Online Privacy13 min readPublished: January 1, 2026| Updated: February 9, 2026

Browser Fingerprinting Explained

Technical explanation of browser fingerprinting methods used to identify and track users through device and browser characteristics.

Browser Fingerprinting Explained

Browser fingerprinting is a technique that identifies browsers and devices by collecting and analyzing characteristics exposed through browser APIs and standard web technologies. Unlike cookies or stored identifiers, fingerprinting creates identifiers from information that browsers naturally reveal when loading web pages, such as screen resolution, installed fonts, timezone, browser version, and hardware capabilities. These characteristics are collected through JavaScript code and combined to create fingerprints that are often unique or nearly unique. Fingerprinting can identify browsers without storing data on devices and functions even when cookies are blocked or private browsing modes are used. The technique is increasingly used as an alternative to cookies for tracking, particularly as third-party cookie restrictions become more common.

What Is Browser Fingerprinting

Browser fingerprinting is the process of collecting browser and device attributes through JavaScript APIs to create identifiers for tracking and identification purposes. The collected attributes include browser type and version, operating system, screen characteristics, installed fonts, timezone, language settings, hardware capabilities, rendering differences, and other configuration details. These attributes are combined into hash values or fingerprints that serve as identifiers. Because the combination of attributes is often unique or rare, fingerprints can distinguish individual browsers from large populations. Fingerprinting does not require storing data on user devices, making it resistant to cookie deletion and privacy modes. The technique relies on subtle differences in how browsers and devices implement web standards, rendering engines, and hardware capabilities.

How Browser Fingerprinting Works

Fingerprinting operates through JavaScript code that queries browser APIs and analyzes rendered content. When web pages load, JavaScript executes code that collects information about browser configuration, device characteristics, and rendering behavior. Basic attributes are collected through standard JavaScript properties like navigator.userAgent, navigator.language, screen.width, screen.height, and Date.getTimezoneOffset(). Advanced techniques involve rendering content (text, images, 3D graphics, audio) and analyzing the output for device-specific variations. These variations arise from differences in graphics drivers, font rendering engines, audio processing, hardware capabilities, and software implementations. The collected attributes are concatenated or hashed to create fingerprint values. These fingerprints are transmitted to tracking servers and compared against stored fingerprints to identify returning users or link activities across sessions.

Who Uses Browser Fingerprinting

Multiple entities implement fingerprinting for various purposes. Advertising networks use fingerprinting to identify users and build profiles for targeted advertising, particularly when cookies are unavailable. Analytics services employ fingerprinting to count unique visitors and analyze user behavior. Fraud prevention systems use fingerprints to detect suspicious activity patterns, account takeover attempts, and bot traffic. Website operators may use fingerprinting for security monitoring, user authentication, and preventing abuse. Some services use fingerprints to personalize content or comply with geographic restrictions. Fingerprinting is also used by security researchers studying web tracking and by privacy advocates demonstrating tracking prevalence. The technique has become more widespread as browser restrictions on cookies increase, making fingerprinting an attractive alternative for identification purposes.

Why Fingerprinting Is Used

Fingerprinting addresses limitations of traditional tracking methods. Cookies can be deleted, blocked, or expire, and third-party cookies face increasing browser restrictions. Fingerprinting provides persistent identification without requiring stored data, making it resistant to privacy controls that block cookies. The technique works across different browsing contexts, including private browsing modes, though effectiveness may vary. Fingerprinting enables tracking when cookies are unavailable or unreliable, providing fallback identification mechanisms. For advertising and analytics purposes, fingerprinting helps maintain user profiles and measurement capabilities as cookie restrictions increase. Fraud prevention systems use fingerprints because they are difficult for attackers to spoof compared to cookies or account credentials. The technique is particularly valuable for cross-device tracking, where deterministic identifiers like account logins may not be available.

Fingerprinting Attributes

Basic Browser Information

Standard JavaScript APIs expose basic browser and system information:

  • User Agent String: Browser type, version, and operating system information
  • Language Settings: Preferred languages and regional settings (navigator.language, navigator.languages)
  • Timezone: Local timezone offset from UTC (Date.getTimezoneOffset())
  • Cookie Settings: Whether cookies are enabled (navigator.cookieEnabled)
  • Do Not Track: Whether Do Not Track header is set (navigator.doNotTrack)
  • Platform: Operating system platform information (navigator.platform)

Screen and Display Characteristics

Screen properties provide device-specific information:

  • Screen Resolution: Width and height in pixels (screen.width, screen.height)
  • Color Depth: Number of bits per color component (screen.colorDepth)
  • Pixel Depth: Total bits per pixel (screen.pixelDepth)
  • Device Pixel Ratio: Ratio of physical to CSS pixels (window.devicePixelRatio)
  • Screen Orientation: Current orientation and available orientations (screen.orientation)
  • Available Screen Space: Available width and height excluding taskbars and docks

Hardware Characteristics

Hardware information reveals device capabilities:

  • CPU Cores: Number of processor cores (navigator.hardwareConcurrency)
  • Device Memory: Amount of RAM (navigator.deviceMemory, when available)
  • Touch Support: Whether device supports touch input (touch events, navigator.maxTouchPoints)
  • Battery API: Battery level and charging status (navigator.getBattery(), when available)

Installed Fonts

Font fingerprinting tests which fonts are installed on systems by measuring text dimensions when rendering with different font families. Different operating systems, versions, and user installations result in varying font availability. Scripts measure text width and height using specific font families and compare results against known measurements to determine which fonts are present. The combination of available fonts creates unique fingerprints, as font collections vary significantly between systems and users. This technique works across different browsers on the same system, as fonts are system-level resources.

Advanced Fingerprinting Techniques

Canvas Fingerprinting

Canvas fingerprinting uses the HTML5 Canvas API to render text, shapes, or images and then analyzes the rendered output for device-specific variations. JavaScript code instructs browsers to draw content onto canvas elements using specific fonts, colors, and shapes. The rendered canvas contains subtle differences based on operating system, graphics drivers, font rendering engines, anti-aliasing algorithms, and subpixel rendering. These differences are extracted by converting canvas content to data URLs or pixel data, which are then hashed to create unique identifiers. Canvas fingerprints are consistent across sessions on the same device and browser configuration but vary between different systems. This technique is effective because rendering differences are inherent to hardware and software implementations.

WebGL Fingerprinting

WebGL fingerprinting uses 3D graphics rendering capabilities to identify devices. JavaScript code creates WebGL contexts and renders 3D objects, textures, and shaders. The technique queries WebGL parameters such as vendor strings (WebGLRenderingContext.getParameter for VENDOR and RENDERER), supported extensions, maximum texture sizes, shader precision, and rendering behavior. It can also analyze rendered output by reading pixels from framebuffers. Graphics card vendors, models, and driver versions produce different WebGL implementations and parameter values. Like canvas fingerprinting, WebGL fingerprints are consistent for the same hardware and software configuration but vary between systems. Some research suggests WebGL can provide more precise identification than canvas alone.

AudioContext Fingerprinting

AudioContext fingerprinting uses the Web Audio API to generate audio signals and measure how audio processing creates device-specific variations. JavaScript code creates AudioContext objects, generates oscillators or audio buffers, processes them through audio nodes, and analyzes the output. The technique measures differences in audio processing introduced by hardware, drivers, and software implementations. These differences manifest in frequency response, noise characteristics, and processing artifacts. AudioContext fingerprints are consistent across sessions on the same system and work even when audio output is muted, as the processing occurs in software. The technique can identify devices through audio hardware and processing characteristics.

Media Device Enumeration

The MediaDevices API allows enumeration of audio and video input/output devices. Fingerprinting scripts can list available microphones, cameras, speakers, and other media devices along with their labels and capabilities. While permission is typically required for device access, the mere enumeration of available devices (device IDs, labels, group IDs) can provide identifying information. The combination of available media devices can be unique to systems, particularly when users have multiple or specialized devices connected.

Fingerprint Uniqueness

Research has investigated the uniqueness of browser fingerprints in large populations. Studies by the Electronic Frontier Foundation and academic researchers have found that significant percentages of browsers can be uniquely identified when sufficient attributes are collected. Uniqueness rates vary based on the number and type of attributes collected, the diversity of the user population, and browser configurations. More unique fingerprints are created when uncommon attribute combinations are present, such as specific font installations, unusual screen resolutions, or rare hardware configurations. However, uniqueness is not guaranteed, and fingerprints can change when users update browsers, change device configurations, or modify system settings. Some attributes are more stable than others: screen resolution may change frequently on mobile devices, while font collections remain relatively stable on desktop systems.

Limitations and Constraints

Browser fingerprinting faces various limitations. Fingerprints can change when users update browsers, modify system settings, install or uninstall fonts, change screen resolutions, or update graphics drivers. Mobile devices present additional challenges due to frequent screen rotation, varying network conditions, and battery state changes. Different browsers on the same device produce different fingerprints, limiting cross-browser tracking. Some fingerprinting techniques require JavaScript execution, making them ineffective when JavaScript is disabled. Privacy tools and browser extensions can block fingerprinting APIs, inject noise into fingerprint data, or randomize attributes. Tor Browser specifically designs against fingerprinting by making all users appear identical. Browser vendors are implementing privacy protections that restrict or obfuscate fingerprinting APIs. The effectiveness of fingerprinting decreases when applied to large, diverse user populations with common configurations, as uniqueness requires distinguishing attributes.

Protection Against Fingerprinting

Several approaches can reduce fingerprinting effectiveness, though complete protection is difficult:

Browser-Based Protection

  • Tor Browser: Designed to make all users appear identical by standardizing fingerprints and blocking fingerprinting APIs. Provides the strongest protection but with significant performance tradeoffs
  • Firefox Enhanced Tracking Protection: When set to Strict mode, blocks known fingerprinting scripts and restricts access to fingerprinting APIs
  • Brave Browser: Randomizes fingerprint data by default and blocks known fingerprinting scripts while maintaining website compatibility
  • Safari Intelligent Tracking Prevention: Includes protections against fingerprinting through API restrictions and script blocking

Browser Extensions

  • Privacy-focused extensions like Privacy Badger, uBlock Origin, or CanvasBlocker can block fingerprinting scripts or inject noise into fingerprint data
  • Extensions specifically designed for fingerprinting protection can randomize attributes, block API access, or modify fingerprint values
  • Note that some extensions may themselves be detectable and could contribute to fingerprint uniqueness

Configuration Changes

  • Disabling JavaScript reduces fingerprinting effectiveness but significantly impacts website functionality
  • Using common browser and system configurations reduces fingerprint uniqueness
  • Regularly updating browsers and systems may change fingerprints, though this also impacts user experience
  • Limiting installed fonts to common system fonts reduces font-based fingerprinting effectiveness

Related Topics