Browser Fingerprinting: How Websites Track You Without Cookies

Cookies require storage on your device and can be deleted. Browser fingerprinting requires nothing — it reads the unique combination of attributes your browser exposes with every page load and builds an identifier from them. Screen resolution, installed fonts, graphics card renderer, language settings, timezone, and dozens more signals combine into a hash that identifies your browser across sessions, even after clearing cookies, switching to private browsing, or changing your IP address.

What Gets Collected

Fingerprinting scripts read attributes across several categories:

Basic browser attributes: User-Agent string (browser name, version, OS), Accept-Language header, screen resolution and color depth, device pixel ratio, timezone, whether cookies are enabled, whether Do Not Track is set.

Canvas fingerprinting: JavaScript draws text and shapes to an invisible HTML canvas element. The exact pixel rendering varies by OS, GPU, graphics driver, and antialiasing implementation. The resulting image is hashed — the same browser on the same hardware produces the same hash every time, and different hardware/OS combinations produce different hashes. This is one of the most discriminating fingerprinting signals available.

WebGL fingerprinting: Similar to canvas but using 3D rendering. The WebGL renderer string explicitly identifies the GPU model and driver (e.g., "ANGLE (NVIDIA GeForce RTX 3080 Direct3D11 vs_5_0 ps_5_0)"). The actual rendering output also varies by hardware.

Font enumeration: JavaScript measures the rendered size of text in various fonts. Fonts present on the system render at specific dimensions; missing fonts fall back to defaults with different dimensions. By testing many fonts, a script builds a list of which fonts are installed — a stable identifier tied to the user's software environment.

AudioContext fingerprinting: The Web Audio API processes an audio signal through the browser's audio stack. Minor floating-point differences in the output are consistent per device and browser and are used as an additional signal.

TLS fingerprinting (passive): The cipher suites, extensions, and their order in the TLS ClientHello message vary by browser and version. A server can identify the browser type from TLS alone, before any JavaScript runs.

How Unique Is a Fingerprint?

EFF's Cover Your Tracks project found that approximately 83% of browsers have a fingerprint unique enough to be identifiable within their dataset. The combination of canvas, WebGL, font, and basic attributes produces a hash that matches only one browser across all observed visits. Fingerprints are also stable — they change only when the user updates their browser, OS, or graphics driver, meaning tracking can persist for weeks or months without any client-side state.
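
An added example, not part of the original article and not EFF's methodology: it measures how the share of uniquely identifiable visitors grows as attributes are combined. The eight-visitor sample and all attribute names and values are constructed for illustration.

```javascript
// Constructed sample of eight visitors; every value here is invented.
const visitors = [
  { tz: "Europe/Berlin",    lang: "de-DE", screen: "1920x1080", gpu: "GPU-A" },
  { tz: "Europe/Berlin",    lang: "de-DE", screen: "1920x1080", gpu: "GPU-B" },
  { tz: "Europe/Berlin",    lang: "en-US", screen: "1920x1080", gpu: "GPU-A" },
  { tz: "America/New_York", lang: "en-US", screen: "1920x1080", gpu: "GPU-A" },
  { tz: "America/New_York", lang: "en-US", screen: "1920x1080", gpu: "GPU-A" },
  { tz: "America/New_York", lang: "en-US", screen: "2560x1440", gpu: "GPU-C" },
  { tz: "America/New_York", lang: "en-US", screen: "1366x768",  gpu: "GPU-B" },
  { tz: "Europe/Berlin",    lang: "de-DE", screen: "1366x768",  gpu: "GPU-B" },
];

// For each visitor, count how many visitors share the same values for `attrs`
// (the anonymity set). A set of size 1 means that visitor is unique.
function anonymitySets(rows, attrs) {
  const keyOf = (r) => attrs.map((a) => r[a]).join("\u0000");
  const counts = new Map();
  for (const r of rows) counts.set(keyOf(r), (counts.get(keyOf(r)) || 0) + 1);
  return rows.map((r) => counts.get(keyOf(r)));
}

// Share of visitors whose attribute combination nobody else has.
function uniqueFraction(rows, attrs) {
  return anonymitySets(rows, attrs).filter((n) => n === 1).length / rows.length;
}

// Identifying information, in bits, carried by one visitor's combination:
// log2(population size / anonymity set size).
function surprisalBits(rows, attrs, index) {
  return Math.log2(rows.length / anonymitySets(rows, attrs)[index]);
}

// Add one attribute at a time and watch the crowd split.
function report(rows) {
  const all = ["tz", "lang", "screen", "gpu"];
  return all.map((_, i) => {
    const attrs = all.slice(0, i + 1);
    return { attrs: attrs.join("+"), unique: uniqueFraction(rows, attrs) };
  });
}

console.table(report(visitors));
```

No single attribute in this sample identifies anyone on its own; it is the combination that shrinks each visitor's anonymity set to one.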

Fingerprinting vs Cookies

| Property | Cookies | Fingerprinting |
|---|---|---|
| Stored on device | Yes | No |
| User can delete | Yes | No |
| Blocked by private mode | Yes (not saved) | No |
| Requires JavaScript | No (HTTP only) | For advanced techniques |
| Cross-session persistence | Until expiry or deletion | Until browser/OS update |
| Regulated by cookie laws | Yes (GDPR, ePrivacy) | Debated — largely unregulated |

Defenses Against Fingerprinting

Tor Browser: Designed to make all users look identical. Canvas fingerprinting prompts a permission dialog. Font enumeration is blocked. Screen resolution is reported as a standard value. The goal is not to hide the fingerprint but to make it the same as every other Tor Browser user — rendering it useless for identification. The tradeoff is speed (Tor routing) and occasional site breakage.

Brave Browser: Randomizes canvas, WebGL, and AudioContext fingerprinting output slightly on each page load — different enough that tracking across sites is broken, but stable enough within a session that sites work normally. Does not require Tor. Built-in, no extension required.

Firefox with resistFingerprinting: Set privacy.resistFingerprinting = true in about:config. Applies many of the same normalizations as Tor Browser. Some site breakage is possible.

uBlock Origin: Blocks known fingerprinting scripts by domain. Does not alter the fingerprint itself — if a first-party script runs, it still collects data. Effective against third-party tracking networks; less effective against first-party fingerprinting.
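
The two strategies described above, normalization (Tor Browser) and randomization (Brave), as an added sketch that is not either browser's code. It assumes a toy device model, FNV-1a standing in for the tracker's hash, placeholder "standard" values, and noise seeded per session and per site.

```javascript
// FNV-1a (32-bit): small non-cryptographic hash standing in for a tracker's hash.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h = Math.imul(h ^ str.charCodeAt(i), 0x01000193);
  }
  return h >>> 0;
}

// The identifier a script could derive from the values a page can read.
const fingerprint = (d) => fnv1a(JSON.stringify([d.screen, d.fonts, d.canvas]));

// Constructed devices; `canvas` stands in for pixel bytes read back from a canvas.
const pixels = (offset) => Array.from({ length: 64 }, (_, i) => (i * 37 + offset) % 256);
const laptop = { screen: "2560x1600", fonts: ["Arial", "Fira Code"], canvas: pixels(11) };
const desktop = { screen: "1920x1080", fonts: ["Arial", "Calibri"], canvas: pixels(12) };

// Normalization: every user reports the same values, so all fingerprints collide.
// The concrete values are placeholders, not Tor Browser's real ones.
function normalize(_device) {
  return { screen: "1000x1000", fonts: [], canvas: null };
}

// Randomization: flip the low bit of each pixel byte with noise seeded by
// (session key, site). Stable within a session on one site, different elsewhere.
// Only canvas is modelled; the seeding scheme is an assumption for illustration.
function randomize(device, sessionKey, site) {
  let s = fnv1a(sessionKey + "|" + site) || 1; // xorshift32 needs a non-zero state
  const canvas = device.canvas.map((v) => {
    s ^= s << 13; s ^= s >>> 17; s ^= s << 5;
    return v ^ ((s >>> 16) & 1);
  });
  return { ...device, canvas };
}

function demo() {
  const fp = (session, site) => fingerprint(randomize(laptop, session, site));
  return {
    rawDiffer: fingerprint(laptop) !== fingerprint(desktop),
    normalizedSame: fingerprint(normalize(laptop)) === fingerprint(normalize(desktop)),
    sameSiteStable: fp("session-1", "a.example") === fp("session-1", "a.example"),
    crossSiteDiffer: fp("session-1", "a.example") !== fp("session-1", "b.example"),
    newSessionDiffer: fp("session-1", "a.example") !== fp("session-2", "a.example"),
  };
}

console.log(demo());
```

Normalization defeats identification by making the anonymity set as large as the user base; randomization defeats linking by making the same device look different to each site and session.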

Frequently Asked Questions

Does private browsing or incognito mode prevent fingerprinting?

No. Incognito mode prevents cookies and history from being saved to disk — it does not change screen resolution, installed fonts, canvas rendering, or any other fingerprinted attribute. A fingerprinting script in incognito produces the exact same fingerprint as in normal mode. Use Tor Browser or Brave's fingerprint randomization for actual protection.

Will blocking JavaScript prevent fingerprinting?

Blocking JavaScript prevents canvas, WebGL, and AudioContext fingerprinting — the most powerful techniques. But passive fingerprinting via HTTP headers (User-Agent, Accept-Language) and TLS fingerprinting still works without JavaScript. Blocking JS also breaks most websites, making it impractical. A better approach is using Tor Browser or Brave, which normalize fingerprinting surfaces without breaking the web.
