Browser fingerprinting: how trackers find you even with a VPN
A VPN swaps your IP. It does not change the way your browser draws a triangle, names your fonts, or pronounces a sine wave. That is the part that gives you away.
A VPN is to your IP what an envelope is to the contents of a letter. It hides the address on the outside. It does not change what is written inside. Browser fingerprinting is the writing inside — a quiet, mostly silent census your browser performs every time it loads a page, and one that happily survives an IP swap, a private window, and a fresh set of cookies.
According to the EFF's long-running Cover Your Tracks experiment, a typical desktop browser is unique among roughly 80% of visitors it shares a sample with. That uniqueness is not a moral failing on your part. It is a side effect of the web platform giving every site a generous list of capabilities to interrogate, plus the fact that you have a specific GPU, a specific font set, and a specific monitor sitting in a specific room. Trackers add it all up.
What a fingerprint actually contains
A fingerprint is not a single value. It is a bundle of around fifteen to thirty signals, hashed together into a fairly stable identifier. The most common ingredients are boring on their own and lethal in combination.
- User-Agent string and platform: which browser, which OS, which architecture.
- Screen resolution, colour depth, device pixel ratio, and the size of the viewport.
- Installed fonts — either listed directly (older APIs) or inferred by measuring text widths.
- Canvas fingerprint: the browser is asked to draw a string and a few shapes; differences in font rasterisation, antialiasing, and GPU pipeline produce a per-machine hash.
- WebGL fingerprint: the GPU vendor, renderer, supported extensions, and the result of rendering a small 3D scene.
- AudioContext fingerprint: a short sine wave is processed through the audio stack; floating-point quirks differ across CPUs.
- Timezone, language list, the order of preferred languages, and the resolved Intl date format.
- Hardware concurrency, device memory, and battery state where exposed.
No single one of those is identifying. The combination, however, is usually enough to pick you out of a crowd of millions. Worse, the fingerprint is deterministic enough that returning visitors light up even if they cleared cookies, even if they switched VPN regions, and even if they are now on someone else's Wi-Fi.
Why a VPN does not save you here
A VPN changes the routable IP address that websites see. It does nothing about the canvas your browser draws, the audio buffer it produces, or the list of fonts you happen to have installed. We say this often because it gets confused often: encryption protects what is in transit. It does not edit what your browser tells the page once that page is loaded.
There is a useful analogy. If you walk into a coffee shop wearing a Halloween mask, you have changed your face. You have not changed your gait, your shoes, your accent, or the laptop sticker peeking out of your bag. Browser fingerprinting is the laptop sticker.
Why "incognito" is the wrong tool here
A private window does two things: it forgets local history when you close it, and it isolates cookies from your normal session. It does not strip the canvas API, the WebGL renderer string, the font list, or any of the other thirty-odd signals trackers care about. From a fingerprinting perspective, an incognito tab and a normal tab on the same machine look essentially identical. We have a separate post on what private mode actually does, but the short version is: useful for shared devices, useless for trackers.
The mitigations that actually move the needle
Defences fall into two camps. The first is randomisation: lie a little to every site so that the hash is different every time. The second is uniformity: make every user of your browser look identical so the hash is shared by millions. Both work; they have different trade-offs.
1. Brave (randomisation). Adds small per-session noise to canvas, WebGL, and audio readouts. Your fingerprint changes between sessions, which breaks long-term tracking but can occasionally trip aggressive bot detection on banking sites.
2. Tor Browser (uniformity). Locks the window to a "letterbox" size, ships a fixed font bundle, freezes the user-agent, and disables JIT in safer modes. Every Tor user looks like every other Tor user. Slow, but extremely robust.
3. Mozilla Firefox with resistFingerprinting. Hidden flag in about:config; ports many of Tor's anti-fingerprinting patches into mainline Firefox. Will break some sites. Pair with the arkenfox user.js if you are willing to maintain it.
4. Safari. Apple ships its own Intelligent Tracking Prevention plus a sanitised system info report. Less aggressive than Tor or Brave but a meaningful default for casual users on macOS and iOS.
5. Mainline Chrome. Almost no fingerprinting protection. Privacy Sandbox addresses third-party cookies, not fingerprints. Do not rely on it.
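An added example, not part of the original article: a small JavaScript model of the fingerprint described under "What a fingerprint actually contains" and of the two defence camps above, showing which identifiers still tie two visits together. Every signal value, IP address and function name is constructed for illustration, and FNV-1a stands in for whatever hash a tracker uses.

```javascript
// Model only: every value below is constructed; nothing is read from a real browser.
// FNV-1a (32-bit) is an assumption standing in for a tracker's hash function.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h = Math.imul(h ^ str.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Hash the browser-reported signals in sorted key order. IP and cookies are not inputs.
function fingerprint(signals) {
  return fnv1a(Object.keys(signals).sort()
    .map((k) => `${k}=${JSON.stringify(signals[k])}`).join('|'));
}

// Randomisation: per-session noise on the rendered readouts (canvas, WebGL, audio).
function randomise(signals, sessionSeed) {
  const out = { ...signals };
  for (const k of ['canvas', 'webgl', 'audio']) out[k] = fnv1a(`${signals[k]}:${sessionSeed}`);
  return out;
}

// Uniformity: every user of the browser reports the same fixed values.
const UNIFORM = { userAgent: 'uniform-ua', screen: '1400x900', fonts: ['bundled'],
  canvas: 'blank', webgl: 'blank', audio: 'blank', timezone: 'UTC' };
function uniform(signals) {
  return { ...signals, ...UNIFORM };
}

// What a site records for one visit, and which identifiers link two visits.
function visit({ ip, cookie, signals }) {
  return { ip, cookie, fp: fingerprint(signals) };
}
function linkedBy(a, b) {
  return ['ip', 'cookie', 'fp'].filter((k) => a[k] !== null && a[k] === b[k]);
}

const alice = { userAgent: 'ExampleBrowser/1.0 (Linux x86_64)', screen: '2560x1440@1',
  fonts: ['DejaVu Sans', 'Fira Code'], canvas: 'c-7f3a', webgl: 'gpu-a/ext-31',
  audio: '124.0434', timezone: 'Europe/Berlin' };
const bob = { ...alice, screen: '1920x1080@2', canvas: 'c-19be', webgl: 'gpu-b/ext-28' };

const home = visit({ ip: '198.51.100.7', cookie: 'id-1', signals: alice });
const away = visit({ ip: '203.0.113.9', cookie: null, signals: alice }); // VPN + private window
console.log(linkedBy(home, away)); // only the fingerprint still links the two visits
const s1 = visit({ ip: '198.51.100.7', cookie: null, signals: randomise(alice, 's1') });
const s2 = visit({ ip: '203.0.113.9', cookie: null, signals: randomise(alice, 's2') });
console.log(linkedBy(s1, s2), fingerprint(uniform(alice)) === fingerprint(uniform(bob)));
```

Randomisation leaves nothing to link the two sessions, while uniformity leaves a fingerprint that is shared with every other user of the same browser.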
The extension trap
Counterintuitively, a wall of niche privacy extensions can make your fingerprint more unique, not less. If you are the one person on the internet running a specific combination of three obscure script blockers, two cookie scrubbers, and a custom dark-mode tool, your extension footprint is itself an identifier. We recommend a small, well-known stack — uBlock Origin plus your browser's built-in protections is usually enough — and resisting the urge to install a sixth tool that promises to fix what the first five missed.
For sensitive sessions where anonymity matters more than convenience, the cleanest move is to use Tor Browser on a stock OS profile. For day-to-day, Brave or hardened Firefox plus a VPN is the realistic compromise. We run our own Cover Your Tracks pass after every major Brave or Firefox release; it is a five-minute audit and a useful sanity check.
Where we sit
PlanetProxy is a VPN. We move your packets through a tunnel and out of a server in a country you choose. We do not run a browser, so we cannot rewrite your canvas hash for you — and we are suspicious of any VPN that claims to. What we can do is keep our exits clean, our DNS leak-free, and our audit reports public. The browser layer is your job. The network layer is ours. Both have to be honest for the picture to come out right.
Frequently asked
Does a VPN reduce my fingerprint at all?
It removes your IP address from the picture, which is one of the easier signals to use. The browser-level fingerprint — canvas, WebGL, audio, fonts — is unchanged. Use both layers.
Is Tor Browser overkill for everyday browsing?
For most people, yes. Tor is calibrated for high-stakes anonymity and pays a real speed cost. Brave or hardened Firefox plus a VPN gets you most of the way without the latency.
Will disabling JavaScript fix fingerprinting?
Mostly, yes — but at the cost of breaking around 80% of the modern web. It is a reasonable choice for sensitive research sessions, not for daily browsing.
How often should I re-test my fingerprint?
After every major browser update and after installing a new extension. EFF's Cover Your Tracks tool is free and takes under a minute.