Cookieless is not deterministic
Clearing cookies used to feel like a reset.
It is not.
Modern tracking increasingly relies on measurement (fingerprinting) and side-channels (caches and protocols people rarely think about). To make this concrete, I tested my own browser with the EFF’s Cover Your Tracks tool. The result was a unique fingerprint among 303,650 browsers tested over 45 days, conveying at least 18.21 bits of identifying information.
This article is split into two parts:
Part 1: A detailed, practical catalog of the signals that can be used to track (or at least link) a browser and device.
Part 2: Documented real-world use cases where these techniques have been used in advertising, fraud prevention, and bot detection.
Part 1 — The Full Technical Surface of Browser Tracking (Detailed)
0) The mental model: storage vs measurement vs network behavior
Before listing signals, it helps to classify them:
- Storage-based persistence: cookies and “cookie-like” storage that can persist an identifier.
- Measurement-based fingerprinting: signals derived from how your device/browser behaves when asked to render, compute, or report capabilities.
- Network/protocol fingerprinting: signals derived from how your client negotiates and speaks over network protocols (TLS, HTTP/2, QUIC/HTTP/3).
A key point:
Fingerprinting often does not “identify you as a person” by itself. It creates a stable handle that becomes powerful when it touches a login, checkout, email click, or any account-linked event.
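To make the “bits of identifying information” figure from the introduction concrete, here is an added example (not code from the article or from EFF) of how surprisal and “stacked” entropy are computed; the per-signal counts are constructed, not real Cover Your Tracks statistics.

```javascript
// Added example (not from the original article): how "bits of identifying
// information" are derived in the Cover Your Tracks framing. A value shared by
// k out of N observed browsers carries log2(N / k) bits of surprisal; a fully
// unique value (k = 1) carries log2(N) bits.

/** Surprisal in bits of a value seen k times among n browsers. */
function surprisalBits(n, k) {
  if (!(n > 0) || !(k > 0) || k > n) throw new RangeError('need 0 < k <= n');
  return Math.log2(n / k);
}

/**
 * Stacked entropy of several signals, assuming they are independent. This is
 * an upper bound in practice: real signals are correlated (OS and fonts, UA
 * and platform), so the true joint entropy is somewhat lower.
 * Each signal is { name, n, k }: k browsers out of n share the same value.
 */
function stackedBits(signals) {
  return signals.reduce((sum, s) => sum + surprisalBits(s.n, s.k), 0);
}

/** How many browsers, out of n, a fingerprint of `bits` bits narrows down to. */
function expectedMatches(n, bits) {
  return n / 2 ** bits;
}

// The article's own measurement: unique among 303,650 browsers is
// log2(303650), about 18.21 bits.
const POPULATION = 303650;

// Constructed per-signal counts (illustrative only): "k of n tested browsers
// share my value" for a few of the signals catalogued below.
const SAMPLE_SIGNALS = [
  { name: 'user-agent', n: POPULATION, k: 1200 },
  { name: 'accept-language', n: POPULATION, k: 30000 },
  { name: 'timezone', n: POPULATION, k: 15000 },
  { name: 'canvas hash', n: POPULATION, k: 40 },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unique fingerprint:', surprisalBits(POPULATION, 1).toFixed(2), 'bits');
  for (const s of SAMPLE_SIGNALS) console.log(s.name, surprisalBits(s.n, s.k).toFixed(2), 'bits');
  const total = stackedBits(SAMPLE_SIGNALS);
  console.log('stacked (independence assumed):', total.toFixed(2), 'bits ->',
    expectedMatches(POPULATION, total).toFixed(2), 'browsers expected to match');
}
```

Each low-entropy signal on its own narrows the population only a little; the sum is what turns a few headers and a render hash into a handle that is unique or nearly so.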
1) Web Headers (sent on every request)
These are transmitted with every page load. They are “free” for trackers because they arrive without any JavaScript.
1.1 User-Agent (UA)
What it is:
A header that reports your browser family, rendering engine, OS, and often a detailed browser version.
Why it matters:
UA strings can be very specific and can heavily narrow the population. Even when UA reduction is deployed, other signals often compensate.
How it’s used:
- Quick coarse segmentation (browser/OS buckets)
- Linkability when combined with other stable signals
- Consistency checks (does your JS-reported platform match your UA?)
Limitations:
- Can be spoofed, but inconsistent spoofing can make you more unique.
- Some ecosystems are moving away from granular UA, but not all.
1.2 Accept / Accept-Encoding / Accept-Language (often summarized as “HTTP_ACCEPT headers”)
What it is:
- Accept: content types the browser can handle (HTML, JSON, images, etc.)
- Accept-Encoding: compression formats supported (gzip, br, zstd…)
- Accept-Language: preferred content languages
Why it matters:
These values are surprisingly stable over time and vary between browsers and platforms.
How it’s used:
- Stability makes it a good long-lived signal
- Unusual combinations (language vs timezone) add entropy
- Used to detect automation stacks that “speak wrong”
Limitations:
- It is low-ish entropy alone. The strength comes from stacking.
1.3 Do Not Track (DNT) header
What it is:
A header indicating a preference not to be tracked.
Why it matters:
Paradoxically, because it is relatively rare in some populations, it can add entropy.
How it’s used:
- As a minor fingerprint component
- Sometimes as a policy/behavior branching signal
Limitations:
- Many sites ignore it. Its privacy value is limited if not honored.
2) Time & Locale Signals
2.1 Timezone (IANA name) and timezone offset
What it is:
Your timezone expressed as an offset and/or a named timezone (e.g., Europe/Paris).
Why it matters:
- Helps infer rough geography
- Adds entropy when uncommon
- Creates mismatch entropy when paired with an unexpected language
How it’s used:
- Geo inference for fraud/risk scoring
- Fingerprinting stack enrichment
- Consistency checks (timezone vs IP geolocation vs language)
Limitations:
- Timezone is spoofable, but spoofing can break usability (calendar, scheduling, localization).
2.2 Language / Locale
What it is:
Your preferred language for content.
Why it matters:
Hard to change without breaking UX, and it adds entropy—especially when uncommon for your timezone.
How it’s used:
- Basic content localization
- Entropy stacking
- Automation detection (common bot stacks forget to align locale)
Limitations:
- Low entropy in common locales, but still useful when stacked.
3) Screen, Window, and Pixel Geometry
3.1 Screen size, window size, and color depth
What it is:
Dimensions of your current browser window (or screen), plus pixel depth.
Why it matters:
It can be highly discriminating, but can be brittle because users resize windows.
How it’s used:
- Stacking entropy with other stable signals
- Uniqueness spikes when combined with unusual zoom or multi-monitor setups
- Detection of headless/automation environments (odd dimensions)
Limitations:
- Resizing changes it, which can reduce persistence
- Still valuable in probabilistic linking
3.2 Device Pixel Ratio (DPR), zoom level, font scaling
What it is:
How CSS pixels map to physical pixels; user zoom and scaling preferences.
Why it matters:
Subtle differences here can be surprisingly identifying.
How it’s used:
- Geometry-based fingerprinting
- Consistency checks (does DPR match device class?)
- Helps differentiate “same UA” devices
Limitations:
- Can change with settings and window movement between monitors.
4) Installed Fonts (Font Fingerprinting)
What it is:
A site infers which fonts are installed by rendering text in many candidate fonts and measuring layout changes (width/height differences).
Why it matters:
Font sets can be very unique, especially if you install niche fonts (design tools, brand fonts, language packs).
How it’s used:
- Strong entropy signal in fingerprint stacks
- Creative workstation environments are often extremely unique
- Stable until fonts change
Limitations:
- Some browsers reduce font enumeration or standardize exposures.
- Aggressive defenses may cause site rendering quirks.
Practical note:
If you want a low-entropy everyday browsing profile, the best move is often to keep fonts boring and separate “creative” browsing from “privacy-sensitive” browsing.
5) Canvas Fingerprinting (2D Graphics)
What it is:
A site draws shapes/text to an invisible HTML5 canvas, reads back pixel data, serializes it, and hashes the result.
Why it matters:
The final pixels depend on a complex intersection of:
- OS rendering
- font rasterization
- GPU behavior and drivers
- browser implementation details
How it’s used:
- Session linking when cookies are blocked
- Strengthening probabilistic identity
- Detecting automation (canvas output differs in headless stacks)
Limitations:
- Can be destabilized by updates and defenses
- Some browsers ask permission or randomize/standardize outputs
6) WebGL Fingerprinting (3D Graphics) + GPU Exposure
6.1 WebGL fingerprint hash
What it is:
Similar to canvas, but using WebGL rendering, which brings GPU and 3D pipeline characteristics into the signature.
Why it matters:
WebGL often provides even richer entropy than canvas alone.
How it’s used:
- Entropy stacking with canvas and fonts
- Differentiating devices with similar “header identity”
- Bot and automation detection (WebGL quirks)
Limitations:
- Disabling WebGL can break maps, 3D, and many common experiences
- A better approach is often a hardened profile that normalizes outputs rather than disabling everything
6.2 WebGL Vendor & Renderer
What it is:
Strings that can expose the GPU vendor and renderer path.
Why it matters:
Hardware-level uniqueness becomes visible.
How it’s used:
- Hardware classification
- Risk scoring and bot detection
- Fingerprint enrichment
Limitations:
- Some browsers reduce detail or provide standardized values.
7) WebGPU (Newer GPU Surface)
What it is:
A modern API for high-performance GPU access in browsers.
Why it matters:
More capability often means more measurable traits (unless browsers proactively reduce exposed entropy). It is a new measurement surface as deployment grows.
How it’s used (emerging):
- Capability probing
- Performance profiling
- Potential fingerprint entropy expansion if unmitigated
Limitations:
- Still evolving; mitigation strategies may differ across browsers.
8) Audio Fingerprinting (AudioContext / WebAudio)
What it is:
A script generates an audio signal internally, processes it, and hashes the computed output.
Important clarification:
This is typically about internal audio computation behavior, not recording microphone input.
Why it matters:
Audio pipelines differ subtly due to:
- hardware
- drivers
- floating point behaviors
- implementation details
How it’s used:
- Fingerprinting stack enrichment
- Automation detection
- Stable handle across sessions even with IP changes
Why VPN/incognito doesn’t help:
It is neither storage nor network identity. It is local computation behavior.
Limitations:
- Anti-fingerprinting modes can reduce or randomize it
- Some audio-heavy apps may break under aggressive defenses
9) Hardware Signals (Low Alone, Strong in Aggregate)
9.1 Platform / architecture
What it is:
A JS-exposed label indicating platform family (e.g., MacIntel).
How it’s used:
- Coarse classification
- Consistency checks (UA vs platform)
9.2 Hardware concurrency (CPU cores)
What it is:
Reported number of logical CPU cores available.
How it’s used:
- Weak alone, helpful stacked
- Risk scoring (device class inference)
9.3 Device memory
What it is:
Reported RAM (often rounded).
How it’s used:
- Weak alone, helpful stacked
- Detecting automation environments that report unrealistic values
Limitations:
- Many devices share these values; they become useful only in combination.
10) Touch Support and Input Capabilities
What it is:
Reported touchpoints and whether certain touch events are supported.
How it’s used:
- Device class inference (desktop vs mobile vs hybrid)
- Entropy stacking
- Automation detection (touch claims inconsistent with UA/platform)
Limitations:
- Common values are not identifying; odd combinations can be.
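The “consistency checks” mentioned for the User-Agent (1.1), timezone and locale (2.1, 2.2), platform and hardware (9), and touch (10) signals are what a risk-scoring or bot-detection service runs on the defender side. The following is an added example, not code from the article or from any vendor; its OS classifier, region-to-language map and thresholds are simplified illustrations, and the sample signal set is constructed.

```javascript
// Added example (not from the original article): the defender-side consistency
// checks the catalog mentions for User-Agent, platform, timezone/locale, touch
// and hardware signals, as a risk-scoring or bot-detection service might run
// them. Rules and thresholds are simplified illustrations, not any vendor's.

// Classify an OS family from a UA string or a navigator.platform value.
function osFamily(str) {
  if (/iPhone|iPad|iPod/i.test(str)) return 'ios';
  if (/Android/i.test(str)) return 'android';
  if (/Win/i.test(str)) return 'win';
  if (/Mac/i.test(str)) return 'mac';
  if (/Linux/i.test(str)) return 'linux';
  return 'other';
}

// Constructed, deliberately rough map from timezone region to languages that
// commonly accompany it; a miss means "unusual", not proof of anything.
const REGION_LANGS = {
  Europe: ['en', 'fr', 'de', 'es', 'it', 'nl', 'pl', 'pt', 'sv'],
  America: ['en', 'es', 'pt', 'fr'],
  Asia: ['ja', 'zh', 'ko', 'hi', 'en', 'th', 'vi', 'id'],
};

/** Returns the list of inconsistency flags found in a reported signal set. */
function consistencyFlags(s) {
  const flags = [];
  const uaOs = osFamily(s.userAgent || '');
  const platOs = osFamily(s.platform || '');
  // 1.1 / 9.1: UA OS family vs JS platform (Android legitimately reports Linux)
  if (uaOs !== platOs && !(uaOs === 'android' && platOs === 'linux')) {
    flags.push('ua_platform_mismatch');
  }
  // 10: a UA that claims a phone or tablet but reports no touch points
  if ((uaOs === 'ios' || uaOs === 'android') && s.maxTouchPoints === 0) {
    flags.push('mobile_ua_without_touch');
  }
  // 2.1 / 2.2: timezone region vs primary language
  const region = String(s.timeZone || '').split('/')[0];
  const lang = String(s.language || '').split('-')[0].toLowerCase();
  if (REGION_LANGS[region] && lang && !REGION_LANGS[region].includes(lang)) {
    flags.push('locale_timezone_unusual');
  }
  // 9.2: implausible core counts typical of misconfigured automation
  if (!(s.hardwareConcurrency >= 1 && s.hardwareConcurrency <= 256)) flags.push('unrealistic_cores');
  return flags;
}

// Constructed sample: an iPhone UA on a Linux host with no touch support
// and a locale that is unusual for its timezone.
const SUSPICIOUS = {
  userAgent: 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148',
  platform: 'Linux x86_64', language: 'pt-BR', timeZone: 'Asia/Tokyo',
  maxTouchPoints: 0, hardwareConcurrency: 64,
};
```

In a real browser the same fields come from navigator.userAgent, navigator.platform, navigator.language, navigator.maxTouchPoints, navigator.hardwareConcurrency and Intl.DateTimeFormat().resolvedOptions().timeZone; a flagged profile is a reason to raise a risk score, not proof of automation.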
11) Cookies Enabled (Binary but Still Useful)
What it is:
Whether the browser allows cookies.
Why it matters:
Alone, it’s minimal information. Combined, it helps cluster your configuration and detect hardened modes.
12) “Supercookie” Storage Surfaces (Beyond Cookies)
Even when cookies are cleared, other storage may persist:
- localStorage
- sessionStorage
- indexedDB
- older/legacy mechanisms in some environments
Why it matters:
A tracker can store identifiers in places users don’t intuitively clear.
13) Cache Supercookies (Favicon-based tracking)
What it is:
A site encodes an identifier into cache state (e.g., favicon requests), then “reads” the identifier later by checking which requests are missing because resources were cached.
Why it matters:
It exploits a gap between:
- what users think they cleared (cookies), and
- what actually persisted (cache state)
Mitigations:
- Clear full site data, not only cookies
- Use separate browser profiles for separate identities (work vs personal vs research)
- Prefer browsers with storage isolation defaults
14) Client Hints (Optimization Signal That Can Over-Disclose)
What it is:
Structured hints browsers can send to help servers optimize content delivery (device class, platform info, etc.).
Why it matters:
If over-detailed and not constrained, it expands fingerprint surface even as UA is reduced.
Mitigations:
- Prefer mainstream browsers with conservative defaults
- Avoid enterprise policies/extensions that expose extra hints
15) Layout Measurement (ClientRects / Subpixel Geometry)
What it is:
Scripts measure how elements render down to subpixel differences. Layout depends on fonts, OS rendering, zoom, pixel ratio, and compositing behavior.
Why it matters:
Small differences add up when a tracker takes many measurements.
Mitigations:
- Hardened modes that normalize geometry
- Avoid unusual zoom and window setups in privacy-sensitive browsing profiles
16) WebRTC and DNS Leak Surfaces (Identity Adjacent)
These are not always “fingerprints,” but they can leak metadata that undermines privacy expectations:
- WebRTC can expose network candidate behaviors depending on configuration
- DNS handling can reveal lookups outside the expected path
Mitigations:
- Test leak surfaces periodically
- Use hardened profiles for sensitive contexts
17) TLS / HTTP/2 / QUIC Fingerprinting (Network Layer)
What it is:
Even below browser APIs, clients have distinctive “handshakes” and protocol behaviors.
Examples:
- TLS ClientHello fingerprints (JA3/JA4-style)
- HTTP/2 settings and frame behavior
- QUIC/HTTP/3 negotiation traits
Why it matters:
Changing IP does not necessarily change how your client negotiates protocols. Protocol behavior can become a stable handle and is heavily used in bot detection and security analytics.
Mitigation reality:
You often cannot fully eliminate protocol fingerprints as an end user. The pragmatic approach is:
- stay mainstream and up-to-date,
- avoid exotic “privacy tweak piles,”
- isolate identities so entropy cannot accumulate across contexts.
Part 1 — Sources
- EFF — Cover Your Tracks (results, metric definitions, and entropy framing): https://coveryourtracks.eff.org
- Ronni K. Gothard Christiansen — “Beyond cookies: the quiet tracking techniques hiding in your browser”: https://www.linkedin.com/pulse/beyond-cookies-quiet-tracking-techniques-hiding-your-christiansen-k5hqc/
Part 2 — Documented Use Cases: Where These Techniques Are Actually Used
Advanced tracking techniques show up in multiple domains. The same mechanism can serve different intentions:
- advertising and measurement,
- fraud prevention and account protection,
- bot detection and abuse mitigation.
Below are documented cases and “where it happens in practice.”
A) Advertising and Cross-Site Measurement
A1) AddThis and canvas fingerprinting (2014 backlash)
What happened:
EFF documented that AddThis began using canvas fingerprinting in 2014 and faced a strong negative reaction, after which the practice was reportedly stopped.
Why it matters:
This is a canonical example showing canvas fingerprinting was not merely theoretical—major widget/ad-tech providers experimented with it at scale.
A2) Canvas fingerprinting at scale (research + reporting)
What happened:
Investigations reported canvas fingerprinting being used across thousands of sites (including high-profile domains).
Why it matters:
It supports the broader claim: fingerprinting techniques have been deployed widely enough to trigger major public reporting and policy discussion.
B) ISP / Network-Level Identifier Injection
B1) Verizon UIDH “supercookie” header injection (2012–2016 era)
What happened:
Verizon injected a Unique Identifier Header (UIDH) into customer HTTP requests, enabling tracking beyond what users could control locally. The practice led to FCC action/settlement and public documentation.
Why it matters:
This demonstrates tracking can happen below the browser—even perfect cookie hygiene is insufficient if identifiers are injected at the network layer.
C) Fraud Prevention and Risk Scoring (Device Intelligence)
This is one of the most common real-world contexts for device fingerprinting.
C1) ThreatMetrix device fingerprinting (LexisNexis Risk)
What it is used for:
Device intelligence and risk scoring—detecting suspicious activity even when cookies are deleted or private browsing is used.
Why it matters:
It shows fingerprinting is an explicit commercial feature in fraud stacks (often positioned as security, not ads).
C2) TransUnion iovation (device reputation / intelligence)
What it is used for:
Online fraud and cybercrime detection services (device intelligence and reputation).
Why it matters:
It is a large-scale, long-lived category of “device intelligence” products used by many businesses for account security and abuse prevention.
D) Bot Detection and Anti-Abuse Infrastructure
In bot management, fingerprinting is often framed as “distinguishing humans from automation.”
D1) Cloudflare Bot Management — JA3/JA4 fingerprints
What it is used for:
Profiling SSL/TLS clients (JA3/JA4) for bot detection and request scoring.
Why it matters:
It is an explicit, documented example of protocol-level fingerprinting being part of an enterprise bot product.
D2) Akamai Bot Manager — browser fingerprinting and TLS observations
What it is used for:
Bot detection using behavior analysis and browser fingerprinting, with additional technical discussion around TLS fingerprinting and bot evasion.
Why it matters:
It shows two things:
- browser fingerprinting is an advertised capability in bot products,
- protocol-level fingerprints are actively monitored and operationalized at scale.
E) TLS Fingerprinting in Security Analytics (JA3)
E1) JA3 / JA3S in practice
What it is used for:
Security teams use JA3/JA3S to fingerprint TLS clients/servers for detection and correlation.
Why it matters:
This is a “beyond the browser” fingerprint layer: even if you block JS and clear storage, your TLS client behavior can still be profiled by network observers and defense systems.
F) Cross-Device / Cross-Screen Device Graph Products
F1) BlueCava (cross-device / cross-screen identity products)
What happened:
BlueCava operated in cross-screen marketing and device identification, and later merged with Qualia (2016), with coverage describing cross-screen conversion/identity use cases.
Why it matters:
It illustrates an industry category built around probabilistic device identity—often positioned for marketing outcomes (cross-device linkage).
Part 2 — Sources (by case cluster)
- AddThis / canvas fingerprinting backlash: https://www.eff.org/deeplinks/2018/06/gdpr-and-browser-fingerprinting-how-it-changes-game-sneakiest-web-trackers
- Canvas fingerprinting at scale: https://www.propublica.org/article/meet-the-online-tracking-device-that-is-virtually-impossible-to-block and https://www.eff.org/deeplinks/2014/07/white-house-website-includes-unique-non-cookie-tracker-despite-privacy-policy
- Verizon UIDH header injection / FCC action: https://www.eff.org/deeplinks/2016/03/victory-verizon-will-stop-tagging-customers-tracking-without-consent
- ThreatMetrix device intelligence: https://risk.lexisnexis.com/global/en/products/threatmetrix and https://docs.worldpay.com/apis/fraudsight/device-and-behavioral
- TransUnion iovation: https://newsroom.transunion.com/transunion-announces-agreement-to-acquire-iovation-to-strengthen-fraud-and-identity-solutions/ and https://www.transunion.com/privacy/iovation
- Cloudflare JA3/JA4 fingerprint docs: https://developers.cloudflare.com/bots/additional-configurations/ja3-ja4-fingerprint/
- Akamai Bot Manager and TLS fingerprint discussion: https://www.akamai.com/products/bot-