Forem: Hafiz Khurram Javid

What Is Browser Fingerprinting? How Websites Track You Without Cookies (2026)

Hafiz Khurram Javid — Tue, 07 Apr 2026 19:34:43 +0000

You cleared your cookies. You switched to private browsing. You even tried a VPN. And yet the website still knew it was you.

Browser fingerprinting is why - and it works by reading signals from your device that you cannot delete, clear, or turn off.

What Is Browser Fingerprinting?

Browser fingerprinting identifies you by combining technical details about your browser and device into a unique profile. Your GPU model, installed fonts, screen resolution, audio hardware, timezone, and language settings are all read silently - no permission prompt, no cookie banner, no storage on your device.

Each individual signal is not unique. Millions of people have a 1920×1080 screen. Millions use Chrome on Windows. But when you combine 13 or more signals together, the resulting fingerprint is statistically unique for 83–90% of users, according to research from AmIUnique.org and the EFF's Panopticlick project.

Unlike cookies, fingerprinting leaves no trace on your device. There is nothing to clear, nothing to block with standard privacy settings, and nothing that resets when you close your browser.

Cookies vs. Fingerprinting: The Key Difference

	Cookies	Fingerprinting
Stored on your device?	Yes	No
Can you delete it?	Yes	No
Blocked by incognito?	Partially	No
Blocked by cookie banners?	Yes (if compliant)	Rarely
Requires GDPR consent?	Yes	Yes - but often ignored
Survives browser reset?	No	Yes

The 13 Signals That Make Up Your Fingerprint

Here are the main vectors websites use, ranked by how much identifying information each contributes (measured in entropy bits):

🔖 User Agent String - 10.5 bits (High)

Your browser's identity card. Reports your exact browser name, version, OS, and CPU architecture. A single string that narrows you to a very small group.

🎨 Canvas Fingerprint - 8.5 bits (High)

The website draws invisible shapes on a hidden canvas element and reads back the pixel data. Your GPU and OS render these slightly differently, creating a hash unique to your hardware.

🔤 Installed Fonts - 7.5 bits (High)

The exact set of fonts on your system is surprisingly unique. Design tools, games, and work applications all install custom fonts. The combination is often one-of-a-kind.

🔺 WebGL / GPU Renderer - 7.2 bits (High)

WebGL exposes your exact GPU model and driver version to every website without any permission required. Your graphics card is effectively signing every page you visit.

🔊 Audio Fingerprint - 5.4 bits (High)

A silent tone is processed through your audio hardware using the Web Audio API. The tiny differences in how your chip handles it create a unique signature - completely invisible and inaudible.

📐 Screen Resolution - 4.8 bits (Medium)

Your screen width, height, color depth, and device pixel ratio. Multi-monitor and high-DPI configurations are especially distinctive.

🌍 Browser Language - 4.2 bits (Medium)

The languages your browser is configured to use. Multilingual users with uncommon language pairs can be nearly uniquely identified from this single vector.

⚙️ Hardware Profile - 3.1 bits (Medium)

CPU core count and RAM. Combined with other signals, this narrows your device to a small group.

🕐 Timezone - 3.8 bits (Medium)

Your browser reports your real timezone even behind a VPN. A mismatch between your IP geolocation and timezone is a classic VPN detection signal.

How Websites Actually Use Your Fingerprint

The most common uses are ad tracking, fraud detection, and paywall enforcement.

Ad networks build profiles of your browsing behavior across thousands of sites and use fingerprinting to link those sessions together even when you clear cookies. Banks use fingerprinting as a fraud signal - a sudden change in fingerprint triggers verification challenges.

News sites and streaming platforms use fingerprinting to enforce article limits and free trial periods. Clearing cookies resets the counter; fingerprinting does not.

More troublingly, data brokers purchase fingerprint-linked browsing profiles and combine them with offline data. A 2025 investigation found that some brokers could link anonymous browsing sessions to real names and addresses through fingerprint data alone.

Is Browser Fingerprinting Legal?

Under GDPR, fingerprinting constitutes processing of personal data because it creates a unique identifier. This means it requires a lawful basis - almost always consent - and must be disclosed. In practice, most websites outside the EU fingerprint without consent.

Under CCPA and CPRA, browser fingerprints qualify as unique personal identifiers, giving California residents the right to opt out of their sale. Most US state privacy laws passed since 2023 include similar provisions.

The EU's ePrivacy Directive specifically covers fingerprinting and requires consent, but enforcement has been inconsistent.

How to Reduce Your Browser Fingerprint

→ Switch to Brave Browser (highest impact)

Brave actively randomizes canvas, WebGL, audio, and font fingerprinting vectors on every page load. The only mainstream browser with built-in fingerprint randomization that changes per session.

→ Use the Tor Browser (maximum anonymity)

Tor makes every user appear identical by standardizing all fingerprinting vectors. Trade-off: significantly slower browsing.

→ Firefox with Strict Mode (good balance)

Firefox's Enhanced Tracking Protection in strict mode blocks known fingerprinting scripts and restricts font enumeration.

→ Install CanvasBlocker (partial)

A Firefox extension that randomizes canvas fingerprinting output. Effective against canvas tracking but leaves WebGL and audio untouched.

The Paradox of Anti-Fingerprinting

There is a cruel irony at the heart of fingerprinting defense: some protective measures can make you more distinctive.

Enabling Do Not Track, for example, is set by only about 12% of users - meaning having it on is itself a fingerprinting signal. Using an uncommon browser or heavily customizing privacy settings can make your fingerprint more unique rather than less.

The most effective defense is not customization but standardization - using browsers designed to make all users appear identical, like Tor.

Test Your Own Fingerprint

The best way to understand your exposure is to see it directly.

TrustScan's Browser Fingerprint Analyzer runs 13 tracking vectors against your browser, calculates your entropy score, and shows exactly which signals are most identifying - with specific reduction steps.

It runs entirely in your browser. Nothing is collected or transmitted. Free, no account required.

The Bottom Line

Browser fingerprinting is the tracking technique that works after everything else fails. It does not use cookies. It cannot be cleared by standard browser settings. It is not defeated by a VPN alone. And it is used by thousands of advertising networks and data brokers right now.

Understanding what it is - and testing your own exposure - is the first step to making informed decisions about your browser and your privacy.

Originally published at trustscan.dev. TrustScan is a free privacy and security toolkit - 100% client-side, no data collected.

I Built a Free Privacy Toolkit with Next.js - 6 Tools, Zero Data Collection

Hafiz Khurram Javid — Sat, 14 Mar 2026 19:14:08 +0000

I spent the last few months building TrustScan - a free privacy and security toolkit with 6 tools. No accounts, no tracking, no data stored. Here's what I built, the tech decisions I made, and what I learned.

What It Does

TrustScan has 6 free tools:

Privacy Policy Simplifier - paste any privacy policy URL, get an AI-powered risk report with red flags, data collection breakdown, and a downloadable PDF
Website Privacy Audit - scan any URL for HTTPS, security headers, trackers, cookie consent, and privacy policy presence
Privacy Law Checker - answer 7 questions, find out which of 30+ privacy laws apply to your business
PDF Metadata Stripper - deep scan and strip hidden metadata from PDFs, 100% client-side
AI Training Opt-Out Hub - opt-out links for 30+ AI platforms in one place
Extension Security Auditor - analyze browser extension permissions and risks to identify potential security threats

Tech Stack

Next.js 14 with App Router and TypeScript
Tailwind CSS for styling with a custom dark/light theme system
Groq API (free tier) for the Privacy Policy Simplifier AI analysis
pdf-lib for client-side PDF metadata stripping
jsPDF for generating branded PDF reports
Netlify for deployment
JSON-LD structured data on every page for SEO

Key Architecture Decision: Client-Side First

The biggest design decision was making the PDF Metadata Stripper run entirely in the browser. Most "free" PDF tools upload your file to a server, process it, and send it back. That's a privacy risk - you're trusting a random server with your sensitive documents.

With pdf-lib, the entire stripping process happens in your browser tab. Zero network requests. You can verify this yourself by opening DevTools while using the tool.

This became a genuine differentiator. Users in the privacy community immediately noticed and appreciated it.

AI Without Breaking the Bank

The Privacy Policy Simplifier needed an LLM to analyze policies. I started with Anthropic's API, then tried Google's Gemini free tier. Problem: Gemini's free tier is blocked in the EU, and I'm based in Finland.

Switched to Groq (free tier, uses Llama models). It's fast, works globally, and the free tier is generous enough for a tool like this. The prompt engineering was the real challenge - getting consistent structured JSON output (company name, risk level, data collected, third parties, etc.) took many iterations.

SEO Strategy That's Starting to Work

Every tool page has:

10-15 targeted keywords in metadata
JSON-LD structured data (WebApplication + FAQPage + BreadcrumbList)
6 FAQ items with schema markup
Open Graph and Twitter card meta tags
Canonical URLs

I also wrote 12 blog posts targeting specific keywords like "how to remove metadata from PDF," "GDPR vs CCPA," and "best privacy policy summarizers." Each post links to a relevant tool, creating internal link loops.

The comparison posts ("Best Free PDF Metadata Removers" and "Best Free Privacy Policy Summarizers") are designed to capture "best X" searches where buying intent is high.

PDF Report Generation with jsPDF

The Privacy Policy Simplifier generates downloadable branded PDF reports. Built with jsPDF:

Risk-colored header banner (green/amber/red based on score)
Structured sections for data collected, third parties, rights, red flags
Footer on every page with date, disclaimer, and branding
Auto page breaks with footer preservation

One gotcha: splitTextToSize() calculates line wraps based on the current font size. If you set the font size after calling it, your text wrapping will be wrong. Set the font before measuring.

What I'd Do Differently

Start with SEO keyword research before naming tools. I called it "Privacy Policy Simplifier" but people search for "privacy policy summarizer." Same tool, wrong keyword. Had to fix this retroactively.
Build backlinks from day one. Great content with zero domain authority means Google won't rank you. I should have started directory submissions and community engagement alongside development, not after.
Ship fewer tools, promote more. 6 tools is a lot to maintain. I could have shipped 2-3 and spent the extra time on distribution.

What's Next

More comparison blog posts for SEO
Backlink building through directories, Quora, and community engagement
Additional tools covering AI disclosure scanning and digital identity exposure

If you work with privacy policies, PDFs, browser extensions, or compliance, give it a try at trustscan.dev. Everything is free. I'd love feedback from the dev community on the tools or the tech stack.

I'm a Wazuh Cybersecurity Ambassador and experienced Full Stack developer. TrustScan is my indie project built at the intersection of web development, AI, and privacy.