How fingerprinting works
The browser passively exposes hundreds of small details:
- Screen resolution, color depth
- Installed fonts (probed via canvas measurement)
- GPU model (via WebGL fingerprint)
- Language preferences, timezone
- User agent, platform, browser plugins
- Audio context characteristics
- TLS handshake quirks
Combine enough of these and you get a signature that’s near-unique across the browsing population. It is rare for two users to share identical hardware, software, and settings.
Fingerprinting then uses that signature as a tracking identifier, silently, without setting any cookie or asking for consent.
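As an added illustration of the "combine enough low-entropy attributes" argument (example code, not from the original page), the Python below measures, over a small constructed population, how many bits of entropy each attribute carries on its own versus in combination, and how a resolution-rounding mitigation of the kind Safari applies enlarges the anonymity sets. The session values and the 200px rounding bucket are assumptions made for the example.

```python
import math
from collections import Counter

# Constructed sample population (illustrative values, not measured data): each
# session records the kinds of passive attributes the text lists above.
SESSIONS = [
    {"screen": "1920x1080", "fonts": "set-A", "gpu": "Intel", "lang": "en-US", "tz": "UTC-5"},
    {"screen": "1920x1080", "fonts": "set-A", "gpu": "Intel", "lang": "en-US", "tz": "UTC-8"},
    {"screen": "1920x1080", "fonts": "set-B", "gpu": "AMD", "lang": "en-US", "tz": "UTC-5"},
    {"screen": "1366x768", "fonts": "set-A", "gpu": "Intel", "lang": "de-DE", "tz": "UTC+1"},
    {"screen": "1366x768", "fonts": "set-B", "gpu": "Intel", "lang": "de-DE", "tz": "UTC+1"},
    {"screen": "1440x900", "fonts": "set-A", "gpu": "Apple M1", "lang": "en-US", "tz": "UTC-8"},
    {"screen": "1470x956", "fonts": "set-A", "gpu": "Apple M1", "lang": "en-US", "tz": "UTC-8"},
    {"screen": "1536x864", "fonts": "set-A", "gpu": "Intel", "lang": "en-US", "tz": "UTC-5"},
]
ATTRIBUTES = ("screen", "fonts", "gpu", "lang", "tz")

def entropy_bits(values):
    """Shannon entropy, in bits, of the observed distribution of a value."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def fingerprint(session, attributes=ATTRIBUTES):
    """The combined signature: the tuple of the chosen attribute values."""
    return tuple(session[a] for a in attributes)

def anonymity_sets(sessions, attributes=ATTRIBUTES):
    """Sessions sharing each signature; a set of size 1 is a fully identified user."""
    return Counter(fingerprint(s, attributes) for s in sessions)

def fraction_unique(sessions, attributes=ATTRIBUTES):
    """Share of sessions whose signature appears exactly once in the population."""
    sets = anonymity_sets(sessions, attributes)
    return sum(sets[fingerprint(s, attributes)] == 1 for s in sessions) / len(sessions)

def per_attribute_entropy(sessions):
    """Entropy of each attribute on its own, for comparison with the combination."""
    return {a: entropy_bits([s[a] for s in sessions]) for a in ATTRIBUTES}

def coarsen_screen(session, bucket=200):
    """Resolution rounding in the spirit of Safari's mitigation: report width and height
    rounded down to a bucket. The 200px bucket is an assumption, not any browser's rule."""
    w, h = (int(x) for x in session["screen"].split("x"))
    return {**session, "screen": f"{w - w % bucket}x{h - h % bucket}"}

if __name__ == "__main__":
    print("per-attribute bits:", {a: round(b, 2) for a, b in per_attribute_entropy(SESSIONS).items()})
    print("combined bits:", entropy_bits([fingerprint(s) for s in SESSIONS]))  # 3.0 = log2(8)
    print("unique before / after rounding:", fraction_unique(SESSIONS),
          fraction_unique([coarsen_screen(s) for s in SESSIONS]))
```

No single attribute reaches the 3 bits needed to tell eight sessions apart, but their combination does; rounding the screen alone already merges two sessions into one anonymity set.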
Why it’s a problem
Three reasons:
- No consent mechanism. Cookies can be blocked, declined, or deleted. Fingerprints can’t be: there’s nothing to delete, because nothing was stored.
- Crosses contexts the user didn’t expect. A fingerprint persists across incognito mode, across sites, across “delete browsing data” actions.
- Covered by privacy law. GDPR explicitly recognises fingerprinting as personal data processing. Doing it without a lawful basis is a violation.
What modern browsers do about it
Active counter-measures:
- Safari (ITP): rounds screen resolution, strips font enumeration, restricts canvas reads
- Firefox (ETP strict mode): blocks known fingerprinter domains, randomises canvas output
- Brave: aggressive randomisation across the fingerprint surface
- Tor Browser: converges all users on one identical fingerprint
The effect: the more aggressively the user protects themselves, the less unique their fingerprint becomes. Reliable fingerprinting is increasingly limited to less-protected users, which makes it both ineffective and ethically dubious.
When fingerprint signals are still used
Some legitimate uses survive:
- Fraud detection. Banks and e-commerce platforms use device characteristics to detect account-takeover attempts. Consented under terms of service for security purposes.
- Bot detection. Distinguishing automated traffic from humans. Different lawful basis than marketing tracking.
- Probabilistic identity stitching. When deterministic signals are absent, similarity across multiple low-entropy attributes can hint that two sessions belong to the same user. Used in identity graphs but with calibrated confidence scoring.
What these have in common: they’re not used as a primary tracking identifier in a marketing context.
Common mistakes
- Using fingerprinting as a fallback when cookies fail. Not lawful in the EU. Flagged by privacy tools.
- Treating fingerprinting as a workaround for ITP. Apple specifically blocks it. The fix is server-side first-party identity, not stealthier client-side IDs.
- Assuming fingerprints are stable. Browser updates, hardware changes, and new fonts all shift the fingerprint. Reliability degrades over time.
FAQ about Fingerprinting
What is browser fingerprinting?
Fingerprinting identifies users by combining many low-entropy device attributes (screen size, fonts, GPU, language, timezone) into a near-unique signature. It works without cookies or storage, entirely from passive browser characteristics.
Is fingerprinting legal under GDPR?
Fingerprinting for marketing tracking requires consent under GDPR; the regulation explicitly recognises it as personal data processing. Doing it silently is a violation.
How do browsers fight fingerprinting?
Safari rounds screen resolution and strips font enumeration. Firefox’s strict mode randomises canvas output and blocks known fingerprinter domains. Tor and Brave go further. The more users protect themselves, the less unique their fingerprints become.