You clear cookies. You change your IP. You launch incognito. You even update Chrome. The site greets you back like an old friend, with the same recommendations, the same fraud-flag status, the same price tier. Three small hashes are doing most of that recognition work, and none of them live in storage you can clear.
They are the Canvas fingerprint, the WebGL fingerprint, and the AudioContext fingerprint. Each is derived from the hardware and driver stack underneath the browser, not from anything the page wrote to your machine. Together they form a static device signature that persists across restarts, profile resets, fresh installs, and most privacy extensions. This is the layer below cookies, and it is where modern tracking actually lives. Updated: 2026.
A static device fingerprint is a hash derived from the way your hardware and drivers respond to a workload (a canvas drawn, a 3D scene rendered, a sine wave processed). It is not stored on your device, so there is nothing to clear. Two machines from the same factory batch can still produce different hashes because of GPU silicon variance and driver build numbers. We already covered the broad picture in Browser Fingerprinting: How Websites Track You. This post drills into the three vectors that do most of the work.
Why these three, out of dozens
A modern fingerprinting script probes about 40 vectors on a typical page. User-Agent, screen size, language headers, font list, installed plugins, timezone offset, pointer precision, hardware concurrency. Most of those values are short integers or short strings, and each carries between one and five bits of entropy in practice. They are useful as glue, not as identifiers.
Canvas, WebGL, and AudioContext are different. Each one runs a deterministic workload through the device and hashes the output. The hash depends on GPU silicon, driver version, OS font rasterizer, anti-aliasing strategy, and the audio subsystem's floating-point implementation. That is why a fresh install of Chrome on the same machine still produces almost the same three hashes the next day, while the same machine with a different GPU driver produces visibly different ones.
The numbers from the EFF's Cover Your Tracks dataset and the Inria AmIUnique corpus put the canvas hash at roughly ten bits of entropy, WebGL renderer information at six to eight bits, and AudioContext at four to five bits. A session that exposes all three pushes well past eighteen bits, enough to single you out of a quarter million users, which is more than enough for ad targeting, fraud scoring, and most analytics pipelines.
Canvas fingerprinting in detail
A canvas fingerprint is the hash of a picture your browser was asked to draw and never showed you. The script creates an off-screen <canvas>, fills it with a few shapes and a string of text in two or three fonts, then calls toDataURL() and hashes the resulting PNG bytes. Nothing is visible to the user, and the entire process takes a few milliseconds.
The hash is stable on a given machine because the rendering path is deterministic. The same GPU plus the same driver plus the same OS font rasterizer plus the same anti-aliasing mode produces the same PNG, byte for byte. Change any one of those and the hash flips. That is why a Windows feature update sometimes makes a previously stable user look brand new to a tracker, and why enterprise machines with locked driver versions look almost identical to each other.
A skeleton of the attack reads like this:
const c = document.createElement("canvas");
const ctx = c.getContext("2d");
ctx.textBaseline = "alphabetic";
ctx.font = "14px 'Arial'";
ctx.fillStyle = "#069";
ctx.fillText("Cwm fjordbank glyphs vext quiz, ", 2, 15);
ctx.fillStyle = "rgba(102,204,0,0.7)";
ctx.fillText("Cwm fjordbank glyphs vext quiz, ", 4, 17);
const png = c.toDataURL();
// hash(png) becomes your canvas fingerprintThat snippet is not exotic. It is essentially the routine that FingerprintJS, ThreatMetrix, and Cloudflare Bot Management run on first contact, with variations. Brave and uBlock Origin defend by adding a small per-session noise function before the hash is read, which produces a different hash every time. The protection works against naive aggregators but is itself detectable: a hash that never repeats is a signal in its own right, and trackers file you under "user with canvas randomization".
WebGL fingerprinting in detail
WebGL gives the page direct access to your GPU through a JavaScript shim of the OpenGL ES API. Two things are immediately interesting. First, a tiny extension named WEBGL_debug_renderer_info exposes the GPU vendor and the rendered string verbatim, which on most desktop machines looks like ANGLE (NVIDIA, GeForce RTX 4070, OpenGL 4.5.0) or something similarly specific. That single string can carry more than ten bits of entropy on its own, because it includes the driver branch and sometimes a build hash.
Second, even when the extension is masked or disabled, the rendered output of a moderately complex 3D scene (a textured torus, a gradient sphere, a few rotated triangles) is still hashable. Different shader compilers, different precision settings, and different blending implementations move pixels by small but consistent amounts. The script reads back the framebuffer with readPixels(), hashes it, and stores the result.
Disabling WebGL outright is the cleanest defense and the most expensive. Google Maps, most browser games, half of the modern SaaS tools that render charts on the GPU, and a surprising number of e-commerce 3D viewers stop working. Firefox exposes a webgl.disabled preference for users who accept that trade. Tor Browser leaves WebGL enabled but normalizes the renderer string to a uniform value across all installs, which is why two Tor users on completely different hardware report the same WebGL signature to the page.
AudioContext fingerprinting in detail
AudioContext fingerprinting is the quietest of the three, in every sense. The script instantiates an OfflineAudioContext, generates a triangle or sine wave at a fixed frequency, runs it through a dynamics compressor with set parameters, and reads the resulting samples back as a Float32Array. No sound ever reaches the speakers. The device does not need to be unmuted. Headphones do not matter. What matters is the floating-point math your audio stack used to produce those samples.
Audio output looks identical to a human (and to any spectrum analyzer that cares about audible content), but the underlying float32 values differ between implementations of the compressor algorithm. Browser builds, OS audio engines, and even some CPU microcode revisions push the least-significant bits around in stable patterns. Hashing the buffer or summing it produces a number that survives reboot, profile reset, and most extensions.
AudioContext carries less entropy than canvas (typically four to five bits), so on its own it does not single anyone out. Its real value to a tracker is that almost nobody defends it. Canvas and WebGL get noisy attention from privacy tooling, but audio sits underneath. A script that finds matching canvas and audio hashes across two sessions is more confident in the match than canvas alone would justify, because the audio number is unlikely to repeat by accident.
How the three compare
Side by side, the three vectors have different strengths. The table below summarizes what each one buys a tracker, what it costs you to defend, and how visible the defense itself is to the tracker.
| Vector | Avg entropy | Persistence | Defenses | Defense detectable | Used by |
|---|---|---|---|---|---|
| Canvas | ~10 bits | Until GPU, driver, or font stack changes | Brave randomization, CanvasBlocker, Tor uniform image | Yes (noise pattern itself signals) | FingerprintJS, ThreatMetrix, Cloudflare Bot Management |
| WebGL | ~6 to 8 bits (renderer string up to 10) | Until GPU or driver changes | Mask renderer info, disable WebGL, Tor uniform | Yes (mismatched UA vs renderer flags) | FingerprintJS, ad-tech SDKs, fraud platforms |
| AudioContext | ~4 to 5 bits | Across reboots and reinstalls | Rare. Audio noise extensions, Tor partial | Low (defense is uncommon) | FingerprintJS, anti-bot vendors, analytics suites |
The pattern is consistent. Each vector is hard to defeat in isolation, and the defenses that work are conspicuous. A tracker that sees normal canvas plus normal WebGL plus a missing AudioContext flag is looking at a small slice of the population, and that itself is identifying.
Why Tor still leaks one of them
Tor Browser is the most aggressive consumer-grade defense against static fingerprinting. By default, canvas reads return a uniform white image (the user is prompted before any real data is released). WebGL is enabled but the renderer string is normalized to a single value across every Tor install on the same platform, and the rendered output is rounded to remove driver variance. Two of the three vectors are effectively dead inside Tor.
AudioContext is the loose thread. Tor Project's threat model covers it (ticket tor-browser#13017 and related Mozilla bug reports go back years), but the floating-point output of an OfflineAudioContext still depends on the build chain. A Tor Browser running on Linux x86_64 against a Tor Browser running on macOS arm64 produces measurably different audio hashes, even when both report the same platform string. Researchers have published working AudioContext distinguishers for Tor several times, including in the original AmIUnique work and more recent academic follow-ups.
The remediation is hard because the alternative is to disable OfflineAudioContext entirely, which breaks every web app that decodes audio in the background (podcast players, video conferencing, browser games, accessibility tools). The Tor Project has stayed conservative on that change. The result is that even the most carefully hardened consumer browser still exposes one of the three.
What actually defeats these
The three vectors share a property: they are all derived from physical hardware behavior. Software-only defenses help, but the only complete answers change what the page sees from your machine, not what your machine actually is.
Run on different physical hardware
A different GPU, a different CPU microarchitecture, and a different audio chip produce different hashes on all three vectors at once. This is the strongest defense, and it is also the most inconvenient. Most people will not buy a second laptop for sensitive browsing.
Boot a different OS install
Even on the same hardware, a fresh OS image with different driver versions, a different font set, and a different audio stack shifts every hash. A bootable Tails USB is the canonical example. The cost is that you live inside a separate environment with separate state, which is fine for occasional use and painful as a daily setup.
Use a remote, containerized browser
The most practical version is to push the browser off your machine entirely. A containerized remote browser presents the container's GPU, the container's audio stack, and the container's font set to the page. Your local hardware never participates in the render. Each fresh session starts with a new container, which means a new canvas hash, a new WebGL signature, and a new AudioContext value, none of them connected to your real machine. That is the model Browser.lol uses.
Install a noise extension, with caveats
CanvasBlocker, Trace, and similar extensions inject randomness into the canvas readback and sometimes WebGL. The hashes change every session, which beats naive trackers. The cost is that "user with canvas randomization" is itself a category, so a sophisticated tracker can still bucket you, just into a smaller and arguably more interesting group. Treat extensions as a partial defense, not as a fix.
FAQ
Can I disable canvas in Chrome?
Not cleanly. Chrome does not expose a setting to disable canvas, and an extension that blocks toDataURL() breaks most webmail clients, mapping tools, and signature pads. The realistic options on Chrome are noise extensions like CanvasBlocker (with the trade-off above) or routing sensitive browsing through an isolated environment.
Does a VPN change my fingerprint?
No. A VPN changes your IP and your apparent geolocation, both of which are useful signals to a tracker, but it does not touch canvas, WebGL, or AudioContext. The hash your GPU produces is the same whether the bytes leave through your home connection or through a Mullvad exit node.
Why does my fingerprint change after a Windows update?
Cumulative Windows updates frequently bump the GPU driver, the DirectWrite font rasterizer, or the audio engine. Any of those shifts at least one of the three hashes. Trackers expect this and use correlation with other signals (IP range, login cookies, behavior patterns) to bridge the gap. The change buys you a brief window of looking like a new user, not permanent reset.
Are these fingerprints unique on their own?
No single one is enough. Canvas alone collides for thousands of users with the same GPU plus driver plus OS combination. The risk is the join: canvas plus WebGL plus AudioContext, together with screen size and timezone, narrows the population to a handful of people.
Does incognito mode help against any of them?
No. Incognito clears cookies and history at the end of the session, but the hardware and drivers underneath the browser do not change. Every incognito window on a given machine produces the same canvas, WebGL, and AudioContext values as a normal window on the same machine.
Where this leaves you
Canvas, WebGL, and AudioContext together push past eighteen bits of entropy in a single session. That is enough to pick one user out of more than 250,000, and every tool aimed at the cookie era (incognito, VPNs, most privacy extensions) leaves all three untouched. The hashes come out of your GPU, your drivers, your fonts, and your audio stack, and that is exactly the layer those tools never reach.
Defending one vector at a time is itself visible. Canvas randomization, WebGL masking, and audio noise all produce detectable anomalies, so trackers can bucket "defended" users into a smaller and arguably more interesting group. Tor closes two of the three convincingly and still leaks the audio signature. The only fix that closes all three is to change the hardware and software stack the page is allowed to see, which in practice means a different physical machine, a different OS install, or a remote containerized browser like Browser.lol.
Ready to unlock desktop power on any device?
Try Browser.lol free and experience true mobile productivity.
Start Your Desktop BrowserNo downloads required • Works on any device
