Learn how browser fingerprinting works through Canvas, WebGL, and audio signals, and how to detect and reduce fingerprint tracking with BrowserInsight.
What is Browser Fingerprinting?
Browser fingerprinting is a technique that identifies and tracks users by collecting various characteristics of their browser and device. Unlike traditional cookies, browser fingerprinting doesn't require storing any data on the user's device, so websites can still identify the same user even after they've cleared their browser data — see Persistent Visitor IDs: Surviving Incognito, VPNs & Cache Clears for why clearing cookies, going incognito, or switching on a VPN doesn't reset an ID built this way.
How Browser Fingerprinting Works
When you visit a website, your browser automatically sends a wealth of information to the server, including:
- User-Agent: Browser type, version, and operating system information
- Screen Resolution: Display size and color depth
- Timezone: Device's local time settings
- Installed Fonts: List of fonts available on the system
- Canvas Fingerprinting: Subtle differences in graphics rendered via HTML5 Canvas across different devices
- WebGL Fingerprinting: Graphics card and driver information
- Audio Fingerprinting: Audio processor characteristics
- Layout Geometry: Sub-pixel measurements of on-page element and text positions, read via plain DOM layout APIs rather than canvas — see ClientRects fingerprinting
- Media Devices: Counts, IDs, and (once permission is granted) model labels of connected cameras and microphones, read via
enumerateDevices()— see Media Devices Fingerprinting for what leaks before and after you grant camera/mic access - Installed Voices: The list of text-to-speech voices your OS and browser expose via
speechSynthesis.getVoices(), with no permission prompt required — see Speech Synthesis Fingerprinting for how the voice inventory varies by platform - CSS Media Queries: Preference and hardware signals like
prefers-color-schemeandpointertype, plus installed fonts, leaked through which stylesheet-referenced resource the browser fetches — with no JavaScript involved at all; see CSS Fingerprinting: Tracking Without JavaScript for why this survives script blockers - Permission States: Which of the ~15 permission names
navigator.permissions.query()recognizes, and whether each resolves togranted,denied, orprompt— checkable with no dialog ever shown; see Permissions API Fingerprinting for how the support pattern and state vector combine - Network Information: Coarse connection stats —
effectiveType,downlink,rtt,saveData— read fromnavigator.connectionwith no permission prompt, and only on Chromium; see Network Information API Fingerprinting for how the bucketed values add entropy and double as a browser-engine check
Studies of browser fingerprinting have found that combining enough of these signals makes the large majority of browsers uniquely identifiable. In practice, your browser fingerprint can be nearly as distinctive as a real-world fingerprint.
Each signal on its own is weak — plenty of people share your screen resolution or timezone. Fingerprinting works because these values are largely independent, so combining them multiplies their distinctiveness. In information-theory terms, every attribute adds a few bits of entropy, and once the combined entropy passes roughly 33 bits a browser becomes effectively unique among everyone on Earth — a threshold first demonstrated at scale by the EFF's Panopticlick study (Eckersley, 2010) and confirmed by later research such as Laperdrix et al. A common mix of user-agent, font list, canvas, and WebGL often clears that bar on its own.
WebRTC is a related but separate risk — in two different ways. Its best-known problem is a network leak that can expose your real IP address even behind a VPN; see WebRTC Leak Protection for how to test for and close it. Separately, WebRTC also exposes its own small fingerprinting surface through supported codecs and SDP structure, unrelated to your IP — see WebRTC Fingerprinting for how that signal works and why fixing the leak doesn't fix it.
These signals don't carry the same weight on every device. Mass-produced phone hardware flattens canvas, WebGL, and font entropy compared to the huge variety of desktop PC configurations — but screen geometry, touch points, and motion sensors add signals desktops mostly lack. See Mobile Browser Fingerprinting for how Android and iOS devices get tracked specifically.
Timezone and language deserve special mention because they double as region signals, not just device signals — a service that wants to know which country you're really connecting from can compare your reported timezone and language against your IP's geolocation, and a VPN that changes only the IP leaves that contradiction exposed. See How Apps Detect Your Real Region Despite a VPN for how that specific check works.
Canvas Fingerprinting in Detail
Canvas fingerprinting is one of the most powerful browser fingerprinting techniques. Here's how it works:
- The website draws specific graphics and text on a hidden Canvas element
- The Canvas content is converted to image data
- A hash value is calculated from the image data
- Due to subtle differences in graphics cards, drivers, and browser rendering engines across devices, the resulting hash values differ
Canvas Fingerprinting Example Code
// Canvas fingerprinting example
function getCanvasFingerprint() {
const canvas = document.createElement('canvas');
const ctx = canvas.getContext('2d');
// Draw text and graphics
ctx.textBaseline = 'top';
ctx.font = '14px Arial';
ctx.fillStyle = '#f60';
ctx.fillRect(0, 0, 100, 20);
ctx.fillStyle = '#069';
ctx.fillText('BrowserInsight', 2, 15);
// Get image data and calculate hash
return canvas.toDataURL();
}
WebGL Fingerprinting
WebGL fingerprinting uses the WebGL (Web Graphics Library) API to read details about your graphics hardware and how it renders 3D content. Because GPUs, drivers, and rendering pipelines vary enormously across devices, these details are among the highest-entropy signals a tracker can collect.
A script actually reads two distinct things:
1. Reported parameters. WebGL exposes dozens of values through getParameter() — and, via the WEBGL_debug_renderer_info extension, the unmasked GPU vendor and renderer strings:
const gl = document.createElement('canvas').getContext('webgl');
const dbg = gl.getExtension('WEBGL_debug_renderer_info');
gl.getParameter(dbg.UNMASKED_VENDOR_WEBGL); // e.g. "Google Inc. (NVIDIA)"
gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL); // e.g. "ANGLE (NVIDIA, NVIDIA GeForce RTX 3060 Direct3D11 vs_5_0 ps_5_0, D3D11)"
A renderer string like that alone narrows you to a specific GPU family. Combined with the maximum texture size, the list of supported extensions, shader precision ranges, and aliased line-width limits, the parameter set is frequently unique on its own.
2. Rendered output. Just like canvas, a script can render a 3D scene off-screen and hash the resulting pixels. Tiny differences in floating-point math, anti-aliasing, and driver optimizations make that hash stable for your machine yet different from most others — even if the renderer string is masked.
WebGL fingerprinting therefore typically includes:
- Graphics card vendor and model (unmasked renderer string)
- WebGL renderer and version information
- Supported WebGL extensions
- Shader precision and numeric limits
- Maximum texture and viewport sizes
- A hash of a rendered test scene
Because these values come from hardware and drivers rather than settings you can flip, WebGL is one of the stickiest signals to defend against. For a deeper treatment, read the WebGL fingerprinting deep dive. The renderer string is also tied to your operating system at the architecture level — a Direct3D backend token, for instance, can only come from Windows — which is why certain GPU/OS pairings are not just rare but physically impossible and get flagged instantly.
How to Read Your Own Fingerprint
The best way to understand your exposure is to look at your own fingerprint. BrowserInsight's fingerprint check runs entirely in your browser — no fingerprint data is ever sent to a server (IP lookups are handled by a separate tool) — and shows you:
- Your Canvas and WebGL hash values, and whether they look common or rare
- Your full WebGL renderer string and the GPU it reveals
- Detected audio fingerprint characteristics
- The complete set of headers and JavaScript-exposed attributes a tracker can read
- An anonymity score that estimates how unique your current setup is, with concrete suggestions
Run the check once in your normal browser, then again with a privacy browser or an extension enabled, and compare the scores. That before-and-after is the fastest way to see which defenses actually move the needle for your device — because the answer differs from one machine to the next. For a structured, point-by-point way to run that comparison, see Browser Fingerprint Consistency: A Self-Check Checklist.
How to Protect Your Browser Fingerprint
No single switch makes you anonymous, and the available defenses follow two opposite philosophies: look like everyone else (uniformity) or look different every time (randomization). Understanding which one a tool uses helps you avoid combining them in ways that backfire.
1. Use Privacy-Focused Browsers
The Tor Browser takes the uniformity approach: it standardizes screen size, fonts, canvas, and WebGL output so that all Tor users look nearly identical, shrinking the crowd you stand out from. Brave takes the randomization approach — its "farbling" injects tiny noise into canvas, WebGL, and audio readings, seeded per site and per session, so each site sees a different value and those values change from one session to the next. Firefox offers privacy.resistFingerprinting (RFP), which borrows Tor's uniformity techniques and ships enabled by default in Tor Browser itself. They reduce fingerprintability in different ways, but they share the key trait of altering the high-entropy rendering signals — which is exactly where it matters most.
2. Use Browser Extensions
Several browser extensions can help defend against fingerprint tracking:
- CanvasBlocker: Blocks or spoofs Canvas fingerprints
- Privacy Badger: Automatically blocks trackers
- uBlock Origin: Blocks ads and tracking scripts
Be selective, though: extensions run with broad access to every page you visit, and a careless or malicious one can itself become a tracking vector. See Browser Extension Privacy Risks before installing anything new.
3. Disable JavaScript
While this significantly impacts web functionality, disabling JavaScript can effectively block most fingerprinting techniques. You can use extensions like NoScript to selectively enable JavaScript for trusted websites.
4. Use Virtual Machines or Containers
Using different virtual machines or browser containers for different online activities can isolate different browser fingerprints, preventing trackers from correlating your various online identities.
The Anti-Fingerprinting Paradox
There is a catch worth understanding: a rare or aggressively-customized defense can make you more identifiable, not less. If you are the only visitor running a particular spoofing extension with an unusual user-agent, that very combination becomes a distinctive fingerprint of its own. This is why uniformity tools like Tor and Firefox RFP try to place you in a large, identical crowd rather than make you exotic — and why piling on many bespoke tweaks often hurts more than it helps. As a rule, favor the well-trodden default configuration of a privacy browser over a hand-assembled stack of extensions. Anti-detect browsers — tools that substitute entire fingerprint profiles — push this paradox further: the spoofing pattern itself becomes a signature, as explored in How Sites Detect Anti-Detect Browsers and Fingerprint Spoofing. For a rundown of the specific signals — TLS, canvas noise, fonts, UA-CH, and more — that let detectors tell a spoofed profile from a real device, see Anti-Detect Browser vs Real Browser: 12 Signals Detectors See.
Legitimate Uses of Browser Fingerprinting
While browser fingerprinting is often used for advertising tracking, it also has legitimate uses:
| Use Case | Description |
|---|---|
| Security | Detecting abnormal account logins and preventing fraud |
| Anti-Bot | Identifying and blocking automated programs |
| UX Optimization | Optimizing web display based on device characteristics |
| Copyright Protection | Tracking content leak sources |
The anti-bot case is the most technically involved of these — see Bot Detection Techniques for how sites separate automated traffic from real visitors, often using the very same fingerprinting signals.
Frequently Asked Questions
Is browser fingerprinting the same as cookies?
No. Cookies are small files stored on your device that you can view, block, or delete. A fingerprint is derived from your browser and device characteristics — nothing is stored on your side, so clearing cookies or switching to a fresh browser profile does not reset it. That is exactly what makes fingerprinting harder to escape than cookie-based tracking. A separate technique, bounce tracking, sidesteps cookie blocking a different way — by briefly making a tracker's own domain first-party during a redirect — without touching any of your device's characteristics at all. Another cookie-free approach hides in the HTTP cache itself: see ETag and Cache Supercookies for how a server can turn ordinary cache revalidation into a tracking identifier.
Can incognito or private mode prevent fingerprinting?
Mostly no. Private mode stops your browser from saving history, cookies, and site data locally, but it does not change the characteristics a fingerprint is built from — your screen size, fonts, canvas output, and GPU look the same in a private window. Sites can often still recognize you across normal and private sessions. Some sites can even tell you're in a private window at all — see How Websites Detect Incognito and Private Browsing Mode for the storage-API tricks behind it.
Which part of a browser fingerprint is most identifying?
It varies, but the rendering signals — canvas and WebGL — are usually the hardest to change, because they come from your GPU and drivers rather than a setting you can flip. That makes them the highest-value targets for defenses: blocking or randomizing canvas and WebGL output removes more uniqueness than tweaking your user-agent or timezone. BrowserInsight shows which signals contribute most for your own browser, so you know where your effort is best spent.
Does a VPN stop browser fingerprinting?
No. A VPN changes your IP address and apparent location, but a fingerprint is computed from your browser and device, not your network — you still look identical from any IP. A VPN does help with the separate problems of IP-based tracking and WebRTC leaks, but it does nothing about the fingerprint itself. A related but distinct technique worth knowing is TLS fingerprinting, which identifies your client software from the TLS handshake rather than from browser APIs — and also survives a VPN tunnel.
Conclusion
Browser fingerprinting is a powerful and stealthy tracking technique that exploits the inherent characteristics of browsers and devices to identify users. Understanding how browser fingerprinting works is the first step in protecting online privacy. By using tools like BrowserInsight to detect your browser fingerprint and taking appropriate protective measures, you can better control your digital identity.
Remember, complete anonymity on the internet is difficult to achieve, but we can maximize our privacy protection by understanding the technology and taking appropriate measures.
Recommended Reading:
- resistFingerprinting Explained: Firefox and Tor Browser
- Fingerprint Consistency: Why Mismatched Signals Get You Flagged
- Mobile Browser Fingerprinting: How Android and iOS Get Tracked
- WebRTC Leak Protection: A Must-Read for VPN Users
- WebRTC Fingerprinting: How Codecs and SDP Reveal Your Browser
- ClientRects Fingerprinting: Sub-Pixel Layout as an Identifier
- Media Devices Fingerprinting: What enumerateDevices Leaks
- Speech Synthesis Fingerprinting: Installed Voices as a Signal
- CSS Fingerprinting: Tracking Without JavaScript
- Permissions API Fingerprinting: How Permission States Track You
- Canvas Fingerprint Detection: How Websites Identify Your Device
- Audio Fingerprinting: How AudioContext Identifies Your Device
- Font Fingerprinting: How Installed Fonts Expose You
- Bounce Tracking Explained: Redirects That Track Without Cookies
- Network Information API Fingerprinting: downlink & RTT

