What Is Browser Fingerprinting and How to Stop It
How websites build a unique identifier from your browser's configuration — and the practical tools that defeat fingerprinting-based tracking without breaking your browsing experience.
How websites build a unique identifier from your browser's configuration — and the practical tools that defeat fingerprinting-based tracking without breaking your browsing experience.
Browser fingerprinting is a tracking technique that identifies users by collecting and combining a large number of attributes from their browser and device. Unlike cookies, fingerprinting does not store any data on your device and cannot be cleared by deleting your browser history. The fingerprint is assembled in real time every time you visit a site that runs fingerprinting scripts, by querying dozens of browser APIs for data points including your screen resolution and colour depth, installed fonts, browser version and plugins, operating system, timezone, language settings, WebGL rendering data, canvas rendering, CPU and memory configuration, and battery status.
Each individual data point may not be unique, but the combination of 20–30 such attributes creates a fingerprint that is highly specific to your particular device and browser configuration. Research by the EFF's Panopticlick project found that over 83% of browsers had a fingerprint unique among their test population of millions. Even if you clear all cookies, use incognito mode, change your IP address with a VPN, or switch between networks, the fingerprint assembled from your browser configuration remains largely consistent and allows tracking services to re-identify you across sessions.
Canvas fingerprinting is one of the most widely deployed techniques. It works by rendering a hidden image or text using the HTML5 Canvas API and measuring subtle differences in the pixel values produced by your specific GPU, driver, and graphics settings. Even two identical computers with different driver versions or hardware revisions will produce slightly different canvas outputs, creating a highly discriminating identifier. AudioContext fingerprinting uses a similar approach with the Web Audio API, generating a signal and measuring the tiny variations produced by your audio hardware and software stack.
Browser fingerprinting is used by advertising networks, analytics companies, and data brokers to track users across websites without their knowledge or consent. The largest advertising platforms — including Google's DoubleClick, Meta's pixel, and dozens of smaller ad networks — deploy fingerprinting alongside cookies to maintain identity continuity even when users take steps to limit cookie-based tracking. As regulatory pressure and browser changes have reduced the effectiveness of traditional third-party cookies, fingerprinting has become a more important component of the commercial tracking ecosystem.
Fingerprinting is also used legitimately for fraud detection and security purposes. Banks and payment processors use it to identify returning customers and flag accounts that are suddenly accessed from a very different browser fingerprint, which can indicate account takeover. E-commerce platforms use it to track shopping cart sessions and detect automated scraping bots. This dual-use nature makes fingerprinting more difficult to completely eliminate without also disrupting legitimate security features — though privacy tools attempt to strike a balance that blocks advertising tracking while preserving functional security uses.
In Hong Kong, fingerprinting is of particular concern for users who rely on anonymity for professional or personal reasons. A journalist communicating with sources through different networks and browsers may believe they have taken steps to be anonymous, but fingerprinting may still link their browsing sessions together. A whistleblower Hong Kong?">using a VPN to access a news organisation's secure drop box may still be identifiable if their browser's fingerprint is consistent across sessions. Understanding fingerprinting is therefore not just a matter of advertising privacy but can be relevant to physical safety in high-stakes contexts.
Brave Browser provides the most accessible and effective defence against fingerprinting for everyday users. Brave's approach is to slightly randomise the data it exposes through fingerprinting APIs — canvas, WebGL, AudioContext, fonts — on each website and session. Instead of blocking these APIs entirely (which would break many websites), Brave introduces small, random noise into the values returned, making each fingerprint session slightly different. This prevents trackers from building a consistent fingerprint over time, even though any single fingerprint reading is still internally consistent and does not trigger site-breaking errors.
Firefox with the `privacy.resistFingerprinting` setting enabled in about:config provides a different approach: it standardises many fingerprint values to fixed defaults, attempting to make Firefox users appear more similar to each other. When this setting is enabled, Firefox reports a fixed screen resolution, disables timezone leakage, spoofs user-agent details, and restricts canvas API access. This can occasionally cause site compatibility issues but significantly reduces the uniqueness of your Firefox fingerprint. The arkenfox user.js configuration enables this and dozens of other privacy settings for users who want a comprehensively hardened Firefox.
The Tor Browser provides the strongest fingerprinting defence by making all users present an identical fingerprint to websites — the same browser version, the same window size, the same set of exposed APIs with the same values. Because millions of Tor users appear identical, fingerprinting cannot distinguish individual users within the Tor network. However, Tor's requirement that all windows be the same size (which defeats resolution fingerprinting) and its blocking of certain browser features means it is not suitable for all browsing. For high-sensitivity tasks requiring true anonymity, Tor Browser remains the strongest available tool against fingerprinting.
You can test your browser's current fingerprint using several freely available online tools. EFF's Cover Your Tracks (coveryourtracks.eff.org) is the most established — it tests your browser against a database of millions of previous visitors and reports whether your fingerprint is "unique" or part of a common group. It also tests specific fingerprinting techniques including canvas fingerprinting and whether your browser successfully blocks known tracking scripts. Running this test before and after enabling fingerprinting protections shows clearly how much your exposure changes.
BrowserLeaks.com offers a more technical deep-dive into the individual components of your fingerprint — WebGL renderer, canvas hash, AudioContext fingerprint, WebRTC IP leak status, font list, and much more. This is valuable for understanding exactly which data points are contributing to your fingerprint's uniqueness and for identifying which protections are working. Running BrowserLeaks in Brave with Shields aggressive mode enabled versus in default Chrome demonstrates the dramatic difference in exposed data between the two configurations.
AmIUnique.org provides historical tracking of your fingerprint over time, showing how it changes (or doesn't) as you update your browser, add extensions, or change your hardware configuration. Understanding the stability of your fingerprint is important: a fingerprint that changes frequently is harder to use for long-term tracking, while a stable fingerprint enables tracking across many months. The practical takeaway from fingerprint testing is almost always the same: switch to Brave or hardened Firefox, minimise your extension count, and avoid highly unusual configurations that make your fingerprint more distinctive rather than less.
