Website Tracking Beyond Cookies: Fingerprinting and Friends

Third-party cookies are being phased out, and that sounds like a privacy victory. The uncomfortable truth: the tracking industry saw it coming years ago and quietly moved to techniques that are harder to see and harder to block.

Why killing cookies didn't kill tracking

Third-party cookies were the backbone of cross-site tracking for two decades. Now browsers block them and regulators scrutinise them — but the advertising and analytics industry adapted long ago. The replacements are cookieless by design: they don't store an identifier you can find and delete, they derive one from things you can't easily change. Understanding them is the first step to defending against them.

Browser fingerprinting: the big one

Fingerprinting builds an identifier from the configuration your browser reveals: screen size and pixel ratio, time zone, language, installed fonts, graphics hardware (via WebGL), how your device renders an invisible canvas image, audio-stack quirks, and dozens more signals. No single value is unique, but combine 20–30 of them and most browsers become distinguishable. Crucially, the identifier lives on the tracker's server, so clearing cookies or going incognito does nothing. See exactly what your browser exposes with our fingerprint test.

Canvas and WebGL fingerprinting

Ask a browser to draw the same text and shapes to a hidden <canvas> and the exact pixels differ slightly between devices because of GPU, drivers and font rendering. Hash those pixels and you get a stable identifier. WebGL fingerprinting goes further, probing the 3D rendering pipeline for hardware-specific results. Both are silent and require no permission.

Supercookies and storage abuse

• Evercookies stash the same ID in many places at once — localStorage, IndexedDB, cache, Flash (historically) — and quietly restore it if you delete any one copy.
• ETag and cache tracking abuses HTTP caching: the server tags a resource with a unique identifier, then reads it back on your next visit straight out of your cache.
• HSTS supercookies exploit the browser's record of which sites require HTTPS to encode bits of an identifier.

You can see (and wipe) much of this local storage with our cookie & storage scanner.

Network-level signals

• IP address — still a coarse identifier, especially combined with everything else. A WebRTC leak can even expose the real one behind a VPN.
• TLS and HTTP/2 fingerprinting — the precise way your client negotiates a secure connection (cipher order, extensions) forms a “JA3”-style signature visible server-side, before any JavaScript runs.

First-party identity stitching

As third-party cookies fade, trackers lean on first-party data: when you log in or hand over an email anywhere, that email (hashed) becomes a durable cross-site key shared through “data clean rooms” and identity networks. This is why a single newsletter signup can follow you across unrelated sites.

How to actually defend yourself

• Use an anti-fingerprinting browser. Tor Browser is the gold standard (it makes everyone look identical); Brave and Firefox (with “Enhanced Tracking Protection” on Strict) actively resist fingerprinting.
• Don't over-customise. Exotic fonts, rare extensions and unusual window sizes make you more unique. Blending in beats standing out.
• Block trackers at the source. uBlock Origin and similar block the scripts that do the fingerprinting before they run.
• Compartmentalise identity. Separate browsers or profiles for logged-in vs anonymous browsing limit first-party stitching.
• Layer a VPN with encrypted DNS to neutralise the network-level signals.

The goal isn't to be invisible — that's nearly impossible. It's to be indistinguishable: one of millions of identical-looking browsers, leaving as few stable signals as possible.