What Is Browser Fingerprinting and How Does It Affect You
by Scott
Most people who think about online privacy think about cookies. They have seen the consent banners, they understand vaguely that cookies track their movements around the web, and some of them have taken the step of regularly clearing their cookies or using browser settings that block third-party cookies. This is a reasonable response to a real problem, but it addresses only one layer of the tracking infrastructure that the modern web has built around its users. Beneath the cookie layer, and significantly harder to detect or disable, is a tracking technique called browser fingerprinting that operates without storing anything on your device, works even when you are browsing in private or incognito mode, and is capable of identifying you with a reliability that cookies in their most sophisticated form cannot match.
Browser fingerprinting works by collecting a large number of attributes about your browser and device configuration, combining them into a composite profile, and using that profile as an identifier. The individual attributes that make up a fingerprint are not secret or sensitive in themselves. They are things like the version of your browser, the operating system you are running, the fonts installed on your system, the screen resolution and color depth of your display, the timezone your device is set to, the language settings of your browser, the list of browser plugins and extensions you have installed, and the way your browser handles certain rendering tasks. None of these attributes individually identifies you. But the combination of all of them together, taken simultaneously, produces a profile that is statistically unique for the vast majority of users.
The mathematics underlying this uniqueness are not complicated to understand. If your browser version narrows the possible population of users to a few percent of all web users, and your operating system version further narrows it, and your screen resolution further narrows it, and your installed fonts further narrow it, and your timezone further narrows it, and your browser plugins further narrow it, the successive narrowing of the population at each step quickly reduces the plausible set of users who share all of those attributes simultaneously to a very small number, often to just one. Research published by the Electronic Frontier Foundation in a project called Panopticlick found that approximately eighty-three percent of the browsers they tested carried a fingerprint that was unique within their dataset of hundreds of thousands of test subjects. Subsequent research with larger datasets has confirmed that fingerprint uniqueness is high and has, if anything, increased as browsers have become more configurable and devices more diverse.
The collection of fingerprinting attributes happens through entirely standard web technologies that browsers implement as part of their normal functionality. JavaScript, the programming language that runs in web browsers and powers interactive web content, provides access to a wide range of information about the browser environment. A script running on a webpage can query the navigator object for information about the browser and operating system, query the screen object for display characteristics, query the window object for viewport dimensions, and enumerate the list of installed plugins. None of this requires any special permission or user consent. It is functionality that browsers provide to enable legitimate web development, and its use for fingerprinting is a secondary application that the designers of these APIs did not specifically intend but also did not prevent.
Canvas fingerprinting is one of the most widely used and most reliable fingerprinting techniques, and it exploits a subtler aspect of browser behavior. The HTML5 Canvas element is a drawing surface that web pages can use to render graphics using JavaScript. When a script draws a specific image or renders specific text on a canvas element, the exact pixel-level output that the browser produces is influenced by the graphics hardware, the operating system, the browser’s rendering engine, the antialiasing and text rendering settings, and various other factors that differ between devices and configurations. By instructing the canvas to render a specific sequence of drawing operations and then reading back the pixel data, a script can obtain a value that reflects all of these hardware and software characteristics simultaneously, producing a highly stable and highly unique identifier derived from the device’s rendering characteristics rather than from any stored data.
WebGL fingerprinting operates on a similar principle but uses the three-dimensional graphics processing capabilities of the browser rather than the two-dimensional canvas. By rendering a specific three-dimensional scene and analyzing the output, a script can obtain detailed information about the graphics processing unit in the device, including the manufacturer, the model, the driver version, and various performance characteristics. This information is both highly specific and highly stable, because the graphics hardware of a device does not change and its rendering characteristics are deterministic for a given input. The combination of canvas and WebGL fingerprinting alone is sufficient to uniquely identify a large proportion of devices.
Audio fingerprinting uses the browser’s Web Audio API, which provides access to audio processing capabilities, in a similar way. By generating a specific audio signal and processing it through the browser’s audio stack, a script can obtain a value that reflects the audio hardware and software configuration of the device, adding another stable and unique dimension to the fingerprint. The audio processing path involves the operating system’s audio subsystem, the device’s audio hardware, and various software processing stages, each of which introduces characteristic variations that distinguish one device from another.
The stability of browser fingerprints over time is one of their most valuable properties from a tracking perspective. A cookie is deleted the moment a user clears their browser data, and its tracking value is lost immediately. A browser fingerprint cannot be deleted because it is not stored on the device. It is a property of the device itself, derived from its configuration, hardware, and software. A fingerprint changes only when something about the device changes, such as a browser update, an operating system update, the installation or removal of a font, or a change in display settings. These changes happen occasionally but not constantly, and the fingerprint remains stable for extended periods between them. When a change does occur, the new fingerprint can often be linked to the old one through partial matching and continuity analysis, maintaining the tracking relationship across the change.
The relationship between browser fingerprinting and the privacy mechanisms that most users rely on is one that deserves particular attention, because it reveals a significant gap between what users believe they are protected against and what they are actually protected against. Private or incognito browsing is designed to prevent the browser from storing cookies, history, and other data locally after the browsing session ends. It does not affect the information that the browser sends to websites during the session, and it does not change the fingerprint that the browser presents. A website that fingerprints visitors will identify a private browsing session as a distinct browser instance, but it will recognize the same browser instance if it appears again in private mode, because the fingerprint has not changed.
Virtual private networks, which encrypt the connection between the device and the VPN server and mask the user’s IP address by substituting the VPN server’s address, provide no protection against browser fingerprinting. The VPN operates at the network layer, affecting how traffic is routed and concealing the user’s geographic location and IP address from the websites they visit. It does not affect the browser-level attributes that make up the fingerprint. A website that receives a connection from a VPN server can still fingerprint the browser making that connection and identify it across subsequent visits even if the VPN server’s IP address changes.
Ad blockers provide partial protection against fingerprinting in some cases, because some fingerprinting scripts are hosted on domains that are included in the blocklists that ad blockers use. When the script is blocked before it can execute, the fingerprinting attempt fails. But fingerprinting scripts embedded in the first-party code of a website, or hosted on domains that are not on block lists, will execute without interference. The protection provided by ad blockers against fingerprinting is therefore inconsistent and cannot be relied upon as a comprehensive defense.
The browsers that have made the most serious attempts to address fingerprinting as a privacy threat have generally done so by making the browser’s reported attributes less informative rather than by attempting to block fingerprinting scripts directly. The Tor Browser, which is designed for high-anonymity browsing, takes the approach of standardizing as many fingerprinting attributes as possible so that all Tor Browser instances present an identical fingerprint. Canvas rendering is randomized slightly on each request so that the output varies and cannot be used as a stable identifier. Fonts are restricted to a standard set. The window size is constrained to specific dimensions. The goal is not to make the browser unfingerprint-able but to make all Tor Browser instances look identical, so that an individual user cannot be distinguished from the crowd of other Tor Browser users.
Firefox has introduced a feature called Enhanced Tracking Protection that, in its strictest mode, blocks many known fingerprinting scripts and applies some randomization to fingerprinting attributes. Safari has implemented a form of fingerprinting protection called Intelligent Tracking Prevention that limits the information available to cross-site tracking scripts. Google has proposed various mechanisms under the Privacy Sandbox initiative, including noise injection into fingerprinting attributes, though the implementation and effectiveness of these mechanisms remain subjects of active development and debate. None of these browser-level protections eliminates fingerprinting as a tracking mechanism, but they raise the difficulty and reduce the reliability of fingerprinting in ways that meaningfully limit its effectiveness for some use cases.
The commercial ecosystem that uses browser fingerprinting is diverse and not uniformly malicious in its intent. Fingerprinting is used by fraud detection systems to identify suspicious patterns of access, for example recognizing that a device claiming to be a first-time visitor has a fingerprint matching a device that previously attempted fraudulent transactions. It is used by digital rights management systems to prevent unauthorized sharing of accounts. It is used by analytics companies to track user journeys across sessions without cookies. And it is used by advertising technology companies to build cross-site profiles of users for targeted advertising. The range of uses means that fingerprinting is not a technology associated exclusively with bad actors, but the absence of any meaningful consent mechanism in its deployment means that users are subjected to it regardless of whether the specific use case would be one they would accept if asked.
The legal treatment of browser fingerprinting under privacy regulations varies and has not been definitively resolved in most jurisdictions. The European Union’s General Data Protection Regulation and the ePrivacy Directive require that the collection of personal data and the storage of information on users’ devices be subject to informed consent. Some interpretations of these regulations treat browser fingerprinting as covered by these requirements because the fingerprint constitutes personal data when used for tracking. Others distinguish between fingerprinting, which involves reading information from the browser, and cookie-setting, which involves writing information to the device, and apply the consent requirements only to the latter. The practical enforcement of these rules against fingerprinting has been limited, and the technology continues to operate largely without regulatory constraint in most markets.
The gap between the tracking capabilities of sophisticated fingerprinting systems and the awareness of those capabilities among ordinary web users is significant. Most people who have thought about online privacy think of it primarily in terms of cookies, and some of them have taken steps to manage their cookie exposure. Very few are aware that their browser is broadcasting a detailed profile of their device configuration to every website they visit, that this profile is being collected and used to track their movements across the web and across time, and that the tools they use to protect their cookie privacy provide almost no protection against this alternative form of identification. The web’s tracking infrastructure has always run ahead of user awareness and regulatory frameworks, and browser fingerprinting represents one of the most significant ways in which it continues to do so.