When you load a webpage, your browser makes hundreds of small disclosures: the fonts installed on your system, your screen resolution, the graphics card rendering the page, your time zone, the plugins you have active, the specific version of your operating system. Individually, these facts are unremarkable. Aggregated and hashed, they form a fingerprint that can identify your browser with surprising reliability across sessions, across networks, and across private browsing modes.
The Electronic Frontier Foundation's Panopticlick project (now Cover Your Tracks) demonstrated this clearly: when tested against real-world traffic, most browsers produced fingerprints unique enough to identify them within a population of hundreds of thousands. The technique has been in production use by major ad networks and fraud detection systems for over a decade.
What a Browser Fingerprint Actually Contains
A fingerprinting script running in your browser can collect:
- User-Agent string — browser name, version, and OS version
- Screen dimensions and color depth — the exact pixel dimensions of your monitor and how many colors it supports
- Installed fonts — detected by rendering text in many fonts and measuring the output size; the specific combination of fonts present on a system is highly identifying
- Canvas fingerprint — a hidden canvas element is drawn and hashed; differences in GPU hardware and driver versions produce subtly different pixel outputs
- WebGL fingerprint — similar principle, applied to 3D rendering; reveals GPU vendor and model
- Audio fingerprint — the Web Audio API processes a tone through the browser's audio stack; the exact floating-point output varies by hardware and OS
- Time zone and language settings
- Available browser plugins and MIME types
- CPU core count and memory — JavaScript can read these via the navigator API
- Touch and pointer support
Each individual attribute has limited identifying power. The combination is what makes fingerprinting effective. A browser running on a particular GPU, with a particular font stack, with a particular screen resolution and time zone, produces a hash that matches very few other browsers in the world.
Fingerprinting is inherently stateless from the tracker's side — nothing is stored on your device. You cannot block it by clearing cookies, using private browsing, or reinstalling your browser. The signal comes from your hardware and software configuration, which persists.
Why Incognito Mode Is No Defense
Private browsing modes (Chrome's Incognito, Firefox's Private Window, Safari's Private Browsing) prevent your browsing history from being written to your local device and block third-party cookies from persisting between sessions. They do not change your browser's fingerprint in any meaningful way.
Your GPU is still your GPU. Your fonts are still your fonts. Your screen is still your screen. A fingerprinting script running in a private window sees the same hardware configuration it sees in a normal window. If you visited a site in normal mode yesterday and visit it in private mode today, the fingerprint matches.
This is not a flaw in private browsing — it's outside the scope of what private browsing was designed to do. Private browsing addresses local storage; fingerprinting addresses remote identification. They're solving different problems, and only one of them is commonly misunderstood.
How Fingerprinting Is Used in Practice
The dominant use case is cross-site tracking by advertising networks. When the same fingerprinting script is embedded across thousands of sites (via a shared ad SDK or analytics platform), it can reconstruct a browsing history for your browser even without persistent cookies. GDPR and ePrivacy regulations in Europe require consent for cookie-based tracking; fingerprinting has historically occupied a legal gray zone because it doesn't set cookies.
A secondary use is fraud detection. Banks, e-commerce platforms, and financial services use fingerprinting to identify returning devices even when users clear cookies — catching users who try to exploit multiple-account bonuses, flagging unusual account access from new hardware, and detecting bot traffic. In this context, fingerprinting serves a defensive purpose, though it uses the same techniques as tracking.
A third use is identity linkage. If you log into a service on one device, that device's fingerprint is associated with your account. If you later visit competitor sites in a different browser session without logging in, the fingerprint can still link your activity to your known identity — a technique documented in academic research on cross-context tracking.
The Entropy Problem
The core challenge in defeating fingerprinting is entropy. Each attribute your browser reveals adds identifying information that narrows the field of candidate browsers. The more attributes a script can read, the more precisely it can identify you.
The most effective countermeasure — used by Tor Browser — is to make every browser look identical. Tor Browser presents a standardized user-agent, disables canvas fingerprinting by default (prompting when a site tries to read canvas data), limits font enumeration, and fixes screen resolution to a standard size regardless of actual monitor dimensions. The goal is not to hide your fingerprint but to make your fingerprint identical to every other Tor Browser user's fingerprint. If 100,000 browsers produce the same fingerprint, it uniquely identifies nothing.
Firefox with the resistFingerprinting flag enabled takes a similar approach, standardizing many of the attributes scripts can read. The Brave browser applies randomization instead — slightly varying the canvas and audio fingerprint output on each page load, so that tracking scripts see inconsistent data and cannot correlate sessions.
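The entropy argument above, made concrete as an added example (not code from the original article): it measures Shannon entropy and anonymity-set size over a constructed 8-browser population, then shows how standardizing attributes, the approach described for Tor Browser, collapses every browser into one anonymity set. The attribute values, the "standard" placeholder and all function names are assumptions made for illustration.

```javascript
// Constructed sample population: 8 browsers, three attributes a script can read.
const ATTRS = ["ua", "screen", "fonts"];
const population = [];
for (const ua of ["Firefox/Windows", "Chrome/macOS"])
  for (const screen of ["1920x1080", "2560x1440"])
    for (const fonts of ["font-set-A", "font-set-B"])
      population.push({ ua, screen, fonts });

// Join the chosen attributes into one key; a tracker would hash this string.
const keyOf = (b, attrs) => attrs.map((a) => b[a]).join("|");
// Group browsers by identical key. Each group is one anonymity set.
function anonymitySets(pop, attrs) {
  const sets = new Map();
  for (const b of pop) {
    const k = keyOf(b, attrs);
    sets.set(k, (sets.get(k) || 0) + 1);
  }
  return sets;
}

// Shannon entropy in bits of the fingerprint distribution over the population.
function entropyBits(pop, attrs) {
  let h = 0;
  for (const n of anonymitySets(pop, attrs).values()) {
    const p = n / pop.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Number of browsers sharing this browser's fingerprint (1 means unique).
const anonymitySetSize = (pop, attrs, b) =>
  anonymitySets(pop, attrs).get(keyOf(b, attrs)) || 0;

// Standardization: overwrite the listed attributes with one fixed placeholder value.
const standardize = (pop, attrs) =>
  pop.map((b) => ({ ...b, ...Object.fromEntries(attrs.map((a) => [a, "standard"])) }));

function report() {
  const full = standardize(population, ATTRS);
  return {
    perAttribute: ATTRS.map((a) => entropyBits(population, [a])), // 1 bit each
    combined: entropyBits(population, ATTRS), // 3 bits: all 8 are unique
    setSizeBefore: anonymitySetSize(population, ATTRS, population[0]), // 1
    partialBits: entropyBits(standardize(population, ["ua"]), ATTRS), // 2 bits
    fullBits: entropyBits(full, ATTRS), // 0 bits
    setSizeAfter: anonymitySetSize(full, ATTRS, full[0]), // 8
  };
}
console.log(report());
```

Standardizing only the user-agent still leaves 2 bits from screen size and fonts, so the defense works only when every readable attribute is made uniform.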
What You Can Actually Do About It
| Approach | Effectiveness | Tradeoffs |
|---|---|---|
| Tor Browser | High | Slow, some sites broken, JS-heavy apps degrade |
| Firefox + resistFingerprinting | High | Some site breakage; loses certain language/locale features |
| Brave (randomization) | Medium | Good for casual privacy; determined trackers may adapt |
| uBlock Origin alone | Partial | Blocks known fingerprinting domains; doesn't change your fingerprint |
| Private browsing / Incognito | None | No effect on fingerprint signals |
| VPN alone | None | Hides IP address; fingerprint remains unchanged |
For most users, the practical path is: use a browser with fingerprint resistance enabled (Firefox with privacy.resistFingerprinting = true, or Brave), run uBlock Origin to block the most common tracking scripts at the network level, and reserve Tor Browser for situations where you need strong anonymity.
It's also worth separating the threat models. If your concern is advertising surveillance — having your browsing behavior sold across data brokers — Firefox with resistFingerprinting meaningfully reduces the signal. If your concern is a sophisticated adversary with access to multiple data sources, you need Tor and a more comprehensive operational security posture. The metadata problem extends well beyond the browser, and fingerprinting is one layer of a larger tracking infrastructure.
Browser fingerprinting exists because browsers were designed to expose rich capability information for compatibility reasons — and that information turned out to be identifying. The fix is not to hide your browser's existence but to make it indistinguishable from others. That's an arms race, but one where the defensive tools have meaningfully improved.