
Browser Fingerprinting Tracks You After You Delete Every Cookie


In 2010, the Electronic Frontier Foundation launched Panopticlick, a tool that tested whether a browser could be uniquely identified from its technical characteristics without using cookies. Their finding: 94.2% of JavaScript-enabled browsers had a fingerprint unique enough to track across websites. The tool, now called Cover Your Tracks, ran the same test in 2023 and found the numbers had improved only marginally — roughly 85% of tested browsers remained uniquely identifiable despite years of privacy awareness campaigns and cookie-blocking browser extensions.

Browser fingerprinting is not a niche technique. It's deployed by virtually every major advertising network, integrated into fraud detection systems at banks and payment processors, and built into anti-bot tools used by e-commerce platforms. Unlike cookies, it requires no storage on your device, leaves no artifact you can inspect or delete, and cannot be blocked by clearing your browsing data. The reason cookies dominate privacy discourse is that they are visible and regulatable. Fingerprinting is neither.

What a Fingerprint Is Actually Made Of

A browser fingerprint is a composite hash derived from dozens of individual attributes. No single attribute is unique on its own, but their combination becomes statistically identifying very quickly. The key components:

Canvas fingerprinting exploits the fact that different hardware and software combinations render the same HTML5 canvas drawing instruction differently at the pixel level. A fingerprinting script draws an invisible canvas element — typically a string of text with specific Unicode characters and emoji — and reads back the pixel data. The differences are sub-pixel, invisible to humans, but highly consistent per device. A 2014 study by researchers at Princeton University found canvas fingerprinting present on 5% of the top 100,000 websites; a 2022 follow-up by the same group (now running as the Princeton Web Transparency and Accountability Project) found it on over 30%.

WebGL fingerprinting works similarly, using the GPU to render a 3D scene and reading back rendering artifacts. Because GPUs from different manufacturers render identical scenes with subtly different floating-point arithmetic, the output is highly hardware-specific. A 2018 paper by Cao et al. demonstrated that WebGL fingerprinting alone could distinguish 99.2% of devices in a sample of 3,615 users.

AudioContext fingerprinting uses the Web Audio API to process a brief audio signal through the device's audio stack. Different hardware and OS audio implementations produce measurably different floating-point outputs for identical inputs. This technique was documented in detail by Mowery and Shacham at UC San Diego in 2012 and remains in widespread commercial use.

Font enumeration detects which fonts are installed by measuring how the browser renders text in fonts it does and doesn't have. A fingerprinting script probes hundreds of candidate fonts this way; the resulting set of installed fonts is highly identifying because font installation is driven by which software is installed, and that varies from one user's machine to the next.

Beyond rendering-based techniques, fingerprinting scripts also harvest: screen resolution and color depth, timezone and language settings, browser plugin list, hardware concurrency (CPU core count), device memory size, HTTP Accept-Language and User-Agent headers, touch capability, network connection type via the Network Information API, and battery charge level (until browsers began restricting the Battery Status API around 2015-2016 specifically because of fingerprinting abuse).

Commercial Deployment at Scale

FingerprintJS (now Fingerprint Inc.) offers a commercial JavaScript fingerprinting library used by over 6,000 businesses as of 2024. Its open-source version has over 21,000 GitHub stars. The company's pitch is primarily fraud prevention — identifying whether multiple fraudulent accounts are coming from the same device — but its technology is architecturally identical to what ad networks use for cross-site tracking.

ThreatMetrix, acquired by LexisNexis Risk Solutions, runs a network of device intelligence used by financial institutions, insurance companies, and e-commerce platforms to assess transaction risk. Its network has processed over 60 billion transactions and enrolled over 4 billion devices, according to the company's 2023 materials. When you apply for a bank account online and the form asks you to wait a moment while it "verifies your information," the device fingerprinting network is running in the background.

The ad network deployment is harder to quantify precisely, but the Princeton Web Transparency and Accountability Project's 2022 crawl of the top 100,000 websites found fingerprinting scripts on over 30% of pages — with the highest concentration on news sites, retail, and adult content. Google's DoubleClick, Meta's Pixel, and several dozen smaller ad-tech companies all use canvas and WebGL techniques as part of their cross-site identity graphs, supplementing (and increasingly replacing) third-party cookies as those are phased out.

The Privacy Regulatory Gap

GDPR covers fingerprinting explicitly: Article 4(1) defines personal data to include any information that can identify a person "directly or indirectly," and recital 30 specifically names "online identifiers" including device fingerprints. Under GDPR, processing a browser fingerprint for tracking purposes requires either consent or a legitimate interest that survives a balancing test — and several national data protection authorities have ruled that fingerprinting for ad targeting does not meet the legitimate interest threshold without consent.

In practice, enforcement is patchy. The Irish DPC, which supervises Meta and Google in the EU, issued its first GDPR fine against a company specifically for fingerprinting-based tracking in 2023 (against a Belgian ad network, not one of the major platforms). France's CNIL has been the most aggressive enforcer, fining Microsoft €60 million in 2023 for placing analytics cookies without consent on bing.com, though that case focused on cookies rather than fingerprinting specifically.

The US has no federal equivalent to GDPR that covers fingerprinting. California's CPRA (successor to CCPA) defines "personal information" broadly enough to include fingerprints, but enforcement requires consumers to exercise opt-out rights they are largely unaware exist, and the California Privacy Protection Agency's enforcement capacity has been stretched thin by higher-profile investigations.

What Browsers Are Doing About It

The browser vendors have responded unevenly. Firefox's Enhanced Tracking Protection, enabled by default since version 70, blocks fingerprinting scripts from domains on its disconnect.me blocklist — but this is a denylist approach that requires constant maintenance and misses novel or first-party fingerprinting deployments. Firefox also has a "Resist Fingerprinting" mode (enabled via privacy.resistFingerprinting in about:config) that systematically returns generalized values for many fingerprinting-vulnerable APIs: Canvas API calls return blank data, AudioContext returns uniform output, and the User-Agent string is standardized. The tradeoff is that this also breaks some legitimate functionality.

Brave Browser takes the most aggressive approach of any major browser: it randomizes canvas, WebGL, and AudioContext outputs per session by adding subtle noise that makes the returned values unique per origin per session. An attacker who reads the canvas twice gets different values each time, destroying the fingerprint's utility without completely blocking the API. This approach — called "farbling" — was proposed in academic literature and Brave implemented it in 2020. It is currently the technically strongest fingerprinting defense in a major consumer browser.

Chrome's Privacy Sandbox program, which includes the Privacy Budget proposal, aims to limit the total entropy available from fingerprinting APIs across a session. The concept is to track how much fingerprinting information a site has consumed and degrade API responses once a budget is exhausted. Privacy Budget remains in early development and has no committed ship date as of mid-2025. Google's incentive to deploy it aggressively is limited by the fact that its own ad business benefits from fingerprinting — a conflict of interest that privacy researchers have noted publicly.

What Actually Reduces Your Exposure

No consumer-grade solution eliminates fingerprinting entirely. The goal is increasing the cost of accurate identification, not achieving zero-information disclosure. In roughly decreasing order of effectiveness:

  • Brave with fingerprinting shields enabled is currently the strongest mainstream option. Its farbling approach is specifically designed to defeat the canvas/WebGL/AudioContext techniques that make fingerprinting effective.
  • Firefox with Resist Fingerprinting enabled (privacy.resistFingerprinting = true) is the best alternative, though it breaks more sites than Brave's approach.
  • The Tor Browser is the strongest available option and achieves near-theoretical minimum fingerprint distinctiveness by standardizing all browser parameters to match every other Tor Browser user. It is impractical as a daily driver for most users due to speed and site compatibility issues.
  • uBlock Origin with the "Block cname-cloaked first-party trackers" option enabled blocks many fingerprinting scripts at the network level, including those served via first-party domain disguises.
  • Using a standard screen resolution (1920x1080, 1440x900) reduces the identifying power of that dimension. A 4K display at native resolution is statistically rare and identifying.
  • Clearing cookies and browsing data has minimal effect on fingerprinting exposure. This is the most commonly recommended privacy action and the least effective one for this specific threat.

Actionable Takeaways

  • If you run a website that serves third-party ad scripts or uses commercial fraud prevention tools, your users are being fingerprinted whether you've explicitly consented to that or not. Audit your third-party JavaScript loads against known fingerprinting libraries — the EFF's Cover Your Tracks tool and Fingerprint's own documentation describe which API calls to look for.
  • GDPR-compliant fingerprinting requires a consent mechanism equivalent to cookie consent. If you're serving EU users with ad-tech that uses canvas/WebGL fingerprinting, consent banners that only cover cookies are likely non-compliant.
  • For high-sensitivity browsing (financial accounts, health information, political research), Brave or Firefox with Resist Fingerprinting is a meaningful protection upgrade, not just a comfort measure. The entropy reduction these browsers provide raises the cost of accurate cross-site tracking from near-zero to economically significant.
  • The ad-tech industry's migration from third-party cookies to fingerprinting is accelerating in response to Chrome's cookie deprecation plans. The privacy calculus of switching to a privacy-protective browser is getting better every year, not worse.
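The first takeaway asks site operators to audit their third-party JavaScript for fingerprinting API calls. The following added example (not from the article, the EFF or Fingerprint Inc.) is a heuristic scanner that groups the browser APIs named in this article by technique and flags a script when it touches several of them at once. The two script sources are constructed for the example; the API names are real browser APIs. Single hits such as `fillText` or `screen.width` occur in ordinary charting and analytics code, which is why the classifier counts distinct technique categories rather than individual matches, and why it is an audit aid rather than a blocker: minified or dynamically assembled code can evade regular expressions, so review flagged scripts by hand.

```javascript
// Added example (not from the article): heuristic audit of loaded scripts for
// fingerprinting API usage, grouped by technique. Sample scripts are constructed.
const SIGNATURES = {
  canvas: [/\.toDataURL\s*\(/, /\.getImageData\s*\(/, /\.fillText\s*\(/],
  webgl: [
    /getContext\s*\(\s*['"](?:experimental-)?webgl2?['"]/,
    /\.getParameter\s*\(/,
    /getSupportedExtensions/,
    /WEBGL_debug_renderer_info/,
  ],
  audio: [/(?:Offline)?AudioContext/, /createOscillator/, /createDynamicsCompressor/],
  fonts: [/\.measureText\s*\(/, /document\.fonts\.check/],
  hardware: [
    /navigator\.hardwareConcurrency/,
    /navigator\.deviceMemory/,
    /navigator\.getBattery/,
    /navigator\.connection/,
  ],
  environment: [
    /screen\.(?:width|height|colorDepth|pixelDepth)/,
    /Intl\.DateTimeFormat\(\)\.resolvedOptions/,
  ],
};

// Returns { category: [matched pattern sources] } for one script body.
function scanScript(source) {
  const hits = {};
  for (const [category, patterns] of Object.entries(SIGNATURES)) {
    const matched = patterns.filter((re) => re.test(source)).map((re) => re.source);
    if (matched.length) hits[category] = matched;
  }
  return hits;
}

// A script touching `threshold` or more distinct technique categories is
// flagged for manual review. The threshold is a tunable assumption.
function classify(source, threshold = 3) {
  const hits = scanScript(source);
  const categories = Object.keys(hits).sort();
  return { categories, hits, likelyFingerprinting: categories.length >= threshold };
}

// Audit a list of { url, source } entries, most suspicious first.
function auditScripts(scripts, threshold = 3) {
  return scripts
    .map(({ url, source }) => ({ url, ...classify(source, threshold) }))
    .sort((a, b) => b.categories.length - a.categories.length);
}

// Constructed sample inputs: one ordinary page-view beacon and one minified
// fragment exercising the canvas, WebGL, audio and hardware APIs.
const SAMPLE_SCRIPTS = [
  {
    url: 'https://cdn.example-analytics.invalid/pageview.js',
    source: `(function () {
      var payload = { path: location.pathname, ref: document.referrer, w: screen.width };
      navigator.sendBeacon('/collect', JSON.stringify(payload));
    })();`,
  },
  {
    url: 'https://cdn.example-fp.invalid/fp.min.js',
    source: `!function(){var c=document.createElement("canvas"),x=c.getContext("2d");
      x.font="14px Arial";x.fillText("Cwm fjordbank glyphs vext quiz",2,2);var d=c.toDataURL();
      var g=c.getContext("webgl");var r=g&&g.getParameter(g.getExtension("WEBGL_debug_renderer_info").UNMASKED_RENDERER_WEBGL);
      var a=new OfflineAudioContext(1,44100,44100),o=a.createOscillator(),p=a.createDynamicsCompressor();
      var h=navigator.hardwareConcurrency,m=navigator.deviceMemory;
      var t=Intl.DateTimeFormat().resolvedOptions().timeZone;}();`,
  },
];

for (const r of auditScripts(SAMPLE_SCRIPTS)) {
  console.log(`${r.likelyFingerprinting ? 'FLAG ' : 'ok   '} ${r.url} -> ${r.categories.join(', ') || '(none)'}`);
}
```

To run this against a real site, collect the script bodies from a HAR export or the browser's network panel and feed them in as `{ url, source }` pairs; the flagged entries are the ones to check against your consent mechanism.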