What Is Browser Fingerprinting?

Like cookies, browser fingerprinting or device fingerprinting is a technique that enables websites and third parties to remotely identify and track your activity across the Internet.

It works by combining lots of details about your browser, device, and software configuration to create a unique — or nearly unique — identifier.

While you can block and delete cookies, browser fingerprinting operates in secret, and is much harder to prevent.

VPN services and private browsing mode are ineffective against browser fingerprinting. However, you can use browser extensions that limit fingerprinting, or choose a browser with certain protections built-in.

We care about protecting your online privacy, even when it involves more than a VPN. That’s why we’ve produced this guide to help explain exactly what browser fingerprinting is, how it works, and how you can defend yourself.

Browser fingerprinting works by collecting lots of information about your web browser, device, and software settings as you use the Internet. These attributes are then combined to create a “hash” which can be used to identify you.

Each individual datapoint might not reveal much by itself, but the combination of dozens of data points can create a fingerprint that’s entirely unique to you. That means it’s possible for websites, data brokers, advertisers, or law enforcement to identify you and profile your activities online.

When browser fingerprinting was first developed in 2010, it identified between 83.6% and 94.2% of browsers uniquely. Similarly, research from 2020 found that between 67.6% and 93.1% of users could be tracked.

You’ve probably heard of cookies. They’re small files that a website can store on your device to recognize you when you return, or to track your activities across websites.

While most browsers have built-in features for blocking or removing cookies, browser fingerprinting is much harder to control. You can’t delete a browser fingerprint because it’s not stored on your computer.

However, browser fingerprints do change when the information they are based on changes. That means updating your browser or installing a new plug-in could change your fingerprint.

Browser fingerprints aren’t perfect for uniquely identifying someone, either. It is possible for different users to share a fingerprint, particularly on mobile devices where users are less likely to customize their settings.

Despite these limitations, browser fingerprints remain an effective way to identify and track web users.

Why Is Browser Fingerprinting Used?

The aim of browser fingerprinting is to better understand website visitors and to track them across visits, and even across websites. There are both positive and negative ways the technique can be used.

The positive uses of browser fingerprinting typically involve improving security:

The negative uses of browser fingerprinting include:

You can check your browser fingerprint online using amiunique.org or another similar tool. Click the button to see your fingerprint, and the tool will tell you how unique it is compared to other users in its dataset.

We tested our fingerprint using Microsoft Edge, Google Chrome, and Safari on both Windows and macOS. We also used an Android phone and an iPhone. In each case, our fingerprint was unique among the more than 2.4 million fingerprints the site had tested.

These tools will show the information your browser reveals for each of the attributes they check, and how unique it is amongst all of the fingerprints they have checked so far.

Data points that are shared by few others can more readily identify you. They are colored red. Those results that are shared by many are less distinctive and are colored green.

In each case, our user agent (the browser and operating system version) was shared by less than 1% of AmIUnique’s sample. On our desktop computer, we had installed some unusual fonts, so our font list was shared by no other users.

While it is surprising to see some pieces of information are shared by so few, the power of the browser fingerprint is that your combination of all the pieces of information is likely to be nearly unique. That’s true even if the individual pieces of information are shared by many.

The amount of data collected in a browser fingerprint can vary greatly. One research study collected 305 attributes, while the testing site AmIUnique used up to 64 attributes in our tests.

These attributes commonly include your browser and operating system type and version, screen resolution, installed fonts, browser extensions, permissions, and more.

There are two ways that this data is collected:

• HTTP Headers: These are sent by the browser to help the destination server understand the device that is requesting information. They may include information about the browser and operating system, or the file formats the browser can accept.
• JavaScript: JavaScript is a programming language that runs instructions inside your web browser. It’s a core part of the web that’s used for dynamically-updating content, animating images, checking you’ve filled in forms, and other similar purposes. It can also be used to discover more information about the device and browser.

Here’s a breakdown of some of the data points that can be used to create a browser fingerprint, why they’re significant, and where they’re collected from:

Type of Data	Collection Method	Significance
IP address	HTTP Header	Your IP address identifies you online. Using a VPN can change your IP address, and changing your VPN server will also change the fingerprint.
Is the Tor browser in use?	Based on the IP address	Few people use the Tor browser, so this data point is quite distinctive. However, Tor blocks many other fingerprinting data points.
User agent string (web browser and operating system versions)	HTTP Header	Browser versions change often, so this attribute can limit the life of the fingerprint. Google Chrome is gradually phasing out the user agent string to stop it being used for tracking users.
The file formats the browser accepts, including which types of compression	HTTP Header	In our tests, Chrome and Edge were only 14% similar to other users for this data point.
The user’s preferred language (e.g. English)	HTTP Header	Even though languages are widely shared, the way the header expresses them can be distinctive. In our tests, Firefox and Edge both had less than 1.5% similarity with other fingerprints tested.
Are cookies enabled?	JavaScript	Most users accept cookies. By disabling them, you can make your fingerprint more distinctive.
Time zone	JavaScript	For people who don’t travel frequently, this will be stable most of the time.
Graphics card and audio card attributes, including the model of graphics card	JavaScript	These are hardware features that are unlikely to change. See canvas fingerprinting, WebGL fingerprinting, and audio fingerprinting below.
List of fonts	JavaScript	This can become highly distinctive for users who install additional fonts, especially unusual ones such as corporate fonts.
Browser version, name, maker, and properties available	JavaScript	These attributes may not be distinctive by themselves, but they can be combined with other data points to create a more unique fingerprint.
Concurrency and device memory	JavaScript	These are hardware features that are unlikely to change. Concurrency is the number of instructions the processor can execute at the same time.
List of browser plug-ins	JavaScript	This reveals the plug-ins the user has installed to their browser. The makers of the Tor browser consider this the top privacy threat.
Is an ad blocker in use?	JavaScript	Javascript can detect ad blocking behavior.
Screen dimensions, color depth	JavaScript	These are hardware features that are unlikely to change.
Presence of accelerometer, gyroscope, proximity sensor, touch input	JavaScript	These are hardware features that are unlikely to change.
Hardware permissions	JavaScript	This reveals whether the user settings allow for geolocation or usage of the accelerometer, camera, microphone, and storage.
Audio and video formats supported	JavaScript	This depends on the browser.
Battery level, charging time, and discharge time.	JavaScript	These are hardware features that are unlikely to change, except for the battery level.
Keyboard layout	JavaScript	This is unlikely to change during the life of a fingerprint.
Browser interface size and use of location bar, menu bar, personal bar, status bar, and toolbar	JavaScript	These are software settings, but users are unlikely to change them.
Connection type	JavaScript	This is unlikely to change during the life of a fingerprint.
Connected media devices	JavaScript	These are hardware features, but the fingerprint will change if the user changes the connected devices.

There are several different techniques that are used for creating fingerprints or parts of them. Each one relates to a different type of data, or a different method of collection.

Media Device Fingerprinting

As the name suggests, this technique uses a list of connected media devices to create a fingerprint. This includes both internal devices (such as the sound or graphics cards) and external devices (such as headphones).

This technique requires users to give permission to access their camera and microphone.

HTML5 Canvas Fingerprinting

The Tor Project has described canvas fingerprinting as “the single largest fingerprinting threat browsers face”, after information provided by plugins.

Our tests with AmIUnique showed that just 0.21% of people shared our canvas fingerprint in Chrome and Firefox, and it was as low as 0.02% in Edge.

Canvas fingerprinting works by drawing some text and then creating a mathematical representation of how it looks. There will be tiny differences that result from the fonts, system colors, graphics card, and graphics drivers on the device.

Here’s the test image that AmIUnique generates:

Usually, the canvas fingerprint is created out of sight, so you don’t know fingerprinting is happening.

This technique is called canvas fingerprinting because it uses the HTML canvas element on the web page.

WebGL Fingerprinting

WebGL fingerprinting is similar to canvas fingerprinting. It uses WebGL, which is a technology for drawing 2D and 3D objects in a web browser.

Something is drawn without your knowledge, and the image will vary depending on your graphics hardware. The fingerprint is calculated from the image.

In 2022, researchers created a WebGL fingerprinting technique called DrawnApart. It times how long it takes the graphics processing unit (GPU) to draw something. The results not only change depending on the make and model of GPU, but also have variances resulting from manufacturing differences. This greatly increases the accuracy of the browser fingerprint.

Audio Fingerprinting

Browsers have a feature called the WebAudio API, which can be used to create sounds and manipulate them in the browser. Audio fingerprinting uses it to create an inaudible sound and generate a fingerprint from it. The fingerprint varies depending on the browser type, browser version, and platform.

Cross-Browser Fingerprinting

When a fingerprint uses browser information, such as the user agent, each browser has its own fingerprint. A person using multiple browsers would have several fingerprints.

To get around this, sites can create fingerprints based only on the hardware features of the user’s device. These features are discovered using canvas fingerprinting and audio fingerprinting, but can also include features of the machine such as its keyboard layout or support for touch input.

Features like these stay the same, whichever browser is being used, and are unlikely to change.

Research in 2017 found that hardware features made it possible to fingerprint 99.24% of web users. The study achieved 83.24% uniqueness of fingerprints, with a high degree of stability across browsers.

Device Fingerprinting

In addition to browser fingerprinting, mobile apps installed on a device can create fingerprints of that device.

Apps can discover the device’s characteristics, such as its MAC address (the hardware identifier for a connected device), time zone, battery health and CPU details. On Android, it’s even possible to find out the device’s serial number, which will uniquely identify that device.

Device fingerprints could be used to add an additional layer of authentication for banking apps, or to detect fraud in gambling apps where players attempt to claim multiple registration bonuses.

The best way to block browser fingerprinting is to use a private browser that restricts it. There are also plug-ins that you can add to mainstream browsers to block some fingerprinting techniques.

Privacy-Focused Browsers

Some browsers do more to block fingerprinting than others, so it’s worth considering your browser choice.

The Tor Browser

The Tor browser is designed for privacy, with its own network of server nodes that enhance your anonymity.

Tor’s strategy is to ensure all users have the same fingerprint, so they can’t be told apart.

Tor has extensive countermeasures to fight browser fingerprinting. These include:

Although everyone’s fingerprint is the same using Tor, it’s not always safe. The use of Tor itself can be detected, and it might be flagged as suspicious and blocked by some services.

Firefox

The Firefox browser claims to include fingerprinting protection. It blocks requests from companies that it knows use fingerprinting technologies.

However, we ran Firefox through AmIUnique and found that our browser fingerprint was still unique. It’s possible that the fingerprinting tool we used is not on Firefox’s list of blocked sites, and that it still offers protection against other genuine privacy threats.

Avast Secure Browser

Avast Secure Browser claims to confuse fingerprinting scripts to stop them collecting accurate information. Avast says that its browser uses a combination of generalization (so you look like others) and randomization (so your fingerprint changes often).

Our tests found that our fingerprint was still unique while using Avast Secure Browser. As with Firefox, it might perform better with some real tracking scripts, but the browser itself is highly distinctive because it’s used by so few people.

Avast AntiTrack is a commercial product (from $55 per year) that gives fingerprinting scripts fake data, so they can keep running but your real information is hidden.

Brave

The Brave browser replaces adverts and trackers with its own adverts based on your locally stored browsing history.

Brave aims to randomize fingerprint data, so that you have a consistent fingerprint within a browser session on a specific website but have a different fingerprint in other sessions or on other websites. This renders fingerprinting useless for tracking users across sites or site visits.

The developers say this is a better approach than giving everyone the same fingerprint, because some websites will break if fed inaccurate information and your browser might still look unique if a site doesn’t have many visitors like you.

Brave uses the term “farbling” to refer to slightly randomizing the output of browser features that might help to identify you. The browser applies farbling to canvas, media devices, WebGL, plug-ins, audio, and the user agent.

Browser Privacy Settings

We recommend avoiding Microsoft Edge, Chrome, and Safari if you’re really concerned about privacy.

However, if you must use them, there are some features you can enable to limit browser fingerprinting.

Enabling Fingerprint Protection in Safari

Apple’s fingerprint protection in the Safari browser blocks known fingerprinters on pages you visit. It’s enabled by default in private browsing windows, but you can turn it on for all browsing sessions:

1. Go to Settings > Safari > Advanced.
2. Select Advanced Tracking and Fingerprinting Protection.
3. Select All Browsing.

Enabling Fingerprint Protection in Microsoft Edge

Microsoft Edge aims to detect and block fingerprinting trackers. You can enable tracking prevention in Settings > Privacy, search, and services.

There are three levels:

• Basic blocks harmful trackers but allows trackers for ads and content personalization.
• Balanced blocks harmful trackers and third-party trackers from sites you haven’t visited.
• Strict blocks most trackers across websites. Some website features might not work correctly, but you can add exceptions for any sites you want to be excluded from tracking protection.

Browser Extensions

There are several extensions that help to restrict browser fingerprinting. They either block the fingerprinting technology or prohibit known fingerprinters from tracking you.

Browser Extension	What It Blocks
Canvas Blocker	Canvas, WebGL, audio, navigator properties, screen, and others.
Ghostery	Known fingerprinters and requests from unknown trackers.
Privacy Badger	Canvas fingerprinting used by advertisers and other third-parties.
NoScript	JavaScript, except where you allow it.
Canvas Fingerprint Defender	Canvas fingerprinting attempts by adding random data to images.
Disconnect	Known third-party browser fingerprinters.

It’s worth reiterating that these extensions do not offer complete protection against browser fingerprinting. Here’s a summary of what can be protected, and what may still be vulnerable:

Can Be Protected	Not Always Protected
Companies known to track users	First-party tracking i.e. fingerprinting by a website you have chosen to visit
The most invasive fingerprinting techniques	Every parameter that can be used to generate a fingerprint
	Unknown organizations engaging in fingerprinting

For the most comprehensive protection, we recommend using two extensions together:

• Canvas Blocker, to block the biggest fingerprinting techniques
• Ghostery, to block known fingerprinting companies

You can find these extensions in your browser’s extension store. Alternatively, visit their website, where they have one, linked in the table above.

VPNs and Proxy Servers

Your IP address is almost certainly unique and can be used to identify you. It makes sense, then, to use a VPN or proxy server to change your IP address, and to gain the other privacy and security benefits of using a VPN.

If you change your VPN server, you’ll partly change any fingerprint that uses your previous IP address.

However, a VPN will do nothing to prevent other fingerprinting techniques being used against you. It doesn’t stop the browser from revealing information about your graphics card, screen, or connected media devices, for example.