Browser Fingerprinting: How Websites Track You

What is browser fingerprinting?

Imagine walking into a store wearing a unique combination: purple hat, green jacket, yellow shoes, red umbrella, blue bag. Even if you never say your name, anyone who sees that combination will recognize you when you return. Browser fingerprinting works the same way. Websites don't need to store anything on your device, they simply read the unique characteristics your browser reveals and combine them into a signature.

That's the fundamental difference between cookies and fingerprints. Cookies are little files the site stores on your computer. You can block, delete, or disable them, and you control when they exist. Fingerprints are derived from your system's configuration, not stored on your device. You can't delete yours, and the browser reveals most of its components automatically whenever you load a page.

This matters more every year. Major browsers are phasing out third-party cookies and users are getting better at blocking trackers. Fingerprinting doesn't care about any of that. It works regardless of your cookie settings, works in incognito, and persists across private sessions.

The 20+ data points that identify you

Your browser reveals a lot of information automatically, without asking for permission. The four broad categories are display and graphics, system configuration, browser details, and user preferences.

Display and graphics covers your screen resolution and color depth, GPU vendor and renderer, WebGL capabilities, the Canvas fingerprint (a hash of how your device draws a specific image), monitor count, and orientation.

System configuration adds operating system and version, CPU architecture, RAM, battery status, and the device sensors your browser exposes.

Browser details pulls in the type and version, installed plugins, supported MIME types, detectable extensions, and your Do Not Track setting.

User preferences contributes language preferences, timezone, installed fonts (300+ are detectable), the AudioContext fingerprint, and the presence of LocalStorage and SessionStorage.

Here's the uncomfortable part. No single data point is very unique. Millions of people use Chrome on Windows with 1920×1080 screens. But when you combine twenty or more of these characteristics, the intersection becomes incredibly specific. Research shows that with just 8-10 attributes, your browser fingerprint becomes unique among millions.

How advanced fingerprinting scripts work

Modern tracking scripts go well beyond reading basic browser headers. They actively probe your device, render invisible graphics, and compare micro-delays to build a signature that survives private browsing, VPNs, and most tracker blockers.

Canvas and WebGL rendering. The script asks your browser to draw hidden graphics using Canvas or WebGL. Tiny differences in your GPU, drivers, and anti-aliasing create a unique hash, effectively a hardware fingerprint. Extensions that block Canvas access often break legitimate sites, so isolation tends to be a better defense.

AudioContext and battery signals. Even the way your device processes an inaudible sound wave, or how it reports battery charge, reveals manufacturing differences. Trackers aggregate these micro-signals to stabilize your fingerprint when other attributes change.

Behavioral and performance profiling. Some scripts time how fast your browser executes code, scrolls, and loads fonts. The resulting baseline behaves like a fingerprint that persists even if you block static attributes. The only reliable defense is rotating to a fresh environment.

Cross-session correlation. Fingerprinters combine your device signature with login status, IP range, and browsing patterns. Even when one attribute changes, correlation algorithms reconnect returning visitors with more than 90% accuracy. This is why advice like "change your user agent string" doesn't work; it changes one signal out of dozens.

Fingerprinting is a layered strategy. Attackers assume you will block some techniques, so they gather many. The only reliable countermeasure is to change environments entirely so the fingerprint they build cannot be linked back to you. For more on why private modes don't help, see Incognito Mode Is a Lie.

How unique is your fingerprint?

The Electronic Frontier Foundation's research on millions of browsers produced a few numbers worth remembering.

Eighteen bits of entropy means 1 in 262,144 uniqueness. With billions of users online, thousands share your exact fingerprint in theory, but tracking companies combine it with IP address and browsing patterns to narrow things down to you specifically.

Test your own fingerprint in five minutes

The quickest way to appreciate the problem is to measure it yourself. This workflow takes a few minutes and doesn't require any special tools.

1. 1

   Visit a reputable fingerprint test

   Try coveryourtracks.eff.org or browserleaks.com. Both run locally in your browser and show what a third party would see.
2. 2

   Note the uniqueness score and attributes

   Pay attention to anything unexpected: installed fonts, precise hardware details, AudioContext values.
3. 3

   Retest inside Browser.lol

   Launch a fresh session and run the same test. You'll see a completely different fingerprint, and it disappears when the session ends.
4. 4

   Compare the two reports

   Anything identical across environments is tied to your network, typically your IP. A VPN covers that. Isolation covers the rest.

Who's fingerprinting you, and why

Fingerprinting isn't one company, it's an industry. Four groups dominate. Advertising networks like Google, Meta, and Amazon track you across millions of sites to build ad profiles; your fingerprint follows you across domains. Analytics vendors (Google Analytics, Hotjar, Mixpanel) use it to track unique visitors even when cookies are blocked, and they sell the data to website owners.

Fraud prevention systems at banks and eCommerce sites use fingerprinting legitimately, to detect suspicious logins. A sudden fingerprint change triggers security alerts. It's a reasonable use case that nonetheless creates a permanent record of your device characteristics tied to your identity.

And then there are the data brokers (Acxiom, Experian, Oracle) who purchase device data and resell it. Your fingerprint becomes part of a dossier that's sold hundreds of times to marketers, insurers, and employers.

What defenses actually work

Most people think they're protected because they use privacy tools. Here's the uncomfortable truth about what each one does against fingerprinting.

Tor Browser is specifically designed to defeat fingerprinting by making every user look alike. It works, but it's slow, many sites block it, and it's overkill for normal browsing. You wouldn't use it to shop on Amazon or check social media.

The broader insight is that you can't hide your fingerprint while maintaining normal browsing behavior. What you can do is use a different fingerprint each time. A disposable, isolated browser gives you a completely different signature on every launch, with no connection back to your real identity or other sessions.

Taking back your privacy

Browser fingerprinting is a real shift in how tracking works. The old playbook (blocking cookies, using incognito, clearing data) was built for cookies, not for device-based identification. That playbook is obsolete for the fingerprinting-first web we actually live in.

The approach that works is tiered. Normal browsing goes through your regular browser with tracker blockers; accept some tracking, minimize it where possible. Sensitive browsing (research, shopping, competitor analysis) goes through an isolated session so the fingerprint can't be connected to you. For maximum anonymity, combine isolation with a VPN: isolation prevents fingerprinting, the VPN masks your IP.