No single detail is rare. Stacked together, the bar shrinks from “everyone” down to one person, usually you. Figures are illustrative.
Fingerprinting combines many non-secrets until the set is unique. That is what makes it both clever and hard to escape.
The idea: a combination, not a secret
Think of twenty questions. “Is your timezone in Europe?” rules out most of the planet but still leaves millions. “Is your language English?” cuts it again. Add your exact screen size, your installed fonts, your graphics card, the quirks of how your browser draws a line of text, and within a couple of dozen questions the only person who answers all of them the same way is you.
Each answer is harmless and shared with countless others. The power is multiplicative: every independent detail multiplies the rarity of the whole. A site does not need anything secret about you, only enough ordinary details, read silently in the background as the page loads.
Each signal is measured, then folded into a single hash. Change one input and the whole signature changes, which is also how a site notices it is still you.
What the browser actually hands over
| Signal | Example | How identifying |
|---|---|---|
| Canvas | 9F3A1C20 | High · GPU, driver and font rendering combined |
| WebGL | ANGLE (NVIDIA …) | High · exact graphics renderer |
| AudioContext | 124.0434 | High · tiny audio-stack differences |
| Installed fonts | 47 detected | Med-high · your software set |
| Screen + DPR | 2560×1440 @2x | Medium · display setup |
| Hardware | 8 cores, 8 GB | Medium · CPU and memory class |
| Timezone + language | Europe/Helsinki, en | Low-med · coarse but stacks |
| Client Hints | Chrome 137, Windows, x86 | Low-med · brand, version, platform sent in headers |
| Device sensors | accelerometer, gyroscope | Low · presence and calibration, mostly mobile |
| WebRTC | local + public IPs | High · can leak your real address |
All of these are read in the browser with ordinary JavaScript, no permission prompt and no cookie required. The IP and fingerprint check reads exactly these on your own browser and shows you the hashes.
Recognition, not proof
The closest familiar cousin is the anti-fraud system behind online banking and card payments. When a bank decides whether a login or a purchase is really you, it does not stop at your password. In the background it profiles the device and how it behaves, the same kind of small signals listed above, and scores how likely the session is genuine. It does this silently, without asking, because asking would tip off a fraudster and slow everyone else down.
Web fingerprinting is the same technique aimed at a different target. There is no login, no prompt, no moment where you agree to it. A site reads the ordinary details as the page loads and compares the combination against what it has seen before. The fraud engine asks “is this the real account holder?” The tracker asks “is this the same visitor?” The machinery is the same.
And like a fraud score, it is only a probability. A fingerprint proves nothing, can be wrong, and drifts when you update your browser or change a setting. It never needs to be perfect. To follow you from page to page, or to recognise a returning visitor, “almost certainly the same browser” is enough. That is why it is everywhere: it costs the site nothing, asks you for nothing, and works well enough to matter.
Why canvas and audio are so sharp
The strongest signals come from asking your browser to make something rather than report something. Tell it to draw a line of text onto a hidden canvas, and the exact pixels that come out depend on your graphics card, its driver, the operating system's font smoothing, and the browser's rendering code. Two machines that look identical on paper still produce subtly different pixels, and hashing those pixels turns the difference into a stable number.
The same trick works with sound: generate a tone through the audio engine and measure the output, and the minute differences in how each system processes it form another hash. Neither plays anything or shows anything. They are pure measurements of how your specific stack behaves.
How the rest are read
The other signals need no drawing tricks; the browser simply answers when asked. Each takes a line or two of JavaScript, runs in milliseconds, and triggers no prompt.
WebGL. The 3D graphics interface names its own hardware: ask for the renderer string and back comes something like ANGLE (NVIDIA GeForce RTX 3060). That one string separates laptops from desktops, integrated from dedicated graphics, one driver generation from the next. A sharper variant renders a small 3D scene and hashes the pixels, canvas-style.
Fonts. There is no “list my fonts” function, so the reading is indirect: render a test string in a font the machine might have, measure its width, and compare against a fallback font. A different width means the font is installed. Checked against a few hundred candidates, your software history, office suites, design tools, games, regional packs, becomes a yes/no vector.
Screen and pixel ratio. Resolution, available height (which quietly encodes your taskbar or dock), colour depth and devicePixelRatio are plain properties. The common values are shared by millions; an unusual monitor, scaling factor or docked-laptop setup narrows the crowd fast.
Hardware class. hardwareConcurrency reports CPU threads, deviceMemory reports RAM in coarse steps. Weak on their own, but they anchor the fingerprint to the physical machine, which is part of what lets it survive a browser reinstall.
Client hints and headers. Browser brand and version, platform, architecture, mobile or not: these travel in the request headers themselves, before any script runs. This is the half of the fingerprint that needs no JavaScript at all. Timezone and language are the plainest of the lot, read straight from the settings.
Sensors. On phones, the presence and precision of the accelerometer, gyroscope and touch support separate device families, and published research has shown that tiny factory calibration offsets can distinguish even two phones of the same model.
Six quieter vectors
Beyond the well-known signals there is a second shelf: readouts most people have never heard of, that cost a tracker nothing to collect and that no privacy checklist mentions. Each one runs live on our IP and fingerprint page under “Advanced Vectors”, so you can watch your own browser answer.
CSS media features. Dark or light theme, reduced motion, contrast preference, whether your pointer is a mouse or a finger, whether the screen can show HDR: all of it is exposed so pages can adapt their layout. Preferences are personal by definition, which is exactly what makes them distinguishing. This vector does not even need JavaScript; plain CSS can report the answers by choosing which background images to request.
Media codecs. Ask canPlayType() which audio and video formats the machine can decode and the yes/no pattern encodes your operating system, browser licensing deals and hardware generation at once: HEVC support splits Safari from Chrome, hardware AV1 decoding marks a recent GPU, Dolby formats mark particular platforms. Nobody ever changes this, because nobody knows it is readable.
The language list. Sites read navigator.languages, not just your first language: the full ordered list, regional variants included. “en-US” is shared by hundreds of millions; “lv, ru, en-US” in that exact order is a very small crowd, and cross-checked against your timezone it gets smaller still.
WebGPU. The successor to WebGL answers in more detail than its parent: the adapter names the GPU vendor and architecture, and alongside it come dozens of precise numeric limits, buffer sizes, workgroup counts, texture dimensions, that vary by graphics card and driver. A fresh, sharper hardware readout, present in current Chrome and Edge and spreading.
Math precision. The strangest of the lot: feed the math engine edge cases, extreme tangents, hyperbolic functions, values near the limits of floating point, and the last few digits of the results differ between math libraries, CPUs and browser builds. It is pure arithmetic. There is no permission to deny and no setting to change, because nothing about it looks like tracking.
The TLS handshake. All of the above at least happens on the page. This one happens before the page exists: the order of ciphers and extensions your browser offers when it opens the HTTPS connection forms a stable signature of its network stack, hashed server-side in schemes known as JA3 and JA4. No script reads it, no extension sees it, and no browser setting touches it. It is the clearest proof that a fingerprint is not one thing you can switch off, it is the sum of how your software behaves.
The one that leaks more than a fingerprint
Most signals only describe your device. WebRTC, the technology behind in-browser calls, is different: to set up a connection it can reveal your local network addresses and sometimes your real public IP, even when a VPN is hiding everything else. So it is both a fingerprinting input and a genuine address leak. If you use a VPN, this is worth checking directly, the guide on whether your VPN leaks DNS and the leak test cover the related ground.
The hash changes, the device does not. Signal-by-signal comparison quietly stitches the three “different” visitors back into one profile. Figures are illustrative.
A fingerprint that changes still gives you away
Follow one laptop for six weeks. On day one a site reads 32 signals, folds them into a hash, and files it. Three weeks later the browser updates itself: the version string changes, the rendering code changes a few canvas pixels, and the hash comes out completely different. On paper, a new visitor.
Except the tracker never threw away the ingredients. Compared signal by signal, 30 of the 32 answers are identical, including the rare ones: the same 47 fonts, the same GPU string, the same unusual screen setup. The odds that a genuinely different person shares exactly that combination are tiny, so the two profiles are merged and the new hash simply replaces the old. Week six, a design tool installs a font, the hash moves again, and the same arithmetic re-links it again.
This is the anti-fraud engine doing exactly what it was built for. A bank does not lock you out because you updated your browser; it recognises that everything else still matches. The hash is only shorthand. What is actually matched is the whole vector of answers, and drifting out of it would take many signals changing at once, which normal use never does.
Why it is hard to escape
A fingerprint stores nothing on your machine, so clearing cookies or opening a private window does not remove it; the same signals are read again and produce the same signature. And here is the twist that catches people out: the more you customise your browser to feel private, the rarer you often become. A pile of extensions, an unusual font, a niche setting, each one is another distinguishing answer. Standing out is the opposite of hiding.
That is why the approaches that actually work aim at uniformity, not concealment: making your answers common instead of trying to hide them. Turning JavaScript off removes most of the surface but breaks much of the web, so the practical versions of the idea live inside the browsers themselves, compared below. There is no perfect setting; the realistic goal is to blend into a crowd rather than to vanish.
What the major defenses actually do
| Browser | Strategy | What it does | The cost |
|---|---|---|---|
| Tor Browser | Uniformity | Every user reports the same values: fixed window sizes (letterboxing), one bundled font list, patched canvas and WebGL, UTC timezone. The crowd itself is the defense. | Sites break more often and the network is slow; you no longer stand out as you, but you do stand out as Tor. |
| Brave | Randomisation | Adds small per-site, per-session noise (“farbling”) to canvas, audio and WebGL readouts, so the hash a site stores today will not match tomorrow. | Occasional breakage in canvas-heavy tools and games; a determined script can detect that noise is present. |
| Firefox (RFP) | Normalisation | The resistFingerprinting setting reports fixed values: UTC timezone, a generic user agent, standard screen sizes, and canvas reads require an explicit prompt. | Off by default and strict when on: clocks look wrong to sites, prompts appear, some layouts misrender. |
| Safari | Reduced surface | Exposes fewer readable values in the first place, and Apple hardware is uniform to begin with: two MacBooks of the same model look far more alike than two Windows PCs. | The protection is strongest inside the Apple crowd, and there are few knobs to harden it further. |
Two working philosophies: look like everyone (uniformity) or look like no one twice (randomisation). Both beat trying to hide. A regular browser with an ad blocker still fingerprints cleanly; what changes the picture is choosing one of the crowds above.
Three separate exposures
Your IP
Your network and rough area. Covered in what your IP reveals.
Your DNS
The names you visit, seen by your resolver.
Your fingerprint
The device and browser themselves, this page. Independent of the other two.
See your own signature
Read the exact signals your browser is handing over right now, canvas, audio, WebGL, WebRTC, and the rest, with their hashes.
Run the fingerprint checkOzy-666 builds and operates dnsdoh.art, an encrypted DNS resolver serving DoH, DoH3, DoT and DoQ. He maintains its Edge-optimised AdGuardHome and dnscrypt-proxy forks and the custom resolver, TLS and firewall stack these guides document. They are written from running that infrastructure day to day.