Browser fingerprinting is a tracking technique that identifies and follows users across the web by collecting unique characteristics of their browser configuration, operating system, hardware, and device settings — without storing anything on the user's device. The Electronic Frontier Foundation's Cover Your Tracks project found that 83.6% of browsers have a completely unique fingerprint, making them identifiable without any cookies, login credentials, or explicit identifiers. When combined with an IP address, uniqueness rises to over 94%. Unlike cookies, which can be deleted, or tracking pixels, which can be blocked, browser fingerprints are inherently persistent — they're a byproduct of how your browser communicates with websites, and there is no simple "clear fingerprint" button. Understanding how fingerprinting works is the first step toward protecting yourself from a tracking method designed to be invisible.
How Does Browser Fingerprinting Work?
Browser fingerprinting works by using JavaScript APIs to query dozens of properties about your browser and device, then combining those properties into a hash value that serves as a unique identifier. When you visit a website, your browser automatically shares information with the server — your user agent string, accepted languages, screen resolution, timezone, and more. Fingerprinting scripts go further, actively probing your browser to collect properties that aren't necessary for rendering the page but are highly distinctive.
The process is invisible to users. A fingerprinting script runs silently in the background, typically taking less than 100 milliseconds to complete. It queries APIs like Canvas, WebGL, AudioContext, and Navigator to collect 33 or more individual data points. Each data point alone isn't uniquely identifying — millions of people have 1920x1080 screens. But the combination of all data points together creates a statistical signature that is unique to your specific browser, device, and configuration. This signature is hashed into a compact string that serves as your fingerprint ID.
The critical difference between fingerprinting and cookie-based tracking is that fingerprinting is stateless. Cookies store an identifier on your device — delete the cookie, and the tracker loses you (until it sets a new one). Fingerprinting reads an identifier from your device's inherent properties — there's nothing stored, so there's nothing to delete. Clearing your cookies, browsing history, and cache does not change your browser fingerprint. Even switching to incognito mode typically leaves your fingerprint identical, since private browsing doesn't alter your browser's underlying configuration.
What Data Points Make Up Your Fingerprint?
A comprehensive browser fingerprint collects 33 or more individual data points, each contributing to the overall uniqueness of your identifier. The most commonly collected signals include: screen resolution and color depth (how many pixels and how many colors your display supports), timezone and language settings (your system locale configuration), the user agent string (browser name, version, and operating system), the platform string (underlying OS architecture), and hardware concurrency (number of CPU cores available to the browser).
More advanced signals include: installed fonts (each system has a unique combination of fonts based on applications installed), device memory (how much RAM the browser reports), touch support capabilities (whether your device has a touchscreen and how many touch points it supports), and the battery API (which until it was deprecated in most browsers could report exact battery level and charging status — a surprisingly unique data point). WebGL reports your GPU renderer string and vendor, which identifies your exact graphics card model. The Navigator API provides information about installed plugins, enabled features, "do not track" settings, and cookie preferences.
Each of these properties carries a certain amount of entropy — a measure of how much identifying information it contributes. The user agent string typically carries 10-15 bits of entropy, canvas rendering carries 8-12 bits, WebGL carries 6-10 bits, and timezone carries 3-4 bits. When you combine 33+ signals, the total entropy easily exceeds the roughly 33 bits needed to uniquely identify any single person among the world's 8 billion inhabitants. In practice, even 18-20 bits of combined entropy is sufficient to identify most users within the population of people visiting a given website.
What Is Canvas Fingerprinting?
Canvas fingerprinting is the most common and most powerful individual fingerprinting technique. It exploits the HTML5 Canvas API — originally designed for drawing graphics on web pages — to identify users based on tiny differences in how their browser renders visual content. A fingerprinting script creates an invisible canvas element, draws a specific combination of text, shapes, and colors onto it, and then reads back the rendered pixel data. Due to differences in GPU hardware, display drivers, font rendering engines, operating system graphics libraries, and anti-aliasing implementations, the exact pixel output varies from system to system.
The rendered canvas image is converted to a data URL and hashed to produce a compact fingerprint value. Two computers with the same monitor, same browser, and same operating system may still produce different canvas fingerprints if they have different GPUs, different driver versions, or different font installations. Research by Princeton's Web Transparency and Accountability Project (WebTAP) found that canvas fingerprinting is used by over 60% of the top 10,000 websites, making it the most deployed fingerprinting technique on the web.
Canvas fingerprinting is particularly effective because it's difficult to block without breaking legitimate website functionality. The Canvas API is used by thousands of legitimate web applications — maps, charts, games, image editors, and data visualizations all depend on it. Blocking Canvas entirely would break these applications. Some privacy browsers like Brave and Tor randomize or normalize canvas output, but this can create visual artifacts or trigger anti-fraud systems that interpret canvas blocking as suspicious behavior. The tension between privacy and functionality makes canvas fingerprinting especially insidious — it weaponizes a useful web standard into a surveillance tool.
Browser Fingerprinting Techniques Compared
| Technique | Data Collected | Uniqueness Contribution | Blockable? | Detection Difficulty |
|---|---|---|---|---|
| Canvas fingerprinting | Rendered pixel data from invisible canvas element — reflects GPU, drivers, fonts, OS rendering | High (8-12 bits of entropy) | Partially — randomization possible but may break sites | Very hard — no visible indicators, runs in <50ms |
| WebGL fingerprinting | GPU renderer string, vendor, supported extensions, shader precision formats | High (6-10 bits of entropy) | Partially — can spoof renderer string but reduces WebGL functionality | Very hard — queries hardware capabilities silently |
| AudioContext fingerprinting | Audio signal processing differences from oscillator node output — reflects audio stack and hardware | Medium (5-8 bits of entropy) | Partially — Brave and Tor add noise to audio output | Very hard — processes audio signal in background without playing sound |
| Font enumeration | List of installed system fonts — varies by OS, installed applications, user customization | High (8-15 bits of entropy) | Yes — Firefox restricts font visibility, Tor uses standard font list | Moderate — detectable by monitoring font measurement APIs |
| Navigator properties | User agent, platform, language, hardware concurrency, device memory, plugins, do-not-track | Medium (10-15 bits combined) | Partially — user agent can be spoofed but other properties are harder to mask | Easy to detect but impossible to block without breaking the web |
| Screen and display | Screen resolution, color depth, device pixel ratio, available screen area, orientation | Medium (4-8 bits of entropy) | Partially — can report false values but may break responsive layouts | Easy — queries standard screen properties |
| Battery API | Battery level, charging status, time to charge/discharge (deprecated in most browsers) | Low-Medium (2-4 bits when available) | Yes — most browsers have removed or restricted this API | Easy — API call is detectable and now mostly unavailable |
How Accurate Is Browser Fingerprinting?
Browser fingerprinting achieves remarkably high accuracy for a technique that stores nothing on the user's device. The EFF's Cover Your Tracks experiment tested over one million browsers and found that 83.6% had a completely unique fingerprint based on browser properties alone. When combined with the user's IP address, the uniqueness rate climbs to 94.2%. For the remaining non-unique browsers, most fall into small groups of 2-5 identical fingerprints rather than large anonymous crowds — meaning even a "non-unique" fingerprint narrows identification to a tiny pool.
Fingerprinting's accuracy persists across sessions in a way cookies cannot. Research published in the IEEE Symposium on Security and Privacy demonstrated that fingerprints remain stable for an average of 74 days without any user interaction, and that even when fingerprints change (due to browser updates or configuration changes), algorithmic techniques can link the old fingerprint to the new one with over 99% accuracy by tracking gradual changes. This means fingerprinting provides persistent tracking even as browser versions update, plugins change, and system configurations evolve.
The entropy analysis behind fingerprinting reveals why it's so effective. With 33+ data points, each contributing multiple bits of entropy, the combined fingerprint carries 40-60 bits of identifying information. To uniquely identify one person among 8 billion on Earth, you need only about 33 bits of entropy. Browser fingerprinting provides nearly double that — meaning it could theoretically identify any single person on the planet, and in practice easily identifies individuals within the much smaller population visiting any given website.
Can You Prevent Browser Fingerprinting?
Tor Browser is the most effective defense against fingerprinting. Tor is specifically designed to make all users look identical by normalizing nearly every fingerprintable property — window size, user agent, timezone (always UTC), fonts (standard set), Canvas output (disabled or normalized), and WebGL (disabled). The goal is to make every Tor user's fingerprint identical, so there's no signal to distinguish one user from another. The trade-off is significant: Tor is notably slower due to onion routing, many websites block Tor exit nodes, and some interactive features are disabled for privacy reasons.
Brave Browser takes a different approach with fingerprint randomization. Rather than making all users identical (which fails if even one property leaks), Brave adds random noise to fingerprintable APIs. Each session produces a slightly different Canvas output, AudioContext result, and WebGL rendering. This doesn't make you anonymous — it makes your fingerprint change constantly, so trackers can't build a persistent profile over time. Brave's approach balances privacy with usability better than Tor, though it's less comprehensive.
Firefox offers the privacy.resistFingerprinting flag in about:config, which enables many of the same protections as Tor (since Tor Browser is based on Firefox). When enabled, it normalizes timezone, user agent, screen dimensions, and font visibility. However, this flag can break websites and is not enabled by default — users must actively seek it out. Safari provides limited canvas API restrictions and presents a simplified system configuration to reduce fingerprint uniqueness, but its protections are less comprehensive than Brave or Firefox's resist fingerprinting mode.
Browser extensions like CanvasBlocker can block or randomize specific fingerprinting vectors, but they only address individual techniques rather than the full fingerprint surface. Importantly, VPNs do not help with browser fingerprinting. VPNs hide your IP address and encrypt network traffic, but fingerprinting operates entirely within the browser using JavaScript APIs that have nothing to do with your network connection. A VPN changes one data point (IP address) while leaving the other 33+ fingerprinting signals completely untouched.
Anti-Fingerprinting Protection by Browser
| Protection | Chrome | Firefox | Safari | Brave | Tor |
|---|---|---|---|---|---|
| Canvas protection | None — full canvas output exposed to all scripts | Opt-in via resistFingerprinting flag — normalizes output | Limited — adds minor noise to canvas reads | Randomized per-session — different output each time | Blocked or normalized — identical across all Tor users |
| WebGL protection | None — full GPU renderer and vendor strings exposed | Opt-in — spoofs renderer to generic string when RFP enabled | None — full WebGL info exposed | Randomized — spoofs renderer and adds noise to output | Disabled entirely — WebGL unavailable by default |
| Font fingerprint blocking | None — all system fonts accessible via JavaScript | Partial — restricts to base font list when RFP enabled | Minimal — uses system font list without restriction | Restricted — limits visible fonts to standard set | Full — uses fixed standard font list identical for all users |
| Audio fingerprint blocking | None — full AudioContext output exposed | Opt-in — normalizes AudioContext when RFP enabled | None — full audio processing exposed | Randomized — adds noise to audio output per session | Normalized — identical AudioContext output for all users |
| Hardware info hiding | None — device memory, CPU cores, GPU fully exposed | Partial — spoofs some hardware values when RFP enabled | Minimal — limits some hardware API access | Partial — randomizes device memory, spoofs some values | Full — reports standardized hardware values for all users |
| Default enabled? | No protections enabled by default | No — requires manually enabling privacy.resistFingerprinting | Some basic protections enabled by default | Yes — all fingerprinting protections enabled by default | Yes — maximum protections enabled by default |
How Adreva Eliminates the Need for Fingerprinting
Adreva's architecture makes browser fingerprinting not just unnecessary but structurally impossible as a tracking vector. Traditional advertising requires identifying and tracking users to build behavioral profiles for targeting — fingerprinting is one of many techniques deployed to maintain persistent identification. Adreva's on-device ad matching eliminates this requirement entirely by performing all ad selection locally within the user's browser. No user identifier — fingerprint, cookie, device ID, or otherwise — is ever transmitted to an external server.
With on-device matching, the user declares their interests through explicit category selection, and the matching algorithm runs locally to compare those interests against available ad campaigns. The advertiser never learns which specific user saw their ad — they receive only aggregate, anonymized engagement metrics. This means there is no fingerprinting, no cookie tracking, no cross-site identification, and no behavioral profiling. The entire surveillance infrastructure that fingerprinting represents becomes unnecessary when the ad system doesn't need to identify users in the first place.
This represents a fundamentally different philosophy from the "detect and block" approach that privacy tools currently use. Tor, Brave, Firefox, and extensions like CanvasBlocker are all playing defense — trying to neutralize fingerprinting techniques after they've been deployed. Adreva eliminates the incentive for fingerprinting by creating an advertising model where user identification provides no advantage. For a comprehensive look at how online ads track you across the web, including fingerprinting, cookies, and other techniques, and how privacy by design differs from privacy by policy, explore our detailed guides on building a more private internet.
Frequently Asked Questions
Is browser fingerprinting legal?
The legality of browser fingerprinting varies by jurisdiction and is evolving. Under the EU's GDPR and ePrivacy Directive, fingerprinting is considered a form of tracking that requires user consent — the same as cookies. However, enforcement has been inconsistent, and many sites fingerprint without consent. In the United States, there is no federal law specifically prohibiting browser fingerprinting, though state laws like the CCPA may cover it as "collection of personal information." The regulatory gap means fingerprinting operates in a legal gray area in most of the world.
Can incognito mode prevent fingerprinting?
No. Incognito (or private browsing) mode prevents your browser from saving history, cookies, and form data locally, but it does not change your browser's fingerprintable properties. Your Canvas rendering, WebGL output, installed fonts, screen resolution, timezone, and hardware properties remain identical in incognito mode. Studies have confirmed that private browsing fingerprints are typically identical to normal browsing fingerprints — making incognito mode completely ineffective against fingerprinting-based tracking.
How can I test my browser fingerprint?
Several free tools let you see your browser's fingerprint. The EFF's Cover Your Tracks (coveryourtracks.eff.org) tests your browser against known fingerprinting techniques and tells you how unique your fingerprint is. AmIUnique.org provides a detailed breakdown of each fingerprinting vector and your entropy contribution. BrowserLeaks.com offers granular tests for individual APIs including Canvas, WebGL, AudioContext, fonts, and more. Testing your fingerprint is a sobering experience — most users discover they are uniquely identifiable.
Is fingerprinting worse than cookies?
In several important ways, yes. Cookies can be deleted, blocked, or managed through browser settings — users have at least some control. Browser fingerprints cannot be deleted because they are not stored on your device. They are derived from your browser's inherent properties, which means they persist across sessions, survive clearing all browser data, and work in incognito mode. Fingerprints are also invisible — there is no browser UI showing you're being fingerprinted, unlike cookie consent banners. Regulators are beginning to address this, but fingerprinting remains less regulated and harder to control than cookies.
Do VPNs prevent browser fingerprinting?
No. VPNs encrypt your network traffic and mask your IP address, but browser fingerprinting operates entirely through JavaScript APIs within the browser. Your Canvas rendering, WebGL output, installed fonts, screen resolution, timezone, and hardware properties are completely unrelated to your network connection. A VPN changes exactly one potential fingerprinting signal (IP address) while leaving the other 33+ signals completely untouched. VPNs are valuable privacy tools for other reasons, but they provide essentially zero protection against browser fingerprinting.
Which websites use browser fingerprinting?
Browser fingerprinting is far more common than most people realize. Princeton's Web Transparency and Accountability Project found that over 60% of the top 10,000 websites deploy some form of fingerprinting. Usage spans both legitimate and invasive purposes: banks and e-commerce sites use fingerprinting for fraud detection and bot prevention, while ad networks and data brokers use it for cross-site tracking and behavioral profiling. Major fingerprinting-as-a-service providers like FingerprintJS serve both use cases, offering device identification SDKs to thousands of websites. The line between "legitimate fraud prevention" and "invasive tracking" often depends on who is deploying the technology and for what purpose.