
What Is Browser Fingerprinting? How Sites Track You Even in Incognito

Browser fingerprinting uses your device's unique combination of hardware and software signals to identify you across browsing sessions. Incognito mode does not stop it. This guide explains what data makes up a fingerprint, who uses it, and what actually prevents it.


You cleared your cookies. You opened incognito mode. You even connected to a VPN. Then you opened your favorite shopping site and there it was: the exact product you looked at yesterday, displayed in a "recommended for you" section. No cookies. No login. No obvious connection to your previous session.

That is browser fingerprinting. It does not need cookies. It does not need your login. It does not care about incognito mode. Your browser itself is the identifier, and unless you actively break that identifier, it follows you everywhere.

What Browser Fingerprinting Is

Browser fingerprinting is a tracking technique that collects information about your browser and device configuration and combines it into a unique or near-unique identifier. This identifier persists across browsing sessions without requiring cookies, login state, or any data stored on your device. Websites, ad networks, and analytics platforms use it to recognize you even when traditional tracking methods (cookies, IP addresses) are blocked or cleared.

The power of fingerprinting is in the combination. Any single data point (your screen resolution, for example) is shared by millions of devices. But when you combine your screen resolution with your GPU model, installed fonts, timezone, language settings, browser version, and dozens of other signals, the resulting combination becomes unique to your specific device.

What Data Makes Up a Browser Fingerprint

A browser fingerprint is assembled from data that your browser willingly provides to every website you visit. None of this requires special permissions or user consent.

  • User agent string. Your browser type, version, and operating system. Chrome 124 on Windows 11 vs Safari 17.4 on macOS 14.
  • Screen resolution and color depth. The pixel dimensions of your display and how many colors it can render.
  • Installed fonts. The list of fonts available on your system. Every application you install can add fonts, making this list highly variable across devices.
  • GPU and graphics rendering. Your specific graphics hardware produces subtly different rendering outputs in Canvas and WebGL, creating a hardware-specific signature.
  • Timezone and language settings. Your configured timezone and preferred language narrow the population of matching devices.
  • CPU core count. The number of logical processor cores reported by the browser through the Navigator API.
  • Audio processing characteristics. The AudioContext API processes audio slightly differently depending on hardware and driver configurations, creating an audio fingerprint.
  • Browser plugins and extensions. While modern browsers have reduced plugin enumeration, certain extensions modify page behavior in detectable ways.
  • Platform and architecture. Whether you are running on x86, ARM, or another architecture. Whether the OS is 32-bit or 64-bit.
  • Do Not Track setting. Ironically, enabling Do Not Track adds another distinguishing signal to your fingerprint, since most users leave it at the default setting.

How Unique Is Your Fingerprint?

More unique than most people expect. The Electronic Frontier Foundation (EFF) developed a tool called Panopticlick (now Cover Your Tracks) that analyzes browser fingerprints for uniqueness. Their research found that the vast majority of browsers produce a fingerprint that is unique among hundreds of thousands of samples.

A 2010 EFF study of over 470,000 browsers found that 83.6% were uniquely identifiable based on their fingerprint alone. For browsers with Flash or Java enabled (common at the time), uniqueness rose to 94.2%. More recent studies have confirmed similar results: a 2020 study published in the IEEE Symposium on Security and Privacy found that fingerprinting accuracy remained high even with the reduced API surface of modern browsers.

The math is simple. If your fingerprint contains 20 independent attributes and each attribute has at least a few common values, the total combination space is enormous. Even with millions of browsers, your specific combination of screen resolution + GPU + fonts + timezone + language + audio processing characteristics is likely unique.
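The arithmetic above, worked on a small constructed population as an added example (not code from the original article): attributes are added one at a time and the number of browsers still matching is tracked. The population, attribute names, and function names are assumptions for illustration; the gap between `naiveBits` and `jointBits` shows how correlated attributes break the independence assumption.

```javascript
// Constructed sample population (not real measurements): one row per browser.
const POPULATION = [
  { screen: "1920x1080", timezone: "America/New_York", language: "en-US", cores: 8 },
  { screen: "1920x1080", timezone: "America/New_York", language: "en-US", cores: 4 },
  { screen: "1920x1080", timezone: "America/New_York", language: "fr-FR", cores: 8 },
  { screen: "1920x1080", timezone: "Europe/Berlin",    language: "en-US", cores: 8 },
  { screen: "1366x768",  timezone: "America/New_York", language: "en-US", cores: 8 },
  { screen: "1366x768",  timezone: "Europe/Berlin",    language: "de-DE", cores: 4 },
  { screen: "2560x1440", timezone: "Europe/Berlin",    language: "de-DE", cores: 16 },
  { screen: "1366x768",  timezone: "Asia/Tokyo",       language: "ja-JP", cores: 4 },
];

// Bits of identifying information in "setSize out of total browsers match".
function bits(setSize, total) {
  return setSize === 0 ? Infinity : -Math.log2(setSize / total);
}

// Number of browsers that share the target's value on every listed attribute.
function anonymitySet(population, target, attrs) {
  return population.filter(b => attrs.every(a => b[a] === target[a])).length;
}

// Add attributes one at a time and track how the anonymity set shrinks.
function fingerprintReport(population, target, attrs) {
  const n = population.length;
  const steps = attrs.map((attr, i) => ({
    attr,
    aloneBits: bits(anonymitySet(population, target, [attr]), n),
    setSize: anonymitySet(population, target, attrs.slice(0, i + 1)),
  }));
  const finalSet = steps.length ? steps[steps.length - 1].setSize : n;
  return {
    steps,
    // Sum of per-attribute bits: only valid if attributes are independent.
    naiveBits: steps.reduce((sum, s) => sum + s.aloneBits, 0),
    // Bits actually delivered by the combination in this population.
    jointBits: bits(finalSet, n),
    unique: finalSet === 1,
  };
}

const ATTRS = ["screen", "timezone", "language", "cores"];
console.table(fingerprintReport(POPULATION, POPULATION[0], ATTRS).steps);
```

Each attribute alone matches half the sample, yet four of them together leave a single browser.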

How Fingerprinting Works in Practice

Canvas Fingerprinting

A website draws a hidden image or renders text using the HTML5 Canvas API. Because different GPUs, drivers, operating systems, and font rendering engines produce subtly different pixel-level output, the resulting image is unique to the device. The website hashes the image data into a compact identifier. The user sees nothing. The entire process is invisible.
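Because the readback step is invisible to the user, one way to observe it is to instrument the canvas read APIs and log each call. This is an added example, not code from the original article; `monitorReadback` and the event fields are hypothetical names, while `toDataURL`, `toBlob`, `getImageData`, and `isConnected` are standard browser APIs.

```javascript
// Wrap the named methods on a prototype so every call is reported before the
// original runs. Returns a function that restores the original methods.
function monitorReadback(proto, methodNames, onRead) {
  const originals = new Map();
  for (const name of methodNames) {
    const original = proto[name];
    if (typeof original !== "function") continue; // API absent in this environment
    originals.set(name, original);
    proto[name] = function (...args) {
      // A 2D context exposes its canvas as .canvas; a canvas element is itself.
      const canvas = this.canvas || this;
      onRead({
        method: name,
        width: canvas.width,
        height: canvas.height,
        // false means the canvas was never attached to the page (not visible).
        attached: typeof canvas.isConnected === "boolean" ? canvas.isConnected : null,
      });
      return original.apply(this, args);
    };
  }
  return () => {
    for (const [name, fn] of originals) proto[name] = fn;
  };
}

// Browser wiring; skipped when the canvas APIs do not exist (for example Node).
if (typeof HTMLCanvasElement !== "undefined") {
  const log = event => console.warn("canvas readback", event, new Error().stack);
  monitorReadback(HTMLCanvasElement.prototype, ["toDataURL", "toBlob"], log);
  monitorReadback(CanvasRenderingContext2D.prototype, ["getImageData"], log);
}
```

The monitor only sees calls made after it is installed, so it has to run in the page's own JavaScript context before the page's scripts do. A readback from a small canvas with `attached: false` is the pattern described above.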

WebGL Fingerprinting

WebGL allows websites to render 3D graphics using your GPU. Different GPUs handle floating-point arithmetic, shading, and rendering pipeline operations in slightly different ways. A website can request specific rendering tasks and use the output to identify your GPU and driver combination.

AudioContext Fingerprinting

The Web Audio API processes audio signals. A website generates a silent audio signal, processes it through the AudioContext, and measures the output. Differences in audio hardware, drivers, and OS-level audio processing produce device-specific results. Like canvas fingerprinting, this happens invisibly.

Font Fingerprinting

Websites can detect which fonts are installed on your system by rendering text in various fonts and measuring the resulting dimensions. If a specific font is installed, the rendered text will have predictable dimensions. If it is not installed, the browser will fall back to a default font with different measurements. By testing hundreds of font names, a website can build a list of your installed fonts.

Who Uses Browser Fingerprinting (And Why)

Browser fingerprinting is not exclusively used for invasive tracking. Several industries use it for legitimate purposes.

  • Advertising networks. Cross-site tracking to serve targeted ads. This is the use case most people object to. Fingerprinting allows ad networks to recognize you across websites even after you clear cookies.
  • Fraud detection. Banks and payment processors use fingerprinting to detect when a login attempt comes from an unrecognized device. If the fingerprint does not match previous sessions, additional authentication may be required.
  • Bot detection. Services like Cloudflare, reCAPTCHA, and Akamai use fingerprinting to distinguish human users from automated bots. Bots often have distinctive fingerprints (headless browsers, missing APIs, inconsistent user agents).
  • Analytics platforms. Some analytics services use fingerprinting as a fallback when cookies are blocked, to maintain session continuity and visitor counts.
  • Content licensing. Streaming services and digital content platforms use fingerprinting as one signal in device authentication and content access controls.

Why Incognito Mode Does Not Stop Fingerprinting

Incognito mode (and equivalent private browsing modes in Safari and Firefox) clears local data when you close the window: browsing history, cookies, and form data. It does not change your browser fingerprint.

Your fingerprint is derived from your hardware and software configuration. Opening incognito mode does not change your screen resolution, your GPU, your installed fonts, or your timezone. The fingerprint in an incognito session is identical to the fingerprint in a normal session. Websites that track you via fingerprinting cannot tell the difference.

Google explicitly acknowledged this in its 2024 Incognito mode disclaimer update, stating that incognito does not change how data is collected by the websites you visit. For the full breakdown of what incognito mode does and does not do, see Stop Using Incognito Mode for Security. For the three-way comparison with browser isolation, see Browser Isolation vs Incognito Mode vs Private Browsing.

What Actually Reduces Fingerprinting

If incognito mode does not help, what does? There are three approaches with meaningful impact.

Tor Browser: Fingerprint Homogenization

Tor Browser takes the approach of making every user look identical. It standardizes the screen size, disables WebGL and Canvas by default, restricts font enumeration, and blocks most fingerprinting vectors. The tradeoff is significant: browsing speed is slower (traffic routes through multiple relays), and many websites block or degrade the Tor Browser experience.

Anti-Detect Browsers: Fingerprint Spoofing

Tools like Multilogin and GoLogin generate synthetic browser fingerprints. Each browser profile presents a different (but internally consistent) set of hardware and software signals. These are primarily used in marketing, e-commerce, and account management workflows where operating multiple distinct browser identities is the goal. They are effective for fingerprint diversity but do not provide security isolation.

Browser Isolation: Fingerprint Per Session

Browser isolation addresses fingerprinting through disposable environments. Each isolated session runs in its own environment with its own fingerprint. When you close the session, the fingerprint is destroyed with the environment. The next session gets a new fingerprint. There is no persistence and no cross-session tracking.

Unlike Tor (which slows browsing) or anti-detect browsers (which require manual profile management), browser isolation provides ephemeral fingerprints as a byproduct of its core security architecture. You get fingerprint isolation automatically because the session environment is disposable.

For a deeper look at how cookie-based tracking and behavioral profiling work alongside fingerprinting, see The Cookie Conspiracy. For the full explanation of browser isolation technology, see What Is Browser Isolation? The Complete 2026 Guide.

How Browser Isolation Solves Fingerprinting

The reason browser isolation is effective against fingerprinting is architectural. The fingerprint is generated from the environment in which the browser runs. If that environment is disposable and changes with every session, the fingerprint changes too.

  • Each session runs in its own environment. The GPU, font list, Canvas rendering, and AudioContext characteristics of the isolated environment are different from your local device.
  • No fingerprint persistence. When you close the session, the environment and its fingerprint are destroyed. The next session generates a new fingerprint from a fresh environment.
  • No cross-session correlation. Without a persistent fingerprint, websites cannot link your activity across sessions. Each visit looks like a different device.
  • No user effort required. You do not need to configure profiles, install font blockers, or manage browser extensions. The fingerprint isolation is a byproduct of the ephemeral session model.

Where Legba Fits

Legba provides ephemeral browsing sessions through a Chrome extension. Every session runs in an isolated environment with its own fingerprint. Close the tab and the fingerprint is destroyed. The next session is a clean slate.

No fingerprint management. No profile configuration. No separate browser. Just a Chrome extension that makes every session disposable, with fingerprint isolation as a built-in feature. $10 per month.

For context on how data exposure reaches even security professionals, see Your Data Is Already Out There.
