What Is Browser Fingerprinting? Canvas, Fonts, WebGL, WebGPU

Introduction

Browser fingerprinting identifies a browser by reading signals that normal websites can access: canvas rendering, installed fonts, timezone, language, WebGL, WebGPU, audio behavior, screen size, hardware concurrency, device memory, and timing behavior. Unlike cookies, these signals do not require storage on the device. A page can read them during a normal visit and combine them into a browser identity.

VPNs and private windows can change storage or network state, but they do not change the browser behavior underneath. Privacy validation starts by understanding which browser signals remain visible and how profile-based consistency reduces tracking risk.

At a glance:

• Canvas and fonts reveal rendering behavior shaped by the operating system, font catalog, graphics stack, and locale.
• WebGL and WebGPU expose GPU family, capability limits, rendering behavior, and browser graphics configuration.
• Timezone, language, and locale connect the browser identity to geography and proxy alignment.
• Audio, screen, timing, CPU, and memory add hardware-shaped signals that cookies cannot clear.
• Profile consistency keeps these surfaces aligned so one browser identity does not expose conflicting signals.

Privacy Impact

Browser fingerprinting has grown from an academic curiosity into a mainstream tracking technology. Several large-scale studies document its prevalence and effectiveness.

Princeton's Web Transparency Project (2016) crawled the top 1 million websites and found fingerprinting scripts on 5.5% of them. By 2020, follow-up studies showed that number had grown to over 10%. The most common fingerprinting libraries target canvas, WebGL, audio, and font signals.

The EFF's Panopticlick/Cover Your Tracks project tested over 200,000 browser configurations and found that 83.6% were uniquely identifiable. Even among users who had taken privacy precautions (blocking cookies, using VPNs), the majority could still be tracked through fingerprinting alone.

AmIUnique, a fingerprinting research project from INRIA, found that the median browser in their dataset was distinguishable from 99.1% of all others. Only 0.9% of browsers shared an identical fingerprint with at least one other browser.

The commercial fingerprinting industry is substantial. Multiple companies sell fingerprinting-as-a-service products to advertisers, risk review services, and analytics platforms. These services combine dozens of signals into a single identifier that persists across sessions and sites.

For individual users, browser fingerprinting means that clearing cookies, using incognito mode, or switching networks does not prevent tracking. Your device's combination of properties follows you across the web.

Technical Background: The Fingerprint Signal Categories

Browser fingerprinting collects signals from multiple categories. Each category contributes entropy (bits of identifying information) to the overall fingerprint. The following diagram shows the major signal categories and their approximate entropy contributions.

Navigator and Browser Identity

The navigator object is the first stop for any fingerprinting script. It exposes:

• User agent string with browser name, version, and OS details
• Platform identifying the OS ("Win32", "MacIntel", "Linux x86_64")
• Hardware concurrency revealing CPU core count
• Device memory exposing RAM tier (Chromium only)
• Languages showing locale preferences
• User Agent Client Hints providing structured browser and platform data

These properties are universally available, require no permissions, and combined can identify thousands of unique configurations. See Navigator Property Protection for details.

Canvas and 2D Rendering

The HTML5 Canvas API produces device-specific output when drawing text, shapes, and images. The pixel-level rendering depends on the GPU, font rendering engine, anti-aliasing implementation, and color management. The result varies between devices but is stable for a given device. Canvas fingerprinting is one of the most widely deployed tracking techniques after cookies. See Canvas Fingerprinting for details.

WebGL and WebGPU

WebGL exposes GPU identity through renderer strings, capability parameters, and rendering output. WebGPU adds structured adapter info, feature sets, and detailed capability limits. Together, these GPU APIs provide one of the highest-entropy fingerprint signals available. See WebGL Fingerprint Protection and WebGPU Fingerprint Protection.

Audio Processing

The Web Audio API produces platform-specific output when processing audio through oscillators, compressors, and analyzers. No sound is played, no permissions are needed. The output depends on the audio hardware, OS audio stack, and browser engine. See Audio Fingerprint Protection.

Fonts

Font enumeration reveals which fonts are installed, and text metrics (glyph widths, bounding boxes) vary by platform rendering engine. The combination of installed fonts and text metrics provides 8-10+ bits of entropy. See Font Fingerprint Protection.

Screen and Window

Screen resolution, color depth, device pixel ratio, available screen area, and window dimensions all vary across hardware and OS configurations. The margins between inner/outer window dimensions and screen/available-screen dimensions reveal the operating system's UI chrome. See Screen and Window Protection.

CSS Media Features

CSS media queries expose display capabilities, user preferences (dark mode, reduced motion), pointer type, and color gamut. These values can be extracted without JavaScript through conditional CSS resource loading. See CSS Signal Consistency.

Performance and Timing

performance.now() resolution, navigation timing, resource timing, and execution speed vary by hardware and browser. Timing signals are difficult to control because they emerge from actual execution behavior. See Performance Timing Fingerprinting.

Engine Internals

JavaScript stack depth (maximum recursion depth) varies between browsers, platforms, and execution contexts. This low-level signal reflects engine implementation details that cannot be changed from JavaScript. See Stack Depth Control.

Common Protection Approaches and Their Limitations

VPNs

VPNs change your IP address but have zero effect on browser fingerprinting. Every fingerprint signal listed above is generated locally by the browser. Your fingerprint is identical whether you connect through a VPN or directly.

Incognito / Private Browsing

Private browsing clears cookies and local storage but does not modify any fingerprint signal. Your canvas output, WebGL renderer, audio processing, font list, and screen resolution are all identical in private mode.

Browser Extensions

Extensions that claim to protect fingerprints operate at the JavaScript level. They intercept API calls and modify returned values. This approach has fundamental limitations:

• Incomplete coverage. Extensions must hook every relevant API. Missing one (e.g., OffscreenCanvas, AudioWorklet, CSS media queries) creates a gap.
• Visible modification. JavaScript property overrides can become visible through prototype inspection, timing analysis, and cross-check validation.
• CSS blind spot. Extensions cannot modify CSS media query evaluation, which operates at the rendering engine level.
• Inconsistency. Changing one value without adjusting correlated values creates mismatches. Reporting a macOS user agent while canvas rendering shows Windows-style text antialiasing is inconsistent.

Randomization

Randomizing fingerprint values on each page load creates instability that is itself a tracking signal. Legitimate devices produce stable fingerprints. Unstable fingerprints identify users who are actively trying to prevent tracking.

Tor Browser

Tor Browser takes the most principled approach: standardizing all fingerprint values across all users. Every Tor Browser reports the same screen resolution, font list, canvas output, and user agent. The limitation is that "Tor Browser" itself becomes the identity. The standardized fingerprint identifies you as a Tor user, which is a very small population.

BotBrowser's Engine-Level Approach

BotBrowser takes a fundamentally different approach: it controls fingerprint signals at the Chromium rendering engine level through complete device profiles. Rather than blocking, randomizing, or intercepting individual signals, BotBrowser configures the browser engine to behave as if it were running on the profiled device.

Complete Device Profiles

A BotBrowser profile describes an entire device: the operating system, browser version, GPU, audio hardware, screen configuration, installed fonts, CPU, memory, and more. When loaded, the profile configures every engine subsystem simultaneously. All signals align because they all come from the same profile.

Engine-Level Control

BotBrowser modifies Chromium at the source code level. Canvas rendering, WebGL parameters, audio processing, font enumeration, navigator properties, screen dimensions, and timing behavior are all controlled internally. This means:

• No JavaScript-visible property overrides
• No prototype modifications exposed to web content
• CSS and JavaScript APIs return the same values
• Worker contexts and main thread are consistent
• iframes receive consistent values

Cross-Platform Operation

Running on Linux, you can load a Windows profile. Running on macOS, you can load an Android profile. The engine-level control is deep enough to produce platform-specific rendering behavior regardless of the host operating system. Canvas text renders with Windows-style antialiasing on a Linux machine when a Windows profile is loaded.

Deterministic Noise

The --bot-noise-seed flag provides deterministic variation. Each seed produces a unique, stable fingerprint. The same profile and seed always produce the same fingerprint, across sessions, across machines, across operating systems. Different seeds produce different fingerprints. This gives you explicit control over identity: same seed equals same identity, different seed equals different identity.

Comprehensive Signal Coverage

BotBrowser covers all major fingerprint categories:

Signal Category	Protection Mechanism
Navigator properties	Profile-driven values for all properties
Canvas 2D	Engine-level rendering control + noise
WebGL	GPU identity, parameters, and rendering
WebGPU	Adapter info, features, limits, and rendering
Audio	Audio processing pipeline control + noise
Fonts	Controlled font list and text metrics
Screen/Window	Profile-driven dimensions and margins
CSS media features	Engine-level media evaluation
Performance timing	Timing seed for deterministic performance
Stack depth	Engine-level recursion limit control
Network info	Profile-driven connection properties

Configuration and Usage

Basic Usage

The simplest configuration loads a profile:

chrome --bot-profile="path/to/profile.enc" \
       --user-data-dir="$(mktemp -d)"

This single flag activates protection across all signal categories.

Full Deterministic Configuration

For complete deterministic behavior:

chrome --bot-profile="path/to/profile.enc" \
       --bot-noise-seed=42 \
       --bot-time-seed=42 \
       --bot-stack-seed=profile \
       --user-data-dir="$(mktemp -d)"

With Proxy and Auto-Detected Locale

chrome --bot-profile="path/to/profile.enc" \
       --proxy-server=http://user:pass@proxy.example.com:8080 \
       --bot-config-timezone=auto \
       --bot-config-locale=auto \
       --bot-config-languages=auto \
       --bot-noise-seed=42 \
       --user-data-dir="$(mktemp -d)"

Playwright Integration

const { chromium } = require('playwright');

const browser = await chromium.launch({
  executablePath: 'path/to/botbrowser/chrome',
  args: [
    '--bot-profile=path/to/profile.enc',
    '--bot-noise-seed=42',
    '--bot-time-seed=42',
    '--bot-stack-seed=profile'
  ]
});

const page = await browser.newPage();
await page.goto('https://example.com');

// All fingerprint signals are now controlled by the profile
const info = await page.evaluate(() => ({
  userAgent: navigator.userAgent,
  platform: navigator.platform,
  cores: navigator.hardwareConcurrency,
  screenWidth: screen.width,
  colorDepth: screen.colorDepth,
  devicePixelRatio: window.devicePixelRatio
}));
console.log(info);

Puppeteer Integration

const puppeteer = require('puppeteer');

const browser = await puppeteer.launch({
  executablePath: 'path/to/botbrowser/chrome',
  defaultViewport: null,
  args: [
    '--bot-profile=path/to/profile.enc',
    '--bot-noise-seed=42',
    '--bot-time-seed=42',
    '--bot-stack-seed=profile'
  ]
});

const page = await browser.newPage();
await page.goto('https://example.com');

Multiple Profile Directory

For automatic profile rotation across instances:

chrome --bot-profile-dir="path/to/profiles/" \
       --bot-noise-seed=42 \
       --user-data-dir="$(mktemp -d)"

BotBrowser randomly selects a profile from the directory on each startup.

Verification

Fingerprint consistency. Visit a fingerprint testing site (BrowserLeaks, CreepJS, AmIUnique) with the same profile and seed in two separate sessions. The reported fingerprint should be identical.

Cross-machine test. Run the same profile and seed on two different machines. The fingerprint should match.

Signal category verification. Check each major signal category individually:

• Navigator properties match the profile
• Canvas behavior is stable across sessions
• WebGL renderer matches the profile's GPU
• Audio fingerprint is stable with the same seed
• Font list matches the profile's OS
• Screen dimensions match the profile

Headless/headed consistency. Run the same test in headless and headed mode with --bot-config-window=profile. The fingerprint should be identical.

Best Practices

• Always use a profile. Running BotBrowser without --bot-profile provides no fingerprint protection. The profile is the foundation.
• Use --bot-noise-seed for stable identities. Without a seed, rendering noise varies between sessions. A seed ensures reproducibility.
• Use defaultViewport: null in Puppeteer. This prevents Puppeteer from overriding profile display settings.
• Let BotBrowser auto-detect locale. --bot-config-timezone=auto, --bot-config-locale=auto, and --bot-config-languages=auto derive locale from your proxy IP for geographic consistency.
• Keep profiles updated. Browser user agents and capabilities change with each version. Use current profiles from the BotBrowser profiles repository.
• Do not override individual properties manually. The profile ensures internal consistency. Overriding one property without adjusting others creates mismatches.
• Combine with appropriate proxy. Fingerprint protection addresses device identity. Network identity (IP address, geolocation) requires a proxy.

FAQ

Q: What is the difference between browser fingerprinting and cookies? A: Cookies are explicit identifiers stored on your device. You can see, block, and delete them. Fingerprinting reads properties that already exist (screen size, GPU model, etc.) and does not store anything. You cannot "clear" a fingerprint because there is nothing to clear.

Q: Can fingerprinting track me across different websites? A: Yes. If two websites use the same fingerprinting library, or if a third-party tracking script is embedded on both sites, your fingerprint can be matched across them. This works even without cookies.

Q: How unique is my browser fingerprint? A: According to research studies, over 80% of browsers have a unique fingerprint. The combination of screen resolution, GPU, fonts, audio processing, and other signals is sufficient to distinguish most users.

Q: Which browser fingerprinting signals matter most? A: The strongest signals usually come from canvas rendering, WebGL or WebGPU behavior, fonts and text metrics, timezone, language, screen configuration, audio processing, CPU core count, device memory, and timing behavior. Each signal may look ordinary by itself, but together they describe a detailed browser and device profile.

Q: Why do timezone and language affect browser fingerprinting? A: Timezone, locale, and language preferences connect the browser to an expected geography. If a browser uses a US proxy but exposes a different timezone or language set, the identity becomes inconsistent. Good profile consistency keeps geography, browser language, and network location aligned.

Q: Are WebGL and WebGPU different fingerprinting surfaces? A: Yes. WebGL exposes graphics renderer behavior, parameters, and rendering output. WebGPU adds a newer capability model with adapter behavior, feature support, and limits. Both surfaces should match the selected browser profile and device class.

Q: Does BotBrowser block fingerprinting scripts? A: No. BotBrowser does not block scripts. Instead, it controls what scripts see. When a fingerprinting script collects canvas, WebGL, and audio signals, it gets values from the loaded profile, not from your actual hardware.

Q: Can I use BotBrowser for normal browsing? A: Yes. BotBrowser is a full Chromium browser. All web functionality (including extensions, developer tools, and media playback) works normally. The fingerprint protection operates transparently in the background.

Q: How do I keep a browser profile stable across sessions? A: Use a complete profile and a consistent seed strategy for sessions that should represent the same browser identity. The profile keeps broad browser signals aligned, while deterministic settings keep repeatable behavior stable across launches.

Q: Is browser fingerprinting legal? A: Legality varies by jurisdiction. The EU's GDPR and ePrivacy Directive consider fingerprinting a form of tracking that requires consent. In practice, enforcement is limited and most fingerprinting occurs without explicit user consent. BotBrowser gives you the ability to control what information your browser reveals.

Q: Does BotBrowser work with Selenium? A: BotBrowser works with any automation framework that can launch Chromium with custom arguments, including Selenium, Playwright, and Puppeteer.

Summary

Browser fingerprinting is a pervasive tracking technique that identifies users through their device and browser configuration. It operates without cookies, without permissions, and without user awareness. Traditional protections like VPNs, incognito mode, and browser extensions address only fragments of the problem or introduce visible inconsistencies.

BotBrowser provides comprehensive fingerprint protection by controlling all signal categories at the Chromium engine level. Complete device profiles ensure that every API surface, from navigator properties to canvas rendering to audio processing, returns values from a single coherent device identity. The --bot-noise-seed flag makes fingerprints deterministic and reproducible. The result is a browser that presents a consistent, realistic device identity regardless of the actual underlying hardware. Explore the full feature set or download BotBrowser to start protecting your browser fingerprint today.

For detailed coverage of specific fingerprint categories, see:

• Audio Fingerprint Protection
• WebGL Fingerprint Protection
• WebGPU Fingerprint Protection
• Font Fingerprint Protection
• Navigator Property Protection
• CPU Core Count Control
• Screen and Window Protection
• CSS Signal Consistency
• Stack Depth Control
• Deterministic Browser Behavior