You cleared your cookies. You're using incognito mode. You installed a privacy extension. You enabled "Do Not Track."
You're still being tracked.
Browser fingerprinting identifies you based on unique characteristics of your browser and device — no cookies required. It works silently, invisibly, and is largely immune to the privacy controls most people rely on.
What Is a Browser Fingerprint?
Every time you load a webpage, your browser exposes, through HTTP headers and JavaScript APIs that any script on the page can call, a large number of data points, including:
- User agent string (browser name, version, OS)
- Screen resolution and color depth
- Installed fonts (enumerated via JavaScript)
- Canvas rendering fingerprint (how your GPU renders graphics)
- WebGL fingerprint (3D graphics rendering signature)
- Audio context fingerprint
- CPU architecture and core count
- Network information (IP address, connection type from the Network Information API, TLS handshake parameters)
Combined, these form a fingerprint that needs no persistent storage at all. In the EFF's 2010 Panopticlick data set, a browser's fingerprint was on average shared by only 1 in 286,777 other browsers.
That 2010 EFF study found 83.6% of browsers uniquely identifiable, and 94.2% of those with Flash or Java enabled. Modern techniques (canvas, WebGL, audio) push this higher.
Canvas Fingerprinting: How Your GPU Identifies You
function getCanvasFingerprint() {
  // The canvas is never attached to the DOM, so nothing is visible to the user
  const canvas = document.createElement('canvas');
  const ctx = canvas.getContext('2d');
  ctx.textBaseline = 'top';
  ctx.font = '14px Arial';
  ctx.fillStyle = '#f60';
  ctx.fillRect(125, 1, 62, 20);
  ctx.fillStyle = '#069';
  ctx.fillText('Browser fingerprinting test', 2, 15);
  // The PNG bytes differ with GPU, driver, OS and font rasterizer;
  // trackers hash this data URL to get a compact, stable fingerprint
  return canvas.toDataURL();
}
Different GPUs, drivers, and operating systems render the same canvas operations differently at the pixel level. The resulting PNG — when hashed — is consistent for a given device but distinct across devices.
You cannot detect canvas fingerprinting from the rendered page. The canvas is typically hidden. The operation takes milliseconds.
A 2014 study by Princeton and KU Leuven researchers ("The Web Never Forgets") found canvas fingerprinting on 5.5% of the top 100,000 websites; later crawls by the Princeton group found it more widespread.
WebGL Fingerprinting: Direct GPU Identification
function getWebGLFingerprint() {
  const canvas = document.createElement('canvas');
  const gl = canvas.getContext('webgl') || canvas.getContext('experimental-webgl');
  if (!gl) return null; // WebGL unavailable or disabled
  // Firefox returns null here by default; Chromium-based browsers return the extension
  const debugInfo = gl.getExtension('WEBGL_debug_renderer_info');
  return {
    // Returns: "NVIDIA GeForce RTX 4080" or "Apple M3 GPU" (on Chromium, wrapped in an ANGLE string)
    renderer: debugInfo ? gl.getParameter(debugInfo.UNMASKED_RENDERER_WEBGL) : gl.getParameter(gl.RENDERER),
    vendor: debugInfo ? gl.getParameter(debugInfo.UNMASKED_VENDOR_WEBGL) : gl.getParameter(gl.VENDOR),
    // The list and order of supported extensions is a fingerprint in its own right
    extensions: gl.getSupportedExtensions()
  };
}
WEBGL_debug_renderer_info directly exposes your GPU model (on Chromium, wrapped in an ANGLE string that also names the graphics backend). Firefox restricts the extension by default; Chrome and Edge still expose it.
Font Enumeration: 300 Fonts, One Unique Set
The specific set of fonts installed on a device is a reliable fingerprinting signal. If you have Fira Code installed, you're probably a developer. If you have specific Adobe fonts, you're probably a creative professional.
There is no API that lists installed fonts, so scripts infer the list: they render a probe string in each candidate font with a generic fallback (monospace, sans-serif, serif) and compare the measured width and height against the fallback alone. A difference means the candidate is installed. Modern fingerprinting services probe for 300-400 fonts this way in milliseconds, without triggering any browser warning.
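The measurement trick, as an added example that is not code from the original article or from any fingerprinting vendor. `canvasMeasurer` is a hypothetical browser-side helper; `fakeMeasurer`, its width table and the candidate list are constructed so the detection logic runs offline against the same interface.

```javascript
// Added example: font enumeration by text measurement (constructed data, not real metrics).
const FALLBACKS = ['monospace', 'sans-serif', 'serif'];
const PROBE = 'mmmmmmmmmmlli'; // wide and narrow glyphs; real scripts use a similar string

// Hypothetical browser-side measurer: renders PROBE in a font stack and returns its width.
function canvasMeasurer() {
  const ctx = document.createElement('canvas').getContext('2d');
  return (fontStack) => {
    ctx.font = `72px ${fontStack}`;
    return ctx.measureText(PROBE).width;
  };
}

// Core technique: a candidate font counts as installed if rendering it changes the width
// relative to at least one generic fallback. Checking against three fallbacks guards
// against a font whose metrics happen to coincide with one of them.
function detectFonts(candidates, measureWidth) {
  const baseline = Object.fromEntries(FALLBACKS.map((fb) => [fb, measureWidth(fb)]));
  return candidates.filter((font) =>
    FALLBACKS.some((fb) => measureWidth(`"${font}", ${fb}`) !== baseline[fb])
  );
}

// The signal a tracker actually stores: the sorted list of detected fonts (usually hashed).
function fontSignal(candidates, measureWidth) {
  return detectFonts(candidates, measureWidth).sort().join(';');
}

// Constructed stand-in for a browser: `installed` maps font name -> probe width; any
// other name falls through to the generic fallback's width, exactly as a browser would.
function fakeMeasurer(installed) {
  const generic = { monospace: 100, 'sans-serif': 80, serif: 85 };
  return (stack) => {
    const m = stack.match(/^"([^"]+)", ([\w-]+)$/);
    return m ? (installed[m[1]] ?? generic[m[2]]) : generic[stack];
  };
}

// Constructed device: a developer's machine with Fira Code, plus Helvetica whose probe
// width coincides with sans-serif (only the monospace/serif comparisons reveal it).
const DEVICE = fakeMeasurer({ 'Fira Code': 102, Helvetica: 80 });
const CANDIDATES = ['Fira Code', 'Helvetica', 'Comic Sans MS', 'Source Code Pro'];
// fontSignal(CANDIDATES, DEVICE) → 'Fira Code;Helvetica'
```

In a page, `detectFonts(CANDIDATES, canvasMeasurer())` does the same thing against the real renderer; production scripts run hundreds of candidates and hash the result together with the other signals on this page.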
TLS Fingerprinting: No JavaScript Required
The TLS handshake — the cryptographic negotiation for every HTTPS connection — reveals:
- Cipher suites offered, in order
- TLS extensions present
- Elliptic curves supported
This is the basis of JA3 fingerprinting: the server joins the ClientHello's version, cipher suites, extension types, supported groups and point formats into decimal lists (GREASE placeholder values removed) and takes the MD5 of the result. It's computed server-side from raw TLS handshake data. No JavaScript runs. The user has no visibility, and no browser extension can block it. It works on all browsers, apps, and scrapers, which is why it is used as much for bot detection as for tracking.
Who Is Running Fingerprinting Scripts?
FingerprintJS (Fingerprint Inc.) — Commercial SaaS claiming 99.5% correct identification. Integrated into marketing analytics across thousands of companies.
Google Analytics / Google Tag Manager — Collects numerous browser characteristics alongside behavioral data.
ThreatMetrix (LexisNexis Risk Solutions) — Financial fraud detection that fingerprints browsers for banking clients. The fingerprint from your bank visit is shared across LexisNexis's network of financial clients.
DoubleClick, The Trade Desk, Criteo — All run fingerprinting as part of cross-site tracking infrastructure.
According to Princeton's Web Transparency Project:
- Canvas fingerprinting: 14% of top 100,000 websites
- Font enumeration: 26% of top 100,000 websites
- The majority of high-traffic websites run at least one non-cookie tracking technology
The Cross-Site Tracking Problem
- You visit site A. The third-party fingerprinting script runs. Your fingerprint is logged.
- You visit site B. Same third-party script. You're identified as the same visitor.
- You visit sites C through Z. Same pattern.
After enough sites, the third party has a browsing history more complete than your own — purchases, medical research, job searches, political reading — all associated with your fingerprint, which persists across cookie clears, incognito mode, and device restarts.
Clicking "Reject All Cookies" typically does not disable canvas fingerprinting scripts.
What Doesn't Work (Common Misconceptions)
- Clearing cookies — fingerprinting doesn't use cookies
- Incognito mode — same browser, same GPU, same fonts → identical fingerprint
- "Do Not Track" — voluntary signal, almost universally ignored
- VPN — changes your IP, not your browser fingerprint
- Most ad blockers — block some fingerprinting domains but not all
What Partially Works
- Brave browser — ships with fingerprint randomization (adds noise to canvas, audio, WebGL outputs)
- Safari ITP — limits cross-site tracking, generalizes WebGL renderer string
- Firefox with privacy.resistFingerprinting = true — standardizes many values (UTC timezone, letterboxed window size, a prompt before canvas data can be read), with significant usability tradeoffs
- Tor Browser — aggressively standardizes the fingerprint so all Tor users look identical; extreme usability cost
Privacy-Respecting Design for Developers
# BAD: Collect canvas fingerprint, cross-reference with 50 sites, build shadow profile
# GOOD: Issue cryptographically random session tokens
import secrets
import requests

def create_session() -> str:
    # Random token, not a fingerprint: it identifies this session only and
    # disappears when the user ends it. Store it server-side and send it in an
    # HttpOnly, Secure, SameSite cookie.
    return secrets.token_urlsafe(32)

def scrub_before_ai_call(user_prompt: str) -> str:
    """Remove PII before sending to any AI provider."""
    response = requests.post(
        'https://tiamat.live/api/scrub',
        json={'text': user_prompt},
        timeout=10,
    )
    # Fail closed: if scrubbing did not succeed, never fall back to the raw prompt
    response.raise_for_status()
    return response.json()['scrubbed']
Legitimate fraud detection uses anomaly detection on behavioral signals within a session — not silent cross-site fingerprinting.
The Legal Gap
GDPR: Browser fingerprints qualify as personal data, and the ePrivacy Directive's Article 5(3) consent requirement covers any information stored on or read from a user's device, not only cookies; the Article 29 Working Party said so explicitly for device fingerprinting in Opinion 9/2014. But cookie consent banners say nothing about fingerprinting, and "Reject All Cookies" does not disable it.
CCPA: Fingerprints qualify as "unique identifiers." Businesses must provide an opt-out for cross-context behavioral advertising and, under California's regulations, must honor the Global Privacy Control browser signal as that opt-out (the 2022 Sephora settlement was partly about ignoring it). Outside that jurisdiction the signal works only at companies that choose to honor it, still a small fraction.
US Federal: No law specifically addresses browser fingerprinting. The FTC has taken limited action.
What Would Actually Help
Browser-level standardization: Standardize canvas rendering across browsers → collapse canvas fingerprinting. Technically feasible, requires performance tradeoffs.
API restrictions: Broader restrictions on WEBGL_debug_renderer_info, Battery API, device motion sensors across all browsers.
Legal clarity: GDPR guidance explicitly classifying fingerprinting as requiring consent, with enforcement against major platforms.
Privacy controls that actually work: Regulations requiring that "Reject All" disables ALL tracking, not just cookies.
This is an ongoing arms race. The advertising industry develops new fingerprinting techniques faster than browsers block old ones. Users are the terrain.
TIAMAT's /api/scrub at tiamat.live scrubs PII from text before it reaches any AI provider. Zero logs. No prompt storage. The privacy layer between you and the model.