The TLDR
Browser fingerprinting identifies you without cookies by combining dozens of data points about your browser and device – screen resolution, installed fonts, GPU characteristics, timezone, language settings, and more – into a hash that’s often unique to you. The EFF’s Cover Your Tracks project found that most browsers produce a fingerprint unique among at least 300,000 others. Blocking cookies, clearing history, using incognito mode – none of that changes your fingerprint. This is the tracking technique the ad industry is pivoting to as third-party cookies die, and it’s much harder to defend against because the same data that makes your browser unique is also what makes websites render correctly.
The Reality
Go to EFF’s Cover Your Tracks and run the test. It will tell you how unique your browser fingerprint is. Most people are shocked – they expected some anonymity, and instead they find their browser is a snowflake, one in hundreds of thousands or even millions.
In 2010, researcher Peter Eckersley at the EFF published “How Unique Is Your Web Browser?” and found that 94.2% of browsers with Flash or Java enabled were uniquely identifiable. Flash and Java are dead now, but the fingerprinting surface has only grown. Modern browsers expose more APIs, more hardware capabilities, and more configuration options than browsers did in 2010. The fingerprint got richer, not thinner.
The uncomfortable truth: making your browser more private often makes your fingerprint more unique. If you’re one of the 0.1% of people running Firefox on Linux with 14 specific privacy extensions, congratulations – you’re extremely easy to identify because almost nobody else has that exact configuration. The privacy tools designed to protect you become the signature that identifies you.
How It Works
A fingerprinting script – typically embedded in a webpage as JavaScript – queries your browser for dozens of data points and hashes them into a single identifier. Here’s what goes into the recipe:
The Core Components
User Agent String. Your browser identifies itself with a string like Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0. This tells the server your browser, version, and operating system. It’s the most basic fingerprint component, and it alone narrows the field considerably.
Screen Resolution and Color Depth. Your monitor’s resolution (1920x1080, 2560x1440, 3840x2160), the viewport size of your browser window, the device pixel ratio (for Retina/HiDPI displays), and your color depth (24-bit, 30-bit). The combination of these narrows things quickly – someone with a 3440x1440 ultrawide at 30-bit color depth on Linux is a small population.
Timezone and Language. America/Chicago, en-US. These seem generic, but combined with everything else, they add entropy. Someone in the Asia/Kolkata timezone with fr-FR language settings is unusual.
Installed Fonts. JavaScript can enumerate which fonts are installed on your system by measuring how text renders. Your OS ships with a set of default fonts, but if you’ve installed fonts for design work, foreign language support, or because an application bundled them, your font list becomes distinctive. A typical Windows install has 200-300 fonts. A designer’s Mac might have 1,500. A Linux machine might have 80. Each combination is relatively unique.
Plugins and Extensions. While modern browsers have reduced plugin enumeration, some information still leaks. The number and type of installed extensions can sometimes be fingerprinted through their side effects – modified HTTP headers, injected CSS, blocked resources.
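To put numbers on how the core components above combine, here is an added example (not from the original article or from any tool it mentions) that measures, in the style of a uniqueness test, how many bits each attribute reveals and how small the resulting anonymity set is. The eight-visitor population and its attribute values are constructed for illustration, and the function names are hypothetical.

```javascript
// Constructed sample population (illustrative values, not measurements).
const row = (ua, screen, tz, lang) => ({ ua, screen, tz, lang });
const POPULATION = [
  row("Chrome/Windows", "1920x1080", "America/Chicago", "en-US"),
  row("Chrome/Windows", "1920x1080", "America/Chicago", "en-US"),
  row("Chrome/Windows", "1920x1080", "America/New_York", "en-US"),
  row("Chrome/Windows", "1920x1080", "America/Chicago", "en-US"),
  row("Chrome/Windows", "2560x1440", "America/Chicago", "en-US"),
  row("Safari/macOS", "2560x1440", "America/New_York", "en-US"),
  row("Firefox/Linux", "3440x1440", "Asia/Kolkata", "fr-FR"),
  row("Chrome/Windows", "1920x1080", "America/New_York", "en-US"),
];
const ATTRS = ["ua", "screen", "tz", "lang"];

// Bits of identifying information revealed by one attribute value:
// log2(N / count). Rare values carry more bits; a value held by only one
// visitor yields log2(N), and a value never seen yields Infinity.
function surprisalBits(population, attr, value) {
  const count = population.filter((p) => p[attr] === value).length;
  return count === 0 ? Infinity : Math.log2(population.length / count);
}

// Anonymity set: how many visitors share every listed attribute.
function anonymitySetSize(population, visitor, attrs = ATTRS) {
  return population.filter((p) => attrs.every((a) => p[a] === visitor[a])).length;
}

// Bits revealed by the combined fingerprint. This is not the sum of the
// per-attribute bits, because attributes such as timezone and language
// are correlated with each other.
function fingerprintBits(population, visitor, attrs = ATTRS) {
  return Math.log2(population.length / anonymitySetSize(population, visitor, attrs));
}

// One line per visitor: who hides in a crowd and who stands alone.
function report(population) {
  return population.map((v) => ({
    ua: v.ua,
    setSize: anonymitySetSize(population, v),
    bits: Number(fingerprintBits(population, v).toFixed(2)),
  }));
}

console.log(report(POPULATION));
```

The stock Chrome/Windows visitor shares a fingerprint with two others, while the Firefox/Linux visitor with the ultrawide display is alone in the sample.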
Canvas Fingerprinting
This is one of the most powerful techniques. When JavaScript draws text or graphics to an HTML5 Canvas element, the exact pixel-by-pixel rendering depends on your GPU, GPU driver version, operating system, font rendering engine, and anti-aliasing settings. The script draws a specific piece of text or shape, reads the resulting pixels, and hashes them.
Two computers with different GPUs will render the same text with subtle differences – different anti-aliasing, different sub-pixel positioning, different color interpolation. These differences are consistent for the same machine and different between machines. A 2014 study by Mowery and Shacham at UC San Diego found that canvas fingerprinting could uniquely identify 90% of tested browsers.
The genius of canvas fingerprinting is that there’s no obvious way to block it without breaking websites. Canvas is how the web renders graphics, charts, games, and visual content. You can’t just turn it off.
WebGL GPU Fingerprinting
Similar to canvas fingerprinting but using WebGL (the browser’s 3D graphics API). WebGL exposes your GPU’s vendor and model (NVIDIA GeForce RTX 4070, Intel UHD 630), supported extensions, shader precision, and maximum rendering capabilities. A WebGL fingerprint is more hardware-specific than a canvas fingerprint – it tells the tracker not just how your browser renders, but what graphics hardware you’re running.
The WEBGL_debug_renderer_info extension directly exposes the GPU vendor and renderer strings. Some browsers have started restricting this, but the information can often be inferred from other WebGL parameters.
Audio Fingerprinting
The AudioContext API processes audio signals, and the exact output depends on your hardware and software audio stack. A fingerprinting script creates an oscillator, processes the signal, and reads the output values. The tiny differences in how your audio pipeline handles floating-point math create a consistent, machine-specific signature.
The Princeton Web Transparency and Accountability Project found audio fingerprinting deployed on hundreds of popular websites as early as 2016.
The Battery API (Mostly Dead)
The HTML5 Battery API exposed your device’s battery level, charging status, and estimated time to full charge or discharge. Researchers demonstrated in 2015 that the combination of battery level and estimated times could be used as a short-term tracking identifier. Mozilla removed the API from Firefox, and other browsers restricted it, but it demonstrated how any sufficiently specific data point can become a fingerprint component.
Other Signals
- HTTP headers: Accept, Accept-Language, Accept-Encoding, DNT (Do Not Track, ironically), and other headers
- JavaScript engine behavior: Timing of math operations, handling of edge cases in the ECMAScript spec
- Installed media codecs: Which video and audio formats your browser supports
- Pointer and touch capabilities: Whether you have a mouse, trackpad, touchscreen, or stylus
- Hardware concurrency: navigator.hardwareConcurrency reveals your CPU core count
- Device memory: navigator.deviceMemory reveals approximate RAM (4GB, 8GB, etc.)
The Fingerprint Stability Problem
A good fingerprint needs to be both unique and stable – it should identify you today, tomorrow, and next month. Individual components change (browser updates, screen resolution changes when you dock a laptop), but the overall fingerprint is remarkably persistent. Research published at the IEEE Symposium on Security and Privacy showed that fingerprints could be linked across browser updates with over 90% accuracy.
Some tracking companies maintain fingerprint evolution models that account for gradual changes. If 90% of your fingerprint stays the same but your browser version incremented, they can link the old and new fingerprints with high confidence. You’d have to change virtually everything simultaneously to break the chain – and even then, behavioral patterns might re-link you.
Cross-Device Tracking
Fingerprinting on one device is powerful. Cross-device tracking – linking your phone, laptop, tablet, and work computer to the same person – is where it gets dystopian.
Probabilistic cross-device tracking combines fingerprint data with behavioral signals: same login events, same IP addresses, same WiFi networks, similar browsing patterns. If your phone and your laptop both visit the same websites in the same order from the same IP address, a tracker can infer they belong to the same person. Add in deterministic signals (logging into the same Google or Facebook account on both devices), and the link is confirmed.
Companies like Tapad, Drawbridge, and Oracle’s CrossWise (before Oracle exited ad tech) built entire businesses on cross-device identity graphs. Even without cookies, even without a login, they claim to link devices to individuals with 70-90% accuracy.
How Trackers Use It
The Post-Cookie Pivot
As third-party cookies die in Chrome (eventually) and are already dead in Safari and Firefox, the advertising industry is pivoting to fingerprinting as a primary tracking mechanism. The industry term is “stateless tracking” or “deterministic device recognition” – marketing jargon for “we fingerprint you instead.”
FingerprintJS (now Fingerprint.com), one of the most prominent commercial fingerprinting libraries, openly markets 99.5% accuracy for browser identification. Their open-source library is embedded on thousands of websites. While they position it for fraud prevention and bot detection (legitimate uses), the same technology is indistinguishable from surveillance when used for ad tracking.
Fraud Prevention vs. Surveillance
Here’s the tension: fingerprinting has legitimate uses. Banks use it to detect fraudulent login attempts. Anti-bot systems use it to distinguish humans from scrapers. These are genuinely useful applications. But the exact same technology, collecting the exact same data, becomes surveillance when used to track people across websites for advertising purposes. There’s no technical difference between “fraud prevention fingerprinting” and “ad tracking fingerprinting.” The difference is only in intent.
What You Can Do
Browser Choice Matters
Brave takes the most aggressive approach to fingerprinting. It randomizes canvas and WebGL fingerprints, spoofs font enumeration, and adds noise to audio fingerprinting. The goal is to make your fingerprint different on every page load, so trackers can’t build a consistent identity. Brave’s anti-fingerprinting documentation details what they randomize and why.
Firefox offers privacy.resistFingerprinting in about:config, which standardizes many fingerprint components – reporting a generic screen size, timezone, and other values. The trade-off is visual – websites may not render optimally because Firefox is lying about your display capabilities. Firefox also blocks known fingerprinting scripts through its Enhanced Tracking Protection.
Tor Browser goes furthest by making all Tor Browser instances look identical to fingerprinters. Every Tor Browser reports the same screen size, the same fonts, the same canvas output. The cost is performance and usability.
Safari includes some fingerprinting protections through Intelligent Tracking Prevention, presenting a simplified system configuration to trackers. It’s not as aggressive as Brave or Tor but better than Chrome.
Chrome does very little about fingerprinting. The Privacy Sandbox proposals don’t meaningfully address it. This is consistent with Chrome being developed by the world’s largest advertising company.
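The two defensive strategies described above, uniformity (Tor Browser, privacy.resistFingerprinting) and randomization (Brave), can be compared in a simplified model. This is an added example, not code from any of these browsers: the device attributes, the standardized values, the session seeds, and the FNV-1a hash standing in for whatever hash a tracker would use are all assumptions made for illustration.

```javascript
// FNV-1a (32-bit), a small non-cryptographic hash used here as a stand-in.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

const ATTRS = ["screen", "timezone", "fonts", "canvas"];
// The identifier a tracker would derive from the reported attributes.
const fingerprint = (d) => fnv1a(ATTRS.map((a) => `${a}=${d[a]}`).join("|"));

// Constructed devices; "canvas" stands for a digest of rendered pixels.
const laptop = { screen: "3440x1440", timezone: "Asia/Kolkata", fonts: "n=1500", canvas: "px:a91c" };
const desktop = { screen: "1920x1080", timezone: "America/Chicago", fonts: "n=230", canvas: "px:07e2" };

// Uniformity: every browser reports the same generic values
// (placeholder values, not what any real browser reports).
function standardize(device) {
  return { ...device, screen: "1000x1000", timezone: "UTC", fonts: "default", canvas: "px:0000" };
}

// Randomization: rendering output is perturbed with noise derived from a
// seed that changes between sessions (simplified model of the idea).
function randomize(device, sessionSeed) {
  return { ...device, canvas: `${device.canvas}+${fnv1a(sessionSeed + device.canvas)}` };
}

function compareDefenses() {
  return {
    // No defense: each device is stable over time and distinct from others.
    plainStable: fingerprint(laptop) === fingerprint({ ...laptop }),
    plainDistinct: fingerprint(laptop) !== fingerprint(desktop),
    // Uniformity: different devices collapse into one shared fingerprint.
    uniformShared: fingerprint(standardize(laptop)) === fingerprint(standardize(desktop)),
    // Randomization: one device no longer matches itself across sessions.
    randomUnlinked: fingerprint(randomize(laptop, "session-1")) !== fingerprint(randomize(laptop, "session-2")),
    // Within one session the value stays consistent, so pages still work.
    randomConsistent: fingerprint(randomize(laptop, "session-1")) === fingerprint(randomize(laptop, "session-1")),
  };
}

console.log(compareDefenses());
```

Uniformity hides you in a crowd of identical browsers; randomization leaves you unique at any moment but breaks the stability a tracker needs to recognize you later.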
Practical Limits
Here’s the hard truth: there is no way to completely prevent fingerprinting without breaking the web. Every technique that makes you “look like everyone else” trades either functionality or usability. The goal isn’t perfection – it’s raising the cost and reducing the accuracy of tracking to the point where it’s not worth the effort for most trackers.
The most practical approach for most folks:
- Use Firefox with Enhanced Tracking Protection set to Strict, or use Brave
- Install uBlock Origin – it blocks many known fingerprinting scripts before they run
- Don’t install unusual browser extensions – each one makes you more unique
- Use private browsing for sensitive searches – it won’t stop fingerprinting but reduces the data available
- Consider different browsers for different activities – one for logged-in services, one for general browsing
The more you deviate from default configurations, the more unique you become. Paradoxically, the safest fingerprint is often the most common one – a stock Chrome on a stock Windows machine with no extensions. But that trades fingerprint anonymity for total cookie-based tracking. Pick your battle.
Sources & Further Reading
- EFF Cover Your Tracks – Test your browser’s fingerprint uniqueness
- Peter Eckersley, “How Unique Is Your Web Browser?” – The foundational research on browser fingerprinting (EFF, 2010)
- Mowery & Shacham, “Pixel Perfect: Fingerprinting Canvas in HTML5” – Canvas fingerprinting research (UC San Diego, 2014)
- Princeton Web Transparency and Accountability Project – Large-scale studies of web tracking including fingerprinting
- Brave Anti-Fingerprinting Documentation – How Brave randomizes fingerprint components
- FingerprintJS / Fingerprint.com – Commercial fingerprinting library (understand the adversary)
- Mozilla: Firefox Privacy Protections – Firefox’s Enhanced Tracking Protection details
- MITRE ATT&CK T1592: Gather Victim Host Information – How fingerprinting maps to the ATT&CK framework