What is browser fingerprinting? How sites identify you without cookies

You can delete every cookie, switch to incognito, and clear your cache, and a tracking company can still recognise the same browser an hour later. That is browser fingerprinting: instead of storing an identifier on your device, sites read characteristics your browser freely reveals and stitch them into a stable, near-unique signature. This article explains how those signals combine, why uniqueness is measured in bits of entropy, the difference between passive and active fingerprinting, and which defences are worth your time.

The core idea: a fingerprint is many weak signals combined

No single property your browser exposes identifies you. Plenty of people use the same browser version, the same screen resolution, or the same timezone. The trick is combination. Suppose 1 in 8 visitors uses your browser version, 1 in 16 uses your exact screen geometry, and 1 in 10 has your timezone and language pair. If those traits are independent, the odds of all three matching drop to roughly 1 in 1,280 before a tracker has even touched anything exotic.

Add a rendered canvas hash, a list of installed fonts, GPU details, and audio-stack quirks, and the combined space balloons past the number of people on Earth. At that point your browser is, for practical purposes, unique, and the tracker no longer needs a cookie to follow you across sites that share its script.

Entropy: measuring uniqueness in bits

Privacy researchers quantify how identifying a signal is using entropy, expressed in bits. One bit of entropy halves the population. If a trait splits everyone into two equally likely groups it carries one bit; a trait that picks one of 1,024 equally likely buckets carries about ten bits.

To single out one person from roughly eight billion you need about 33 bits of identifying information, because 2 to the power of 33 is about 8.6 billion. Individual signals contribute surprisingly large amounts. A detailed User-Agent string can be worth around 10 bits. A canvas fingerprint often contributes 5 to 8 bits. The list of installed fonts can exceed 10 bits on a machine with design or office software. You do not need many strong signals before the total clears 33 bits.

The catch for trackers, and the opportunity for you, is that signals are not fully independent and bits do not always add cleanly. But the direction is clear: every distinctive attribute your browser exposes spends part of your anonymity budget. privacyscore.dev estimates how many bits your current browser is leaking and shows which signals are the heaviest contributors, so you can see where your exposure actually comes from rather than guessing.
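The arithmetic in the two sections above, worked as an added example that is not part of the original article: surprisal for the 1-in-8, 1-in-16 and 1-in-10 traits, the 33-bit budget for eight billion people, and Shannon entropy over a small constructed sample population (not real measurements) in which font count is deliberately tied to operating system. It shows the point made above about non-independence: the sum of per-attribute bits is an upper bound, and the joint entropy of the actual combination comes out lower. The sample records, attribute names and the `report` helper are assumptions made for the example.

```javascript
// Added example (not from the original article): the entropy arithmetic behind
// "bits of identifying information", worked on the figures in the text and on
// a constructed sample population. Node.js; no browser APIs needed.

// Surprisal in bits of sharing a trait value that a fraction p of visitors share.
function surprisalBits(p) {
  if (!(p > 0 && p <= 1)) throw new RangeError('p must be in (0, 1]');
  return Math.log2(1 / p);
}

// Bits needed to single out one individual in a population of n.
function bitsToIdentify(n) {
  return Math.log2(n);
}

// Shannon entropy (bits) of the distribution of `key` over `records`.
function attributeEntropy(records, key) {
  const counts = new Map();
  for (const r of records) {
    const v = String(r[key]);
    counts.set(v, (counts.get(v) || 0) + 1);
  }
  let h = 0;
  for (const c of counts.values()) {
    const p = c / records.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Join the chosen attributes into the string a tracker would hash.
function combine(record, keys) {
  return keys.map(k => String(record[k])).join('|');
}

// Entropy of the combination itself, i.e. of the actual fingerprint.
function jointEntropy(records, keys) {
  return attributeEntropy(records.map(r => ({ fp: combine(r, keys) })), 'fp');
}

// Fraction of records whose combination no other record in the sample shares
// (the statistic behind a Panopticlick-style "your browser is unique" result).
function uniqueFraction(records, keys) {
  const counts = new Map();
  const fps = records.map(r => combine(r, keys));
  for (const fp of fps) counts.set(fp, (counts.get(fp) || 0) + 1);
  return fps.filter(fp => counts.get(fp) === 1).length / fps.length;
}

// Constructed sample (not real measurements). `fonts` is the size of the font
// list and is deliberately a function of `os`, so the two signals are not independent.
const SAMPLE = [
  { os: 'Windows', fonts: 60,  tz: 'UTC',              ua: 'Firefox/128' },
  { os: 'Windows', fonts: 60,  tz: 'UTC',              ua: 'Chrome/126' },
  { os: 'Windows', fonts: 60,  tz: 'America/New_York', ua: 'Firefox/128' },
  { os: 'Windows', fonts: 60,  tz: 'America/New_York', ua: 'Chrome/126' },
  { os: 'macOS',   fonts: 120, tz: 'UTC',              ua: 'Firefox/128' },
  { os: 'macOS',   fonts: 120, tz: 'UTC',              ua: 'Chrome/126' },
  { os: 'macOS',   fonts: 120, tz: 'America/New_York', ua: 'Firefox/128' },
  { os: 'macOS',   fonts: 120, tz: 'America/New_York', ua: 'Firefox/128' },
];
const KEYS = ['os', 'fonts', 'tz', 'ua'];

// Compare the naive "add the bits up" estimate with the real joint entropy.
function report(records = SAMPLE, keys = KEYS) {
  const perAttribute = Object.fromEntries(keys.map(k => [k, attributeEntropy(records, k)]));
  const sumOfMarginals = keys.reduce((s, k) => s + perAttribute[k], 0);
  return {
    perAttribute,
    sumOfMarginals,
    joint: jointEntropy(records, keys),
    uniqueFraction: uniqueFraction(records, keys),
  };
}

// The worked figures from the text: 1/8, 1/16 and 1/10 combine to about 10.3 bits
// (1 in 1,280), against a budget of roughly 33 bits for eight billion people.
console.log('three traits:', (surprisalBits(1 / 8) + surprisalBits(1 / 16) + surprisalBits(1 / 10)).toFixed(2), 'bits');
console.log('to identify one in 8e9:', bitsToIdentify(8e9).toFixed(2), 'bits');
console.log(report());
```

On the sample, `os` and `fonts` each carry one bit but together still carry only one, because knowing one tells you the other; the four attributes sum to about 3.95 bits while the joint entropy is 2.75 bits and six of the eight records are unique. The sum of marginals is what you get by adding a tool's per-signal figures; the joint value is what a tracker actually has.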

Passive vs active fingerprinting

Fingerprinting techniques fall into two families, and the distinction matters for defence.

Passive fingerprinting

Passive methods read information the browser sends automatically, without running any special code. Every HTTP request carries headers: the User-Agent, Accept-Language, Accept-Encoding, and increasingly a set of Client Hints. The order and exact formatting of these headers, the TLS handshake characteristics (sometimes called a JA3 or JA4 fingerprint), and the IP address all arrive at the server for free. Passive fingerprinting is invisible to you because no JavaScript needs to execute. Blocking scripts does not stop it.

Active fingerprinting

Active methods run JavaScript to probe the browser and device. They render text and graphics to a hidden canvas and hash the pixels, ask WebGL for the GPU vendor and renderer string, generate inaudible tones through the Web Audio API and measure the output, enumerate fonts by measuring text dimensions, and query dozens of properties on objects like navigator and screen. Active fingerprinting is more powerful and more invasive, but because it requires code to run, it is the part you can most effectively disrupt.

Where the bits come from: the signal inventory

A modern fingerprinting script collects a long list. The heaviest contributors typically include:

  • Canvas and WebGL rendering — the same drawing instructions produce subtly different pixels depending on GPU, drivers, and anti-aliasing, yielding a stable hash.
  • Installed fonts — the set of fonts on your system reflects your OS plus installed applications, and is often startlingly distinctive.
  • User-Agent and Client Hints — browser, version, platform, and architecture.
  • Screen and window geometry — resolution, colour depth, device pixel ratio, available work area.
  • Audio stack — floating-point differences in audio processing across hardware and OS builds.
  • Timezone, language, and locale — including the list of preferred languages, not just the primary one.
  • Hardware hints — navigator.hardwareConcurrency (logical CPU cores) and deviceMemory (rounded RAM).
  • Enumerable extras — supported codecs, available media devices (count and kinds), touch support, and the presence of specific APIs.

Individually these are mundane. Hashed together, they form an identifier far more durable than any cookie.

Why it survives cookie clearing and incognito

Cookies and local storage are data the site writes to your device, so clearing them removes the identifier. A fingerprint is different: it is derived from what your device already is. Wiping storage does not change your GPU, your fonts, or your screen size, so the same fingerprint re-emerges on your next visit.

Private or incognito windows are routinely misunderstood. They isolate cookies and history from your normal session and discard them when closed, but they do not change your hardware or most browser characteristics. A canvas hash or font list computed in incognito generally matches the one from your normal window. Incognito protects you from people who share your computer; it does very little against a remote fingerprinter.
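To make the signal inventory and the storage-independence point concrete, here is an added example that is not from the original article and is not privacyscore.dev's own code: a minimal self-measurement collector that reads the navigator and screen properties listed above from a window-shaped object, canonicalises them, hashes them, and reports which signals changed between two measurements. It is run against constructed environments for one machine in a normal window, in an incognito window with empty storage, and after installing one extra font. The `fonts` and `timezone` fields stand in for the results of a text-measurement font probe and `Intl.DateTimeFormat().resolvedOptions().timeZone`, the toy FNV-1a hash stands in for the cryptographic hash a real tool would use, and all environment values are assumptions made for the example.

```javascript
// Added example (not from the original article and not privacyscore.dev's own
// code): a minimal self-measurement collector. It reads the inventory from a
// window-shaped object, canonicalises and hashes it, then shows that the
// identifier survives a storage wipe while a single new font alters it.
// Node.js; the environments below are constructed, not real measurements.

// Toy 32-bit FNV-1a over UTF-16 code units. A real tool would use SHA-256;
// the stand-in keeps the example dependency-free.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return (h >>> 0).toString(16).padStart(8, '0');
}

// Read the signals from the inventory. `env` mirrors the parts of `window` a
// collector touches; `fonts` stands in for a font probe's result and
// `timezone` for Intl.DateTimeFormat().resolvedOptions().timeZone.
function collectSignals(env) {
  const nav = env.navigator;
  const scr = env.screen;
  return {
    userAgent: nav.userAgent,
    platform: nav.platform,
    languages: nav.languages.join(','),       // the whole preference list, not just the first
    hardwareConcurrency: nav.hardwareConcurrency,
    deviceMemory: nav.deviceMemory,
    screen: `${scr.width}x${scr.height}x${scr.colorDepth}@${env.devicePixelRatio}`,
    timezone: env.timezone,
    fonts: [...env.fonts].sort().join(','),   // order-independent
  };
}

// Deterministic serialisation: sorted keys, one "key=value" per line.
function canonicalise(signals) {
  return Object.keys(signals).sort().map(k => `${k}=${signals[k]}`).join('\n');
}

// The fingerprint identifier: nothing here is read from cookies or storage.
function fingerprintId(env) {
  return fnv1a32(canonicalise(collectSignals(env)));
}

// A storage-based identifier for contrast: it is only whatever the site wrote.
function storageId(env) {
  return env.cookies.uid || null;
}

// Which signals differ between two measurements (useful after changing a setting).
function diffSignals(envA, envB) {
  const a = collectSignals(envA), b = collectSignals(envB);
  return Object.keys(a).filter(k => a[k] !== b[k]);
}

// Constructed environments. NORMAL carries a tracking cookie; INCOGNITO is the
// same machine with empty storage; EXTRA_FONT is the same machine after one font install.
const BASE = {
  navigator: {
    userAgent: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36',
    platform: 'Linux x86_64',
    languages: ['en-GB', 'en', 'de'],
    hardwareConcurrency: 8,
    deviceMemory: 8,
  },
  screen: { width: 2560, height: 1440, colorDepth: 24 },
  devicePixelRatio: 1,
  timezone: 'Europe/London',
  fonts: ['DejaVu Sans', 'Liberation Serif', 'Noto Sans'],
};
const ENV_NORMAL = { ...BASE, cookies: { uid: 'a1b2c3' } };
const ENV_INCOGNITO = { ...BASE, cookies: {} };
const ENV_EXTRA_FONT = { ...BASE, cookies: {}, fonts: [...BASE.fonts, 'Fira Code'] };

console.log('storage id normal/incognito:', storageId(ENV_NORMAL), storageId(ENV_INCOGNITO));
console.log('fingerprint normal/incognito:', fingerprintId(ENV_NORMAL), fingerprintId(ENV_INCOGNITO));
console.log('after one extra font:', fingerprintId(ENV_EXTRA_FONT), 'changed:', diffSignals(ENV_NORMAL, ENV_EXTRA_FONT));
```

The cookie identifier vanishes in the incognito environment while the fingerprint is byte-for-byte the same, because `collectSignals` never touches storage; adding one font changes the hash and `diffSignals` names the attribute responsible. In a real browser the same `collectSignals` can be handed `window` directly, with the font probe and timezone lookup filled in, and `diffSignals` run before and after a configuration change is the "measure, change one thing, measure again" loop recommended at the end of the article.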

The EFF insight: your browser is probably unique

The Electronic Frontier Foundation demonstrated this vividly with its Panopticlick project, later relaunched as Cover Your Tracks. By collecting fingerprints from hundreds of thousands of visitors, the EFF showed that the large majority of browsers were unique within the sample, meaning no other visitor shared the same combination of attributes. The lesson is counter-intuitive: a heavily customised browser, with unusual fonts, niche extensions, and a non-default configuration, is often easier to track, because every customisation adds entropy. Blending into a crowd beats standing out.

How privacyscore.dev measures your exposure

privacyscore.dev runs the same kinds of probes a real tracker would, entirely in your browser, and reports back rather than selling the result. It computes a canvas and WebGL hash, enumerates the signals above, and estimates the total entropy your browser is exposing. Each high-entropy attribute is flagged so you can see, for example, that your font list or your WebGL renderer string is doing most of the damage. The score is a snapshot of how identifiable you are right now, and a way to check whether a change you made actually reduced your exposure or just rearranged it.

High-impact defences

You cannot eliminate fingerprinting, but you can meaningfully reduce uniqueness. In rough order of impact for effort:

  • Use a browser that standardises its fingerprint. The Tor Browser is the gold standard: it ships a fixed font set, normalises screen size via letterboxing, and works hard to make every user look identical. Hardened Firefox forks and browsers with built-in fingerprinting resistance reduce entropy for everyone running the same defaults.
  • Enable fingerprinting protection if your browser has it. Firefox offers privacy.resistFingerprinting and a fingerprinting-protection feature; Brave randomises canvas and audio readings per site and session, which poisons the hash rather than blocking the API.
  • Block known fingerprinting scripts. A content blocker using lists such as EasyPrivacy stops many trackers from running their probes at all.
  • Resist the urge to over-customise. Stick close to defaults, avoid rare fonts and exotic extensions, and do not maximise customisation in the name of privacy. Uniqueness is the enemy.
  • Do not spoof your User-Agent ad hoc. Manual spoofing usually creates contradictions between what you claim and what your browser actually does, which is itself a strong, rare signal.

Run a measurement first, change one thing, then measure again. Treat your fingerprint as a budget you are trying to spend down, and let the numbers, not intuition, tell you whether a tweak helped.