Top10VPN is editorially independent. We may earn commissions if you buy a VPN via our links.

What Is Browser Fingerprinting?

JP Jones is our CTO. He has over 25 years of software engineering and networking experience, and oversees all technical aspects of our VPN testing process.

Our Verdict

Browser fingerprinting is a sophisticated technique used to identify and track people online. It involves remotely gathering and analyzing attributes from a user’s web browser, device, and software settings when they’re online. This combination of characteristics is used to create a unique identity or ‘fingerprint’ for that individual. Browser fingerprinting is hard to prevent, but there are some tools that help.

Like cookies, browser fingerprinting or device fingerprinting is a technique that enables websites and third parties to remotely identify and track your activity across the Internet.

It works by combining lots of details about your browser, device, and software configuration to create a unique — or nearly unique — identifier.

While you can block and delete cookies, browser fingerprinting operates in secret, and is much harder to prevent.

VPN services and private browsing mode are ineffective against browser fingerprinting. However, you can use browser extensions that limit fingerprinting, or choose a browser with certain protections built in.

We care about protecting your online privacy, even when it involves more than a VPN. That’s why we’ve produced this guide to help explain exactly what browser fingerprinting is, how it works, and how you can defend yourself.

What Is Browser Fingerprinting?

Browser fingerprinting works by collecting lots of information about your web browser, device, and software settings as you use the Internet. These attributes are then combined to create a “hash” which can be used to identify you.

Each individual datapoint might not reveal much by itself, but the combination of dozens of data points can create a fingerprint that’s entirely unique to you. That means it’s possible for websites, data brokers, advertisers, or law enforcement to identify you and profile your activities online.

When browser fingerprinting was first developed in 2010, it identified between 83.6% and 94.2% of browsers uniquely. Similarly, research from 2020 found that between 67.6% and 93.1% of users could be tracked.

You’ve probably heard of cookies. They’re small files that a website can store on your device to recognize you when you return, or to track your activities across websites.

While most browsers have built-in features for blocking or removing cookies, browser fingerprinting is much harder to control. You can’t delete a browser fingerprint because it’s not stored on your computer.

However, browser fingerprints do change when the information they are based on changes. That means updating your browser or installing a new plug-in could change your fingerprint.

Browser fingerprints aren’t perfect for uniquely identifying someone, either. It is possible for different users to share a fingerprint, particularly on mobile devices where users are less likely to customize their settings.

Despite these limitations, browser fingerprints remain an effective way to identify and track web users.

Why Is Browser Fingerprinting Used?

The aim of browser fingerprinting is to better understand website visitors and to track them across visits, and even across websites. There are both positive and negative ways the technique can be used.

The positive uses of browser fingerprinting typically involve improving security:

  • Adding authentication: A website can identify your usual browser and use it to simplify your login process. For example, if you use an unfamiliar device, a bank might challenge you with more security questions to make sure it’s really you.
  • Detecting suspicious activity: A browser fingerprint can help to identify bots or fraudulent users. For example, it can identify one person who is trying to impersonate many, or can spot a small screen resolution that suggests someone is simulating multiple devices on a single monitor.
  • Banning users: Fingerprinting can be used to ban users who break the rules on gambling sites. Fingerprinting can detect users who try to claim multiple registration bonuses, or who pretend to be several independent players in the same game.

The negative uses of browser fingerprinting include:

  • Targeted advertising: An advertiser could use browser fingerprinting to build a profile of your interests based on the sites you visit. That information could be used to target ads at you, or it could be sold to other companies.
  • Dynamic pricing: An online shop might charge more to customers who appear to be richer, for example by having more expensive devices or living in a wealthier area.
  • Data harvesting: Browser fingerprinting enables data brokers and advertisers to collect information about web users even if they block cookies, use a VPN, or use private browsing mode. It’s unclear how this data is collected and traded, but the privacy and ethical risks are clear.

How to Check Your Browser Fingerprint

You can check your browser fingerprint online using amiunique.org or another similar tool. Click the button to see your fingerprint, and the tool will tell you how unique it is compared to other users in its dataset.

We tested our fingerprint using Microsoft Edge, Google Chrome, and Safari on both Windows and macOS. We also used an Android phone and an iPhone. In each case, our fingerprint was unique among the more than 2.4 million fingerprints the site had tested.

AmIUnique tells you how unique your browser fingerprint is.

These tools will show the information your browser reveals for each of the attributes they check, and how unique it is amongst all of the fingerprints they have checked so far.

Data points that are shared by few others can more readily identify you. They are colored red. Those results that are shared by many are less distinctive and are colored green.

In each case, our user agent (the browser and operating system version) was shared by less than 1% of AmIUnique’s sample. On our desktop computer, we had installed some unusual fonts, so our font list was shared by no other users.

While it is surprising to see some pieces of information are shared by so few, the power of the browser fingerprint is that your combination of all the pieces of information is likely to be nearly unique. That’s true even if the individual pieces of information are shared by many.
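The effect described above, where values shared by many people combine into a fingerprint nobody else has, can be reproduced on a small dataset. This is an added example, not code from AmIUnique or from our tests: the eight visitors, the function names, and the FNV-1a style hash (a stand-in for whatever hash a real script uses) are assumptions made for the illustration.

```javascript
// Constructed sample of eight visitors. Attribute names follow data points
// listed on this page; every value is made up for the example.
const UA_A = 'Chrome 120 / Windows 10', UA_B = 'Firefox 121 / Windows 10';
const NY = 'America/New_York', LON = 'Europe/London';
const SAMPLE = [
  [UA_A, 'en-US', NY, '1920x1080'], [UA_A, 'en-US', NY, '1920x1080'],
  [UA_A, 'en-US', LON, '1366x768'], [UA_A, 'en-GB', NY, '1366x768'],
  [UA_B, 'en-US', LON, '1920x1080'], [UA_B, 'en-GB', NY, '1920x1080'],
  [UA_B, 'en-GB', LON, '1366x768'], [UA_B, 'en-US', LON, '1366x768'],
].map(([userAgent, language, timeZone, screen]) => ({ userAgent, language, timeZone, screen }));

// Serialize attributes with sorted keys so collection order cannot change the result.
function canonical(attrs) {
  return Object.keys(attrs).sort().map((k) => `${k}=${attrs[k]}`).join('\n');
}

// 32-bit FNV-1a style hash: a short, non-cryptographic stand-in (assumption).
function fingerprint(attrs) {
  let h = 0x811c9dc5;
  for (const ch of canonical(attrs)) h = Math.imul(h ^ ch.codePointAt(0), 0x01000193);
  return (h >>> 0).toString(16).padStart(8, '0');
}

// Fraction of the sample that shares this visitor's value for one attribute.
function attributeShare(sample, visitor, key) {
  return sample.filter((v) => v[key] === visitor[key]).length / sample.length;
}

// Number of visitors in the sample with an identical combined fingerprint.
function anonymitySet(sample, visitor) {
  const fp = fingerprint(visitor);
  return sample.filter((v) => fingerprint(v) === fp).length;
}

// Per-attribute shares next to the combined result, like a test site's report.
function report(sample, visitor) {
  const shares = {};
  for (const key of Object.keys(visitor)) shares[key] = attributeShare(sample, visitor, key);
  const size = anonymitySet(sample, visitor);
  return { fingerprint: fingerprint(visitor), shares, anonymitySet: size, unique: size === 1 };
}

// Attributes that differ between two collections, e.g. before and after a browser update.
function changedAttributes(before, after) {
  return Object.keys({ ...before, ...after }).filter((k) => before[k] !== after[k]).sort();
}

// The third visitor shares every single value with at least half of the sample,
// yet the combination of all four matches nobody else.
console.log(report(SAMPLE, SAMPLE[2]));
// A browser update changes one attribute, and with it the whole fingerprint.
const updated = { ...SAMPLE[2], userAgent: 'Chrome 121 / Windows 10' };
console.log(changedAttributes(SAMPLE[2], updated), fingerprint(updated));
```

The first two visitors in the sample are identical, so they share a fingerprint, which is the situation the guide describes for uncustomized mobile devices.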

Types of Data Collected in Browser Fingerprinting

The amount of data collected in a browser fingerprint can vary greatly. One research study collected 305 attributes, while the testing site AmIUnique used up to 64 attributes in our tests.

These attributes commonly include your browser and operating system type and version, screen resolution, installed fonts, browser extensions, permissions, and more.

There are two ways that this data is collected:

  • HTTP Headers: These are sent by the browser to help the destination server understand the device that is requesting information. They may include information about the browser and operating system, or the file formats the browser can accept.
  • JavaScript: JavaScript is a programming language that runs instructions inside your web browser. It’s a core part of the web that’s used for dynamically updating content, animating images, checking you’ve filled in forms, and other similar purposes. It can also be used to discover more information about the device and browser.

Here’s a breakdown of some of the data points that can be used to create a browser fingerprint, why they’re significant, and where they’re collected from:

| Type of Data | Collection Method | Significance |
| --- | --- | --- |
| IP address | HTTP Header | Your IP address identifies you online. Using a VPN can change your IP address, and changing your VPN server will also change the fingerprint. |
| Is the Tor browser in use? | Based on the IP address | Few people use the Tor browser, so this data point is quite distinctive. However, Tor blocks many other fingerprinting data points. |
| User agent string (web browser and operating system versions) | HTTP Header | Browser versions change often, so this attribute can limit the life of the fingerprint. Google Chrome is gradually phasing out the user agent string to stop it being used for tracking users. |
| The file formats the browser accepts, including which types of compression | HTTP Header | In our tests, Chrome and Edge were only 14% similar to other users for this data point. |
| The user’s preferred language (e.g. English) | HTTP Header | Even though languages are widely shared, the way the header expresses them can be distinctive. In our tests, Firefox and Edge both had less than 1.5% similarity with other fingerprints tested. |
| Are cookies enabled? | JavaScript | Most users accept cookies. By disabling them, you can make your fingerprint more distinctive. |
| Time zone | JavaScript | For people who don’t travel frequently, this will be stable most of the time. |
| Graphics card and audio card attributes, including the model of graphics card | JavaScript | These are hardware features that are unlikely to change. See canvas fingerprinting, WebGL fingerprinting, and audio fingerprinting below. |
| List of fonts | JavaScript | This can become highly distinctive for users who install additional fonts, especially unusual ones such as corporate fonts. |
| Browser version, name, maker, and properties available | JavaScript | These attributes may not be distinctive by themselves, but they can be combined with other data points to create a more unique fingerprint. |
| Concurrency and device memory | JavaScript | These are hardware features that are unlikely to change. Concurrency is the number of instructions the processor can execute at the same time. |
| List of browser plug-ins | JavaScript | This reveals the plug-ins the user has installed to their browser. The makers of the Tor browser consider this the top privacy threat. |
| Is an ad blocker in use? | JavaScript | JavaScript can detect ad blocking behavior. |
| Screen dimensions, color depth | JavaScript | These are hardware features that are unlikely to change. |
| Presence of accelerometer, gyroscope, proximity sensor, touch input | JavaScript | These are hardware features that are unlikely to change. |
| Hardware permissions | JavaScript | This reveals whether the user settings allow for geolocation or usage of the accelerometer, camera, microphone, and storage. |
| Audio and video formats supported | JavaScript | This depends on the browser. |
| Battery level, charging time, and discharge time | JavaScript | These are hardware features that are unlikely to change, except for the battery level. |
| Keyboard layout | JavaScript | This is unlikely to change during the life of a fingerprint. |
| Browser interface size and use of location bar, menu bar, personal bar, status bar, and toolbar | JavaScript | These are software settings, but users are unlikely to change them. |
| Connection type | JavaScript | This is unlikely to change during the life of a fingerprint. |
| Connected media devices | JavaScript | These are hardware features, but the fingerprint will change if the user changes the connected devices. |

EXPERT TIP: You can stop a lot of this data being gathered by disabling JavaScript, but many websites won’t work well without it.

Types of Browser Fingerprinting Techniques

There are several different techniques that are used for creating fingerprints or parts of them. Each one relates to a different type of data, or a different method of collection.

Media Device Fingerprinting

As the name suggests, this technique uses a list of connected media devices to create a fingerprint. This includes both internal devices (such as the sound or graphics cards) and external devices (such as headphones).

This technique requires users to give permission to access their camera and microphone.

HTML5 Canvas Fingerprinting

The Tor Project has described canvas fingerprinting as “the single largest fingerprinting threat browsers face”, after information provided by plugins.

Our tests with AmIUnique showed that just 0.21% of people shared our canvas fingerprint in Chrome and Firefox, and it was as low as 0.02% in Edge.

Canvas fingerprinting works by drawing some text and then creating a mathematical representation of how it looks. There will be tiny differences that result from the fonts, system colors, graphics card, and graphics drivers on the device.

Here’s the test image that AmIUnique generates:

[Image: canvas fingerprinting test image]

Usually, the canvas fingerprint is created out of sight, so you don’t know fingerprinting is happening.

This technique is called canvas fingerprinting because it uses the HTML canvas element on the web page.

WebGL Fingerprinting

WebGL fingerprinting is similar to canvas fingerprinting. It uses WebGL, which is a technology for drawing 2D and 3D objects in a web browser.

Something is drawn without your knowledge, and the image will vary depending on your graphics hardware. The fingerprint is calculated from the image.

In 2022, researchers created a WebGL fingerprinting technique called DrawnApart. It times how long it takes the graphics processing unit (GPU) to draw something. The results not only change depending on the make and model of GPU, but also have variances resulting from manufacturing differences. This greatly increases the accuracy of the browser fingerprint.

Audio Fingerprinting

Browsers have a feature called the WebAudio API, which can be used to create sounds and manipulate them in the browser. Audio fingerprinting uses it to create an inaudible sound and generate a fingerprint from it. The fingerprint varies depending on the browser type, browser version, and platform.

Cross-Browser Fingerprinting

When a fingerprint uses browser information, such as the user agent, each browser has its own fingerprint. A person using multiple browsers would have several fingerprints.

To get around this, sites can create fingerprints based only on the hardware features of the user’s device. These features are discovered using canvas fingerprinting and audio fingerprinting, but can also include features of the machine such as its keyboard layout or support for touch input.

Features like these stay the same, whichever browser is being used, and are unlikely to change.

Research in 2017 found that hardware features made it possible to fingerprint 99.24% of web users. The study achieved 83.24% uniqueness of fingerprints, with a high degree of stability across browsers.

Device Fingerprinting

In addition to browser fingerprinting, mobile apps installed on a device can create fingerprints of that device.

Apps can discover the device’s characteristics, such as its MAC address (the hardware identifier for a connected device), time zone, battery health and CPU details. On Android, it’s even possible to find out the device’s serial number, which will uniquely identify that device.

Device fingerprints could be used to add an additional layer of authentication for banking apps, or to detect fraud in gambling apps where players attempt to claim multiple registration bonuses.

How to Protect Yourself Against Browser Fingerprinting

The best way to block browser fingerprinting is to use a private browser that restricts it. There are also plug-ins that you can add to mainstream browsers to block some fingerprinting techniques.

Privacy-Focused Browsers

Some browsers do more to block fingerprinting than others, so it’s worth considering your browser choice.

The Tor Browser

The Tor browser is designed for privacy, with its own network of server nodes that enhance your anonymity.

Tor’s strategy is to ensure all users have the same fingerprint, so they can’t be told apart.

Tor has extensive countermeasures to fight browser fingerprinting. These include:

  • Disabling all plug-ins.
  • Requiring permission for the canvas feature to be used correctly. Otherwise, a pure white image is drawn.
  • Ensuring WebGL does not run unless authorized by the user.
  • Providing a set of fonts and hiding the installed fonts on the device.
  • Setting the browser window to a multiple of 200×100 pixels, and a maximum of 1000×1000 pixels.
  • Disabling access to connected media devices like cameras and microphones.
  • Disabling the battery status features.
  • Delivering the same time zone for everyone.
  • Disabling the WebAudio API used for audio fingerprinting.

Although everyone’s fingerprint is the same using Tor, it’s not always safe. The use of Tor itself can be detected, and it might be flagged as suspicious and blocked by some services.

Firefox

The Firefox browser claims to include fingerprinting protection. It blocks requests from companies that it knows use fingerprinting technologies.

However, we ran Firefox through AmIUnique and found that our browser fingerprint was still unique. It’s possible that the fingerprinting tool we used is not on Firefox’s list of blocked sites, and that it still offers protection against other genuine privacy threats.

EXPERT TIP: LibreWolf is a version of Firefox with additional privacy settings enabled. However, it is updated less often, which arguably weakens its security. IceCat for Linux is another version of Firefox with additional fingerprinting countermeasures.

Avast Secure Browser

Avast Secure Browser claims to confuse fingerprinting scripts to stop them collecting accurate information. Avast says that its browser uses a combination of generalization (so you look like others) and randomization (so your fingerprint changes often).

Our tests found that our fingerprint was still unique while using Avast Secure Browser. As with Firefox, it might perform better with some real tracking scripts, but the browser itself is highly distinctive because it’s used by so few people.

Avast AntiTrack is a commercial product (from $55 per year) that gives fingerprinting scripts fake data, so they can keep running but your real information is hidden.

Brave

The Brave browser replaces adverts and trackers with its own adverts based on your locally stored browsing history.

Brave aims to randomize fingerprint data, so that you have a consistent fingerprint within a browser session on a specific website but have a different fingerprint in other sessions or on other websites. This renders fingerprinting useless for tracking users across sites or site visits.

The developers say this is a better approach than giving everyone the same fingerprint, because some websites will break if fed inaccurate information and your browser might still look unique if a site doesn’t have many visitors like you.

Brave uses the term “farbling” to refer to slightly randomizing the output of browser features that might help to identify you. The browser applies farbling to canvas, media devices, WebGL, plug-ins, audio, and the user agent.
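The two defensive strategies described above, making everyone look the same (Tor's window sizing) and randomizing per session and per site (Brave's farbling), can be compared side by side. This is an added sketch, not code from either browser: the function names, session keys, site names, pixel values, and window sizes are constructed, the seeded generator is a simple non-cryptographic stand-in, and rounding the window size down is an assumption.

```javascript
// 32-bit string hash, used to derive seeds and to stand in for a tracker's canvas hash.
function hash32(text) {
  let h = 0x811c9dc5;
  for (const ch of text) h = Math.imul(h ^ ch.codePointAt(0), 0x01000193);
  return h >>> 0;
}

// mulberry32: small deterministic generator. Not cryptographic; a real
// implementation would derive its noise from a keyed hash instead.
function prng(seed) {
  let a = seed >>> 0;
  return function () {
    let t = (a += 0x6d2b79f5);
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Randomization: flip the lowest bit of some colour channels. The seed depends on
// the session and the site, so the noise is stable on one site within one session.
function farble(pixels, sessionKey, site) {
  const rand = prng(hash32(`${sessionKey}|${site}`));
  return pixels.map((v) => v ^ (rand() < 0.5 ? 1 : 0));
}

// What a fingerprinting script would compute from the pixels it reads back.
function canvasHash(pixels) {
  return hash32(Array.from(pixels).join(',')).toString(16).padStart(8, '0');
}

// Generalization: report the window in 200x100 steps, capped at 1000x1000.
function letterbox(width, height) {
  const w = Math.min(1000, Math.max(200, Math.floor(width / 200) * 200));
  const h = Math.min(1000, Math.max(100, Math.floor(height / 100) * 100));
  return `${w}x${h}`;
}

function distinct(values) {
  return new Set(values).size;
}

// Constructed inputs: 64 bytes of "canvas" data and eight window sizes.
const PIXELS = Uint8ClampedArray.from({ length: 64 }, (_, i) => (i * 37) % 256);
const WINDOWS = [[1280, 657], [1366, 625], [1536, 730], [1920, 969],
                 [1440, 789], [1903, 937], [1265, 672], [2560, 1297]];

// The canvas hash a tracker sees for a given session and site.
function trackerView(sessionKey, site) {
  return canvasHash(farble(PIXELS, sessionKey, site));
}

console.log('same site, same session :', trackerView('session-1', 'news.example'),
            trackerView('session-1', 'news.example'));
console.log('other site              :', trackerView('session-1', 'shop.example'));
console.log('other session           :', trackerView('session-2', 'news.example'));
console.log('window sizes raw/bucketed:', distinct(WINDOWS.map(([w, h]) => `${w}x${h}`)),
            distinct(WINDOWS.map(([w, h]) => letterbox(w, h))));
```

Each farbled value differs from the original by at most one step per colour channel, which is why the page still renders normally while the hash a tracker computes no longer matches across sites or sessions.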

Browser Privacy Settings

We recommend avoiding Microsoft Edge, Chrome, and Safari if you’re really concerned about privacy.

However, if you must use them, there are some features you can enable to limit browser fingerprinting.

Enabling Fingerprint Protection in Safari

Apple’s fingerprint protection in the Safari browser blocks known fingerprinters on pages you visit. It’s enabled by default in private browsing windows, but you can turn it on for all browsing sessions:

  1. Go to Settings > Safari > Advanced.
  2. Select Advanced Tracking and Fingerprinting Protection.
  3. Select All Browsing.

Enabling Fingerprint Protection in Microsoft Edge

Microsoft Edge aims to detect and block fingerprinting trackers. You can enable tracking prevention in Settings > Privacy, search, and services.

There are three levels:

  • Basic blocks harmful trackers but allows trackers for ads and content personalization.
  • Balanced blocks harmful trackers and third-party trackers from sites you haven’t visited.
  • Strict blocks most trackers across websites. Some website features might not work correctly, but you can add exceptions for any sites you want to be excluded from tracking protection.

Browser Extensions

There are several extensions that help to restrict browser fingerprinting. They either block the fingerprinting technology or prohibit known fingerprinters from tracking you.

| Browser Extension | What It Blocks |
| --- | --- |
| Canvas Blocker | Canvas, WebGL, audio, navigator properties, screen, and others. |
| Ghostery | Known fingerprinters and requests from unknown trackers. |
| Privacy Badger | Canvas fingerprinting used by advertisers and other third parties. |
| NoScript | JavaScript, except where you allow it. |
| Canvas Fingerprint Defender | Canvas fingerprinting attempts by adding random data to images. |
| Disconnect | Known third-party browser fingerprinters. |

It’s worth reiterating that these extensions do not offer complete protection against browser fingerprinting. Here’s a summary of what can be protected, and what may still be vulnerable:

| Can Be Protected | Not Always Protected |
| --- | --- |
| Companies known to track users | First-party tracking, i.e. fingerprinting by a website you have chosen to visit |
| The most invasive fingerprinting techniques | Every parameter that can be used to generate a fingerprint |
| | Unknown organizations engaging in fingerprinting |

For the most comprehensive protection, we recommend using two extensions together:

  • Canvas Blocker, to block the biggest fingerprinting techniques
  • Ghostery, to block known fingerprinting companies

You can find these extensions in your browser’s extension store. Alternatively, visit their website, where they have one, linked in the table above.

VPNs and Proxy Servers

Your IP address is almost certainly unique and can be used to identify you. It makes sense, then, to use a VPN or proxy server to change your IP address, and to gain the other privacy and security benefits of using a VPN.

If you change your VPN server, you’ll partly change any fingerprint that uses your previous IP address.

However, a VPN will do nothing to prevent other fingerprinting techniques being used against you. It doesn’t stop the browser from revealing information about your graphics card, screen, or connected media devices, for example.

FAQs

Is browser fingerprinting legal?

Browser fingerprinting is legal. While the EU’s General Data Protection Regulation (GDPR) regulates cookies, it doesn’t control browser fingerprinting. In the US, state laws such as the California Consumer Privacy Act (CCPA) and Vermont’s Data Broker Law don’t cover browser fingerprinting, either.

Does incognito mode protect me from browser fingerprinting?

Private browsing or incognito mode stops sites from using cookies to track you across visits. However, it does nothing to stop browser fingerprinting, because it’s a technique that can work without cookies.

Does a VPN stop browser fingerprinting?

A VPN can change your IP address, which will hide your true location from most websites. However, browser fingerprinting can still identify you even without the use of an IP address. In fact, using a VPN may be an additional characteristic that makes your fingerprint more unique.