Back to guides
Privacy

What Your Browser Tells About You

You can clear cookies and change your IP, but your browser keeps quietly handing every site a long list of small, ordinary details. No single one identifies you. Put thirty of them together and the combination is often yours alone, with nothing stored on your device at all. That combination is a fingerprint.

EACH SIGNAL NARROWS THE CROWD Everyone the crowd + locale, timezone, screen ~1 in 1,000 + fonts, GPU, cores ~1 in 100,000 + canvas, audio just you

No single detail is rare. Stacked together, the bar shrinks from “everyone” down to one person, usually you. Figures are illustrative.

Fingerprinting is not about finding one secret. It is about combining many non-secrets until the set is unique. That is what makes it both clever and hard to escape.

The idea: a combination, not a secret

Think of twenty questions. “Is your timezone in Europe?” rules out most of the planet but still leaves millions. “Is your language English?” cuts it again. Add your exact screen size, your installed fonts, your graphics card, the quirks of how your browser draws a line of text, and within a couple of dozen questions the only person who answers all of them the same way is you.

Each answer is harmless and shared with countless others. The power is multiplicative: every independent detail multiplies the rarity of the whole. A site does not need anything secret about you, only enough ordinary details, read silently in the background as the page loads.

Canvas WebGL / GPU AudioContext Fonts WebRTC + more 9F3A·C21D·A8 ONE SIGNATURE

Each signal is measured, then folded into a single hash. Change one input and the whole signature changes, which is also how a site notices it is still you.

What the browser actually hands over

SignalExampleHow identifying
Canvas9F3A1C20High · GPU, driver and font rendering combined
WebGLANGLE (NVIDIA …)High · exact graphics renderer
AudioContext124.0434High · tiny audio-stack differences
Installed fonts47 detectedMed-high · your software set
Screen + DPR2560×1440 @2xMedium · display setup
Hardware8 cores, 8 GBMedium · CPU and memory class
Timezone + languageEurope/Helsinki, enLow-med · coarse but stacks
WebRTClocal + public IPsHigh · can leak your real address

All of these are read in the browser with ordinary JavaScript, no permission prompt and no cookie required. The IP and fingerprint check reads exactly these on your own browser and shows you the hashes.

Why canvas and audio are so sharp

The strongest signals come from asking your browser to make something rather than report something. Tell it to draw a line of text onto a hidden canvas, and the exact pixels that come out depend on your graphics card, its driver, the operating system's font smoothing, and the browser's rendering code. Two machines that look identical on paper still produce subtly different pixels, and hashing those pixels turns the difference into a stable number.

The same trick works with sound: generate a tone through the audio engine and measure the output, and the minute differences in how each system processes it form another hash. Neither plays anything or shows anything. They are pure measurements of how your specific stack behaves.

The one that leaks more than a fingerprint

Most signals only describe your device. WebRTC, the technology behind in-browser calls, is different: to set up a connection it can reveal your local network addresses and sometimes your real public IP, even when a VPN is hiding everything else. So it is both a fingerprinting input and a genuine address leak. If you use a VPN, this is worth checking directly, the guide on whether your VPN leaks DNS and the leak test cover the related ground.

Why it is hard to escape

A fingerprint stores nothing on your machine, so clearing cookies or opening a private window does not remove it; the same signals are read again and produce the same signature. And here is the twist that catches people out: the more you customise your browser to feel private, the rarer you often become. A pile of extensions, an unusual font, a niche setting, each one is another distinguishing answer. Standing out is the opposite of hiding.

That is why the approaches that actually work aim at uniformity, not concealment. The Tor Browser makes every user look the same on purpose. Firefox's resist-fingerprinting mode normalises or spoofs the sharpest signals. Brave randomises some of them per session so the hash will not stick. Safari deliberately exposes less. Turning JavaScript off removes most of the surface but breaks much of the web. There is no perfect setting; the realistic goal is to blend into a crowd rather than to vanish.

Three separate exposures

Your IP

Your network and rough area. Covered in what your IP reveals.

Your DNS

The names you visit, seen by your resolver.

Your fingerprint

The device and browser themselves, this page. Independent of the other two.

See your own signature

Read the exact signals your browser is handing over right now, canvas, audio, WebGL, WebRTC, and the rest, with their hashes.

Run the fingerprint check
Back to all guides