How Browser Fingerprinting Works (And How to Stop It)
Browser fingerprinting tracks you without cookies, survives incognito mode, and cannot be deleted. Here is the technical explanation and the practical solutions.
What Is Browser Fingerprinting?
Browser fingerprinting is a tracking technique that identifies you by the unique combination of attributes your browser exposes to every website you visit. Unlike cookies, it does not store anything on your device. Instead, it silently collects characteristics of your browser and device and combines them into a "fingerprint" — a signature that identifies you across sessions, devices, and even across different browsers.
The technique was first documented by Peter Eckersley of the Electronic Frontier Foundation in 2010. By 2026, it is used by the majority of large websites and virtually all major advertising networks. Browser fingerprinting is technically legal in most jurisdictions (a grey area the advertising industry exploits deliberately), despite violating the spirit of privacy laws like GDPR.
The Technical Mechanics
The Canvas API
When a website calls the HTML5 Canvas API to draw something, your browser renders it using your GPU, operating system, and installed fonts. The rendered image is then converted to a data string. Because rendering varies by hardware and software, even identical drawing instructions produce slightly different pixel outputs on different machines.
A fingerprinting script might draw a string like "BrowserLeaks,com <canvas> 1.0" in a specific font at a specific size, then read back the pixel data. The resulting hash is stable across sessions on the same device but differs between devices. Combined with other signals, canvas fingerprinting alone can identify users with 90%+ accuracy.
Here is a simplified version of what the JavaScript looks like:
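// Off-screen canvas: never attached to the page, so nothing is visible to the user
const canvas = document.createElement('canvas');
const ctx = canvas.getContext('2d');
// Fixed drawing instructions; the output varies only with the rendering stack
ctx.textBaseline = 'top';
ctx.font = '14px Arial';
ctx.fillStyle = '#f60';
ctx.fillRect(125, 1, 62, 20);
ctx.fillStyle = '#069';
ctx.fillText('Browser fingerprint', 2, 15);
// Serialise the rendered pixels to a data string; hashing it gives the identifier
const fingerprint = canvas.toDataURL();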
Privacy extensions that modify the Canvas API return slightly randomised pixel data each time, making the fingerprint different each session and breaking the cross-session tracking.
WebGL Fingerprinting
The WebGL API exposes your GPU model, driver version, and rendering capabilities. The combination is often unique. A fingerprinting script queries:
- RENDERER: e.g. "NVIDIA GeForce RTX 4070/PCIe/SSE2"
- VENDOR: e.g. "Google Inc. (NVIDIA Corporation)"
- Supported extensions and their order
- Precision values for various shader operations
The exact combination of these values is unique to your GPU and driver version. Unlike canvas fingerprinting, WebGL fingerprinting is harder to randomise without breaking WebGL-dependent web applications like interactive maps and 3D visualisations.
Font Enumeration
Your device has a specific set of fonts installed, determined by your operating system, installed applications, and manual additions. Websites can probe for fonts by rendering text in various fonts and measuring the dimensions. If the text renders at the expected size, the font is installed; otherwise, a fallback font (with different dimensions) is used.
A typical device has between 100 and 500 installed fonts. The specific combination — which professional software you have installed, which system fonts, which language support packages — creates a highly identifying signal. macOS users with Microsoft Office installed have a different font set from macOS users without it, for example.
AudioContext Fingerprinting
The Web Audio API allows JavaScript to generate and process audio. The specific way your audio hardware and software stack processes an audio signal produces a measurable signature. This technique is largely invisible because no sound is produced — the audio is generated and processed in memory, and only the numerical output is read.
The Full Signal Set
A comprehensive fingerprint collects dozens of signals simultaneously:
- User agent string (browser name, version, OS)
- Screen resolution and colour depth
- Timezone and locale settings
- List of installed plugins (reduced in modern Chrome but still partially exposed)
- Do Not Track header setting (ironically, having DNT enabled is itself a distinctive signal)
- Battery level and charging status (on mobile)
- Device memory amount
- CPU core count
- Touch support and maximum touch points
- Hardware concurrency
No single attribute is unique. But combined, they often are. The EFF's Panopticlick research found that 83% of browsers carry a unique fingerprint. More recent research puts the number higher, as device diversity has increased.
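A worked illustration of that point, added here and not part of the original article: the script measures, over a small constructed visitor population, how much one attribute value narrows the crowd and how the share of unique visitors grows as attributes are combined. The attribute names and all sample values are assumptions made up for the example.

```javascript
// Constructed sample population (made-up values): one row per visitor.
const visitors = [
  { ua: 'Chrome',  screen: '1920x1080', tz: 'Europe/Berlin',    cores: 8 },
  { ua: 'Chrome',  screen: '1920x1080', tz: 'Europe/Berlin',    cores: 4 },
  { ua: 'Chrome',  screen: '1920x1080', tz: 'America/New_York', cores: 8 },
  { ua: 'Chrome',  screen: '1366x768',  tz: 'America/New_York', cores: 4 },
  { ua: 'Firefox', screen: '1920x1080', tz: 'Europe/Berlin',    cores: 8 },
  { ua: 'Firefox', screen: '1366x768',  tz: 'America/New_York', cores: 8 },
  { ua: 'Chrome',  screen: '1366x768',  tz: 'Europe/Berlin',    cores: 4 },
  { ua: 'Chrome',  screen: '1920x1080', tz: 'America/New_York', cores: 4 },
];

// Self-information of one observed value, in bits: -log2(share of visitors with it).
function surprisalBits(population, key, value) {
  const share = population.filter(v => v[key] === value).length / population.length;
  return -Math.log2(share);
}

// Anonymity set: how many visitors look identical to `target` on the given keys.
function anonymitySet(population, target, keys) {
  return population.filter(v => keys.every(k => v[k] === target[k])).length;
}

// Share of visitors whose combination of `keys` is shared with nobody else.
function uniqueFraction(population, keys) {
  const id = v => keys.map(k => v[k]).join('|');
  const counts = new Map();
  for (const v of population) counts.set(id(v), (counts.get(id(v)) || 0) + 1);
  return population.filter(v => counts.get(id(v)) === 1).length / population.length;
}

// Uniqueness after combining the first 1, 2, ... n attributes.
function uniquenessByPrefix(population, keys) {
  return keys.map((_, i) => uniqueFraction(population, keys.slice(0, i + 1)));
}

const signalKeys = ['ua', 'screen', 'tz', 'cores'];
console.log(uniquenessByPrefix(visitors, signalKeys)); // [0, 0.25, 0.5, 1]
console.log(anonymitySet(visitors, visitors[0], ['ua']),        // 6
            anonymitySet(visitors, visitors[0], signalKeys));   // 1
```

No single column singles anyone out in this sample, yet four coarse attributes together leave every visitor in an anonymity set of one.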
Why It Persists Through Clearing Cookies and Incognito Mode
Cookies are stored on disk. Clearing them removes the identifier. Fingerprinting generates the identifier from your hardware and software configuration — nothing stored on disk, nothing to clear.
Incognito mode opens a fresh session with no saved cookies or history. But your GPU is the same. Your fonts are the same. Your screen resolution and timezone are the same. Your fingerprint in incognito mode is identical to your fingerprint in normal mode.
VPNs change your IP address but not your browser fingerprint. A VPN user with a unique canvas fingerprint is as trackable as a non-VPN user.
Practical Defences
Browser-Level Randomisation
The most effective defence is an extension that randomises the values returned by fingerprinting APIs. Rather than blocking the API calls (which would break legitimate uses), randomisation returns slightly different values each session. A tracker that sees a different canvas fingerprint on each visit cannot build a cross-session profile.
PrivacyGuard applies this approach to the Canvas API, WebGL, AudioContext, and font enumeration, while preserving normal browser functionality.
Using Tor Browser
Tor Browser applies an aggressive fingerprint normalisation strategy: every Tor user presents the same fingerprint. This is highly effective but comes with significant usability trade-offs — reduced JavaScript compatibility, very slow browsing, and inability to log into many services.
Firefox with resistFingerprinting
Firefox includes a privacy.resistFingerprinting setting that normalises several fingerprinting vectors. It is not as comprehensive as a dedicated extension but is better than nothing.
What Does Not Work
- Clearing cookies: Has no effect on fingerprinting
- Incognito mode: Has no effect on fingerprinting
- VPN alone: Changes IP, not fingerprint
- User agent spoofing without API randomisation: Changes one signal while leaving dozens intact
The Legal Landscape
Under GDPR, fingerprinting that is used to identify individuals is processing of personal data, which requires a lawful basis — typically consent. The regulation's Article 25 (Privacy by Design) and its provisions on transparency technically prohibit covert fingerprinting of EU residents.
In practice, enforcement has been limited. The Irish Data Protection Commission, which oversees Google and Meta in the EU, has issued fines but has not comprehensively addressed fingerprinting. The EU's ePrivacy Regulation, which would more explicitly cover fingerprinting, has been stalled in legislative process for years.
California's CCPA gives residents the right to opt out of the "sale" of personal information, which might include fingerprint data. But the definition of "sale" is interpreted narrowly by most industry actors, and the enforcement mechanism requires consumers to take active steps most never take.
Installing Protection Now
PrivacyGuard's anti-fingerprinting module activates automatically on installation. No configuration required. The extension's privacy score dashboard shows which fingerprinting techniques are being used on sites you visit, so you can see the protection working in real time.
Fingerprinting is the tracking technology that survives every cookie-clearing, every incognito session, every VPN connection. Protection requires addressing it at the API level — which is exactly what PrivacyGuard does.