INTELREAP
Privacy Guide

What Is Device Fingerprinting?
How It Works and How to Block It

Device fingerprinting tracks you without cookies by combining dozens of browser and hardware signals into a unique identifier that persists even when you clear your history, use private browsing, or switch IP addresses. This guide explains exactly how it works, who uses it, and what you can realistically do to reduce your exposure.

Loading…
4.9★satisfaction
290+ data pointsper scan
13 intelligence panelsper report
Zero data storedprivacy first
Quick Answer

Device fingerprinting identifies your browser by combining dozens of observable signals — no cookies, no storage, nothing to delete

When you visit a site that uses fingerprinting, JavaScript in your browser silently reads your GPU renderer string, screen resolution, installed fonts, canvas rendering output, audio context behaviour, browser settings, hardware concurrency, and more — then combines them into a hash that is statistically unique to your device. Unlike cookies, this identifier is not stored on your device, so clearing your browser data does not remove it. It is recalculated fresh on every visit from your device's characteristics, and the result is typically the same.

01 What Is a Device Fingerprint?

A device fingerprint is not a file stored on your computer. It is a value — a hash — calculated from observable characteristics of your browser and device configuration. Think of it as a portrait assembled from dozens of small details rather than a name badge pinned to your jacket.

When a fingerprinting system encounters your browser, it reads signals across multiple categories simultaneously: what browser and version you are using, what operating system and version, your screen dimensions and colour depth, your timezone and language, the fonts your system has installed, how your GPU renders a specific Canvas element, what your WebGL renderer reports itself as, how your audio processing stack behaves on a standard input, and many more. No single signal is unique to you. But the combination of all of them together — your specific browser version, on your specific OS version, on your specific screen, with your specific GPU, rendering fonts from your specific font collection — produces a combination that is statistically near-unique across all devices on the internet. Understanding what a GPU actually is and how it renders makes it clearer why this particular signal carries so much identifying weight.

This combination is then hashed into a short identifier string. That string is what the fingerprinting system stores on its server, not on your device. On your next visit, the system recalculates your fingerprint from your device's current characteristics and compares it to its records. If it matches, it recognises you — without ever having stored a single byte on your browser.

02 The Signals That Make Up a Device Fingerprint

Modern fingerprinting systems collect signals across five primary categories. Each category contributes entropy — statistical uniqueness — to the combined fingerprint.

Browser Signals
User agent string
Browser version
Language & locale
Do Not Track setting
Cookie enabled
JavaScript enabled
Installed plugins
Hardware Signals
Screen resolution
Colour depth
Hardware concurrency
Device memory (GB)
Touch points
Max touch points
Platform string
Graphics Signals
Canvas 2D rendering
WebGL renderer string
WebGL vendor string
WebGL extensions
GPU model (inferred)
Anti-aliasing behaviour
Font rendering output
System Signals
Timezone offset
Timezone name
OS version
Installed fonts list
System language
Battery status API
Network info API
Behaviour Signals
Audio context fingerprint
Mouse movement patterns
Keyboard timing
Scroll behaviour
Click force & timing
Sensor data (mobile)
Typing cadence
Network Signals
IP address
ISP / ASN
Connection type
RTT (round-trip time)
WebRTC local IP leak
DNS resolver identity
Proxy / VPN detection

IntelReap exposes all of this: The Device Intelligence, Graphics Intelligence, Capability, and Security panels collectively read and display the same signals that fingerprinting systems collect — giving you a complete picture of what your browser reveals. Run a free scan to see your fingerprint surface area.

03 How Device Fingerprinting Actually Works — Step by Step

Understanding the technical process demystifies why it is so effective and why simple countermeasures like clearing cookies or switching to incognito mode do not defeat it.

Step 1 — JavaScript executes on page load

When you visit a page that uses fingerprinting, a JavaScript library (typically loaded from the fingerprinting provider's CDN) executes in your browser. This happens during the normal page load process — it is indistinguishable from any other JavaScript on the page and requires no special permissions beyond what standard web pages already have.

Step 2 — Signal collection across browser APIs

The script queries browser APIs systematically: navigator.userAgent for browser and OS details, screen.width and screen.colorDepth for display properties, navigator.hardwareConcurrency for CPU thread count, navigator.deviceMemory for RAM tier, and so on. For Canvas and WebGL fingerprinting, the script draws specific shapes or text to an invisible canvas element and reads the pixel output — differences in how GPUs render identical instructions create a unique pattern, which is also why WebGL being disabled or misconfigured changes what the fingerprinting script is able to read in the first place.

Step 3 — Audio context fingerprinting

A particularly stable signal comes from the Web Audio API. The script creates an audio processing graph — an oscillator connected through a series of filters to an audio buffer — and reads the output values. Different hardware audio implementations produce numerically different outputs for the same processing graph, creating a stable hardware-level identifier that is extremely difficult to spoof without breaking audio functionality.

Step 4 — Hashing and identifier generation

All collected signals are serialised into a string and passed through a hash function (typically MurmurHash or a similar non-cryptographic hash). The output is a compact identifier — typically a 32-bit or 64-bit integer — that represents your device's entire signal set. This hash is then sent to the fingerprinting provider's server and stored against your session or account record.

Step 5 — Cross-site and cross-session matching

On any subsequent visit — to the same site or any other site using the same fingerprinting library — the same calculation runs and produces the same hash. The provider's server matches it to its records and identifies you as a returning visitor. Critically, this works across different IP addresses, across cookie clears, across private browsing windows, and across browser restarts.

04 Who Uses Device Fingerprinting and Why

Device fingerprinting serves several fundamentally different purposes across industries. Understanding the use case context matters for evaluating whether a particular deployment is protective, commercial, or invasive.

Fraud prevention and security — the protective use case

Banks, payment processors, e-commerce platforms, and online gaming companies use device fingerprinting as a security layer. When a login attempt comes from a device that does not match any fingerprint associated with the account, the system flags it for additional verification — even if the correct password was entered. This is highly effective at detecting account takeover attempts where stolen credentials are used from a new device. This use case is broadly considered legitimate and is supported by most privacy regulations under a legitimate interests or security basis.

Advertising and cross-site tracking — the commercial use case

Ad networks and data brokers use device fingerprinting to track users across websites for advertising targeting and attribution. As third-party cookies are phased out across major browsers, fingerprinting has become a replacement tracking mechanism. This is the most controversial use case from a privacy perspective and is the subject of regulatory action in the EU under GDPR and ePrivacy.

Bot detection and rate limiting — the infrastructure use case

Security platforms including Cloudflare, Akamai, and Imperva use device fingerprinting to distinguish human visitors from automated bots, scrapers, and credential stuffing attacks. Headless browsers and bot frameworks produce distinctive fingerprint signatures that differ from real user browsers — fingerprinting is one of the most reliable bot detection signals available.

Device Intelligence

See the Exact Signals Your Browser Is Exposing Right Now

IntelReap's Device Intelligence panel reads your GPU renderer, hardware concurrency, screen configuration, platform, colour depth, and the full set of device signals that fingerprinting systems collect — free, in-browser, no account required.

05 Device Fingerprinting vs Cookies — Key Differences

How device fingerprinting compares to cookie-based tracking across storage, persistence, control, and regulatory treatment
Property Cookies Device Fingerprinting
Where stored On your device (browser storage) On the server — nothing stored on device
User can delete it ✓ Yes — clear cookies ✗ No — recalculated from device characteristics
Survives incognito mode ✗ No — incognito does not share cookies ✗ Yes — same device signals in incognito
Survives browser reinstall No — cookies are deleted Often yes — hardware signals persist
Works across different browsers ✗ No — cookies are browser-specific Partially — some signals are browser-specific
Regulatory consent required (EU) ✓ Yes — ePrivacy Directive Disputed — depends on purpose and implementation
Visible to user ✓ Yes — browser dev tools show cookies ✗ No — collection is invisible by default
Blocked by ad blockers Partially — third-party cookies blocked Partially — script blocking required

06 How to Reduce Your Device Fingerprint Exposure

Complete elimination of device fingerprinting is not practically achievable for most users without unacceptable trade-offs in browsing functionality. The realistic goal is fingerprint normalisation — making your browser's fingerprint indistinguishable from millions of other users rather than trying to hide it entirely.

Option 1 — Use Firefox with resistFingerprinting

Firefox includes a built-in anti-fingerprinting mode that normalises many signals — canvas output, screen resolution, timezone, and more — to standardised values shared across all Firefox users with the setting enabled. To activate it: type about:config in the address bar, search for privacy.resistFingerprinting, and set it to true. Note that this may cause some sites to behave differently since it modifies how the browser reports its own characteristics.

Option 2 — Use Brave Browser

Brave has fingerprint randomisation built in by default. Rather than normalising all signals to fixed values, Brave introduces slight randomisation into canvas, WebGL, and audio fingerprinting outputs on a per-session basis — making your fingerprint slightly different on each visit without breaking site functionality. Go to brave://settings/shields and confirm Fingerprinting is set to "Randomise" or "Block."

Option 3 — Use Tor Browser

The Tor Browser applies the most comprehensive fingerprint normalisation available — all users share the same standardised fingerprint configuration, making individual identification within the Tor user population extremely difficult. The trade-off is significantly reduced browsing speed due to the onion routing network, and some sites actively block Tor exit node IPs.

Option 4 — Browser extensions

CanvasBlocker (Firefox) intercepts canvas and WebGL fingerprinting calls and either blocks them or returns randomised values. uBlock Origin in advanced mode can block known fingerprinting script domains. These are partial measures — they address some signal categories but not all.

What does not work

07 Device Fingerprinting Solutions for Businesses

For organisations evaluating fingerprinting platforms for fraud prevention, bot detection, or identity verification, the provider landscape falls into distinct tiers by capability and use case.

Fingerprint (formerly FingerprintJS) is the most widely deployed open-source and commercial web fingerprinting library. Its Pro tier offers 99.5% accuracy, sub-100ms latency, and a REST API for server-side integration. It is purpose-built for fraud prevention and account security in web applications.

BioCatch extends fingerprinting into behavioural biometrics — it analyses typing patterns, mouse movements, device handling, and interaction cadence continuously throughout a session, not just at login. Used primarily by financial institutions for account takeover and new account fraud detection.

Sardine combines device fingerprinting with velocity checks, network intelligence, and behavioural signals specifically for fintech and payments fraud prevention. Particularly strong for detecting synthetic identity fraud.

ThreatMetrix (LexisNexis Risk Solutions) offers enterprise-scale identity verification combining device fingerprinting with a shared global fraud intelligence network. Suited for large financial services and insurance organisations with complex compliance requirements.

Cloudflare Bot Management uses device fingerprinting as one signal among many in its bot detection engine — alongside TLS fingerprinting, behavioural analysis, and threat intelligence — to provide infrastructure-level bot protection without requiring application-layer integration.

Evaluation criteria: When comparing fingerprinting providers, prioritise accuracy (false positive rate in your specific traffic mix), privacy compliance documentation (GDPR Data Processing Agreements, CCPA compliance), SDK availability for your platform stack, latency impact on page load, and the provider's transparency about signal collection to end users.

Security Intelligence

Check Your Browser's Privacy and Security Posture

IntelReap's Security panel analyses your connection for privacy leaks, tracking exposure, VPN detection, and security signals — showing you the complete picture of what you are exposing to sites you visit. Free, no account, in-browser.

Logic

Device fingerprinting is most effective precisely because it requires no storage — the device itself is the persistent identifier, and you cannot delete your own hardware.

Methodology

This guide draws on the EFF Panopticlick research, published FingerprintJS accuracy studies, W3C browser API specifications, GDPR/ePrivacy regulatory guidance on fingerprinting, and live device signal data reviewed across multiple browser and hardware configurations.

Sources & References
Share This Guide

Frequently Asked Questions

Twelve questions on device fingerprinting — what it is, how it works, who uses it, legal status, and how to reduce your exposure.

Device fingerprinting identifies a browser or device by combining dozens of observable characteristics — browser version, OS, screen resolution, installed fonts, Canvas rendering output, WebGL renderer, timezone, language, and hardware specs — into a unique identifier without using cookies. Because this identifier is derived from device characteristics rather than stored data, it persists even when cookies are cleared, private browsing is used, or browser history is deleted.
JavaScript collects signals from your browser's APIs — user agent, screen dimensions, colour depth, timezone, installed fonts, Canvas element pixel output, WebGL renderer string, audio context processing output, and hardware concurrency. These are combined and hashed into a short identifier. On your next visit the same calculation runs, produces the same hash, and the system recognises your device without having stored anything on it.
A device fingerprint is the unique identifier produced by combining multiple browser and hardware signals. It is not a file stored on your device — it is a value calculated from observable characteristics of your configuration. Two different browsers on the same device produce different fingerprints. The same browser on the same device typically produces the same fingerprint consistently across visits and across websites that use the same fingerprinting library.
Banks and payment processors use it to detect account takeover attempts from new devices. E-commerce platforms use it to detect fraud and bot activity. Ad networks use it to track users across sites after cookie deprecation. Security platforms like Cloudflare and Akamai use it to distinguish human visitors from bots. These different use cases have very different privacy implications — security use is broadly accepted; cross-site advertising tracking is the most contested.
It depends on jurisdiction and purpose. Under GDPR in the EU and UK, device fingerprinting is personal data processing and typically requires a lawful basis — usually consent or legitimate interest. The ePrivacy Directive requires consent for accessing device information in most cases. In the US, CCPA in California treats fingerprint data as personal information. For security and fraud prevention purposes it is generally permitted; for advertising tracking it is increasingly regulated. Consult legal counsel for compliance guidance.
Use IntelReap's Device Intelligence panel — it reads and displays your GPU renderer string, hardware concurrency, screen resolution, colour depth, platform, and the other signals fingerprinting systems collect, showing you precisely what your browser exposes. You can also use the EFF's Cover Your Tracks tool at coveryourtracks.eff.org to test how unique your fingerprint is relative to other browsers in their database.
Complete blocking is not practical without degrading browser functionality. Effective mitigation: use Firefox with privacy.resistFingerprinting = true in about:config, use Brave browser with built-in fingerprint randomisation enabled, or use Tor Browser which normalises all signals across its user base. The CanvasBlocker extension for Firefox provides partial blocking of canvas and WebGL fingerprinting calls. Note that anti-fingerprinting measures can make your browser more unique if used inconsistently.
Prevention focuses on reducing signal uniqueness — making your fingerprint blend in rather than stand out. Use a mainstream browser and OS configuration to match the most common profiles. Avoid unusual fonts, plugins, or extensions. Enable Firefox's resistFingerprinting setting or use Brave. Use a VPN to mask the IP component. The goal is to make your fingerprint indistinguishable from millions of other users, not invisible — complete invisibility is not achievable while maintaining full browser functionality.
Cookies are files stored on your device that you can delete — regulations require consent for tracking cookies. Device fingerprinting stores nothing on your device — it is recalculated from your hardware and browser characteristics on every visit and cannot be deleted. Cookies are explicit and controllable; fingerprinting is implicit and harder to opt out of. Modern tracking systems increasingly combine both methods for more resilient identification as cookie-based tracking becomes more restricted.
No — private browsing and incognito mode do not prevent device fingerprinting. These modes prevent your browser from saving local session data but do not change the browser and hardware signals that fingerprinting systems collect. Your GPU renderer, screen resolution, fonts, canvas output, and hardware configuration are identical in incognito and normal mode. A fingerprinting system produces the same identifier for both sessions and can link them.
Enterprise platforms include Fingerprint (FingerprintJS) for web and mobile identity, BioCatch for behavioural biometrics combined with device signals, Sardine for fintech and payments fraud prevention, Sift for e-commerce fraud detection, and ThreatMetrix (LexisNexis) for enterprise identity verification. Evaluate providers on false positive rate, GDPR and CCPA compliance documentation, SDK availability, latency impact on page load, and transparency about signal collection to end users.
No — a VPN changes your IP address but does not affect the browser and hardware signals that fingerprinting collects. Your GPU renderer, screen resolution, canvas output, fonts, and other fingerprint signals are identical whether a VPN is active or not. A VPN addresses network-level identity; device fingerprinting addresses browser and hardware-level identity. They are complementary tracking vectors — a VPN alone does not defeat fingerprinting.

Questions About Device Fingerprinting?

Ask about fingerprinting detection, privacy exposure, fraud prevention solutions, or anything covered above. We respond within two business days.