Browser fingerprinting is a tracking technique that identifies you based on your browser’s unique configuration, not cookies or IP address. Your browser reveals thousands of identifying characteristics: fonts installed, screen resolution, audio playback capabilities, GPU rendering differences, browser plugins, timezone, language settings, and yes, even how your mouse moves. Combined, these characteristics create a unique fingerprint that persists across private browsing, cookie deletion, and IP changes. Websites use fingerprinting to track you, advertisers use it to build profiles, and malicious actors use it for fraud prevention and account linking. Defending against it requires understanding which fingerprints are visible, how they’re collected, and which tools actually prevent identification.

How Browser Fingerprinting Works

Your browser is a complex piece of software with hundreds of configurable properties. Most of these properties are exposed to JavaScript running on websites, usually without your knowledge or consent.

The Data Collected

Canvas Fingerprinting: Canvas is a browser API for drawing graphics. Each browser renders graphics slightly differently due to:

• GPU differences (NVIDIA, AMD, Intel, Apple Silicon render differently)
• Font rendering differences
• Anti-aliasing algorithms
• Dithering and color space handling

A website draws the same text or pattern on a canvas on every computer, then hashes the resulting pixel data. Your GPU+font combination produces a unique pattern. Even if you have the same CPU as another user, different GPU = different hash.

// Simple canvas fingerprint example
const canvas = document.createElement('canvas');
const ctx = canvas.getContext('2d');
ctx.textBaseline = 'top';
ctx.font = '14px Arial';
ctx.fillText('Browser Fingerprint', 2, 2);
const hash = canvas.toDataURL(); // Unique output per browser

WebGL Fingerprinting: WebGL is a 3D graphics API. Similar to canvas, websites can:

• Render the same 3D scene on your GPU
• Extract GPU vendor and driver information (ANGLE for Windows, Metal for Mac)
• Measure rendering performance
• Extract texture compression capabilities
• Identify GPU model from rendering artifacts

WebGL reveals:

const canvas = document.createElement('canvas');
const gl = canvas.getContext('webgl');

// Directly identifies GPU vendor and capabilities
const debugInfo = gl.getExtension('WEBGL_debug_renderer_info');
const vendor = gl.getParameter(debugInfo.UNMASKED_VENDOR_WEBGL); // "Apple Inc."
const renderer = gl.getParameter(debugInfo.UNMASKED_RENDERER_WEBGL); // "Apple M2"

These values are unique per GPU, and most browsers don’t randomize them.

Audio Context Fingerprinting: Web Audio API allows analyzing audio capabilities and rendering. Websites can:

• Check available audio codecs
• Create an oscillator and measure subtle differences in output
• Analyze frequency responses unique to your audio driver

const audioContext = new (window.AudioContext || window.webkitAudioContext)();
const oscillator = audioContext.createOscillator();
oscillator.frequency.value = 10000;
// Subtle differences in oscillator output reveal audio driver

Font Enumeration: Fonts installed on your system leak identifying information. A website can:

• Measure text width for hundreds of fonts
• Determine which fonts you have installed (serif vs. sans-serif preferences are regional)
• Combine with OS detection for high-confidence identification

function detectFont(fontName) {
  const canvas = document.createElement('canvas');
  const ctx = canvas.getContext('2d');
  ctx.font = `12px Arial`;
  const widthDefault = ctx.measureText('abcdefghijklmnopqrstuvwxyz').width;

  ctx.font = `12px ${fontName}`;
  const widthTest = ctx.measureText('abcdefghijklmnopqrstuvwxyz').width;

  return widthDefault !== widthTest; // Font is installed
}

This was so common that browsers now restrict font enumeration, but circumvention techniques still exist.

Screen Dimensions and Color Depth:

// Trivial to detect
console.log(`${window.screen.width}x${window.screen.height}x${window.screen.colorDepth}`);
// Output: "1920x1080x32"
// Only ~500 common combinations exist, but exact dimensions are identifying

Timezone and Locale:

// Reveals timezone independent of IP
const timezone = Intl.DateTimeFormat().resolvedOptions().timeZone; // "America/New_York"
const language = navigator.language; // "en-US"

Browser Plugins:

// Enumerates all installed plugins
Array.from(navigator.plugins).map(p => p.name);
// Output: ["Google Chrome PDF Plugin", "Chrome PDF Viewer", "Native Client Plugin", ...]

User Agent:

// Heavily fingerprinting even with randomization
navigator.userAgent; // "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)..."

Performance Metrics: High-resolution timers reveal subtle timing differences that are fingerprinting:

performance.now(); // Can measure CPU performance and cache behavior
// Timing differences under 1 millisecond can identify CPU model

HTTP Headers: Even before JavaScript, servers see:

• Accept-Language (timezone + language)
• Accept-Encoding (browser preferences)
• User-Agent (browser + OS + version)
• TLS cipher support (reveal browser version)

WebRTC Leaks: WebRTC (real-time communication) APIs can leak your local IP address:

const pc = new RTCPeerConnection({iceServers: []});
pc.createDataChannel('');
pc.createOffer().then(offer => pc.setLocalDescription(offer));
pc.onicecandidate = (ice) => {
  if (!ice || !ice.candidate) return;
  const ipRegex = /([0-9]{1,3}(\.[0-9]{1,3}){3})/;
  const ipAddress = ipRegex.exec(ice.candidate.candidate)[1]; // Your actual local IP!
};

Your local IP, combined with other fingerprints, can identify you even through VPN.

Fingerprinting in Practice: How This Becomes Your Profile

A website like Everify or MaxMind combines hundreds of signals:

1. Canvas fingerprint (GPU+font)
2. WebGL fingerprint (GPU driver)
3. Audio context fingerprint (audio driver)
4. Screen resolution (1920x1080 narrows to ~30% of internet users)
5. Timezone (EDT narrows further)
6. Plugins (Google Chrome PDF is narrow)
7. Fonts (Arial + Helvetica + DejaVu = Windows common)
8. Browser version (Chrome 124 released March 2024)
9. OS indicators from User-Agent

With 8-10 signals combined, your fingerprint is unique among millions. With 15+ signals, uniqueness approaches 99.9%.

If you visit site-a.com and site-b.com, trackers can correlate:

• Canvas hash from site-a matches site-b (same person)
• WebGL renderer matches
• Timezone matches
• Screen resolution matches

Even without cookies, trackers identify you as the same person across different sites.

Measuring Your Fingerprint Uniqueness

Online Fingerprinting Tests

Panopticlick (Electronic Frontier Foundation): Visit https://panopticlick.eff.org/

• Measures your fingerprint across 18+ signals
• Estimates uniqueness: “1 in 500,000” or similar
• Shows which signals identify you most
• Free, open source, doesn’t store results

BrowserLeaks: Visit https://browserleaks.com/

• Tests WebGL, WebRTC, DNS, local IP, and more
• Visual display of what sites can see
• Multiple fingerprinting techniques tested
• Run locally, results not stored

FingerprintJS: https://fingerprint.com/

• Commercial fingerprinting service (the enemy)
• But provides a demo showing how thorough fingerprinting is
• Shows your actual fingerprint compared to millions

Running these tools is eye-opening. Most users find they’re unique among millions.

How to Prevent and Mitigate Fingerprinting

Browser-Level Defenses

1. Tor Browser Tor Browser is purpose-built to prevent fingerprinting.

What Tor does:

• Randomizes canvas output (all canvases return same hash)
• Blocks WebGL entirely (can’t be fingerprinted if unavailable)
• Randomizes screen resolution (all users appear to use 1280x720)
• Randomizes fonts (only default fonts available)
• Blocks plugins
• Randomizes timezone
• Disables high-resolution timers
• Prevents WebRTC leaks

Result: Your fingerprint is identical to ~1 million other Tor users. You’re not uniquely identified; you’re one of millions.

Trade-off: Some sites don’t work well on Tor (sites that heavily rely on JavaScript, high-resolution graphics).

2. Firefox with Privacy Hardening

Firefox doesn’t prevent fingerprinting by default, but hardening helps.

Settings to enable:

// about:config settings for fingerprinting resistance
privacy.resistFingerprinting = true  // Enables fingerprinting defenses
privacy.trackingprotection.enabled = true  // Block tracking
privacy.fingerprintingProtection = true  // Enable Canvas randomization
privacy.fingerprintingProtection.overrides = "+CANVAS"  // Canvas randomization

What this does:

• Randomizes canvas output per domain
• Blocks WebGL entirely
• Randomizes window size to common dimensions
• Disables high-resolution timers
• Restricts font enumeration

Limitations:

• Not as as Tor
• WebGL still leaks some information
• Site compatibility better than Tor, but some sites break

3. Chrome/Chromium Options

Chrome offers less fingerprinting protection than Firefox.

What Google does:

• Restricts some font APIs
• Partial canvas randomization (inconsistent)
• Some WebGL blocking (but less than Firefox)

Reality: Chrome is worse for privacy than Firefox or Tor. Google profits from tracking, so their privacy features are minimal.

Browser Extensions

Extensions attempt to block fingerprinting:

Canvas Fingerprint Blocker:

• Intercepts canvas calls
• Returns randomized data per domain
• Prevents canvas fingerprinting

Effectiveness: ~80%. Some sophisticated trackers detect the extension’s randomization.

NoScript/uBlock Origin:

• Disable JavaScript entirely
• Also disable canvas, WebGL, and font APIs
• Most effective but breaks sites heavily

Effectiveness: 100% (but breaks web)

Privacy Badger:

• Blocks trackers
• Doesn’t directly prevent fingerprinting
• Complements other defenses

Effectiveness: ~30% (not fingerprint-specific)

HTTPS Everywhere + Script Blocking: Combine HTTPS with JavaScript blocking to prevent fingerprinting. But this breaks most modern websites.

System-Level Defenses

1. Virtual Machine Running browser in VM with fake hardware:

• Fake GPU (VirtualBox GPU often identified as “NVIDIA Corporation”)
• Consistent screen resolution (VM resolution)
• No real plugins
• Can reset VM state regularly

Limitations:

• VMs are identifiable as VMs
• Hypervisor detection possible (browser can tell it’s in VM)
• Performance penalty

2. Dedicated Hardware Use identical device to thousands of others:

• iPhone users mostly identical (same GPU, same screen, same browser)
• Windows users with baseline laptop more similar

Reality: Still identifiable within similar device cohort. iPhone 15 users are ~40 million people, not a perfect anonymity set.

3. Randomized Settings Regularly change:

• Screen resolution (change zoom level)
• Language
• Timezone
• Etc.

Limitations:

• Tedious
• May break sites
• Still not as effective as coordinated randomization (Tor)

Advanced: Creating Resistance

Custom Browser Compilation

Build Tor Browser or ungoogled-chromium yourself with additional hardening:

# Build custom Tor Browser with additional canvas randomization
./mach build
# ... compile with fingerprinting defenses enabled

This requires significant technical knowledge but provides maximum control.

Headless Browser Fingerprinting (For Developers)

If you’re building services, test fingerprinting detection:

// In your application, test if browser is fingerprintable
async function testFingerprinting() {
  const tests = {
    canvas: () => {
      const canvas = document.createElement('canvas');
      const ctx = canvas.getContext('2d');
      ctx.textBaseline = 'top';
      ctx.font = '14px Arial';
      ctx.fillText('Test', 2, 2);
      return canvas.toDataURL();
    },
    webgl: () => {
      const canvas = document.createElement('canvas');
      const gl = canvas.getContext('webgl');
      if (!gl) return 'blocked';
      // ... WebGL tests
    },
    fonts: () => {
      // Font enumeration test
    }
  };

  const results = {};
  for (const [test, fn] of Object.entries(tests)) {
    try {
      results[test] = fn();
    } catch (e) {
      results[test] = 'blocked';
    }
  }
  return results;
}

This helps you understand what your users’ browsers reveal.

Practical Strategy: Balancing Privacy and Usability

For most users:

1. Use Firefox with privacy.resistFingerprinting = true
2. Install uBlock Origin (blocks trackers)
3. Keep browser updated
4. Avoid plugins (Flash, etc.)
5. Clear cookies regularly

This provides ~70-80% protection without breaking sites.

For higher privacy (journalists, activists):

1. Use Tor Browser for sensitive browsing
2. Use separate Firefox profile for everyday use
3. Keep both updated
4. Accept that some sites won’t work perfectly on Tor

This provides ~95% protection (some trade-offs with usability).

For maximum anonymity:

1. Use Tails OS (includes Tor Browser)
2. Accept reduced usability
3. Don’t log into identifying accounts
4. Use in isolation (new session each time)

This provides ~99% protection.

What Sites Are Actually Using Fingerprinting?

According to research studies:

• 90% of top 10k websites use some form of fingerprinting
• 70% specifically use canvas fingerprinting
• Major ad networks: Google (DoubleClick), Facebook (Meta), Amazon (ad network) all use fingerprinting
• Fraud prevention: Everify, MaxMind, Sift Science
• Paywalls: Some news sites use fingerprinting to bypass subscription paywalls
• Financial institutions: Some use fingerprinting for account verification (bad UX when you change devices)

Limitations of Fingerprinting Defense

Even perfect fingerprinting defense (Tor Browser) has limitations:

Behavioral tracking: How you navigate is identifiable. If you have a distinctive browsing pattern (always visit sites A, B, C in sequence), you’re trackable.

Login defeat: If you log into your email account, all anonymity is defeated.

Side-channel leaks: Timing attacks, power analysis, other side-channel attacks could theoretically identify hardware.

Future techniques: As defenses improve, trackers will develop new fingerprinting vectors.

The best defense is behavioral: don’t voluntarily identify yourself (login to identifying accounts), and assume you’re somewhat identifiable if your browsing pattern is distinctive.

Testing Your Defenses

After implementing defenses, test them:

1. Run Panopticlick before and after
2. Check BrowserLeaks for WebGL, WebRTC, DNS leaks
3. Use browser developer tools to see what JavaScript can access
4. Test actual site functionality (does everything work?)

Good results:

• Panopticlick shows “You have moderate protection” or better
• Canvas tests show “blocked” or randomized
• WebGL shows “blocked”
• WebRTC shows no local IP leak
• Sites you care about still work

Related Articles

• How Browser Fingerprinting Works Explained
• How to Prevent Mobile Apps From Fingerprinting Your Device
• How to Test if Your Anti-Fingerprinting Setup Actually Works
• Browser First-Party Isolation: What It Does and How It Works
• How Browser Storage Partitioning Works Firefox Chrome Privac

Built by theluckystrike — More at zovo.one