Browser Fingerprint Uniqueness: How Rare Are You, Really?
Every browser leaks around twenty attributes on every page load. Those attributes combine into a signature that is individually identifying for 94 percent of Chrome users worldwide. This is the math behind that number — what entropy is, what it actually measures, and why "unique" is both more and less alarming than it sounds.
What entropy is, in one paragraph
Entropy is a measurement of identifying information, expressed in bits. One bit of entropy means an attribute eliminates half of the candidate population. Two bits eliminates three-quarters. Twenty bits eliminates 99.9999 percent of a million-person population. The formula is straightforward: a fingerprint's entropy is the sum of the individual attributes' entropies, minus the correlations between them.
A real browser's fingerprint typically carries between 17 and 22 bits of entropy. That range is the difference between "one of 130,000 matching users" and "one of 4.2 million." The entire distinction between a browser that is trackable and a browser that is not fits inside that five-bit window. This is why fingerprint defenses focus on specific high-entropy attributes rather than trying to strip identification from the whole request.
The attributes that actually contribute
The 2023 EFF Cover Your Tracks dataset, Panopticlick's earlier corpus, and AmIUnique's rolling statistics converge on a consistent ranking. These are the top contributors measured across millions of real browser visits:
| Attribute | Entropy (bits) | Notes |
|---|---|---|
| Canvas rendering | 8–10 | GPU + driver + OS rasterization differences |
| Font list | 6–9 | Installed fonts enumerable via CSS measurement |
| WebGL renderer string | 5–7 | GPU model and driver version |
| Audio fingerprint | 5–7 | FFT rendering of a synthetic waveform |
| User agent + platform | 3–5 | Narrower in 2026 due to UA reduction |
| Screen + viewport | 3–5 | Resolution, color depth, DPR, window size |
| Timezone + language | 3–4 | Often leakable even behind VPN |
| Plugin list (legacy) | 2–3 | Mostly empty in modern Chrome/Safari |
| Hardware concurrency | 1–2 | Number of logical cores |
| Device memory | 1–2 | Rounded to 0.25/0.5/1/2/4/8 GB |
These are not independent: the user agent correlates with the platform, the screen resolution correlates with the device class, the GPU correlates with the OS. Correlations discount the naive entropy sum by 3 to 6 bits. The net figure for a stock Chrome install lands between 17 and 22 bits, which is why EFF's dataset found roughly 94 percent of Chrome visitors were globally unique within their 3.5-million-visit sample.
Why canvas is the single most identifying attribute
The Canvas 2D API draws shapes and text into a pixel buffer. That rendering happens on the GPU with driver-specific anti-aliasing, sub-pixel positioning, and font rasterization. Two machines with the same browser version but different GPUs will render the exact same draw commands into subtly different pixel outputs. Those differences are stable across page loads and consistent across browser restarts, which makes canvas the single highest-entropy attribute a site can read.
A canvas fingerprint is typically produced by drawing a specific string in a specific font at a specific size, then hashing the resulting pixel buffer. The resulting hash is roughly 9 bits of entropy on its own — a single page-load read of that hash distinguishes you from 99.8 percent of the population. Combined with the other attributes, it is the largest single contributor to a browser's identifying signature.
The canvas fingerprinting deep-dive covers this in more detail. The short summary is that the 2017 patch to Tor Browser and the 2019 patch to Safari's ITP both explicitly target canvas as the highest-priority defense.
What uniqueness actually protects against
A unique fingerprint is not automatically tracking. Tracking requires that the fingerprint be stable enough to match the same user across multiple sessions. Three things weaken that stability in practice:
- Browser updates: a Chrome auto-update changes the user agent, the JS engine version, sometimes the GPU driver interface. Each update moves the fingerprint by several bits.
- Device changes: a new monitor, a docked laptop, an external GPU, a screen rotation — any of these shifts screen metadata.
- Anti-fingerprinting noise: Brave's per-session canvas noise, Firefox's resistFingerprinting audio clamping, and Safari's ITP each change fingerprint hash values between sessions.
The practical consequence is that a fingerprint is usually stable for hours or days, not months. This is enough for cross-site tracking within a browsing session (connecting your activity on Site A to Site B within the same afternoon) but generally not for long-term identity binding. Fingerprinting is primarily a session-linkage tool, not a replacement for the third-party cookies it is often sold to advertisers as replacing.
The defenses, ranked
Entropy reduction is a scale, not a binary. In decreasing order of effectiveness:
- Tor Browser: standardized letterboxed resolution, identical font list, canvas noise, blocked WebGL. Fingerprint entropy drops to roughly 10 bits across the entire Tor population, which by design is all other Tor Browser users.
- Firefox with privacy.resistFingerprinting: imports several Tor Browser protections. Canvas returns a generic white image, timezone is spoofed to UTC, font list is truncated. Not a complete defense but a meaningful entropy reduction.
- Brave's farbling: adds per-session pseudo-random noise to canvas, audio, and enumerable font lists. Fingerprint appears different on each new session, which breaks cross-session linking at the cost of being visibly Brave.
- Safari + ITP: reduces some attributes (no canvas noise, but plugin list is empty and font enumeration is capped). Partial defense.
- Stock Chrome: no meaningful defense. Client Hints phase-in has reduced user-agent entropy but added new high-entropy endpoints. Net change is roughly neutral.
You can measure your own browser's fingerprint with the Snitchtest dossier, which reads the same attributes a tracker would read and reports the per-attribute entropy it estimates. The combined entropy estimate at the bottom of the report is the single most useful number for understanding how identifying your current browser actually is.
Frequently asked questions
- What does "bits of entropy" mean in fingerprinting?
- Entropy measures how much identifying information a fingerprint carries. One bit halves the set of matching users; twenty bits reduces a population of one million to one. Most stock Chrome browsers carry 17 to 22 bits.
- Are most browsers actually unique?
- Yes. The EFF's 2023 dataset found roughly 94 percent of Chrome users were globally unique across 3.5 million visitors. Safari was around 67 percent. Tor Browser users are indistinguishable from other Tor Browser users by design.
- Does Tor Browser really protect against fingerprinting?
- Yes. Tor Browser reduces entropy to roughly 10 bits by standardizing every user to identical configurations. The trade-off is that the browser is visibly Tor Browser, which creates a different kind of distinctiveness at the network layer.
- What single attribute is most identifying?
- Canvas rendering. The same text in the same font rasterizes to different pixel patterns on different GPUs, producing 8 to 10 bits of entropy by itself. Audio fingerprinting adds another 5 to 7 bits.
- Can I reduce my fingerprint uniqueness without switching to Tor?
- Partially. Firefox with privacy.resistFingerprinting enabled reduces entropy meaningfully. Brave's fingerprint randomization adds per-session noise. Neither matches Tor Browser.