Beyond cookies: browser fingerprinting in 2025
Cookies are optional. Fingerprinting isn’t. In 2025, the easiest way for trackers and third-party advertisers to follow you across the Web is to read the traits your browser can’t help revealing (screen, fonts, GPU quirks) and stitch them into a stable ID. The third-party advertising and tracking ecosystem has metastasized to a point that even US intelligence agencies use ad blockers internally for security reasons. The connection between real-time bidding and personal data leaks is well-established. This personal data often ends up with data brokers and subsequently leads to users experiencing financial fraud.
This blog post gives an overview of browser fingerprinting as a means of tracking users, how browsers protect users, and how users can protect themselves. This latter part is important, because most browsers (even the privacy-respectful ones) don’t always automatically enable anti-fingerprinting measures.
What is a browser fingerprint?
A browser fingerprint is much like a human fingerprint: a unique identifier that is hard to change. The more ways in which you’re different from other users, the more uniquely-identifiable your browser fingerprint, and the easier you are to track across the Web. If all a website comes to know is that you’re on an iPhone 16, that’s not particularly identifying, since you are far (far, far) from the only iPhone 16 user. But websites also need to know things like your screen size (to properly display the website for your screen), your timezone (to show you your calendar), whether or not you have dark mode enabled (for accessibility as well as general hacker vibes), etc. In combination, all of these small differences contribute to making your browser look unique.
For a browser, this presents a dilemma: break the ability for websites to detect dark mode and you incur the wrath of your most vocal users whose hacker aesthetics you just committed photocide against (ask me how I know). Don’t, and that’s yet another bit of information exposed to malicious tracking scripts. It gets even more complicated with more advanced fingerprinting techniques that rely on subtle differences between how different computers render pixels, or how sound cards process sound. We’ll come back to this point when discussing anti-fingerprinting strategies, but generally, the more modded and customized your computer setup, the more identifiable it is.
This majorly sucks, because the power of the Web is in its dynamism and diversity. JavaScript and other Web technologies let developers design immersive experiences and power the Web economy. Also, the same Wikipedia.org website can work across different operating systems, device manufacturers, form factors and hardware capabilities, ranging from my Apple device to my colleague’s bespoke Sailfish-flashed handset, and I think that’s beautiful. Powerful browsers and adaptive websites are a good thing!
Who does browser fingerprinting?
Advertisers
Advertisers want to know very legal and very cool things like whether that Nike ad you saw on Instagram ended up being responsible for a purchase you made on Nike’s website later that week. Without this kind of tracking data, they have no idea if the billions of dollars they pay advertising platforms like Meta are paying off. Advertising networks also want to know who you are in order to increase the chances you click on an ad. There is an overwhelming financial incentive to get any kind of user tracking they can. Interestingly, browser fingerprinting is controversial even within the advertising industry, though it happens anyway.
Anti-fraud and anti-bot vendors
Anti-fraud and bot-mitigation companies aim to identify unwanted clients by fingerprinting their browsers. “Unwanted” typically means “could be a security threat” or “is a bot”. Identifying non-human traffic is a growing concern, especially as LLMs get better at solving CAPTCHAs. NYTimes and other news websites were caught harvesting local IP addresses as an anti-bot strategy a few years ago.
Law enforcement and nation states
Government agencies frequently use whatever data collection mechanism they can get their hands on. The NSA used XKEYSCORE to hoover up Internet traffic directly from fiber optic cables around the world, and extracted browser fingerprints to assess the exploitability of their targets. The UK tax revenue agency (HMRC) recently asked around for fingerprinting solutions to detect tax fraud.
Why fingerprint (when you can cookie)?
After much back-and-forth, Google Chrome announced in April 2025 that they will be rolling back their latest already-watered-down proposal to bring third-party cookie blocking to users (basically just ask them), and will now be doing (checks notes) absolutely nothing. The working title of this post was “tracking in a post-cookie world”, but it looks like that world is still far away, given Chrome’s reluctance to touch third-party cookies and their dominant browser market share. More than half the Web’s traffic comes from Chrome (exact numbers vary depending on who you ask for interesting reasons that deserve their own blog post).
Other major browsers, thankfully, do block and partition third-party cookies. Even so, browser fingerprinting is still widely used by trackers and third-party advertisers to overcome the limitations of cookie-based tracking.
Cookies can be isolated (e.g. Private Browsing)
Users can use dedicated browsing sessions, isolating cookies and other storage. The classic example is Private or Incognito windows which also clear storage when users exit them, but Firefox’s Containers or Chromium’s Profiles serve the same purpose of making sure that whatever state the user picks up in the course of their browsing is isolated to that session.
Browser fingerprinters try to pierce session isolation in order to re-identify users. The NSA used Evercookie to unmask Tor users by recreating cookies even after they were deleted.
Cookies can be cleared
Cookies and other kinds of storage can be proactively cleared by the user even within the same session. Brave and DuckDuckGo offer ways to automatically clear storage when a tab/site/app is closed. Several browsers use heuristics to figure out when it’s safe to clear a website’s storage so as to prevent tracking while preserving benign use-cases. Bounce tracking mitigation is one category of this work, implemented by most browsers with varying degrees of aggressiveness. Again, Chrome lags behind other browsers by not applying bounce tracking mitigations by default.
A browser fingerprint is a lot more pernicious and hard to clear, since it relies on inherent characteristics of your machine.
Fingerprinting is invisible
Browser fingerprinting is often passive: the malicious website or script doesn’t need to do anything observable in order to fingerprint you. This is unlike cookies, where the user can see that a tracking script left some state. But if a website is using your User-Agent string to create a fingerprint for your browser, there’s not much you can do about it since you won’t even know that the website is doing it. Brave has a way for users to see if a website invoked a Web API that has fingerprinting protections applied.
Harder for regulators to enforce
Regulators have mostly enforced laws against storage-based tracking, since violations are much easier to detect. Cookie consent notices are a very visible example of this: you’re inundated with them as websites try to comply with laws that require explicit consent for storage on the user’s device. This leaves fingerprint-related profiling under-enforced since it happens by websites and trackers on the backend.
Google announced in 2024 that they will no longer prohibit their advertising customers from fingerprinting users, which was (thankfully) sharply rebuked by the UK ICO.
Protecting against fingerprinting
Trackers doing browser fingerprinting are essentially trying to divide users into buckets that are:
- diverse. If every user is in the same bucket (“uses an iPhone”), you haven’t learned much about the user.
- stable. If the user changes their fingerprint every time they visit your site, it’s not much of a fingerprint.
Browsers apply fingerprinting protections that are aimed at defeating this bucketing.
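To make the “diverse and stable buckets” idea measurable, here is an added example (not code from the original post) that scores how much a set of readable traits narrows a user down, the way fingerprint-testing sites report “bits of identifying information”. The population, the trait names and their values are constructed sample data for this example, not real measurements; the calculation is ordinary Shannon entropy over the buckets those traits produce.

```javascript
// Added example (not code from the original post): how strongly a set of
// browser traits narrows a user down. SAMPLE_POPULATION is constructed data.
const SAMPLE_POPULATION = [
  { device: 'iPhone 16',  screen: '393x852',   tz: 'America/New_York', dark: true,  fonts: 22 },
  { device: 'iPhone 16',  screen: '393x852',   tz: 'America/New_York', dark: false, fonts: 22 },
  { device: 'iPhone 16',  screen: '393x852',   tz: 'Europe/Berlin',    dark: true,  fonts: 22 },
  { device: 'iPhone 16',  screen: '393x852',   tz: 'Europe/Berlin',    dark: true,  fonts: 22 },
  { device: 'Linux PC',   screen: '2560x1440', tz: 'Europe/Berlin',    dark: true,  fonts: 137 },
  { device: 'Linux PC',   screen: '1920x1080', tz: 'Asia/Kolkata',     dark: true,  fonts: 91 },
  { device: 'Windows PC', screen: '1920x1080', tz: 'Asia/Kolkata',     dark: false, fonts: 310 },
  { device: 'Windows PC', screen: '1920x1080', tz: 'America/New_York', dark: false, fonts: 310 },
];

// A bucket is the tuple of trait values a tracker can read.
function bucketKey(browser, traits) {
  return traits.map((t) => `${t}=${browser[t]}`).join('|');
}

// Count how many population members fall into each bucket.
function bucketize(population, traits) {
  const buckets = new Map();
  for (const b of population) {
    const key = bucketKey(b, traits);
    buckets.set(key, (buckets.get(key) || 0) + 1);
  }
  return buckets;
}

// Shannon entropy (bits) of the bucket distribution: how much a random
// member's bucket reveals about them. Zero bits = everyone in one bucket.
function entropyBits(population, traits) {
  const n = population.length;
  let h = 0;
  for (const count of bucketize(population, traits).values()) {
    const p = count / n;
    h -= p * Math.log2(p);
  }
  return h;
}

// Anonymity set of one browser: members sharing its bucket. 1 = unique.
function anonymitySetSize(population, browser, traits) {
  return bucketize(population, traits).get(bucketKey(browser, traits)) || 0;
}

// Fraction of the population singled out (anonymity set of 1) by these traits.
function uniqueFraction(population, traits) {
  const buckets = bucketize(population, traits);
  let unique = 0;
  for (const b of population) {
    if (buckets.get(bucketKey(b, traits)) === 1) unique += 1;
  }
  return unique / population.length;
}

// Greedy ordering: at each step add the trait that raises entropy the most.
// That is the order a tracker profits from, and so the order in which a
// browser gains most by normalising or randomising those traits first.
function traitsByMarginalGain(population, traits) {
  const chosen = [];
  let remaining = [...traits];
  while (remaining.length > 0) {
    const base = entropyBits(population, chosen);
    let best = remaining[0];
    let bestGain = -Infinity;
    for (const t of remaining) {
      const gain = entropyBits(population, [...chosen, t]) - base;
      if (gain > bestGain) { best = t; bestGain = gain; }
    }
    chosen.push(best);
    remaining = remaining.filter((t) => t !== best);
  }
  return chosen;
}

// Stand-alone demo: watch identifiability grow as traits accumulate.
if (typeof require !== 'undefined' && require.main === module) {
  const all = ['device', 'screen', 'tz', 'dark', 'fonts'];
  for (let k = 1; k <= all.length; k++) {
    const traits = all.slice(0, k);
    console.log(traits.join('+'), entropyBits(SAMPLE_POPULATION, traits).toFixed(2),
      'bits, unique fraction:', uniqueFraction(SAMPLE_POPULATION, traits));
  }
  console.log('traits by marginal gain:', traitsByMarginalGain(SAMPLE_POPULATION, all));
}
```

On this constructed population “device” alone gives 1.5 bits and singles nobody out; adding the timezone already makes half the users unique. Note that two members (rows three and four) stay indistinguishable even with every trait: that is the “hide in a crowd” outcome a browser is aiming for, and the greedy ordering is one way to decide which trait to normalise or randomise first.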
Consider the butterfly
Let’s imagine you’re a beautiful and unique butterfly, trying to avoid capture and identification by malicious lepidopterists (apologies in advance to worthy lepidopterists). You have two main strategies to avoid a future that involves being pinned up on a wall:
- hide in a crowd
- fly randomly
This is much like being a user on the Web, where you’re trying to avoid being fingerprinted by trackers.
Hiding in a crowd (avoid diverse buckets)
As a butterfly, you can evade capture by hiding your unique beauty in a crowd of other butterflies. The goal of “hiding in a crowd” (or herd immunity) is to make every browser look the same. This is the strategy used by Tor browser and Mullvad. The way this works is that you remove APIs and capabilities that reveal a lot of information about the browser. Unfortunately, this often means that powerful APIs end up getting removed from the Tor browser, which limits its widespread use (WebRTC, for example). This might be fine for a browser like Tor, which targets users with a higher-than-usual risk profile and whose users tend to be more concerned about privacy than usability. But more mainstream browsers cannot afford to do this. Having said that, major browsers frequently remove APIs that are low-utility and high-fingerprintability such as the Topics API being removed by Brave, Safari and Firefox.
It’s worth noting that browsers that always run on similar hardware and software, like Apple’s Safari, benefit from the lack of diversity.
Fly randomly (avoid stable buckets)
As a butterfly, instead of trying to be the same as everyone else, you can zig-zag across the sky, evading capture. You can try to be as different as possible, every time.
This is Brave browser’s approach for many Web APIs: randomize the fingerprint per-session and per-site. This effectively means that your fingerprint will be unique for a website but different across every website (which defeats cross-site tracking), and will reset after every browsing session (which defeats cross-session tracking), similar to how cookies and other state are cleared after a Private browsing session.
Safari 17 introduced advanced fingerprinting protection (though only in Private Browsing mode) largely modeled on Brave’s fingerprinting approach of adding random noise to API output. Encouragingly, Safari 26 will enable advanced fingerprinting protection by default.
When this strategy of randomizing Web APIs works, you get both powerful Web APIs and privacy. In practice, this can be tricky to get right and can lead to web dev frustration and website breakage, when the injected randomness interferes with benign use-cases. Brave had to change their screen fingerprinting protection to report “one-of-few” outputs to bucket users instead of purely randomizing.
Bonus: block known trackers
As a butterfly, you can also start a list containing photographs of lepidopterists so that you can distinguish them from harmless human visitors, and you can share that with your butterfly friends, so you all know to stay away from the bad guys. This “crowdsourced blocklist of known bad actors” approach is surprisingly effective in Web privacy. You might (as a concerned butterfly) ask: What if a blocked lepidopterist just puts on a disguise? What if a new lepidopterist appears? And why are we still continuing with this butterfly analogy when it has clearly broken down several paragraphs ago and was probably broken to begin with? These are all valid questions.
A blocklist to block advertisers and trackers might not seem like a robust approach. But the truth is that most tracking on the Web is done by a few well-known companies, and if you block them, you protect yourself against most of the harms. Also, community lists are surprisingly well-maintained, with new rules being added (to counter new tracking scripts and requests) and removed (to counter website breakage) on the order of minutes.
Every browser uses blocklists in some way to block content: Firefox’s Enhanced Tracking Protection based on Disconnect and Brave’s ad & tracker blocking based on various community-maintained lists are good examples of this. Safari blocks known trackers in Private Browsing mode using a combination of EasyPrivacy and DuckDuckGo’s Tracker Radar. Chrome interestingly also uses this strategy to block “bad ads” as defined by Better Ads Standards using a modified form of EasyList.
How do I protect myself?
Turn fingerprinting protections on!
In practice, every browser applies some mix of the above strategies, depending on the Web API or source of variance they’re trying to minimize. However, not every browser applies fingerprinting protection by default:
Safari
Enable Settings → Advanced → “Use advanced tracking and fingerprinting protection.” → “in all browsing”.
The current default is “in Private Browsing”, though this will change in Safari 26.
Firefox
Turn on Resist Fingerprinting in about:config. See instructions.
Brave
Fingerprinting protections are applied automatically and by default.
Chrome
Chrome doesn’t currently do much against fingerprinters. They’re exploring blocking known third-party fingerprinting scripts in Incognito Mode.
Block trackers
If you don’t use a browser with an in-built ad and tracker blocker like Brave, use a good adblocking extension like uBlock Origin. On Chromium-based browsers, unfortunately, using adblocking extensions is becoming increasingly hard given Google’s move to phase out Manifest V2 extensions.
Hide your IP address
When possible, try to hide your IP address. IP addresses are fairly stable network-level identifiers that browsers can’t hide easily. Use the following to get around IP address-based tracking:
- Apple’s 2-hop iCloud Private Relay: requires an iCloud+ subscription.
- A trustworthy VPN: most VPNs are privacy nightmares. Some good ones are bundled into the browser such as Mozilla VPN, Brave VPN or Mullvad.
- The Tor network: either via Tor Browser or another browser’s implementation such as Brave’s Tor mode, though always prefer Tor Browser if your safety depends on it.
Lastly, test!
You can check your browser’s vulnerability to fingerprinters by using a good fingerprinting testing website like https://coveryourtracks.eff.org/.
I put together a simple demo website to give a visual example of how browsers apply anti-fingerprinting measures. The website writes and reads data using the Canvas API, a widely-used and useful Web API that is also sadly commonly used by fingerprinters. Canvas fingerprinting draws hidden graphics using the Canvas API and re-reads the raw pixels. These pixels encode subtle details about your GPU, driver, fonts and sub-pixel rendering, which a tracker can then hash into a stable identifier that survives anything you can do (short of getting a new computer). To combat this, many browsers inject noise into the pixels when they are read back. The demo website shows that the noise injected by the browser (if it injects any) is ordinarily invisible to the human eye. The test deliberately amplifies the distortion to show how different browsers use different noise-injection strategies.
For a fun exercise, try out the demo website on Mozilla Firefox with Resist Fingerprinting turned on and see the surprising result you get!
Further reading
- [Fingerprinting web.dev](https://web.dev/learn/privacy/fingerprinting)
- Firefox’s protection against fingerprinting
- Brave’s fingerprinting philosophy: https://github.com/brave/brave-browser/wiki/Fingerprinting-Protections
- Apple’s one-pager on their tracking prevention mechanisms: Tracking Prevention in WebKit
- [Private Browsing 2.0 WebKit](https://webkit.org/blog/15697/private-browsing-2-0/)
- Open source privacy tests for browsers by Arthur Edelstein: PrivacyTests.org
- DuckDuckGo’s tracker radar, used by Safari: https://github.com/duckduckgo/tracker-radar
- Test your browser to see how well you are protected from tracking and fingerprinting: EFF’s Cover Your Tracks
- Fraud, Abuse, Fingerprinting, Privacy, and Openness by Martin Thomson
- Old but comprehensive writeup by Chromium on client identification mechanisms: Technical analysis of client identification mechanisms
- Study examining trackers across the Web: Online tracking: A 1-million-site measurement and analysis
- Mullvad, IVPN, and Mozilla Top Consumer Reports’ VPN Privacy
Shivan Kaul Sahib is VP of Privacy and Security at Brave Software. Views are personal. The author would like to thank Juliana Guerra, Rohan Dandavati, Aakash Japi and Gurshabad Grover for proof-reading and providing feedback on this post.
This blogpost by Shivan summarises the ‘tech dive’ he delivered to the members of the Public Interest Technology Group on May 1 2025.