Ransomnews
Privacy

Browser Fingerprinting: Why Cookies Are Not Even the Worst Part

By Jesse William McGraw, April 26, 2026

A modern browser, on a typical computer, makes itself uniquely identifiable to the web roughly the moment it loads its first page. The technology that does this, browser fingerprinting, works without setting any cookies, without storing any state on the device, and largely without the user noticing. It is the second-leading mechanism of cross-site tracking after cookies and increasingly the leading mechanism as cookies are deprecated.

Understanding what fingerprinting actually does, and what defends against it, is one of the more useful things any privacy-conscious internet user can know.

How fingerprinting works

A browser fingerprint is a hash of attributes that the browser exposes to JavaScript and to HTTP requests. Each individual attribute has low entropy on its own. The combination of dozens of such attributes typically produces a value unique to a single browser-machine-user combination.

The classic attributes:

User-Agent string. Browser, version, operating system. Many users share the same User-Agent.

Screen dimensions and color depth. Window size, scroll position, available pixels.

Installed fonts. The list of system fonts is highly distinctive across machines.

Time zone and language. Often combined with IP geolocation.

Hardware concurrency. Number of CPU cores.

WebGL renderer. The GPU model name and driver version returned by WEBGL_debug_renderer_info.

Canvas fingerprinting. Have the browser draw a specific image onto an HTML5 canvas; the resulting pixel-level rendering varies subtly based on graphics drivers, anti-aliasing settings, and font rasterisation. The hash of the rendered output is highly distinctive.

AudioContext fingerprinting. Generate a specific audio waveform and capture the output; the floating-point arithmetic varies subtly across hardware and OS.

Battery status, network type, accelerometer data, and various Sensor APIs (mostly mobile).

WebRTC IP leakage. The WebRTC API exposes local network IP addresses that bypass VPN routing.

The Electronic Frontier Foundation’s seminal "Panopticlick" research in 2010 (now Cover Your Tracks at coveryourtracks.eff.org) established the basic finding: 84 percent of browsers had a unique fingerprint based on a small number of attributes. The proportion has climbed as more attributes have been added by JavaScript APIs.
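
The claim that individually weak attributes combine into a unique value can be measured directly. The following is an added example, not code from the original article: it computes Shannon entropy and anonymity-set sizes over a constructed eight-browser population, and all attribute values and function names are assumptions made for illustration.

```javascript
// Constructed population of eight browsers; every value is invented for illustration.
const population = [
  { userAgent: "Firefox/Windows", screen: "1920x1080", timezone: "Europe/Berlin",   cores: 4 },
  { userAgent: "Firefox/Windows", screen: "1920x1080", timezone: "America/Chicago", cores: 4 },
  { userAgent: "Firefox/Windows", screen: "2560x1440", timezone: "Europe/Berlin",   cores: 4 },
  { userAgent: "Firefox/Windows", screen: "2560x1440", timezone: "America/Chicago", cores: 16 },
  { userAgent: "Chrome/macOS",    screen: "1920x1080", timezone: "Europe/Berlin",   cores: 4 },
  { userAgent: "Chrome/macOS",    screen: "1920x1080", timezone: "America/Chicago", cores: 4 },
  { userAgent: "Chrome/macOS",    screen: "2560x1440", timezone: "Europe/Berlin",   cores: 16 },
  { userAgent: "Chrome/macOS",    screen: "2560x1440", timezone: "America/Chicago", cores: 4 },
];

// Canonical string over the chosen attributes; hashing this string yields the fingerprint ID.
const keyOf = (browser, attrs) => attrs.map((a) => `${a}=${browser[a]}`).join("|");

// Count how many browsers in the population share each attribute combination.
function groupSizes(pop, attrs) {
  const sizes = new Map();
  for (const b of pop) {
    const key = keyOf(b, attrs);
    sizes.set(key, (sizes.get(key) || 0) + 1);
  }
  return sizes;
}

// Shannon entropy, in bits, of the attribute combination across the population.
function entropyBits(pop, attrs) {
  let h = 0;
  for (const n of groupSizes(pop, attrs).values()) {
    const p = n / pop.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Anonymity set: how many browsers are indistinguishable from `browser` on these attributes.
const anonymitySet = (pop, browser, attrs) => groupSizes(pop, attrs).get(keyOf(browser, attrs));

// Share of the population that is singled out (anonymity set of exactly one).
const uniqueFraction = (pop, attrs) =>
  pop.filter((b) => anonymitySet(pop, b, attrs) === 1).length / pop.length;

// Add attributes one at a time and report how identifiability grows.
function report(pop, attrs) {
  return attrs.map((_, i) => {
    const used = attrs.slice(0, i + 1);
    return { used: used.join("+"), bits: entropyBits(pop, used), unique: uniqueFraction(pop, used) };
  });
}

console.table(report(population, ["userAgent", "screen", "timezone"]));
```

Each attribute alone only splits this population in half, yet three of them together leave every browser in an anonymity set of one.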

What fingerprinting is used for

Three main uses, in rough order of legitimacy:

Fraud detection. Banks, e-commerce, and ad networks use fingerprinting to detect bot traffic and account takeover. ThreatMetrix, Iovation (now TransUnion), Sift, Riskified, Forter, and Kount are the dominant vendors. The use is generally accepted by privacy regulators, although the specific data flows are increasingly scrutinised under GDPR.

Tracking and advertising. The displaced cookie economy increasingly leans on fingerprinting to maintain cross-site identity. Most ad-tech vendors do not call it fingerprinting in their marketing; they call it "deterministic ID matching," "probabilistic identification," or "cookieless attribution." The mechanism is the same.

Government and corporate surveillance. State-level adversaries can use fingerprinting against high-value targets to track their devices across the web, even when those targets are deliberately attempting to be anonymous. This is part of the threat model the Tor Project addresses extensively.

What does not defend

A surprising number of common privacy practices do not affect fingerprinting:

Private browsing / Incognito mode. These prevent storage of cookies and history but do not change the fingerprint exposed to scripts. Your fingerprint in Incognito is the same as in regular mode, modulo small differences in extensions.

Clearing cookies. Deletes the cookie-based identifier; the fingerprint persists.

VPN. Hides the IP address, which is one fingerprint attribute. Other attributes are unchanged.

Most third-party-cookie blocking. Stops the cookie pathway; does not stop the fingerprint pathway.

Most ad blockers, in their default configurations. Block ad content; do not block fingerprinting scripts unless explicitly configured.

What does defend

The defensive landscape is led by browsers that prioritise fingerprinting resistance:

Tor Browser. The reference implementation. Tor Browser homogenises every fingerprint attribute it can: same User-Agent for everyone, same window size (with letterboxing), same fonts, no canvas access without prompt, no WebRTC leakage. The goal is that every Tor Browser user has the same fingerprint. Documentation at support.torproject.org.

Brave. Implements "farbling": randomised noise on canvas, audio, and WebGL outputs that makes the fingerprint differ on each session. Strong defaults; minimal configuration required.

Firefox with Enhanced Tracking Protection set to Strict, plus the about:config setting privacy.resistFingerprinting. Approaches Tor’s level of homogenisation. Some site breakage is the cost.

Safari. Has fingerprinting countermeasures (pinned User-Agent, font enumeration restrictions, partial canvas randomisation) but is less aggressive than Tor or Brave by default.

Chrome and Chromium-based browsers (Edge, Opera, etc.) without specific privacy modes have weak fingerprinting defences. Chrome’s Privacy Sandbox includes some fingerprinting reductions (User-Agent Client Hints, reduced precision in some APIs) but does not fundamentally homogenise.

Useful add-ons:

CanvasBlocker (Firefox): adds noise to canvas fingerprints.

NoScript: blocks JavaScript by default; the nuclear option, and it breaks many sites.

Decentraleyes / LocalCDN: locally serves common CDN libraries to reduce fingerprinting through CDN requests.
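
The two strategies described above, homogenisation (Tor Browser) and per-session noise (Brave's farbling, CanvasBlocker), defeat tracking in different ways. The following is an added example, not code from the original article or from any of these projects: it uses simplified models of both defences on constructed canvas readouts, and the names, seeds, and the "Uniform/1.0" value are hypothetical.

```javascript
// Constructed canvas readouts (16 pixel values) for two different machines.
const alice = { userAgent: "Firefox/Windows", canvas: [12, 200, 33, 97, 5, 181, 64, 250, 19, 77, 140, 8, 222, 51, 109, 3] };
const bob   = { userAgent: "Chrome/macOS",    canvas: [12, 201, 33, 96, 5, 180, 64, 251, 18, 77, 141, 8, 223, 50, 109, 2] };

// What a page script observes for one visit under each defence (simplified models).
const defences = {
  none: (browser) => ({ ...browser }),
  // Homogenisation: every user reports the same (hypothetical) values.
  homogenise: () => ({ userAgent: "Uniform/1.0", canvas: new Array(16).fill(255) }),
  // Farbling: flip the low bit of some pixels, chosen by a per-session seed.
  farble: (browser, sessionSeed) => ({
    ...browser,
    canvas: browser.canvas.map((p, i) => p ^ ((sessionSeed >>> (i % 16)) & 1)),
  }),
};

// The tracker's view: an identifier derived from everything it observed.
const fingerprint = (observed) => JSON.stringify([observed.userAgent, observed.canvas]);

// Compare two sessions of Alice and one of Bob, each with a constructed session seed.
function evaluate(name) {
  const observe = defences[name];
  const alice1 = fingerprint(observe(alice, 0x3a7c));
  const alice2 = fingerprint(observe(alice, 0x91e2));
  const bob1 = fingerprint(observe(bob, 0x5d01));
  const sameUserLinkable = alice1 === alice2;    // can visits be joined across sessions?
  const usersDistinguishable = alice1 !== bob1;  // can one user be told apart from another?
  return {
    sameUserLinkable,
    usersDistinguishable,
    trackable: sameUserLinkable && usersDistinguishable,
  };
}

for (const name of Object.keys(defences)) console.log(name, evaluate(name));
```

Homogenisation leaves the fingerprint stable but shared by everyone; farbling leaves it distinctive but different in every session. Either way the identifier stops being both stable and unique.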

Fingerprinting in 2026 specifically

Three trends matter:

Migration to client hints. The classic User-Agent string is being phased out in favour of structured Client Hints with reduced precision. This narrows one fingerprinting vector but creates new structured channels for advertisers to negotiate access to information.

Anti-fraud sophistication. Modern fraud-detection vendors operate sophisticated machine-learning models on hundreds of fingerprint attributes plus behavioural biometrics (mouse movements, typing patterns, touch dynamics). The models are highly accurate and largely opaque to users.

Mobile fingerprinting differences. Apps fingerprint differently than browsers: they have more privileged access to device sensors and identifiers, but are also more constrained by OS-level controls (App Tracking Transparency on iOS, Privacy Sandbox on Android). The mobile-app fingerprinting world is less visible to the user than the browser equivalent.

The pragmatic recommendation

For most users:

Use Firefox or Brave with strong default privacy settings. Both are real improvements over Chrome.

Use Tor Browser when the threat model warrants it: investigative journalism, evasion of state surveillance, sensitive private research.

Recognise that perfect fingerprint resistance breaks websites. The trade-off is real and the right balance is personal.

Accept that fraud-detection use of fingerprinting is largely unavoidable; the right battle to fight is over the advertising and aggregation use, not the bank login.

The deeper issue is that the web platform was designed to expose enough information to enable functionality, and the same information enables tracking. Browser vendors have been retrofitting privacy onto a permissive design for two decades. The result is partial, contested, and slowly improving. Fingerprinting will not disappear; it will become more constrained and more sophisticated in roughly equal measure.

Jesse William McGraw

Jesse William McGraw, also known as GhostExodus, is a former insider threat and threat actor. He became the first person in recent U.S. history to be convicted of corrupting industrial control systems. Today he focuses on threat intelligence, OSINT, and public speaking, using his knowledge to bring awareness to the security risks that organisations and individuals face.
