You clear your cookies. You use private browsing. You even switch to a different browser. Yet somehow, advertising networks still seem to know who you are. The technology making this possible is called browser fingerprinting — and it works without storing anything on your device at all.
What Is Browser Fingerprinting?
Browser fingerprinting is a tracking technique that identifies users by collecting a combination of attributes about their browser and device configuration. Each attribute alone — screen resolution, installed fonts, browser version — is not unique. But combined, they form a fingerprint that is statistically unique for a surprisingly high percentage of users.
Research by the Electronic Frontier Foundation found that browser fingerprints were unique for 83% to 94% of users tested. A 2020 study found that even partial fingerprints were sufficient to re-identify users across sessions with high accuracy.
What Data Is Used to Build Your Fingerprint
Canvas fingerprinting
The most widely deployed fingerprinting technique. JavaScript draws an invisible image using the HTML5 Canvas API — the exact rendering depends on your GPU, graphics drivers, operating system, and font rendering engine. The resulting pixel data is hashed into a short identifier. Two devices with identical hardware and software will produce identical canvas fingerprints; any difference — even a driver version — produces a different hash.
WebGL fingerprinting
Similar to canvas fingerprinting but uses the WebGL API to render 3D graphics. Extracts detailed information about your graphics hardware — GPU vendor, renderer string, and supported extensions. Highly unique across different devices and very stable over time.
Audio fingerprinting
Uses the Web Audio API to process audio signals and measure how your browser and hardware handle them. Like canvas and WebGL, the output varies based on hardware and software configuration. Harder to block than canvas fingerprinting because it is less well-known.
Navigator properties
Your browser exposes dozens of properties through the navigator JavaScript object — browser name and version, operating system, installed plugins, language settings, number of CPU cores, device memory, and whether cookies and JavaScript are enabled. Individually common, combined they narrow the field significantly.
Screen and display
Screen resolution, colour depth, pixel density, available screen area (minus taskbars), and whether a touchscreen is present. These vary enough across devices to contribute meaningfully to fingerprint uniqueness.
Timezone and language
Your browser's timezone setting and accept-language header are sent with every request. Combined with other attributes, they help differentiate users in similar geographic areas.
Installed fonts
JavaScript can detect which fonts are installed by measuring how text renders at various sizes. The set of installed fonts varies by operating system version, language, and installed applications — providing a high-entropy fingerprinting surface. This technique is less effective in modern browsers that limit font detection, but still used by some trackers.
How Fingerprinting Differs From Cookies
| Cookies | Fingerprinting | |
|---|---|---|
| Stored on device | Yes | No |
| Can be deleted | Yes | No |
| Works in private mode | Partially | Yes |
| Blocked by browser settings | Yes | Difficult |
| Works across browsers | No | No (per browser) |
| GDPR consent required | Yes (non-essential) | Yes (contested) |
| Persists after clearing history | No | Yes |
Who Uses Browser Fingerprinting?
Advertising networks use fingerprinting to track users across sites even after cookie consent is refused or cookies are cleared. It is widely used as a "cookie alternative" for persistent tracking.
Fraud prevention systems use fingerprinting to flag suspicious logins — if a login comes from a device whose fingerprint does not match previous sessions, it may trigger additional verification.
Publishers and paywalls use fingerprinting to enforce article limits on users who clear cookies to bypass metered paywalls.
DRM and anti-bot systems use fingerprinting to identify and block automated scrapers and bots that might rotate cookies and IPs but cannot easily randomise their full fingerprint.
Check Your Browser Fingerprint
The Anonymiz Browser Fingerprint Tool shows your browser fingerprint hash and a breakdown of the individual signals contributing to it — canvas hash, WebGL data, screen properties, navigator attributes, and more. Use it to see exactly how unique your browser appears to tracking systems.
Also run the Browser Privacy Score for a complete 12-point privacy audit including fingerprinting, WebRTC leaks, DNS leaks, and tracker exposure.
How to Reduce Your Fingerprint
Use a privacy-focused browser
Brave randomises canvas, WebGL, and audio fingerprints on every site visit, making fingerprint-based tracking much harder. Firefox with privacy.resistFingerprinting enabled in about:config also provides substantial protection. Both are free and maintain full browsing functionality.
Browser extensions
Canvas Blocker (Firefox) and JShelter (Chrome/Firefox) block or randomise canvas, WebGL, and audio fingerprinting APIs. They are more surgical than full browser-level protection but effective against most fingerprinting scripts.
The Tor Browser approach
Tor Browser takes a different approach — instead of randomising fingerprints, it makes all users look identical. All Tor Browser users have the same screen size, the same fonts, the same canvas hash. This "blend into the crowd" strategy is theoretically stronger than randomisation, at the cost of some functionality.
Frequently Asked Questions
Does fingerprinting work in private/incognito mode?
Yes. Private browsing prevents your browser from saving history and cookies locally, but your browser still sends all the same hardware and configuration signals that make up your fingerprint. Fingerprinting is completely unaffected by incognito mode.
Is browser fingerprinting legal under GDPR?
This is actively contested. The EDPB (European Data Protection Board) has indicated that fingerprinting constitutes personal data processing under GDPR, requiring a lawful basis — including consent for tracking purposes. However, enforcement has been inconsistent, and fingerprinting used for fraud prevention may qualify for legitimate interests. The legal landscape is evolving.
Can I have the same fingerprint as someone else?
Yes, but it is rare. The probability depends on how many attributes are collected and their individual uniqueness. Research suggests 1 in 286,000 users share identical fingerprints when a comprehensive set of attributes is measured. In practice, trackers combine fingerprinting with other signals to achieve higher individual identification rates.
