Browser Fingerprinting: Beyond IP Tracking
Understand how browser fingerprinting identifies you without cookies or IP addresses, and strategies to reduce your fingerprint.
What Is Browser Fingerprinting?
Browser fingerprinting is a tracking technique that identifies users by collecting information about their browser and device configuration. Unlike cookies (which can be deleted) or IP addresses (which can be masked by VPNs), a browser fingerprint is derived from dozens of data points that, combined, create a nearly unique identifier.
Research by the EFF's Panopticlick project found that the average browser fingerprint is unique among hundreds of thousands of users.
Data Points Used for Fingerprinting
| Category | Examples |
|---|---|
| Browser info | User-Agent string, browser version, installed plugins |
| Screen | Resolution, color depth, device pixel ratio |
| Fonts | List of installed fonts (varies widely between systems) |
| Canvas | Rendered graphics differ subtly between GPUs and drivers |
| WebGL | GPU model, supported extensions, rendering differences |
| Audio | AudioContext processing varies between hardware |
| Time zone | System timezone and offset |
| Language | Browser language preferences and accept headers |
| Hardware | CPU cores, device memory, touch support |
How Canvas Fingerprinting Works
Websites can draw hidden graphics using the HTML5 Canvas API and read back the pixel data. Different combinations of GPU, driver, OS, and font rendering produce slightly different results:
// Simplified canvas fingerprinting
const canvas = document.createElement("canvas");
const ctx = canvas.getContext("2d");
ctx.textBaseline = "top";
ctx.font = "14px Arial";
ctx.fillText("Hello, fingerprint!", 2, 2);
const dataURL = canvas.toDataURL();
// Hash of dataURL = part of your fingerprint
This technique works even with JavaScript cookies disabled and through VPNs.
Why VPNs Do Not Stop Fingerprinting
A VPN changes your IP address but does nothing to alter the dozens of browser and hardware attributes that compose a fingerprint. After connecting to a VPN, your canvas rendering, installed fonts, screen resolution, and browser configuration remain identical.
This means that even with a VPN, websites can potentially track you across sessions if your browser fingerprint is unique.
Reducing Your Fingerprint
Use Tor Browser
Tor Browser is specifically designed to resist fingerprinting by standardizing browser attributes across all users. All Tor Browser users report the same screen size, timezone (UTC), language, and fonts.
Firefox with Resist Fingerprinting
# In about:config
privacy.resistFingerprinting = true
This normalizes many fingerprinting vectors: timezone, screen dimensions, fonts, canvas, and more.
Browser Extensions
- Canvas Blocker -- Adds noise to canvas and WebGL fingerprinting.
- uBlock Origin -- Blocks many fingerprinting scripts at the network level.
General Practices
- Keep browser extensions to a minimum (each one changes your fingerprint).
- Use a common screen resolution (1920x1080 is the most popular).
- Avoid exotic fonts and plugins.
- Use private/incognito mode to reset state between sessions.