Browser Fingerprinting: How Tracking Works and How to Defend Against It

Browser Fingerprinting as a Tracking Technology

Browser fingerprinting is a technique that uniquely identifies users based on the combination of settings and characteristics of their web browser and device. Because it does not require storing any data on the device - unlike cookies - it is sometimes called a "stateless tracking technology."

Screen resolution, installed fonts, browser version - each piece of information individually is shared by many users. However, when combined, they can identify individual browsers with remarkable accuracy. This type of metadata may seem harmless on its own, but in aggregate it becomes a powerful identifier. Research by the EFF (Electronic Frontier Foundation) suggests that browser fingerprints achieve a uniqueness rate of 80–90% or higher, with recent studies reporting identification accuracy as high as 99.5%.

In February 2025, Google reversed its ban on fingerprinting within its advertising platforms, significantly raising the profile of this technology. As an alternative to cookies, fingerprinting is poised to become even more prevalent.

What Information Is Collected?

Basic Browser Information

• User-Agent string (browser type, version, and OS information)
• Language settings and language priority order
• Time zone
• Do Not Track setting
• Cookie enabled/disabled status
• Client Hints (UA-CH) providing detailed browser and OS information

Screen and Display Information

• Screen resolution and color depth
• Device pixel ratio (used to detect Retina displays, etc.)
• Available screen size (effective area excluding taskbars, etc.)
• Screen orientation (landscape/portrait) and aspect ratio

Hardware Information

• Number of logical CPU cores
• Device memory capacity
• GPU type (obtained via WebGL)
• Touchscreen availability and number of touch points
• Battery status (via Battery Status API, restricted in some browsers)

Advanced Fingerprinting Techniques

• Canvas fingerprinting: Generates a unique hash from pixel data rendered on an HTML5 Canvas element. Subtle differences in GPU, drivers, and rendering engines produce device-specific output
• AudioContext fingerprinting: Uses the Web Audio API to detect subtle differences in audio processing. Variations in the audio stack implementation create unique values per device
• WebGL fingerprinting: Identifies GPU-specific characteristics from 3D graphics rendering results. Differences in shader precision and the rendering pipeline serve as identifiers

Entropy and Uniqueness

The discriminating power of a fingerprint is measured by "entropy," an information theory metric expressed in bits - the higher the value, the greater the identifying power. One bit of entropy means the subject can be divided into two groups. For a thorough exploration of these concepts, consider reading a guide to web tracking and privacy.

For example, users with a screen resolution of "1920×1080" make up roughly 30% of all users, so this attribute alone has relatively low entropy. In contrast, GPU renderer strings are extremely diverse and carry high entropy. Canvas fingerprinting alone can yield over 10 bits of entropy, theoretically distinguishing more than 1,000 users.

When multiple attributes are combined, entropy increases additively. With more than 30 bits of entropy, it becomes theoretically possible to identify an individual among over one billion users.

The IP Check-san fingerprint uniqueness score visually displays the entropy contribution of each attribute, giving you a numerical measure of how unique your browser is.

How Fingerprinting Is Used

Ad Tracking

Advertising networks use fingerprinting as an alternative to cookies for tracking user behavior across websites. Because fingerprint-based tracking persists even after cookies are deleted, it is a more tenacious form of surveillance. This is one of the key reasons the same ads follow you across the web. Google's 2025 decision to allow fingerprinting on its ad platforms has further expanded this use case. For those interested in the technical details, books on online tracking technology provide valuable insight.

Fraud Detection

Financial institutions and e-commerce sites use fingerprinting to detect unauthorized access and account takeovers. When access from an unusual fingerprint is detected, additional authentication may be required. This use case demonstrates that fingerprinting can contribute to improved security, and the technology is not inherently malicious.

Bot Detection

Fingerprinting is also used to distinguish automated access (bots) from human visitors. Bots typically exhibit distinctive fingerprint patterns, such as headless browser-specific attribute values or unnatural API responses.

How to Protect Yourself from Fingerprinting

Complete protection is difficult, but the following measures can significantly reduce tracking risk. Those looking to deepen their understanding may find books on browser security fundamentals helpful.

Choose a Privacy-Focused Browser

The Tor Browser is designed so that all users share an identical fingerprint, making it the most effective countermeasure. The Brave browser also includes built-in fingerprint attribute randomization. Firefox, starting with version 145 in 2025, has significantly strengthened its fingerprint protections, reportedly reducing the number of trackable users by up to 70%.

Use Browser Extensions

• Canvas Blocker: Randomizes or blocks Canvas fingerprinting
• User-Agent Switcher: Spoofs the User-Agent string to a common value
• Privacy Badger: Automatically learns and blocks trackers
• uBlock Origin: Comprehensive ad and tracker blocking, also effective at blocking fingerprinting scripts

Review Your Browser Settings

• In Firefox, enable privacy.resistFingerprinting to normalize many fingerprint attributes to standard values
• Disable WebGL (may affect rendering on some sites)
• Restrict JavaScript execution (many fingerprinting techniques depend on JS)
• Block third-party cookies

Switching to a privacy-focused search engine further reduces the data collected about your browsing habits.

Combine with a VPN

A VPN can hide your IP address and time zone information, but it cannot prevent fingerprinting itself. Combining a VPN with fingerprint countermeasures provides more robust privacy protection. Note that WebRTC leaks can expose your IP address even while using a VPN, so additional measures are needed.

Do Not Track and Cookie Management

Enabling your browser's Do Not Track (DNT) setting communicates your preference to opt out of tracking to websites. However, since DNT is not legally binding, it is important to combine it with cookie management and ad tracking protection tools.

Latest Trends in 2025–2026

Fingerprinting technology and its countermeasures have reached a major turning point in recent years.

Google's Fingerprinting Policy Reversal

In 2019, Google criticized fingerprinting as a practice that "subverts user choice and is wrong." However, in December 2024, the company reversed this stance. Since February 16, 2025, companies using Google's advertising platforms have been permitted to employ fingerprinting techniques for user tracking. The UK's Information Commissioner's Office (ICO) called this decision "irresponsible," sparking significant debate from a privacy perspective.

The End of Privacy Sandbox

Google effectively shut down its Privacy Sandbox project in October 2025. Major APIs including Topics, Protected Audience, and Attribution Reporting were retired, and plans to deprecate third-party cookies in Chrome were also abandoned. Both cookies and fingerprinting are expected to continue being used for ad tracking for the foreseeable future.

Firefox's Enhanced Fingerprint Protections

Mozilla introduced major fingerprint countermeasures in Firefox 145. A new phase of Enhanced Tracking Protection adds the ability to detect and restrict fingerprinting scripts not listed in known tracker databases, significantly reducing the number of trackable users. These protections are initially available in Private Browsing Mode and ETP Strict mode, with plans for gradual rollout to default settings.

Regulatory Developments

In the EU, the proposed ePrivacy Regulation was formally withdrawn in February 2025. However, the existing ePrivacy Directive remains in effect, and the European Data Protection Board (EDPB) has updated its guidelines to address emerging tracking technologies including fingerprinting. In Japan, the amended Telecommunications Business Act of 2024 has strengthened external data transmission rules, advancing regulation of tracking technologies including fingerprinting. Reviewing your mobile device privacy settings is especially important given these evolving regulations.

Practical Checklist You Can Start Today

To reduce the risk of tracking through fingerprinting, work through the following items in order:

1. Check your fingerprint uniqueness score on IP Check-san to understand how identifiable your browser is
2. Review your browser's privacy settings and enable third-party cookie blocking
3. Install extensions such as Canvas Blocker or Privacy Badger
4. Check for WebRTC leaks and take countermeasures if necessary
5. Verify the security header configuration of the sites you visit
6. Confirm that HTTPS/TLS connections are properly established
7. Review your overall digital footprint and minimize your online exposure

Summary

Browser fingerprinting is a powerful tracking technology that serves as an alternative to cookies, and Google's policy reversal means its use is expected to expand further. At the same time, browser-side countermeasures led by Firefox are evolving rapidly. Knowing how unique your browser is represents the first step toward protecting your privacy. Check your IP Check-san fingerprint uniqueness score right now.