Skip to main content
Back to all posts

Your Browser is Leaking: A Guide to Fingerprinting

โ€ขSnapSend Team

Most people think avoiding tracking is as simple as clearing cookies or opening an Incognito window. That worked a decade ago. Today, ad-tech and analytics companies barely need cookies โ€” they can re-identify you on your next visit without storing a single byte on your device.

The technique is browser fingerprinting, and understanding it changes how you think about online privacy.

Fingerprinting vs. cookies: why deleting cookies doesn't help

A cookie is stateful. It's a small file the site writes to your machine, and you can inspect it, block it, or delete it. When you clear cookies, the tracker's identifier for you is genuinely gone.

Fingerprinting is stateless. The tracker stores nothing on your device. Instead, it re-derives your identity on every visit by measuring characteristics your browser reveals in the normal course of rendering a page. Delete your cookies, switch to a fresh profile, or open a private window, and the fingerprint is unchanged โ€” because it's computed from your hardware and configuration, not from a token you can throw away.

That's the uncomfortable part: the thing being tracked isn't something you have. It's something you are.

The signals that make up a fingerprint

When your browser loads a page, JavaScript can read dozens of properties that exist to help sites render correctly. Collected together, they describe a machine with surprising precision:

  • User agent and platform โ€” browser name, version, OS
  • Screen โ€” resolution, color depth, and devicePixelRatio
  • Timezone and language โ€” via Intl.DateTimeFormat and navigator.language
  • Hardware hints โ€” navigator.hardwareConcurrency (CPU cores) and deviceMemory
  • Installed fonts โ€” enumerated by measuring how test strings render
  • GPU details โ€” the WebGL UNMASKED_RENDERER string often names your exact graphics chip
  • Audio stack โ€” a hash derived from how your machine processes a synthetic audio signal
  • Canvas rendering โ€” the single most powerful signal (more below)

Any one of these is shared by millions of people. The combination is often unique.

Canvas fingerprinting: a concrete example

Canvas fingerprinting is the classic technique, and it's worth understanding in detail because it shows how "harmless" APIs leak identity.

The site draws text and shapes to an off-screen <canvas>, then reads the pixels back:

const canvas = document.createElement('canvas');
const ctx = canvas.getContext('2d');
ctx.textBaseline = 'top';
ctx.font = '14px Arial';
ctx.fillText('SnapSend fingerprint test ๐Ÿ˜€', 2, 2);
// The pixel data differs subtly per machine:
const signature = canvas.toDataURL();

The text looks identical to you on screen. But the pixel output differs slightly between machines because of GPU model, graphics drivers, font rasterization, anti-aliasing, and even the OS emoji set. Those differences are invisible to the eye but perfectly stable for your machine. Hash the pixels and you get a value that survives cookie clears and private windows.

The same trick works with WebGL (rendering a 3D scene) and with the AudioContext API (processing a tone). None of these APIs were designed for tracking. They leak identity as a side effect of exposing real hardware.

Entropy: how a handful of "innocent" details identifies you

The right way to think about a fingerprint is in bits of entropy โ€” how much a value narrows down the population.

If half the web uses Chrome, learning "this person uses Chrome" gives roughly one bit โ€” it cuts the crowd in half. Add the OS, screen resolution, timezone, font list, and canvas hash, and each attribute slices the remaining population further. Twenty or so bits is enough to single out one person among millions.

The lesson: no single data point is sensitive, but privacy dies by a thousand cuts. The EFF's Cover Your Tracks project (formerly Panopticlick) lets you measure your own fingerprint's uniqueness in a couple of minutes.

Why Incognito and a VPN aren't enough

Two common defenses miss the point of fingerprinting:

  • Incognito / private mode clears cookies and history when you close the window. It does nothing to the fingerprint surface โ€” your GPU, fonts, and screen are identical in a private window. We cover this in more detail in Incognito Mode: What It Actually Hides.
  • A VPN changes your IP address, which genuinely helps. But your fingerprint travels with you regardless of which exit node you use, so a VPN alone won't stop a tracker from stitching your sessions together.

Both are worth using. Neither is a fingerprinting defense.

Defending against fingerprinting (and the paradox)

Here's the counterintuitive part: the harder you try to look unusual, the easier you are to track. A browser stuffed with a dozen niche privacy extensions, a spoofed user agent, and a custom font stack is far more unique than a stock install. The goal is not to be invisible โ€” it's to look like everyone else.

1. Blend in with the herd. The Tor Browser is the gold standard: it deliberately makes every user's fingerprint look identical, down to a fixed window size. Firefox offers a lighter version via privacy.resistFingerprinting in about:config, which normalizes many of the signals above.

2. Use a browser that fights back. Brave randomizes canvas and audio outputs each session, so the tracker gets a different value every time and can't lock onto you. Firefox with Enhanced Tracking Protection blocks many known fingerprinting scripts outright.

3. Keep your setup boring. Avoid rare extensions that inject detectable markup, plus exotic fonts and themes. Stock-standard is anonymous.

4. Disable JavaScript (the nuclear option). Most fingerprinting needs JavaScript. Turning it off breaks the modern web but offers the strongest anonymity for pure reading.

Common mistakes

  • Spoofing your user agent by hand. If your user agent says "Safari on Mac" but your WebGL string names an Nvidia GPU, you've created a contradiction that exists on almost no real machine. Inconsistency is a fingerprint.
  • Stacking privacy extensions. Three anti-tracking extensions don't add up to three times the protection; they add up to a rare, distinctive configuration.
  • Assuming one tool solves it. A VPN, an ad blocker, and private mode each address a different layer. None of them, alone, defeats fingerprinting.

A quick self-audit checklist

  • [ ] Run the EFF Cover Your Tracks test to see how unique you look
  • [ ] Pick one hardened browser (Tor, Brave, or Firefox with RFP) and commit to it
  • [ ] Remove extensions you don't actually use
  • [ ] Stop manually spoofing your user agent
  • [ ] Treat a VPN and private mode as complements, not solutions
  • [ ] Check what else you leak day to day with our privacy check tool

FAQ

Can I ever be truly un-fingerprintable? Not with a mainstream browser doing everyday things. Realistically, you're aiming to raise the cost of tracking and shrink your uniqueness, not to disappear.

Does fingerprinting identify me by name? Not directly. It links your sessions under a pseudonymous identifier. But combined with a single login or purchase, that pseudonym gets a name attached fast โ€” which is why your broader digital footprint matters as much as any single site.

Is fingerprinting legal? It varies by jurisdiction and sits in a gray area. Regulation lags well behind the technology, so don't count on the law here.

Where SnapSend fits

Fingerprinting is what happens when a service is built to remember you. SnapSend is built to forget. We don't profile the machines that create or open links, we don't log user agents for analytics, and the content is encrypted in your browser before it ever reaches us โ€” the model we describe in zero-knowledge encryption and on our security page. We connect sender to recipient, then the link self-destructs.

If you want a five-minute look at what your own browser gives away before you share anything sensitive, start with the privacy check tool. It's free, needs no account, and it's a better first step than any extension.