Cookies and "private mode" do not remove your browser fingerprint: fonts, WebGL, audio, screen and more can still single you out.
Vectors, who uses them, law at a high level, practical defenses, and a score checklist. All quizzes Β· Jump to score
π How unique is your fingerprint? According to research from the EFF's Panopticlick project and AmIUnique.org, 83β90% of browsers have a completely unique fingerprint. If you use non-standard extensions or screen resolutions, that figure rises further. Your browser is, literally, one in a million β and that uniqueness is being used against you.
π Table of Contents
- What is browser fingerprinting?
- How it works: step by step
- The 13 signals tracked β ranked by entropy
- What your fingerprint actually looks like
- Cookies vs. fingerprinting: why cookies are the lesser evil
- Who uses fingerprinting and why
- Advanced fingerprinting: behavioral tracking in 2026
- The anti-fingerprinting paradox
- Is browser fingerprinting legal? GDPR, CCPA and the law
- How to protect your privacy: 3-level practical guide
- Browser comparison: which one actually protects you?
- Interactive: Your Privacy Protection Score
- Frequently Asked Questions (FAQ)
1. What Is Browser Fingerprinting?
Browser fingerprinting is an online tracking technique that identifies users by collecting technical characteristics of their browser and device. Think of it as a digital fingerprint: no two people have exactly the same combination of settings.
Every time you visit a website, your browser automatically sends a huge amount of technical information to the server: which browser you use, what operating system you have, your screen resolution, which fonts are installed, what plugins you use, your timezone, the configured language... and dozens more parameters.
None of these data points individually identifies you. But combined, they create a profile so specific it distinguishes you among millions of users. It's like each piece being a letter β together, they spell your full name.
2. How It Works: Step by Step
Fingerprinting works by exploiting standard browser APIs β functions that exist for legitimate reasons (like rendering graphics or playing audio) but which reveal unique information about your hardware and software.
- You visit a website: as the page loads, a JavaScript script runs silently in the background.
- Data collection: the script queries dozens of browser APIs, collecting information about your device, screen, hardware, software and configuration.
- Hash generation: all that data is combined and passed through a mathematical algorithm that generates a unique code (example:
a7f3b2c91e4d8...). - Remote storage: that hash is saved on the company's servers, NOT on your device. That's why clearing your history does nothing.
- Recognition: the next time you visit that website, the script runs again and generates the exact same hash. The website recognizes you instantly β no cookies required.
β οΈ The critical difference: Cookies are stored on YOUR computer and you can delete them. Your fingerprint is stored on the TRACKERS' SERVERS. You can't delete something that's not on your hard drive.
3. The 13 Tracking Signals β Ranked by Entropy (How Identifying They Are)
Entropy measures how much information a signal contributes to uniquely identifying you. Higher entropy = harder to hide in the crowd. Here are the 13 main browser fingerprinting vectors, ranked:
| Signal | Entropy | What it reveals | Risk |
|---|---|---|---|
| π User-Agent String | ~10.5 bits | Browser name, version, OS, CPU architecture β your device's ID card | π΄ Very High |
| π¨ Canvas Fingerprint | ~8.5 bits | Your GPU/OS renders invisible shapes differently β pixel-level unique hash | π΄ Very High |
| π€ Installed Fonts | ~7.5 bits | Every design tool, game and work app installs unique fonts β your library is one-of-a-kind | π΄ High |
| πΊ WebGL / GPU Renderer | ~7.2 bits | Your exact GPU model + driver version, exposed by every page β no permission needed | π΄ High |
| π Audio Fingerprint | ~5.4 bits | Silent tone processed through your audio hardware via Web Audio API β completely inaudible | π High |
| π Screen Resolution | ~4.8 bits | Width, height, color depth, pixel ratio β multi-monitor and HiDPI setups are very distinctive | π Medium |
| π Browser Language | ~4.2 bits | Multilingual users with uncommon language pairs can be nearly uniquely identified | π Medium |
| π Timezone | ~3.8 bits | Reported even behind a VPN β timezone/IP mismatch is a classic VPN detection signal | π Medium |
| βοΈ Hardware Profile | ~3.1 bits | CPU core count and RAM amount exposed via JavaScript APIs | π‘ Medium |
| π» Platform / OS | ~3.0 bits | OS family (Windows, macOS, Linux) β mismatches reveal browser spoofing attempts | π‘ Low |
| π Plugins & Extensions | ~2.5 bits | Ad blockers, password managers β ironically, privacy tools make your fingerprint more unique | π‘ Medium |
| π Battery Status | ~1.5 bits | Battery % and charging status exposed via Battery API (now restricted in most browsers) | π’ Low |
| β Do Not Track | ~1.2 bits | Only ~12% of users enable it β so having it ON is itself a tracking signal | π’ Low |
4. What Your Fingerprint Actually Looks Like
To understand how detailed your fingerprint is, here's an example of what a script extracts from your visit in milliseconds:
Screen: 1920 Γ 1080 (ratio: 1.25) | depth: 24-bit
Timezone: America/New_York (UTC-5)
Language: en-US, en, es
CPU Cores: 8
RAM: 16 GB
GPU: ANGLE (NVIDIA GeForce RTX 4070 Direct3D11 vs_5_0 ps_5_0)
Fonts (42): Arial, Calibri, Cambria, Consolas, DM Sans, Fira Code, Roboto...
Canvas hash: a7f3b2c91e4d856f2a8bc3e71094d5a2
Audio hash: f4c912b5e78d3a91b6c204e87f1d5c3a
Do Not Track: 1 (enabled β but ignored by 99% of trackers)
FINGERPRINT HASH: 8a4f2e6b1c9d3f7e2b5a8c3d1f6e9b4a
RESULT: Unique among 3,241,880 analyzed browsers. Estimated entropy: 21.4 bits.
5. Cookies vs. Fingerprinting: Why Cookies Are the Lesser Evil
The public debate focuses on rejecting cookies (those annoying pop-up banners), but cookies are far more transparent than fingerprinting:
| Feature | Cookies | Browser Fingerprinting |
|---|---|---|
| Stored where? | On your device (local) | On corporate servers (remote) |
| Can you delete it? | β Yes β two clicks in settings | β No β impossible to remove |
| Incognito protection? | β Yes (clears on session end) | β No β hardware fingerprint is identical |
| Is it visible? | β Yes β inspectable in DevTools | β No β runs silently in JS |
| Blocked by cookie banners? | β Yes (if GDPR-compliant) | β Rarely β most sites ignore consent |
| Survives browser reset? | β No | β Yes β always |
| VPN protection? | β Partial | β No β VPN doesn't change your GPU |
π The Incognito Mode trap: Incognito doesn't save your local history, but it doesn't change your GPU, your installed fonts, or your audio hardware. For external servers, you're still exactly you β just wearing sunglasses.
6. Who Uses Browser Fingerprinting and Why
Fingerprinting has both legitimate and invasive applications:
Legitimate use cases
- Banks and financial institutions: Fingerprinting is used as anti-fraud protection. If someone tries to log in with your credentials from a device with a different fingerprint, the bank flags and blocks the access.
- Anti-bot systems (Cloudflare, Akamai): To distinguish a real human from an automated script attempting a DDoS attack or credential stuffing.
Invasive use cases (the real problem)
- Ad networks and data brokers: Cross your fingerprint across thousands of websites to show hyper-targeted ads and build behavioral profiles, bypassing traditional cookie blockers.
- Paywall enforcement: News sites and streaming platforms use fingerprinting to enforce article limits and free trial periods. Clearing cookies resets the counter β fingerprinting does not.
- Session replay tools (Hotjar, FullStory, Microsoft Clarity): Record exact mouse movements, keystrokes and scrolling behavior on websites under the guise of "UX analytics". This data is tied to your fingerprint.
- Data broker dossiers: A 2025 investigation found that some brokers could link completely anonymous browsing sessions to real names and home addresses using only fingerprint data, combined with other purchased datasets.
7. Advanced Fingerprinting: Behavioral Tracking in 2026
The tracking industry has evolved beyond hardware signals. Today they also track how you behave:
- Keystroke dynamics: The exact rhythm and milliseconds between each key press β biometric keyboard typing patterns unique to you.
- Mouse micro-movements: Your micro-tremors, cursor speed, scroll patterns and click timing β statistically unique behavioral signatures.
- Cross-device tracking: AI correlates that mobile phone X and laptop Y belong to the same person, based on connection schedules, shared Wi-Fi networks, and behavioral similarities across devices.
- WebGPU fingerprinting (new in 2026): The newer WebGPU API exposes even more detailed GPU information than WebGL, creating a higher-entropy fingerprinting vector that few tools currently block.
8. The Anti-Fingerprinting Paradox
Here is the cruel irony at the heart of fingerprinting defense: some measures designed to protect your privacy can actually make you more identifiable.
- Enabling "Do Not Track": Only about 12% of users enable DNT. Having it on is itself a fingerprinting signal that narrows who you are.
- Installing privacy extensions: uBlock Origin, Privacy Badger, CanvasBlocker β each extension you add to your browser makes your fingerprint more distinctive. Having 6 specific extensions is rarer than having 0.
- Using an uncommon browser: Only ~3% of internet users use Firefox. Using a less common browser in itself narrows your anonymity set significantly.
- Heavily customizing settings: Changing default font sizes, zoom levels, or permissions creates a configuration that's statistically rarer and therefore more identifiable.
π‘ The counterintuitive solution: The most effective defense is not to customize your way to uniqueness β it's to blend in by using browsers specifically designed to make all users' fingerprints identical (like Tor Browser) or randomized per session (like Brave). You hide by being indistinguishable from millions of others, not by being a unique defender.
9. Is Browser Fingerprinting Legal? GDPR, CCPA and the Law
European Union (GDPR + ePrivacy Directive)
Under the GDPR, browser fingerprinting constitutes processing of personal data because it creates a unique identifier. This means it requires a lawful basis β almost always explicit consent β and must be disclosed in the privacy policy. The EU's ePrivacy Directive specifically covers fingerprinting and requires consent. In practice, most websites outside the EU fingerprint without consent or disclosure. The upcoming ePrivacy Regulation, still in progress as of 2026, is expected to significantly tighten enforcement.
United States (CCPA / CPRA and state laws)
Under California's CCPA and CPRA, browser fingerprints qualify as unique personal identifiers, giving California residents the right to opt out of their sale. Most US state privacy laws passed since 2023 β including those in Virginia, Colorado, Connecticut and Texas β include similar provisions. However, enforcement remains inconsistent, and most fingerprinting in practice happens without any opt-out mechanism being offered.
βοΈ Bottom line on legality: In Spain and the EU, fingerprinting without consent is illegal under GDPR. In the US, it depends on your state. In practice, it happens everywhere with near-zero enforcement. Don't rely on the law β rely on your browser and tools.
10. How to Protect Your Privacy: 3-Level Practical Guide
You can't be 100% invisible, but you can make trackers' lives significantly harder by applying these layers:
Level 1: For All Users
- Switch to a privacy-respecting browser: Abandon Chrome. Browsers like Brave or Firefox (properly configured) actively randomize Canvas, WebGL and audio fingerprinting values on every page load (Canvas Spoofing). Brave is the only mainstream browser with built-in fingerprint randomization that changes per session.
- Install uBlock Origin: The best blocker available. It doesn't just remove ads β it intercepts and destroys fingerprinting scripts before they can read your hardware. Set it to the "Medium mode" filter list for maximum coverage.
Level 2: Advanced Users
- Don't over-customize your browser: The more niche extensions you install and the more unusual settings you change, the more unique you become. The best way to hide in a forest is to be just another tree.
- Disable WebRTC: WebRTC can leak your real IP address even behind a VPN. In Firefox, go to about:config and set
media.peerconnection.enabledto false. In Chrome, use a WebRTC Control extension. - Test your fingerprint: Visit coveryourtracks.eff.org (EFF's official tool) or amiunique.org to see your actual fingerprint entropy score and how unique you are. Test before and after making changes.
Level 3: Maximum Privacy
- Use Tor Browser: Tor is designed around the principle of "anonymity through uniformity". It forces all users to have the same window resolution, the same fonts, and completely disables Canvas. To the server, all Tor users are exact clones β and that's precisely the point.
β Quick wins you can do right now: (1) Download Brave browser. (2) Install uBlock Origin. (3) Visit coveryourtracks.eff.org to see your current fingerprint score. These three steps take under 10 minutes and dramatically reduce your tracking exposure.
11. Browser Comparison: Which One Actually Protects You?
| Browser | Fingerprint blocking | Default protection | Privacy level |
|---|---|---|---|
| Tor Browser | Maximum (forced uniformity) | Absolute β all users identical | βββββ |
| Brave | High (per-session randomization) | Excellent (active blockers + shields) | βββββ |
| Firefox (Strict Mode) | Medium (blocks known FP scripts, restricts fonts) | Good | ββββ |
| LibreWolf | High (hardened Firefox fork) | Very good | ββββ |
| Safari (Apple) | Medium (hides some tracker signals) | Acceptable | βββ |
| Edge (Microsoft) | Low (some tracking prevention) | Minimal | ββ |
| Google Chrome | None β by design | Minimal (Google's business = your data) | β |
π The one thing you can fully control: your passwords
Your fingerprint is hard to hide β but the door to your email and bank depends entirely on you. Prevent takeovers by generating unique, unguessable 16-character keys for every account.
Generate a Secure Password Now βπ Interactive: Your Browser Privacy Protection Score
Check off each privacy protection you currently have in place. Your score updates instantly.
π‘οΈ Browser Privacy Score β 12 Protections
Tick each protection measure you currently have active. Higher score = harder to fingerprint.
Frequently asked questions
Tap a question to expand the answer.
Is fingerprinting legal (US/EU)?
Often treated as personal data; consent and notice rules apply in the EU; several US states grant opt-out style rights. Implementation on the web is messy β get legal advice if it matters for you.
Incognito?
No β local history only. Hardware and APIs look the same to a remote site.
VPN?
Hides IP, not canvas/WebGL/audio; mismatched timezone vs IP can add signal.
Do Not Track?
Rarely honored; being a DNT user can itself be a rarity signal. Prefer real blockers.
What actually works?
Brave (randomization) or Tor (uniformity) plus uBlock Origin; verify on Cover Your Tracks.
Anti-fingerprinting paradox?
Exotic extension stacks make you stand out. Blend in with serious tools instead of noisy tweaks.
