What Is Browser Fingerprinting and Can Websites Really Identify You?

Most people assume that clearing cookies makes them anonymous online. It doesn't. Long before you accept or reject a cookie banner, the page has already learned dozens of things about your browser — and the combination is usually enough to recognize you the next time you visit, even from a different IP and a freshly wiped cache.

This is browser fingerprinting: identifying a visitor not by something stored on their device, but by the constellation of technical details their browser quietly exposes. No login, no tracker, no cookie. Just the act of loading a page is enough.

The technique has been mainstream for over a decade. The countermeasures are newer and uneven. Here's what's actually going on.

Fingerprints, plural

The concept is older than the web. A literal fingerprint isn't unique because of any one ridge; every ridge is shared with millions of other people. The pattern of dozens of ridges, taken together, is what no one else has.

Browsers work the same way. Your screen resolution is shared by tens of millions of people. So is your operating system. So is your timezone, your default language, your CPU core count, even your installed font list. But the precise combination of all of those values, recorded in the same instant, almost always belongs to just one person.

Researchers and trackers refer to this combined signal as your fingerprint. The point of fingerprinting code on a webpage is to compute it, hash it, and use the hash as an identifier — exactly the way a cookie ID would be used, except the user can't see it or clear it.

The signals websites collect

There's no single property a tracker reads. There are dozens. The most-used ones fall into a handful of categories.

Canvas rendering. The page asks the browser to draw a short piece of text and a few shapes to an invisible canvas, then reads back the pixel data and hashes it. The output looks identical to a person but isn't identical at the byte level — different GPUs, font stacks, and anti-aliasing settings produce subtly different pixels. Two users with the same operating system but different graphics cards will produce different canvas hashes.

WebGL. A close cousin of canvas. The page asks for your GPU's name and capabilities through the WEBGL_debug_renderer_info extension, getting back a precise string like ANGLE (NVIDIA, GeForce RTX 3080…). That's one of the most stable cross-site identifiers a browser exposes: the GPU rarely changes unless you upgrade hardware.

Audio. The browser's audio stack does floating-point math, and tiny differences in how that math is rounded result in slightly different output buffers. Fingerprinting code plays a silent tone through an OfflineAudioContext, captures the result, and hashes a slice of it. Two installations of the same browser on the same OS often produce subtly different audio signatures.

Screen and display. Window dimensions, device pixel ratio, color depth, dark-mode preference, supported color gamuts, dynamic-range support. None of these are very unique on their own, but they combine.

Installed fonts. This is a surprisingly powerful signal. The set of fonts on your machine reveals your operating system (Calibri on Windows, Helvetica Neue on macOS, DejaVu on Linux), what software you've installed (Microsoft Office adds dozens, Adobe products add dozens more), and sometimes even your profession — designers tend to have hundreds of fonts a typical user wouldn't. Research by the EFF put fonts at roughly 14 bits of entropy on average, which is more than many trackers need.

Navigator properties. User agent, platform, vendor, language preferences in order, hardware concurrency (number of CPU cores), device memory, touchpoint count, timezone. Most of these are visible without any sneaky tricks — they're properties of the navigator object that every script can read.

WebRTC. A real-time communication API designed for video calls, but it does something unsettling as a side effect: it can leak your local network address (like 192.168.1.42) directly to a page. Even more concerning, in some VPN configurations it leaks both your VPN-assigned public IP and your real local IP at the same time, defeating the point of the VPN. We have a separate piece on what those public vs private IP addresses mean and why this matters; the IP lookup tool shows what's visible.

How unique is your fingerprint?

The seminal paper on this was the EFF's Panopticlick study, which collected fingerprints from hundreds of thousands of volunteers in 2010 and found that 83.6% of browsers were unique in their dataset. Even after excluding the highly distinctive plugin and font lists, more than half were still unique.

Later research on much larger populations — like a 2020 paper that analyzed two million fingerprints — found lower uniqueness rates, around 33%. That sounds reassuring until you realize it still means one in three people are individually identifiable from their browser alone, and most of the rest are in groups small enough that a few additional signals (the IP address; the referrer; the time of day) narrow things down to one.

The unit researchers use here is bits of entropy. Twenty bits means roughly one chance in a million. A typical browser exposes 15-25 bits across all the signals combined; high-resolution displays, niche GPUs, and large font sets push the total higher.

The cookie difference

Cookies are a thing the website asks the browser to store. You can clear them. You can block third-party ones. You can browse in incognito mode and they don't follow you. There's a regulatory regime built on top of them — cookie banners, consent records, opt-out flows.

Fingerprinting is the opposite of all that. The browser doesn't store anything; the website just observes properties the browser inherently exposes. There's no cookie banner because there's no cookie. Clearing your storage has no effect because nothing was stored. Incognito mode helps a little (no shared cookies, no shared cache) but barely — the fingerprint itself is the same in private windows as in regular ones.

The legal status is also fuzzier. GDPR and ePrivacy recognize fingerprinting as a form of tracking that requires consent, but in practice enforcement is light and the controls users have are mostly browser-side.

What browsers are doing about it

The defenses have improved significantly in the last few years, and they look very different across vendors.

Firefox ships the most ambitious built-in defenses. Enhanced Tracking Protection in strict mode adds noise to canvas and audio outputs, normalizes screen dimensions, clamps hardware concurrency to a small set of common values (4 or 8), restricts which fonts pages can enumerate, and rounds the timezone. Firefox 145 in late 2025 expanded the set considerably. The cost is occasional site breakage — pages that genuinely rely on canvas or precise viewport size sometimes misbehave.

Brave takes a different approach called farbling: canvas, audio, and WebGL outputs get randomized noise injected per session. The fingerprint is still computable, but it's different every browser session, so it can't be used to recognize you across visits. The trade-off is similar — some sites break — but the protection is on by default and has been for years.

Safari added Advanced Fingerprinting Protection in 2023. It works by inspecting which scripts on the page resemble known fingerprinting libraries and feeding them defanged values. The approach is more conservative than Brave's blanket randomization but adds basically zero compatibility cost.

Chrome does the least. The user agent string has been frozen to reduce one source of entropy, but canvas, audio, WebGL, and font enumeration are all standard-issue, and Google has been slow to adopt the kind of randomization other browsers ship. If you care about fingerprint resistance, Chrome is the wrong choice.

Tor Browser remains the gold standard. It returns zeroed-out values for almost every fingerprinting signal — blank canvas data, a single fixed screen size, a tiny font set, no WebGL renderer info — to make every Tor user look identical. The cost is significant: Tor is slower, some sites refuse to serve Tor IPs at all, and the visual experience is more limited.

What you can actually do

Most of the practical advice for normal users comes down to three things.

Use a browser that fights fingerprinting. Firefox with ETP set to strict, or Brave with its default settings, will materially reduce your trackability. Tor if your threat model genuinely needs it. Chrome is the worst choice here.

Understand what a VPN does and doesn't do. A VPN hides your IP. It does not stop fingerprinting. The website behind the VPN sees the VPN's IP instead of yours, but the canvas hash, font list, and GPU string look identical with or without it. VPNs are valuable for the IP part — keeping your ISP and apparent location private — but they aren't a fingerprinting defense.

Be careful with extensions. Many privacy extensions paradoxically make you more unique by adding signals (custom user agents, blocked-content patterns, distinctive injected code) that very few other users share. The Tor Project's research has consistently found that the most effective defense is blending in — using a common browser, on a common OS, with default settings — rather than piling on extensions that mark you as someone who cares.

The unsatisfying truth is that perfect fingerprint resistance is currently impossible without sacrificing significant browsing comfort. The achievable goal is making your fingerprint unstable (so it can't track you across visits) and less distinctive (so you blend into a larger group). The browser defenses above do both, imperfectly.

And while you're at it, the VPN check tool shows whether your IP looks like a known commercial VPN, proxy, or Tor exit — useful for sanity-checking that whatever you're using to hide your IP is actually doing the job.