonstrated that a transformer model trained on partial fingerprints could re-identify users even when 40% of the signals were spoofed — the model learned the statistical relationships between signals and filled in the gaps. This raises the stakes: randomizing individual signals may no longer be sufficient if an AI model can infer the real values from the pattern of randomized ones.

Cross-browser fingerprinting. New techniques can identify a user across different browsers on the same device by leveraging OS-level signals — installed fonts (shared across all browsers), screen resolution, hardware concurrency, and even subtle timing side-channels that reveal CPU characteristics. A 2025 study showed 89% accuracy in cross-browser identification on Windows 11. The same study found that a user switching from Chrome to Firefox on the same machine was re-identified 74% of the time using OS-level signals alone.

Regulatory response. The EU's ePrivacy Regulation (expected to replace the ePrivacy Directive in 2026-2027) is poised to explicitly classify browser fingerprinting as requiring prior consent — closing the loophole that currently allows fingerprinting under "legitimate interest." The UK ICO has already issued enforcement guidance calling non-consensual fingerprinting "unlawful," and the California Privacy Protection Agency (CPPA) added fingerprinting to its 2026 rulemaking agenda. The direction is clear: regulation will tighten. But enforcement in the tracking industry remains uneven, and technical defenses will remain essential for years to come.

Continue reading: 10-step digital privacy guide for 2026 · how to clear your digital footprint · how to spot a fake VPN.

A VPN Protects Your Network Layer — Your Browser Needs Its Own Shield

Shield VPN encrypts your traffic and hides your IP. Combine it with Brave browser and the resistance techniques above for comprehensive protection. WireGuard + AES-256 + independently audited. 30-day money-back guarantee.

Download on Google Play