What Browser Fingerprinting Tracks When Cookies Are Blocked

Blocking cookies can make the web feel more private, but it does not stop every form of tracking. A website can still learn a surprising amount from the ordinary technical details your browser shares while loading a page. Those details may not look personal by themselves, but when many of them are combined, they can form a pattern that is uncommon enough to recognize again later.

That pattern is called a browser fingerprint. It is not a literal fingerprint stored on your hand or your device. It is a profile built from clues such as browser type, screen size, language settings, time zone, fonts, graphics behavior, and other signals that help websites work. The Federal Trade Commission describes device fingerprinting as a technique that uses a browser’s unique configurations and settings to track activity. MDN Web Docs, Mozilla’s developer reference, describes it as identifying a browser by collecting and combining distinguishing features of the browser and operating system.

The uncomfortable part is that fingerprinting does not depend on a single file that can be deleted. A cookie is like a name tag a site stores in the browser. A fingerprint is more like recognizing someone from a combination of height, shoes, accent, and walking style. None of those clues alone proves identity, but together they can become distinctive.

Why fingerprinting works without saving a cookie

When a browser visits a page, it has to answer technical questions. What language should the site use? How wide is the screen? Which media formats can play? What browser engine is rendering the page? Does the device support touch? What time zone should a calendar display? These signals help make the web usable across laptops, phones, tablets, assistive technologies, and many kinds of networks.

Fingerprinting turns that helpful openness into a tracking method. Instead of asking the browser to store an identifier, a script reads many small traits and compares the resulting pattern with patterns seen before. A common screen size tells little. A common browser version tells little. But a less common combination of screen dimensions, installed language preferences, graphics behavior, audio-processing quirks, and time zone may narrow the crowd.

EFF’s Cover Your Tracks project grew out of this problem. Its purpose is to show how trackers may view a browser and how identifying characteristics can remain visible even when a person has taken privacy steps. The lesson is not that every browser is uniquely identifiable all the time. It is that privacy depends on more than deleting cookies or opening a private window.

The signals that can become a fingerprint

A fingerprint usually comes from combining many signals rather than relying on one dramatic clue. Some are basic: browser version, operating system, screen resolution, color depth, preferred languages, time zone, and device memory. Others come from how the browser handles web features, such as canvas drawing, WebGL graphics, audio processing, font rendering, and supported media types.

Canvas fingerprinting is a useful example because it shows how subtle the method can be. A page can ask the browser to draw text or shapes in an invisible canvas element, then read back tiny differences in how the image was rendered. Those differences can come from the operating system, graphics card, browser engine, installed fonts, and rendering settings. The page does not need the user to type a name or press a tracking button. The rendering result itself becomes one small part of the profile.

WebGL and graphics-related signals can work in a similar way. Two devices may draw the same web object with tiny differences because of different graphics drivers or hardware. Audio-processing tests can also expose small differences in how a browser handles sound calculations. A single result is usually not enough to identify a person, but fingerprinting is a game of accumulation. The more pieces a tracker can gather, the easier it becomes to recognize the same browser later.

Some signals are being reduced by browser makers. For example, user-agent reduction limits how much exact browser and platform detail is exposed through older identification strings. But reducing one signal does not remove the whole problem. Trackers can look for other signals, and browsers have to balance privacy with compatibility so ordinary websites do not break.

How it differs from cookies and login tracking

Cookies are easier to understand because they are stored data. A shopping site may use a cookie to remember a cart. A news site may use one to keep a reader signed in. An advertising network may use third-party cookies to recognize the same browser across many sites. Because cookies are visible to browser controls, users can clear them, block some of them, or limit third-party use.

Fingerprinting is harder to manage because it can be recreated. If the browser keeps exposing the same combination of traits, the same fingerprint can be calculated again after cookies are cleared. Private browsing can help by limiting stored data from the session, but it does not automatically make the browser’s technical profile disappear. The session may be temporary while the device traits remain familiar.

Login tracking is different again. If a person signs in to the same account across devices, the service does not need a fingerprint to know who is present. The account itself identifies the user. Fingerprinting matters most in the space between obvious identity and anonymous browsing: cases where a site or ad system wants to recognize a browser without relying only on cookies, accounts, or direct identifiers.

That is why fingerprinting became more important as browsers and regulators put pressure on older tracking methods. Limiting third-party cookies solves one problem, but it can also push parts of the advertising and fraud-detection ecosystem toward other identifiers. The UK Information Commissioner’s Office warned in response to Google’s advertising-policy change that businesses do not have free rein to use fingerprinting and that it must be deployed lawfully and transparently. That warning points to the larger issue: fingerprinting is not merely a technical trick; it is also a question of consent, control, and trust.

Why some fingerprinting is useful and some is invasive

Not every use of fingerprinting-like signals has the same purpose. Banks, payment processors, and online stores may use device signals to detect suspicious behavior. If a login suddenly comes from a new device with unusual traits, the service may ask for another verification step. If hundreds of transactions appear from devices that share suspicious patterns, a fraud system may block them. In those cases, device recognition can protect accounts and reduce harm.

The privacy concern grows when the same kind of recognition is used to follow people across unrelated sites, build advertising profiles, or work around a user’s attempt to limit tracking. A person who rejects cookies or uses browser privacy controls is sending a clear preference. Fingerprinting can undermine that choice because it happens quietly and is harder to inspect. Many users do not see a fingerprinting prompt the way they see a cookie banner.

The distinction is not always simple. Fraud prevention, security, analytics, advertising, and personalization can overlap inside real systems. A technique that helps stop account abuse can also help recognize a returning visitor for less welcome reasons. That is why trustworthy use depends on narrow purpose, minimal data collection, clear disclosure, and limits on sharing. The question is not only whether the technology can identify a browser, but who uses that power and what they do with the result.

What actually reduces fingerprinting risk

The most realistic goal is not perfect invisibility. A browser has to reveal some information to function. The goal is to reduce unnecessary uniqueness and block known tracking behavior where possible. Privacy-focused browsers and stricter tracking-protection settings can help by limiting known fingerprinters, standardizing some exposed values, or adding defenses against techniques such as canvas and font probing.

Firefox, for example, describes fingerprinting protection as a way to block known fingerprinters and add broader protections for suspected ones while keeping the web usable. Other privacy-oriented browsers take different approaches, such as trying to make many users look more alike. The common idea is simple: a crowd is safer than a costume. If a browser exposes a rare, highly customized set of traits, it may stand out more. If it exposes a common, standardized set, it may be harder to separate from similar browsers.

Extensions can help, but they can also become part of the fingerprint if they make a browser behave in unusual ways. Installing many niche privacy tools, custom fonts, unusual plugins, or highly specific settings can sometimes increase uniqueness. That does not mean privacy tools are bad. It means the best setup is usually boring and consistent: a reputable browser, updated regularly, with built-in privacy controls enabled before adding a pile of extra changes.

• Use a modern browser that receives frequent security and privacy updates.
• Turn on stronger tracking protection if important sites still work properly.
• Limit unnecessary extensions, especially obscure ones with broad permissions.
• Block third-party cookies, but do not assume that cookie blocking stops all tracking.
• Be cautious about staying signed in everywhere, since account identity is stronger than any fingerprint.
• Use separate browser profiles for activities that should not be casually mixed.

Private browsing is still useful, but mainly for reducing local traces and temporary session data. It is not a cloak against every website, network, account login, or device signal. A school, employer, internet provider, app, or signed-in service may still know more than the browser window suggests.

How to think clearly about browser privacy

Browser fingerprinting matters because it shows how privacy can leak through ordinary design. The web is built to adapt: pages resize, languages change, videos choose formats, graphics render smoothly, and accounts stay secure. Those same adaptive features can also reveal enough detail to make a browser recognizable.

The best mental model is not panic. It is tradeoff awareness. Cookies, logins, IP addresses, device fingerprints, advertising identifiers, and account histories are different tools that can point toward the same person or device. Removing one tool helps, but it does not erase the whole tracking ecosystem. Strong privacy comes from layers: better browser defaults, careful settings, fewer unnecessary extensions, clear legal rules, and services that collect less data in the first place.

For everyday users, the practical takeaway is simple. Cookie controls are worth using, but they are only part of online privacy. A browser can be recognized by what it reveals while doing normal browser work. The more those signals are standardized, limited, or blocked, the less power fingerprinting has. The more unusual and exposed the browser becomes, the easier it is to pick out of the crowd.