Learn how browsers track you without cookies, the science behind fingerprinting, and practical defenses you can deploy today.
Fingerprinting Unmasked: Browsers Tracking You Without Cookies (and How to Fight Back)
Published by Brav
Table of Contents
TL;DR
- Browsers can track you even when cookies are blocked or incognito mode is on.
- The technique blends in with normal scripts and is almost impossible to spot.
- Fingerprinting can identify you across devices with >99 % accuracy.
- Most privacy-focused browsers now have built-in defenses, but they’re not perfect.
- Practical steps—browser choice, randomization, extensions, VPNs—give you real control.
Why this matters
When I started working as a privacy researcher, I was shocked to find that a single page load could reveal my exact browser model, the fonts installed on my machine, and the exact version of my graphics driver—all without a single cookie being set Panopticlick — Measuring Browser Fingerprinting (2017). Every time I used an incognito window or toggled Block third-party cookies, I still got tracked. The scripts that perform fingerprinting are often embedded in the same ad network that serves the page, so they run silently in the background Panopticlick — Measuring Browser Fingerprinting (2017). I learned that a digital trail that follows me across sites, browsers, and even devices is the new norm. The stakes are high: advertisers use the data for dynamic pricing, banks for conditional access, and data brokers sell it for profit—yet users never see how their data is used after the sale Panopticlick — Measuring Browser Fingerprinting (2017).
Core concepts
Think of a fingerprint as a unique ID card built from dozens of small clues: the screen size, the exact set of fonts, the graphics-card model, the OS version, the time zone, the list of plugins, the audio drivers, the WebGL rendering quirks, and even how you scroll. By combining 15 or more of these traits, a fingerprint is unique for almost every user—Panopticlick reported that 1 in 216,000 browsers had an identical fingerprint, and a 15-trait set can re-identify 99.98 % of users Panopticlick — Measuring Browser Fingerprinting (2017). Canvas fingerprinting forces a browser to render a hidden image, revealing the fonts you have installed and the graphics driver’s quirks. WebGL fingerprinting reads the GPU’s model and driver, while an audio test can expose the exact sound driver stack. All of this is done in milliseconds and with zero user interaction Panopticlick — Measuring Browser Fingerprinting (2017). Because the data is unique and persistent, fingerprinting works even when cookies are blocked or when you switch to a new device on the same Wi-Fi network. Cross-device tracking leverages shared Wi-Fi IPs and hardware IDs to stitch together a user’s multiple gadgets. The result is a single, long-lived profile that advertisers and data brokers can monetize Cybersafety — Cross-Device Tracking with Device Fingerprinting (2024).
Who’s doing it?
Ad tech giants, social platforms, and even some security firms use fingerprinting. Browsers that are considered privacy-friendly—Firefox and Brave—have built-in defenses that block many known fingerprinting scripts Firefox — Browser Fingerprinting Protection (2024), and Brave takes it further by randomizing many fingerprintable values to throw off trackers Brave — Fingerprint randomization (2024).
How to apply it
| Defense Technique | Use Case | Limitation |
|---|---|---|
| Cookie blockers | Stop third-party cookie placement | Does not stop fingerprinting |
| Browser randomization (Firefox, Brave) | Makes fingerprint less stable | Can break some sites, limited to certain attributes |
| Extensions (uBlock, Privacy Badger) | Blocks trackers and some fingerprint scripts | Requires user configuration, may be bypassed |
| Data-broker monitoring | Allows oversight of sold data | Often opaque, limited enforcement |
Practical steps
- Choose a privacy-friendly browser. Install the latest version of Firefox or Brave. Firefox — Browser Fingerprinting Protection (2024) Brave — Fingerprint randomization (2024).
- Enable the Resist fingerprinting flag in Firefox (about:config, privacy.resistFingerprinting → true). Firefox — Browser Fingerprinting Protection (2024).
- Turn on Brave’s fingerprinting protection under Shields → Fingerprinting. Brave — Fingerprint randomization (2024).
- Use a reputable VPN or Tor to hide your IP and break cross-device linkages.
- Disable or limit WebGL if you don’t need it (about:config, webgl.disabled → true).
- Install a blocker extension like uBlock Origin, which blocks known fingerprinting scripts, and Privacy Badger, which learns to block trackers.
- Check your fingerprint with Panopticlick or AmIUnique after applying the settings to see how close you are to a “unique” score. Panopticlick — Measuring Browser Fingerprinting (2017).
- Keep your browser and OS patched.
Metrics that matter
- Accuracy: 99 %–99.98 % re-identification with 15 traits.
- Unique count: 1 in 216 k browsers share the same fingerprint (Panopticlick).
- Coverage: About 70 % of sites use at least one fingerprinting technique (Panopticlick).
Pitfalls & edge cases
Browser updates may roll back randomization. When a new Firefox version comes out, the privacy.resistFingerprinting flag can be reset to default. Firefox — Browser Fingerprinting Protection (2024). Some sites break when critical data (like GPU info) is hidden. Extensions can be bypassed by sophisticated trackers that detect the presence of a blocker. Cross-device tracking is not fully stopped by VPNs; if you use the same Wi-Fi network, the shared IP can still link devices. Cybersafety — Cross-Device Tracking with Device Fingerprinting (2024). Data brokers still sell aggregated fingerprint data, often with weak encryption and no clear audit trail (Panopticlick). Dynamic pricing can still react to the limited data that leaks through, e.g., the user’s device type or screen size (Panopticlick). Security uses: banks and payment systems sometimes rely on fingerprints for two-factor authentication, which can be a double-edged sword.
Quick FAQ
| Q | A |
|---|---|
| What is canvas fingerprinting? | Canvas fingerprinting forces a browser to render a hidden image on an HTML5 canvas and reads back the pixel data to discover installed fonts and graphics driver quirks. |
| Does incognito mode protect against fingerprinting? | No—fingerprinting uses the browser’s own APIs and works in all modes, including incognito. |
| Can I see which fingerprint data is being sold to data brokers? | Rarely. Most brokers provide no transparency; you can only guess from the data they claim to collect. |
| How does a browser block fingerprinting scripts? | By intercepting calls to the WebGL, Canvas, and Audio APIs and returning randomized or empty data. |
| Is Brave’s fingerprinting protection the best? | Brave is currently the most aggressive, but Firefox offers strong default protection as well. |
| What if a site breaks after I enable anti-fingerprinting? | Disable the feature for that site via the browser’s Allow list or use a site-specific profile. |
| Can a VPN fully prevent cross-device tracking? | A VPN hides your IP but cannot stop tracking based on shared Wi-Fi or hardware IDs. |
Conclusion
I’ve spent months testing different browsers and extensions. The lesson: there is no single silver bullet, but a layered defense strategy works best.
- Privacy researchers should run fingerprint tests regularly and share metrics.
- Browser developers must continue to randomize as many attributes as possible and make the settings user-friendly.
- Ad-tech professionals should recognize that cookie-only targeting is dying and move toward consent-based data.
- Data brokers need transparent data-use policies and secure storage.
If you care about privacy, start with Firefox or Brave, block known fingerprinting scripts, and never rely on incognito mode alone. For those who run data-intensive services, consider a privacy-first architecture that respects users’ anonymity.
By combining the right tools and knowledge, you can keep your browsing activity private—even when the web is built to watch.
