Browser Fingerprinting: How You're Tracked Without Cookies
Fingerprinting identifies your browser from a combination of system characteristics without cookies, history, or other common tracking vectors. It survives private browsing, cookie clearing, and most tracker blockers. But there's a lot we can do to beat this mysterious form of tracking.
The Basics
What It Is
Browser fingerprinting is a tracking technique that identifies your browser and other devices by collecting a set of characteristics about your system and combining them into a unique identifier. Unlike cookies, it stores nothing on your device. There's nothing to clear, nothing to block at the storage level, and no indication visible to you that it's happening.
The technique works because the combination of ordinary, individually unremarkable attributes like your screen resolution, your time zone, your installed fonts, the way your graphics hardware renders a specific shape, and many other inherent attributes of your device(s) produces a profile that is statistically unique to your device. You can delete every cookie in your browser, open a private window, and block every known tracker, and a fingerprinting script can still identify you the moment a page loads.
How It Works
When your browser loads a page, JavaScript running on that page can query your browser about your system. The process is passive, invisible, and requires no permission from you.
Some Attributes That Make Up a Fingerprint
- Canvas fingerprinting: a script draws an invisible image in an off-screen canvas element and reads back the pixel data. Because the image is rendered by your specific combination of graphics hardware, drivers, and operating system, the output differs subtly between devices. This is one of the most determinative signals.
- WebGL fingerprinting: similar to canvas, but using 3D rendering. The GPU model and driver version produce characteristic variations in how scenes are rendered, even when the input is identical.
- Audio context fingerprinting: measures how your system processes audio through the browser's Web Audio API. Hardware and OS differences produce measurable variation in the output waveform.
- Installed fonts: your browser can be queried about which fonts are available on your system. The specific set of fonts can differ meaningfully between users.
- User agent string: sent automatically with every browser request. Contains your browser name, version, and operating system. Readable by any server you connect to without any JavaScript needed.
- Screen resolution and color depth, time zone, language settings, browser plugins and extensions: taken together, these can narrow the population of matching browsers dramatically.
- Behavioral signals: fingerprinting can extend beyond static attributes to include typing patterns, mouse movement dynamics, and interaction timing. These behavioral biometrics are harder to spoof and can achieve high identification accuracy even when static signals are partially randomized.
Combined, these signals can make browsers unique or near-unique. Early large-scale studies like the EFF's Panopticlick research (Eckersley, 2010) found 83.6–94.2% of fingerprints were unique across nearly half a million browsers; more sophisticated techniques using OS and hardware-level signals have achieved up to 99% uniqueness in research settings (Cao et al., NDSS 2017). The exact figure varies by method, but the practical conclusion is consistent: for most browsers with no active mitigation, the fingerprint is unique or near-unique.
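To make the "individually unremarkable, jointly unique" point concrete, the following added example (not from the original article or the cited studies) measures entropy and anonymity-set sizes as attributes are combined. The population is constructed, and the attribute values and function names are assumptions made for illustration.

```javascript
// Constructed population of 8 browsers (illustrative values, not measured data).
// Each attribute alone only splits the population in half.
const population = Array.from({ length: 8 }, (_, i) => ({
  screen: i & 1 ? "1920x1080" : "2560x1440",
  timezone: i & 2 ? "America/New_York" : "Europe/Berlin",
  fonts: i & 4 ? "os-default" : "os-default+extra",
}));

// Group browsers by the combined value of the chosen attributes.
// Each group is an anonymity set: browsers a tracker cannot tell apart.
function anonymitySets(pop, keys) {
  const sets = new Map();
  for (const browser of pop) {
    const id = JSON.stringify(keys.map((k) => browser[k]));
    sets.set(id, (sets.get(id) || 0) + 1);
  }
  return [...sets.values()];
}

// Shannon entropy in bits of the combined identifier over the population.
function entropyBits(pop, keys) {
  return anonymitySets(pop, keys).reduce((h, n) => {
    const p = n / pop.length;
    return h - p * Math.log2(p);
  }, 0);
}

// Fraction of browsers whose combined identifier is shared with nobody else.
function uniqueFraction(pop, keys) {
  const singles = anonymitySets(pop, keys).filter((n) => n === 1).length;
  return singles / pop.length;
}

// Add one attribute at a time and record how the anonymity sets shrink.
function report(pop, keys) {
  return keys.map((_, i) => {
    const used = keys.slice(0, i + 1);
    return {
      attributes: used.join("+"),
      bits: entropyBits(pop, used),
      smallestSet: Math.min(...anonymitySets(pop, used)),
      unique: uniqueFraction(pop, used),
    };
  });
}

console.table(report(population, ["screen", "timezone", "fonts"]));
```

Each attribute contributes one bit here, so no single attribute identifies anyone, yet three of them together leave every browser in an anonymity set of one.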
And this form of tracking is widespread. A 2016 Princeton study (Englehardt & Narayanan) crawled the Alexa top 1 million sites and found canvas fingerprinting running on over 14,000 of them...not just on the sketchy edges of the web, but across mainstream retail sites, news sites, and the ad networks embedded throughout them. Those scripts don't have to be deployed directly by every site: a single third-party analytics or advertising service with fingerprinting baked in can appear across thousands of sites simultaneously. The technique moved from "interesting research finding" to "default surveillance infrastructure" years ago. Browser vendors and regulators have started pushing back, but the baseline expectation is that many sites you visit are running some form of fingerprinting, directly or through an embedded third party.
Test Your Own Fingerprint
These tools let you see what your browser is actually exposing, each with a different focus. None of these directly translate to how possible it is for a malicious site to fingerprint you, but they are educational tools to help you see what each of your browsers can expose to sites.
- Cover Your Tracks (EFF): a solid starting point. Runs real fingerprinting techniques against your browser and gives a clear verdict on how protected you are. Tests tracker blocking, fingerprinting resistance, and shows how your browser appears to the tracking ecosystem. Run it before and after switching browsers; the difference is concrete and measurable.
- AmIUnique: focuses specifically on uniqueness. It compares your fingerprint against a large pool of collected fingerprints to show how identifiable you are within the broader population. Good complement to Cover Your Tracks.
- BrowserLeaks: a technically detailed option. Breaks down each fingerprinting surface individually like canvas, WebGL, audio, fonts, WebRTC, IP leaks, and more, so you can see exactly what each API is exposing. Useful if you want to dig into specific signals.
- CreepJS: open-source and research-oriented. Shows how modern fingerprinting scripts actually work by running the same detection techniques attackers use, then displaying the raw results.
How Browsers Try To Beat Fingerprinting
No single mitigation stops fingerprinting entirely...but layered together, these four strategies meaningfully raise the cost of tracking you.
- Blocking known fingerprinting scripts: Tools like uBlock Origin, Brave Shields, and/or Firefox's Enhanced Tracking Protection (in Strict mode) block scripts from known fingerprinting vendors before they ever run. This is highly effective against cross-site fingerprinting infrastructure. A single blocked library can prevent your fingerprint from being collected across dozens of sites at once. It doesn't stop first-party fingerprinting, where a site runs the fingerprinting logic itself without a third-party script, but it removes a large class of reusable tracking infrastructure that makes tracking possible.
- Coarsening and normalizing signals: Rather than blocking fingerprinting outright, some browsers reduce the precision of what they expose. Firefox in Strict mode and Private Browsing adds noise when sites read back canvas data, limits font exposure to standard OS-bundled fonts instead of your full installed set, and coarsens hardware signals like CPU core count and screen dimensions. Safari's fingerprinting protection takes a similar approach. These protections make your fingerprint less distinctive without breaking most sites, since the data is still served, just with reduced entropy.
- Uniformity (Tor Browser, Mullvad Browser): standardize as many fingerprinting signals as possible across all users of the same browser. If every Tor Browser user presents the same canvas output, the same font set, the same user agent, then fingerprinting can't distinguish between them. This is the strongest theoretical approach, but comes with usability sacrifices.
- Randomization (Brave): change fingerprinting signals each session so they can't be used reliably for tracking across sessions or sites. Your canvas output this session differs from your canvas output next session. This is effective against passive, large-scale fingerprinting operations that rely on a stable identifier, and has far less friction than the uniformity approach for everyday use.
Script blocking is a strong baseline for almost everyone. Signal coarsening (Firefox Strict, Safari) adds a meaningful layer on top at low cost. Uniformity (Tor Browser) provides the strongest protection against sophisticated adversaries, but customizing the browser at all undermines it. Randomization (Brave) is a nice middle ground for users who want active resistance against commercial tracking without overhauling how they browse. These aren't mutually exclusive; the strongest setups layer multiple strategies.
On "Anti-Fingerprinting" Extensions
Extensions that claim to block fingerprinting can often make things worse. An extension that injects custom values into canvas or WebGL queries, blocks specific APIs, or randomizes signals may create a fingerprint pattern that's more unique than the default, since now your browser looks like the small population of people running that specific extension with those specific settings. Generally, browser-level mitigations work better than extension-level ones because the browser controls the base signals and can coordinate across them. Extensions see only part of the picture.
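The signal-level strategies above, and the point that a defense covering only part of the picture falls short, can be compared in a toy model. This added example (not from the original article or any browser's code) counts how many constructed devices a tracker can re-link across two sessions; the strategy models, bucket sizes and names such as `relinked` are simplifying assumptions.

```javascript
// Constructed devices (illustrative values, not measured data).
const devices = [
  { canvas: "c1", cores: 8, width: 1920 },
  { canvas: "c2", cores: 8, width: 1920 },
  { canvas: "c3", cores: 12, width: 2560 },
  { canvas: "c4", cores: 16, width: 2560 },
  { canvas: "c5", cores: 4, width: 1366 },
  { canvas: "c6", cores: 2, width: 1280 },
];

// Stand-in for per-session randomness: every call yields a fresh value.
let counter = 0;
const fresh = () => `r${counter++}`;

// What a page can read under each (simplified, assumed) defense model.
const strategies = {
  none: (d) => ({ ...d }),
  canvasOnly: (d) => ({ ...d, canvas: fresh() }), // perturbs one signal only
  coarsen: (d) => ({
    canvas: fresh(),
    cores: Math.min(d.cores, 8),
    width: Math.floor(d.width / 1000) * 1000,
  }),
  randomize: () => ({ canvas: fresh(), cores: fresh(), width: fresh() }),
  uniform: () => ({ canvas: "same", cores: 4, width: 1400 }),
};

// Number of attributes on which two observations agree.
const agreement = (a, b) =>
  Object.keys(a).filter((k) => a[k] === b[k]).length;

// Count devices a tracker can re-link across two sessions: the second-session
// observation must have exactly one best-matching first-session record,
// with at least one agreeing attribute, and it must be the same device.
function relinked(expose) {
  const first = devices.map((d) => expose(d));
  return devices.filter((d, i) => {
    const seen = expose(d);
    const scores = first.map((rec) => agreement(seen, rec));
    const best = Math.max(...scores);
    const winners = scores.filter((s) => s === best).length;
    return best > 0 && winners === 1 && scores[i] === best;
  }).length;
}

const results = Object.fromEntries(
  Object.entries(strategies).map(([name, fn]) => [name, relinked(fn)])
);
console.log(results);
```

In this model, perturbing only the canvas value still leaves four of six devices linkable through the untouched signals, while coordinated coarsening, randomization and uniformity reduce that to two, zero and zero.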
Why It Matters
Everyone should test this themselves. Open your current browser, go to coveryourtracks.eff.org and run the test. If you're using a typical browser, you'll very likely see that your browser is "unique" or "nearly unique" against the population of tested browsers.
Now consider what that fingerprint accumulates over time. Every site that runs fingerprinting tools can correlate your visits without any login or cookies, even in incognito windows. You browse an article about a health condition on one site. You look at a medication on another. You research something financial on a third. None of these required a login. You cleared your cookies between sessions. From the perspective of a tracking network with fingerprinting deployed across all three, it was the same person each time.
The implications scale with your threat model. For most people, the consequence is persistent ad targeting that follows you across sites in ways you didn't agree to and can't easily see. For journalists, activists, or anyone who needs their browsing to be unassociated across sites, fingerprinting is a meaningful surveillance vector that requires a deliberate response.
The honest answer on mitigation is that it requires accepting some tradeoffs. Tor Browser provides the strongest protection but the most friction. Brave's randomization approach provides decent protection against commercial tracking with far less disruption to everyday use. The worst outcome is assuming that clearing cookies, only using a tracker blocker, or using incognito mode has handled it, when in reality those measures don't touch fingerprinting at all.
Common Misconceptions
"Google Chrome is more private than a privacy browser, because privacy tools make me more unique."
This is a prevalent (and dangerous!) misconception, which can push people toward exactly the wrong choice. The reasoning has a kernel of truth...adding signals can make you more identifiable, but the conclusion is wrong because it assumes that not customizing your browser means there are no signals to identify you. Even when you do nothing, your device still produces a unique canvas fingerprint, a unique WebGL fingerprint, an audio context fingerprint, a font list, a user agent, a list of installed extensions, behavioral signals from how you type and move the mouse, and more.
Chrome will do nearly nothing to prevent those signals from leaking to each site you access. Resisting fingerprinting is an active property of a browser, not the absence of customization. Browsers that actually resist fingerprinting (Brave, Firefox, Safari, Mullvad Browser, or Tor Browser) are all better at this than stock Chrome on every meaningful axis. The "blending in by doing nothing" intuition is almost always wrong.
This is a natural place to introduce an important lesson: the lack of doing something bad is not the same as the act of doing something good. A browser that doesn't ship invasive telemetry, doesn't sell your data, and doesn't actively betray you is privacy-respecting...that's the lack of doing something bad. A browser that also takes active steps to randomize or normalize your identifiable signals across sites is privacy-focused...that's the act of doing something good. Both properties matter, but anti-fingerprinting falls mostly in the second category.
"Fingerprinting is too hard to defend against, so there's no point trying."
This leaves a lot of protection on the table. Most people are not the target of motivated fingerprinting operations. What they actually face is the commercial tracking ecosystem, which is large-scale, automated, and passive. That ecosystem can be meaningfully beaten by an ad & tracker blocker and a browser that does any form of active resistance. You don't need perfect anonymity to make the tracking ecosystem less effective at building a profile of you. Brave's randomization, Firefox or Safari with fingerprint resistance, or Mullvad Browser's uniformity gets users most of the benefits.
"A browser that blocks trackers is the same as an anti-fingerprinting browser."
It isn't. Tracker blocking stops third-party scripts from loading, which prevents a large category of third-party fingerprinting. But it does not address first-party fingerprinting, where the site you're actually visiting is running fingerprinting code itself. 2025 research from Zhang et al. found that sites actively use first-party fingerprinting for ad targeting and cross-session tracking even when users have attempted to opt out. A genuinely anti-fingerprinting browser also takes active steps to obscure or randomize the underlying signals that make first-party fingerprinting possible, like signal-level defenses that tracker blockers alone cannot provide. If a browser is doing only the first half, calling it anti-fingerprinting is a marketing claim that the architecture doesn't back up.
Henry's Take
The single most important thing to take away from this category is that the "stock browser is more anonymous" argument is wrong, and acting on it pushes people toward exactly the wrong browser. Chrome is not anonymous. Stock Chrome with the default configuration still generates every signal a fingerprinting script could ask for.
The realistic answer for almost everyone is to combine a browser that does active fingerprinting resistance with a tracker and ad blocker that prevents most of the scripts from running in the first place. That combination: Brave with Shields, Firefox with uBlock Origin, Mullvad Browser, Tor Browser, etc. can all battle this fingerprinting problem without requiring a different lifestyle. The friction is low, and most users will never notice the protection working for them.
I use Brave as my default browser. Mullvad Browser is my pick when uniformity-based resistance is the better fit...things like research that doesn't need to be linkable to my identity, account-free browsing, anything where standing out is the actual threat. Tor Browser is what I reach for when network-level anonymity is also part of the requirement. None of these are the universal answer; they're tools for slightly different jobs, and I install multiple browsers for exactly this reason.
If you take one thing from this article, take this: don't downgrade to a browser you think is "safer because it does less." That move is louder than the customization it's trying to avoid.
Henry's Picks
Brave: randomization-based fingerprinting resistance enabled by default through Brave Shields, paired with native tracker and ad blocking. A low-friction option for users who want meaningful protection against the commercial tracking ecosystem without adopting a different browsing lifestyle. My default.
Mullvad Browser: uniformity-based resistance built on the same approach as Tor Browser, but connecting to the regular internet. Designed to pair with a VPN. Ephemeral by design (clears all data on close). Higher friction than Brave: more CAPTCHAs, more site compatibility quirks in exchange for stronger anti-fingerprinting properties. The right pick when standing out is the threat you're actually worried about. I use this with Mullvad VPN which is what they suggest.
Tor Browser: the strongest fingerprinting resistance available in a mainstream browser, layered on top of network-level anonymity via the Tor network. Slower, with more compatibility tradeoffs, but covered in depth in Understanding Tor for the situations where it's the right tool.
Pair any of these with an ad and tracker blocker. uBlock Origin on Firefox, Brave Shields by default on Brave, and Mullvad Browser's built-in blocking by default all do this. Browser + blocker is the combination that handles most of what most people face. Ghostery and AdGuard are two other great, open-source extensions for something more approachable.
Test your own fingerprint. Cover Your Tracks (EFF) and AmIUnique both let you see what your current browser is exposing. Worth running once before you switch and once after: the difference is concrete.
See the broader recommendation set at Techlore's SPA Tools.
Go Deeper
Techlore content:
- Go Incognito v2, Lesson 4.7: Browser Fingerprinting