Browser fingerprinting is the most powerful tracking technique on the modern web — and the one most users have no idea is happening to them. It works without cookies, survives incognito mode, and identifies your browser with over 99% accuracy across visits. This guide explains every part of how fingerprinting works, who uses it, how unique your own browser is, and what actually reduces your exposure. By the end you will know exactly which techniques fingerprint you, which defenses help, and which are theatre.
Last updated: 13 May 2026 · 5,300 words · Reading time 23 min
Browser fingerprinting is a method of identifying and tracking users across the web without storing anything on their device. Instead of dropping a cookie that a browser could clear, a fingerprinting script asks the browser dozens of small technical questions — what fonts are installed, how does the GPU render a hidden image, what's the audio stack output for this signal, which TLS cipher suites are sent — and combines the answers into a stable identifier. That identifier is then used to recognise the same browser across sessions, websites, and even across cleared cookies or incognito windows.
The technique relies on a basic fact about software diversity: no two devices are configured identically. Hardware varies (GPUs, sound cards, screens), operating systems version differently, font sets accumulate over time, and browsers expose dozens of small implementation details that differ between installations. Combined, these signals produce a "fingerprint" — a multi-dimensional value that's stable for a given browser but statistically unique against the population.
Crucially, a fingerprint is generated on the fly, not stored. There's nothing to clear, no opt-out cookie banner can address it, and browser privacy mode does almost nothing to defend against it. A 2010 Electronic Frontier Foundation study found 84% of browsers had a unique fingerprint among the test population. A 2016 follow-up using a richer feature set raised that number to over 99%. Modern commercial fingerprinting libraries claim accuracy in the 99.5–99.9% range over weeks of repeat visits.
For a technical deep-dive into the underlying mechanics of each technique, see our companion article on how browser fingerprinting works in detail. This guide focuses on the strategic picture: what fingerprinting is, who uses it, what it can know, and how to reduce your exposure.
Browser fingerprinting is deployed by a much wider range of actors than most users realise. Understanding who uses it — and which uses are legitimate, which are dubious, and which are outright surveillance — is the first step in deciding how aggressively to defend against it.
The advertising industry is the largest user. Major ad-tech platforms and data brokers combine fingerprinting with cookies, IP-address logging, and behavioural data to build cross-site user profiles. When third-party cookies are blocked or expired, fingerprinting picks up the slack. Most large ad networks integrate at least canvas, WebGL, and font fingerprinting; some add audio and TLS layers for higher accuracy.
Fraud detection is the most defensible use case. Banks, payment processors, e-commerce sites, and login systems use fingerprinting to detect suspicious account activity — a login from a new fingerprint on a known account triggers additional verification, which catches credential-stuffing attacks and account takeovers. Companies like Sift, Fingerprint.com (formerly FingerprintJS), and Iovation specialise in this.
Bot detection uses fingerprinting to distinguish real browsers from automation tools. Real Chrome on real Windows produces a fingerprint that matches a known distribution; a headless browser or automation framework produces a fingerprint that often doesn't. Cloudflare, Akamai, and DataDome all use fingerprinting in their bot-mitigation products.
Government surveillance uses fingerprinting both directly (operating tracking infrastructure on services they control) and indirectly (accessing commercial fingerprinting databases via legal requests or data purchases). Several leaked surveillance-vendor catalogues describe fingerprinting-based tracking products sold to law enforcement.
Stalkerware and surveillance applications — including products marketed for tracking spouses, employees, and children — frequently embed fingerprinting libraries to identify and track target devices across web services. This is the most concerning category from a personal-safety perspective.
The same techniques serve very different ends. A bank using fingerprinting to flag a stolen account is doing different work than an ad network building a 30-day cross-site behaviour profile, even though the underlying APIs they call are identical.
Modern fingerprinting combines many signal sources. No single signal identifies a browser uniquely; the combination of seven or eight signals usually does. Here are the techniques in approximate order of how much entropy (uniqueness) they contribute.
The HTML5 Canvas API lets browsers draw 2D graphics — useful for legitimate applications like image editing, charting, or games. Fingerprinting scripts use it to draw a hidden image containing text in particular fonts, then read back the pixel data. Because GPU rendering, font rasterisation, and anti-aliasing differ between devices, the resulting image is subtly unique. The hash of the pixel data is a high-entropy identifier. Canvas is the single most widely used fingerprinting technique and remains highly effective. Test your exposure with our canvas fingerprint test.
WebGL exposes GPU rendering for 3D graphics. Fingerprinting scripts use it to extract GPU vendor strings, driver versions, and supported extensions — and to render hidden 3D scenes whose pixel output reveals deeper GPU-specific details. WebGL fingerprints tend to be even more unique than canvas fingerprints because GPU diversity is high. Our WebGL fingerprint test shows exactly what your GPU reveals.
The Web Audio API processes audio in the browser — designed for music apps and games. Fingerprinting scripts generate a short audio signal, process it through the AudioContext, and read the resulting waveform. Different audio stacks produce subtly different output. Audio fingerprinting works even when canvas and WebGL are blocked, which makes it a popular fallback. See our audio fingerprint test for a hands-on check.
The set of fonts installed on a device is surprisingly identifying. Operating systems ship with default fonts, but users install additional fonts for design work, language support, or specific applications. Scripts probe for the presence of hundreds of common and obscure fonts by measuring how text renders against the system fallback font. Our font fingerprint test reveals which fonts your system exposes.
Every HTTPS connection starts with a TLS handshake, during which the client sends a ClientHello message listing supported cipher suites, extensions, and capabilities in a specific order. The order and contents of this message — captured as a JA3 or JA4 hash — fingerprint the underlying TLS library, which in turn correlates strongly with the specific browser version and OS. TLS fingerprinting operates at the network layer and is not affected by browser-level privacy settings. See our TLS fingerprint deep-dive for the technical details.
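The JA3 derivation described above, as an added example that is not code from this page or from any JA3 tool: it parses a ClientHello, drops GREASE placeholders, and hashes the five ordered fields. The sample ClientHello is constructed, and the function names (`parse_client_hello`, `ja3`, `build_client_hello`, `sample_hello`) are assumptions of this example.

```python
import hashlib
import struct

def is_grease(value):
    """RFC 8701 GREASE placeholders: 0x0a0a, 0x1a1a, ... 0xfafa."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)

def u16_list(data):
    """Decode a run of big-endian 16-bit values."""
    return [struct.unpack_from("!H", data, i)[0] for i in range(0, len(data), 2)]

def parse_client_hello(msg):
    """Return (version, ciphers, extension types, groups, point formats)."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    if int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("length field does not match message size")
    try:
        version = struct.unpack_from("!H", msg, 4)[0]
        pos = 4 + 2 + 32                      # skip version and random
        pos += 1 + msg[pos]                   # skip session id
        n = struct.unpack_from("!H", msg, pos)[0]
        ciphers = u16_list(msg[pos + 2:pos + 2 + n])
        pos += 2 + n
        pos += 1 + msg[pos]                   # skip compression methods
        ext_types, groups, formats = [], [], []
        if pos < len(msg):
            end = pos + 2 + struct.unpack_from("!H", msg, pos)[0]
            pos += 2
            while pos < end:
                etype, elen = struct.unpack_from("!HH", msg, pos)
                data = msg[pos + 4:pos + 4 + elen]
                pos += 4 + elen
                ext_types.append(etype)       # order matters for JA3
                if etype == 10:               # supported_groups
                    groups = u16_list(data[2:])
                elif etype == 11:             # ec_point_formats
                    formats = list(data[1:])
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc
    return version, ciphers, ext_types, groups, formats

def ja3(msg):
    """Return (ja3_string, md5_hex) for one ClientHello."""
    version, ciphers, exts, groups, formats = parse_client_hello(msg)
    def join(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    text = ",".join([str(version), join(ciphers), join(exts), join(groups),
                     "-".join(map(str, formats))])
    return text, hashlib.md5(text.encode()).hexdigest()

def build_client_hello(version, ciphers, extensions):
    """Build a minimal ClientHello (constructed input for this example)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"  # version, random, no session id
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                      # null compression only
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body

def sample_hello(grease, ciphers=(0x1301, 0x1302, 0xC02B)):
    """Constructed ClientHello with one GREASE value in each list."""
    groups = struct.pack("!HHHH", 6, grease, 29, 23)         # x25519, secp256r1
    extensions = [(grease, b""), (0, b""), (10, groups), (11, b"\x01\x00")]
    return build_client_hello(0x0303, [grease, *ciphers], extensions)

if __name__ == "__main__":
    for g in (0x0A0A, 0xFAFA):
        print(hex(g), *ja3(sample_hello(g)))
```

Both sample handshakes produce the same hash because only the GREASE values differ, while reordering the cipher list changes it; nothing in the input comes from browser privacy settings.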
Every HTTP request carries a set of headers — User-Agent, Accept, Accept-Language, Accept-Encoding, and many more. The exact set, order, and values of these headers fingerprint the browser. Even when User-Agent is spoofed, secondary headers often betray the real browser. Our HTTP headers guide walks through what each header reveals.
Whether you run an ad blocker is itself a fingerprinting signal. Sites detect blocking by checking whether bait elements (named to match adblock filter lists) load successfully. The detection result is added to your fingerprint, and additionally lets the site change behaviour (lock content, show anti-blocker notices). See our adblocker detection guide for the full mechanics.
Beyond the technical signals, more sophisticated fingerprinting reads mouse-movement patterns, scroll behaviour, typing rhythm, touch-screen pressure, battery API status (where still exposed), device-orientation sensors, and CPU performance benchmarks. Each adds entropy. Combined with the technical signals, they make near-perfect re-identification across sessions practical.
The uniqueness of a fingerprint is measured in bits of entropy. Each bit of entropy halves the population of matching browsers; 33 bits is enough to uniquely identify any single browser on Earth. A modern fingerprint typically delivers 25–35 bits of entropy from technical signals alone, with additional bits from behavioural data.
Entropy contributions vary by signal. User-Agent string typically contributes 8–10 bits. Canvas adds 7–10 bits. WebGL adds 5–8 bits. Font list adds 5–8 bits. Audio adds 3–5 bits. Timezone, screen resolution, language preferences, and platform contribute another 5–10 bits combined. Most users contribute over 30 bits of total entropy — making them uniquely identifiable across the global population of internet users.
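To make the bit counts concrete, the following added example (not from the original page) computes per-signal entropy, the joint entropy of the full fingerprint, and the anonymity set of individual browsers. The 16-browser population is constructed for illustration, and all function names are assumptions of this example.

```python
import math
from collections import Counter

# Constructed sample population of 16 browsers (not measured data).
# Each tuple is (user_agent, timezone, font_set, gpu).
POPULATION = (
    [("Firefox-RFP", "UTC", "bundled", "generic")] * 8
    + [("Chrome", "America/New_York", "win-default", "Intel UHD")] * 4
    + [("Chrome", "Europe/Berlin", "win-default", "Intel UHD")] * 2
    + [("Chrome", "Europe/Berlin", "win-default+design", "NVIDIA RTX")]
    + [("Safari", "Europe/Berlin", "mac-default", "Apple M2")]
)
SIGNALS = ("user_agent", "timezone", "font_set", "gpu")


def shannon_entropy(values):
    """Average bits of information carried by one observation of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return sum((c / total) * math.log2(total / c) for c in counts.values())


def anonymity_set(fingerprint, population):
    """Number of browsers in the population presenting exactly this fingerprint."""
    return sum(1 for fp in population if fp == fingerprint)


def surprisal_bits(fingerprint, population):
    """Bits revealed by this specific fingerprint: log2(population / matches)."""
    matches = anonymity_set(fingerprint, population)
    if matches == 0:
        return math.inf  # never seen before: no finite estimate from this sample
    return math.log2(len(population) / matches)


def report(population):
    """Per-signal entropy, their naive sum, and the joint entropy."""
    per_signal = {
        name: shannon_entropy([fp[i] for fp in population])
        for i, name in enumerate(SIGNALS)
    }
    return {
        "per_signal": per_signal,
        "naive_sum": sum(per_signal.values()),
        "joint": shannon_entropy(population),
    }


if __name__ == "__main__":
    result = report(POPULATION)
    for name, bits in result["per_signal"].items():
        print(f"{name:<11} {bits:.3f} bits")
    print(f"naive sum   {result['naive_sum']:.3f} bits")
    print(f"joint       {result['joint']:.3f} bits")
    for fp in sorted(set(POPULATION)):
        print(anonymity_set(fp, POPULATION), f"{surprisal_bits(fp, POPULATION):.1f}", fp)
```

In this sample the joint entropy is lower than the sum of the per-signal values because the signals are correlated, so per-signal figures added together are an upper bound rather than the measured uniqueness.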
This means: incognito mode does not help. Private browsing hides history and cookies; it does not change your GPU, fonts, timezone, screen resolution, or audio stack. Your incognito fingerprint matches your regular browsing fingerprint with very high probability. Most fingerprinting libraries detect and merge these sessions automatically.
Two strategies reduce uniqueness. The first is blending in — using a configuration close to the population median (default Tor Browser, default Brave with shields, default Firefox with resistFingerprinting). When millions of users share the same fingerprint, no one is uniquely identifiable. The second is actively randomising the fingerprint on each visit, breaking continuity across sessions. Both have trade-offs explored in the defense section below.
You can measure your own uniqueness by combining the test results from our canvas, WebGL, audio, and font fingerprint tests. The third-party site coveryourtracks.eff.org also provides a population-level uniqueness analysis.
Cookies and fingerprints both identify users, but they work fundamentally differently — and the difference matters for what defenses actually work.
Cookies are stored. A cookie is a small text file the browser saves locally. Clearing cookies, switching browsers, or using incognito mode removes them. GDPR and ePrivacy regulations require consent for non-essential cookies, and browsers expose UI controls to manage them. The user has clear technical and legal control.
Fingerprints are derived. A fingerprint is computed on every visit from properties of the device and browser. There's nothing to delete, no cookie consent dialog to click, and the GDPR position on derived identifiers is still being clarified case by case. The user has very limited technical control — the fingerprint can only be changed by changing the underlying configuration, which is non-trivial.
The practical consequence: a user who religiously clears cookies after every session believes they're un-tracked, but a fingerprinting script merges those sessions trivially. A privacy-conscious user running a hardened browser configuration with cookies disabled may have a more unique fingerprint than a default-configuration user, because rare configurations are themselves identifying.
Modern tracking is hybrid: cookies where allowed, fingerprinting as a fallback, and IP-address logging across both. Defenses that address only one layer leave the others operational. A VPN hides the IP but not the fingerprint; clearing cookies removes the cookie but not the fingerprint; a privacy-extension blocking known trackers removes the script but not the underlying API capability.
The best way to understand your exposure is to test it. Four targeted tests cover the major fingerprinting techniques and give you a concrete sense of how unique your browser actually is.
Start with canvas. The canvas fingerprint test renders a hidden image and shows you the resulting hash. Compare your hash against others by re-running the test in a different browser — the dramatic difference between Chrome and Firefox fingerprints on the same machine illustrates how much the browser itself contributes.
Then check WebGL. The WebGL fingerprint test reveals your GPU vendor, model, and driver version. This is often the most uniquely identifying single signal because GPU/driver combinations are highly fragmented.
Audio and fonts add depth. The audio fingerprint test shows your AudioContext output hash. The font fingerprint test enumerates which fonts your system reveals — a user who installs design software, language packs, or game launchers often has a very distinctive font set.
For network-layer fingerprinting, the TLS fingerprint guide explains what's transmitted in the TLS handshake; tools like the JA4 fingerprint endpoint at tls.peet.ws or browserleaks.com/tls let you see your own JA3/JA4 hash. The HTTP headers guide covers what your browser sends with every request.
After running all five, you'll have a concrete picture of which signals fingerprint you most strongly. Many users discover that a specific signal — typically GPU/WebGL or installed fonts — is the dominant contributor to their fingerprint, which suggests where defense effort is best targeted.
Most popular "anti-fingerprinting" tools provide less protection than users assume. Understanding what actually works requires distinguishing the two viable strategies and the many that aren't.
The strongest defense is to present a fingerprint that matches millions of other users — making identification statistically impossible. Tor Browser is the gold standard here: every Tor user presents the same fingerprint as every other Tor user on the same platform/version. Canvas returns a uniform image. WebGL is restricted. Fonts are bundled and identical. Timezone is normalised. The combined fingerprint identifies the user as "a Tor Browser user" — and nothing further.
The trade-off is that Tor is slow (traffic routes through three relays), some sites block Tor exit nodes, and the browsing experience is intentionally constrained.
Firefox with privacy.resistFingerprinting enabled provides much of the same protection without Tor's network overhead. The feature normalises timezone to UTC, canvas to a uniform output, font lists to a bundled set, and screen resolution to standard values. Combined with Firefox's strict tracking protection and a privacy-respecting search engine, this is a strong middle-ground configuration.
The opposite strategy is to present a different fingerprint on each visit, breaking continuity. Brave Browser implements per-session randomisation for canvas, WebGL, and audio fingerprints — adding tiny amounts of noise that don't break sites but produce different hashes on each load. LibreWolf (a Firefox fork) applies similar techniques.
Randomisation works against linkability (matching a visit to past visits) but doesn't help against single-visit identification, since each fingerprint is still unique per session.
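The linkability effect described above, as an added example that is not from the original page and is not any browser's implementation: a simplified model in which per-session noise flips the lowest bit of some canvas bytes before the tracker hashes them. The pixel buffer, session seeds, and function names are constructed assumptions.

```python
import hashlib

# Constructed stand-in for the pixels one device renders for a test image.
DEVICE_PIXELS = bytes((i * 37 + 11) % 256 for i in range(256))


def canvas_readback(pixels, session_seed=None):
    """Return the bytes a script reads back from the canvas.

    With a session seed, the lowest bit of a seed-dependent subset of bytes
    is flipped, so every value changes by at most 1.
    """
    if session_seed is None:
        return pixels
    out = bytearray(pixels)
    for i in range(len(out)):
        digest = hashlib.sha256(session_seed + i.to_bytes(4, "big")).digest()
        if digest[0] & 1:
            out[i] ^= 1
    return bytes(out)


def fingerprint(readback):
    """The identifier a tracker would store: a hash of the pixel data."""
    return hashlib.sha256(readback).hexdigest()


def linked_visits(visits):
    """Tracker's view: visit ids grouped by identical fingerprint."""
    groups = {}
    for visit_id, fp in visits:
        groups.setdefault(fp, []).append(visit_id)
    return groups


def simulate(randomise):
    """Three visits by one browser: two in session A, one in session B."""
    sessions = [("visit-1", b"session-A"), ("visit-2", b"session-A"),
                ("visit-3", b"session-B")]
    visits = [
        (vid, fingerprint(canvas_readback(DEVICE_PIXELS, seed if randomise else None)))
        for vid, seed in sessions
    ]
    return sorted(linked_visits(visits).values())


if __name__ == "__main__":
    print("no defense: ", simulate(False))
    print("randomised: ", simulate(True))
```

Without noise all three visits collapse into one group; with it, the two sessions separate, but the visits inside a session still share one hash.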
User-Agent spoofing alone is insufficient — secondary signals reveal the real browser. Generic "privacy extensions" that block known tracking scripts help but don't address fingerprinting APIs themselves. VPNs hide IP addresses but leave the fingerprint untouched; combining a VPN with an unmodified Chrome gives you a "Chrome user with a VPN IP" identity, which is in many ways more unique than a Chrome user with their real IP.
Custom browser extensions that randomise individual signals (Canvas Defender, Chameleon, Trace) help but rarely cover all signals, and the act of running them is itself a fingerprinting signal in some setups.
Different browsers offer dramatically different levels of fingerprint protection out of the box. Here's where the major options stand in 2026.
| Browser | Default Protection | Approach | Trade-offs |
|---|---|---|---|
| Tor Browser | Excellent | Uniform fingerprint | Slow, blocked by some sites |
| Brave | Very Good | Per-session randomisation | Crypto wallet features unused by most |
| Firefox + resistFingerprinting | Very Good | Uniform values | Manual toggle, some sites break |
| Firefox (default) | Moderate | Strict tracking protection | Strong but limited APIs |
| LibreWolf | Very Good | Hardened Firefox | Smaller community |
| Safari (macOS/iOS) | Moderate | Intelligent Tracking Prevention | Apple ecosystem only |
| Chrome / Edge | Weak | No fingerprint defense | Largest market share |
The pattern is consistent: browsers built primarily on Chromium with Google's defaults (Chrome, Edge) provide no fingerprint defense. Firefox-based and Tor-based browsers provide the strongest defaults. Safari sits in the middle — strong on cookies and third-party tracking, weaker on active fingerprint defense.
For most users not in a high-threat model, Firefox with strict mode or Brave with shields offers the best practical balance of protection and usability. For users seeking maximum protection, Tor Browser remains unmatched.
The legal status of browser fingerprinting varies by jurisdiction and is still evolving. The trend is toward stricter regulation, but enforcement has lagged behind the technical reality.
European Union (GDPR + ePrivacy): Fingerprinting falls under the GDPR's definition of personal data when used to identify natural persons. The European Data Protection Board has clarified in multiple opinions that fingerprinting requires the same consent basis as cookies. In practice, enforcement against fingerprinting-only setups has been limited, but several large fines have been issued for combined cookie+fingerprint deployment without proper consent.
Germany (TTDSG/DDG): Section 25 of the German Telecommunications-Telemedia Data Protection Act (now consolidated in the DDG since 2024) explicitly covers "access to and storage of information on terminal equipment" — language broad enough to include fingerprinting. Consent is required unless the fingerprinting is strictly necessary for the requested service. The Bundeskartellamt has investigated several major ad-tech companies for fingerprinting practices.
United States: No federal fingerprinting-specific law. The California Privacy Rights Act (CPRA) covers fingerprinting under "personal information" and grants opt-out rights for "sale or sharing." State-level activity is increasing, but enforcement is patchy.
Recent court decisions in the EU have begun treating fingerprinting consent requirements with equal weight to cookie consent. The Court of Justice of the EU's Planet49 ruling (2019) and subsequent national-court extensions have shaped the current direction.
For the practical individual, the legal landscape doesn't yet provide reliable protection. Technical defenses remain more effective than relying on enforcement.
Two competing forces shape the next few years of browser fingerprinting.
Browser API restrictions are tightening. Chrome's Privacy Sandbox restricts cross-site tracking through proposed APIs like Topics and FedCM, but these address third-party cookies rather than fingerprinting. More relevant: Firefox and Safari continue to add fingerprint-specific protections, and Chrome has started restricting some high-entropy APIs (like Battery Status, which is now removed from most browsers). The User-Agent string is gradually being reduced to coarse-grained Client Hints, which carry less entropy by default.
Server-side fingerprinting is growing. As browser-side defenses improve, fingerprinting is shifting toward network-layer signals that browsers can't easily modify — TLS fingerprinting (JA3, JA4), TCP/IP stack characteristics, and HTTP/2 frame patterns. These can't be defeated by browser configuration alone; they require either masking via a proxy or matching common TLS clients.
AI-driven correlation is the third axis. Even when individual signals are weak, machine-learning models trained on large datasets can correlate weak signals across sessions to re-identify users. This works against most current defenses except blending in (where the model has no useful signal to correlate).
The strategic question for the next five years: do browsers move fast enough to outpace fingerprinting innovation, or does fingerprinting consolidate to the network layer where browsers can't help? Privacy-focused users should expect to maintain active defense strategies rather than relying on browser defaults to keep pace.
No. Incognito mode hides browsing history and cookies from your local device. It does not change your GPU, fonts, audio stack, screen resolution, or any other fingerprinting input. Your incognito fingerprint matches your regular fingerprint, and tracking scripts merge the sessions trivially.
No. A VPN hides your IP address from websites. Your browser fingerprint is generated from your device and browser, not from your IP — so it remains identical with or without a VPN. A VPN plus an unmodified browser gives you a "user with a VPN IP" identity that may actually be more uniquely identifying than your normal traffic.
Partially. Cross-browser tracking is harder because each browser produces a different fingerprint. However, some signals (GPU model, installed fonts, screen resolution) are the same across browsers, and sophisticated tracking can correlate sessions with reasonable confidence.
Default Chrome provides no fingerprint defense and Google's own ad-tech depends on it. For privacy-focused users, Firefox or Brave is a significantly better default. Chrome with privacy extensions still leaves the underlying API capabilities exposed.
Canvas fingerprinting renders a hidden image in your browser, then hashes the pixel data. Different devices render the same image slightly differently due to GPU and font variations, producing a unique hash. Test yours with our canvas fingerprint test.
WebGL exposes GPU rendering. Fingerprinting scripts extract GPU vendor strings, driver versions, and rendering characteristics — usually the single most uniquely identifying signal. Our WebGL test shows what your GPU exposes.
TLS fingerprinting (JA3/JA4) identifies the browser by the specific contents of its TLS ClientHello handshake message. It operates at the network layer and can't be defeated by browser settings alone. See our TLS fingerprint guide.
For most users, unique within the global internet population. Modern fingerprints provide 25–35 bits of entropy from technical signals; 33 bits is enough to uniquely identify any browser on Earth.
Disabling JavaScript stops most browser-side fingerprinting techniques — canvas, WebGL, audio, font enumeration. It does not stop TLS fingerprinting, HTTP-header fingerprinting, or IP-based tracking. It also breaks most modern websites.
Partially. Ad blockers stop known tracking scripts from loading, which prevents many fingerprinting attempts. They don't stop fingerprinting performed by the visited site itself, nor do they address TLS-layer fingerprinting. Whether you run an ad blocker is itself a fingerprinting signal — see our adblocker detection guide.
For most users not in a high-threat model: Firefox with strict tracking protection and resistFingerprinting enabled, or Brave with default shields. Add uBlock Origin for additional script blocking. Use a VPN if you also want IP-level privacy. For maximum protection, use Tor Browser for sensitive sessions.
Yes, in most cases. EU regulators have repeatedly clarified that fingerprinting requires the same consent basis as cookies. Enforcement varies, but the legal position is clear.
Not directly. A fingerprint identifies a browser, not a person. It becomes personal once that fingerprint is linked to identifying information (a login, a purchase, a verified account). Once linked, the fingerprint serves as an identifier even when other signals are absent.
Fingerprinting itself uses negligible bandwidth. Heavy fingerprinting scripts can slow page load slightly, but the impact is usually under 100 ms. Internet speed problems are almost always unrelated — see our internet speed guide for diagnosing those.
It depends on your threat model. For casual browsing, fingerprinting primarily feeds advertising profiles — annoying but not directly harmful. For journalists, activists, abuse victims, or anyone in an environment where being tracked is dangerous, fingerprinting is a serious concern that warrants Tor Browser or equivalent protection.