Except for your internet provider’s bill, surfing the web is free, but as with most things you get for free, there’s a hidden price. Advertisers and data brokers can monetize their knowledge about your online habits and activities. They know where you go, how you behave, and what you buy. How? By using data that your browser freely supplies to create a fingerprint that uniquely identifies you. Unlike other tracking techniques, browser fingerprinting leaves no traces. How can you protect your privacy and avoid being fingerprinted?

It’s important to explain what cookies are right from the outset, if only to help people what browser fingerprinting isn’t. Cookies have been around almost as long as web browsers have existed. The purpose of a cookie is to let a website remember things about you without having to maintain a monster database of everyone who ever visited. Each cookie is a simple text file that lives on your computer, not on the site. The site can put information into the cookie, such as your preferred address, things you’ve bought, or which page you were reading in an online novel. When you revisit that site, it can pull out its own cookie (but nobody else’s) and read back that info.

However, modern websites aren’t simply monolithic entities. They contain links and content from advertisers and other third-party sites. These third parties can save their own cookies to your PC, containing whatever data they have available, including the site that’s hosting the ad. If an advertiser has a presence on multiple sites, its cookie data now lets it link your presence on each of those sites you visit. Suddenly cookies don’t seem so tasty.

Internet experts proposed reining in this abuse by letting browsers add a Do Not Track header to page requests. This effort fizzled because sites were free to ignore the header. Security companies responded by devising Do Not Track technology that actively prevented tracking. Trackers responded with new technologies such as supercookies, evercookies, Flash cookies, and more.

All these tracking technologies involve placing something (a text file, a script, a file) on the victim’s computer. And all of them have been foiled in various ways.

Fingerprinting is different. It doesn’t change anything on your computer; it just takes advantage of normal browser functions.

Hello, I Know You

When you’re surfing the web, it really feels like you have a direct, continuous connection with the site you’re perusing. In truth, your experience is made up of many small interactions between your browser and the website’s server. The browser sends a request, and the server sends a response. That request necessarily includes your IP address—without it, the server wouldn’t know where to send the response. But over time, browsers have come to send more and more information.

Compatibility isn’t much of an issue these days, but if you go back far enough, you’ll find a time when websites had to tune their responses to the requesting browser, perhaps sending a different page to Netscape Navigator than they did to Internet Explorer. Requests to a server identify the browser making the request, right down to the precise version and build number. That’s a simple enough need, but it’s the start of a slippery slope.

To render a design-rich page from a website, your browser needs access to the right fonts. Just what fonts are available depends on the operating system. Your browser queries the OS for a list of fonts and passes that list along to the website. If a needed font is missing, the site might choose to display a simplified page. Yes, we all have the same basic set of fonts that come with Windows, but installation of other programs often adds new fonts, and uninstallation doesn’t remove them. After a while, our font collections start to diverge.

Too Much Information

Modern browsers reveal a huge amount of information not just about themselves, but also about the operating system in which they reside. Sites can run simple scripts to learn even more: things like the screen resolution in use, and which plugins are installed. A crazy string of text called User Agent reveals a lot about your browser. Here’s a User Agent string from Chrome: “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36”. And here’s one from Edge: “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.67”.

Websites can query and receive tons of other information about your system’s settings and configuration. This massive dump of available information can be boiled down to a single, simple value called a fingerprint. The chance of any two PCs having the same fingerprint is low, and the consequences for a tracker who did encounter such a duplication are likewise low. Yes, your fingerprint might change based on changes to your system, but that doesn’t happen often. When it does, it’s not all that important to the tracker, either. Trackers don’t care about losing track of you temporarily. As long as they can track plenty of others, no problem! And they don’t need cookies.

Put Your Fingerprint Under the Microscope

For a quick look at the many arcane bits and bobs that make up your browser fingerprint, pay a visit to the Electronic Frontier Foundation’s Cover Your Tracks page (formerly called Panopticlick). With your permission, this page gathers the information used to generate a fingerprint, along with some useful stats. I learned, for example, that my fingerprint is unique among more than 250,000 fingerprints tested by the site in the last 45 days.

Browser Fingerprinting University Study

Taking a more long-term view, security and privacy researchers at Friedrich-Alexander University Erlangen-Nürnberg, Germany have been running a study on browser fingerprinting since 2016. I’ve participated since the beginning. Participation is simple; once a week you get an email with a link to check your fingerprint. You can review the stats of your own participation at any time. For example, I know that I had the same unique and trackable fingerprint for 263 days in 2017. You don’t have to register if you just want to view the aggregate statistics.

There are plenty of other pages that can show you the components of your browser fingerprint, with varying degrees of detail. Reporting from the open-source AmIUnique site helpfully color-codes the components that are the farthest from the norm, the ones that contribute the most to making your fingerprint different from the rest. Device Info lists a near-overwhelming collection of information revealed to any website through your browser.

Fingerprinting Device Info Report

Hide Your Fingerprint

After a lifetime of working with clay, potters may find their fingerprints have simply abraded away. What can you do to wear away your browser fingerprint and keep it from giving away your identity?

As with any other topic, the internet offers endless how-to advice for hiding your fingerprint. Using a VPN is a frequent suggestion, since doing so masks your IP address. Sticking with your browser’s privacy mode, whether it’s called Incognito, InPrivate, or something else, eliminates other elements that go into the fingerprint. Make no mistake, using a VPN is smart, but these simple fixes aren’t sufficient to mask your fingerprint.

One simple possibility is to switch to a browser with protection built in or take advantage of existing browser-based protection. The security-focused Brave browser, for one, offers a feature called Shields that can protect your privacy in a variety of ways. Shields protection includes blocking ads, cookies, and scripts, but in a fine-tuned fashion that lets you retain the benefits of these features. It can block fingerprinting at several levels, too. Standard blocking just randomizes the data returned by your browser sufficiently to foil trackers. Strict blocking suppresses all fingerprinting attempts but may cause compatibility problems.

Fingerprint Blocking in Brave Browser

After a goodly period of development, Firefox now includes built-in fingerprinting protection, and turns it on by default. It works by “blocking third-party requests to companies that are known to participate in fingerprinting,” which means you still might be tracked by companies not yet known to Mozilla.

When you use the TOR Browser, it routes all your web traffic through the TOR network. TOR is short for The Onion Router, so-called because your connection is hidden behind many layers. Your traffic goes into the network, bounces around from server to server, and comes out from a server with no connection to you. This tangled route can foil fingerprinters, but TOR is notorious for slowing down connections. You probably don’t want to use it as your go-to browser.

If you’d prefer to keep using your familiar browser, no problem! You can enlist help to obfuscate your fingerprint. For example, Avast AntiTrack and Norton AntiTrack both inject false information into the elements of your digital fingerprint, focusing on the items that do the most to make your fingerprint unique. Your faked-up fingerprint may still be unique, but it keeps changing, so trackers get nothing useful. Iolo Privacy Guardian, which once was a licensed version of TrackOFF, is now an in-house product that clears cookies, configures privacy settings in Windows, and attempts to foil fingerprinters (though we couldn’t confirm its effectiveness). Other tools, such as the Electronic Frontier Foundation’s Privacy Badger, watch for sites gathering fingerprint data and block their access.

White Glove Web Browsing

Now you know how browser fingerprinting works: If you just surf the web willy-nilly, you leave fingerprints everywhere. Advertisers and others can track you based on your browser fingerprint. To continue enjoying the internet without leaving traces, you have two main choices. You can choose a browser designed to foil fingerprinting, or you can add an app dedicated to that purpose. Whatever you choose, your privacy is in your own hands.

Like What You’re Reading?

Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.

This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.

Thanks for signing up!

Your subscription has been confirmed. Keep an eye on your inbox!

Sign up for other newsletters


“Tech Bargains Galore: Where Innovation Meets Affordability!”