In short

Fingerprinting is how sites build a unique device ID without using cookies. Combine 30 signals, screen, fonts, GPU, audio, language, time zone, plugins, and you usually have something unique enough to identify a single user across the entire web. It's harder to block than cookies because the signals are real things websites need (your screen size to render properly, for example), and removing them entirely breaks the web.

What signals get fingerprinted?

The classic ones, in order of how distinctive they are:

  • Canvas fingerprinting: a site asks the browser to draw a small image, then reads the pixels back. Tiny differences in graphics drivers, GPU model, and OS render the image slightly differently, different enough that the result is almost unique per device.
  • WebGL fingerprinting: similar to canvas, but using 3D graphics APIs. Reveals your GPU model and driver version pretty directly.
  • Audio fingerprinting: the browser's audio processing has tiny per-system numerical differences. A site can play a sound through the API (without you hearing it) and read the resulting waveform.
  • Font enumeration: which fonts you have installed is a surprisingly distinctive signal. A typical computer has 50–200 fonts; the specific list is rare to repeat.
  • Screen size and pixel density
  • User-Agent string and Client Hints (your browser, version, OS)
  • Time zone, language, hardware concurrency, available memory, battery API in some browsers

Any one of these is weak. Combined, they reach a uniqueness on the order of 1 in millions.

Why it works even when you block cookies

Third-party cookies are about to disappear from every major browser. Fingerprinting is the alternative the ad industry already pivoted to. The signals it uses aren't "tracking data" you can refuse to provide, they're data the browser has to send for the page to render properly. Your screen size matters because pages have to lay out for it. Your fonts matter because the page picks the best one to use. The fact that the combination is unique is a side effect of needing to send the data at all.

How browsers fight back

Two strategies, both imperfect:

  1. Uniformity (Tor's approach): make every Tor user look identical. Same fingerprint, same screen size, same fonts. The downside is the web breaks for you in lots of small ways, pages render at the "wrong" size, fonts substitute, web apps misdetect your device.
  2. Randomisation (Brave's, Dazr's approach): add small per-domain noise to the signals. Two visits to the same site see consistent results (so logins work); two different sites see different fingerprints. This is the trade-off most daily-driver privacy browsers make.

Dazr's defence is on by default and applies to canvas, WebGL, audio, and font measurements, with per-site overrides for the rare site that breaks under it.

What you can actually do about it

To reduce your fingerprint, the options are limited:

  • Use a browser with anti-fingerprinting on by default (Dazr, Tor Browser, Brave with shields strict)
  • Disable Battery API, plugins, and unnecessary browser features in advanced settings
  • Don't install fonts you don't need
  • Be aware that even disabling JavaScript still leaves passive fingerprinting (HTTP headers, IP, screen size from CSS) intact