the dossier your browser hands out for free
You close the curtains. You shred the junk mail. You buy the VPN. Then you open a browser and walk into every website you visit with a nametag, a driver's license, and a short biography pinned to your jacket. Here's what's actually on the nametag, why that thing you just did to hide doesn't hide it, and what to do about it.
01 you were never anonymous
The default mental model of "browsing the web privately" is built on two assumptions. First: websites see your IP address, and nothing else useful. Second: incognito mode or a VPN flips you to anonymous. Both are wrong by a very wide margin.
Every time a page loads, your browser voluntarily hands the site a long list of technical details it needs to render properly: your screen resolution, your time zone, the fonts you have installed, the graphics card your OS is using, the exact version string of every browser extension's behavior, the pixel noise pattern produced by your GPU when it draws a standard image. Together those details form a fingerprint — a number that, for most real users, is unique. The site then logs that number next to an identifier cookie, and the next time it sees that fingerprint, it knows it's you, cookie or no cookie.
Your IP address is one line of the file. The VPN hides that one line. The rest of the file is still stapled to the front.
02 what's actually in the file
Here's the short list of what any page you load can read about you, using nothing more exotic than the standard Web APIs that exist so sites can, for example, render correctly on a phone. Every one of these is sent silently, with no permission prompt.
| data point | how it leaks | what it tells them |
|---|---|---|
| public IP | TCP connection | city-level location, ISP, sometimes employer |
| user agent | HTTP header | browser, version, OS, CPU arch |
| language + timezone | JS + headers | country, waking hours, travel patterns |
| screen + viewport | JS screen.* API | display model, multi-monitor, device class |
| installed fonts | canvas enumeration | OS + localized app set (Office, Adobe, etc) |
| canvas hash | GPU draws a shape | unique to your GPU + driver + OS + browser build |
| audio hash | silent AudioContext render | unique to your audio stack + CPU math |
| WebGL renderer | JS getParameter | exact GPU make + model string |
| hardware concurrency | JS navigator.* | CPU core count |
| device memory | JS navigator.* | RAM tier (2/4/8/etc GB) |
| battery state | Battery Status API | laptop vs desktop, rough uptime |
| local IPs via WebRTC | STUN candidate leak | your LAN IP even behind a VPN |
| TLS fingerprint (JA3/JA4) | TLS ClientHello order | your exact browser build, even on HTTPS |
Any single entry in that list is mostly harmless. The problem is the combination. Researchers at the EFF's Panopticlick project and successors have shown for over a decade that the combined fingerprint is unique for >95% of browsers in the wild. A unique ID that your browser volunteers to every site is the entire ballgame for tracking.
03 the canvas trick
Canvas fingerprinting is the cleanest illustration of how this works. The site asks your browser to draw a small image — some text, a background, maybe a curve — then reads back the pixels and hashes them. The text rendering uses your OS's font files. The anti-aliasing uses your graphics driver. The color blending uses your GPU's floating-point quirks. Two different machines almost never produce the same pixels.
That hash is then stored next to you. Clear your cookies, close your browser, switch to incognito — the same hardware produces the same hash. You're still you.
Audio fingerprinting does the same thing with an AudioContext that renders a silent, inaudible signal and reads back the tiny floating-point differences. The user never hears anything. The site gets another unique-per-machine hash to combine with the canvas one.
04 webrtc: the worst-behaved api on the web
WebRTC is the browser API built for video calls. Its job includes figuring out every possible network path the call might take, which means asking your operating system for all your network interfaces and their IPs, then offering those to the other side of the call in something called "ICE candidates."
Done correctly, that's fine. Done by a random webpage with no call in progress, that's a leak. The page quietly opens a PeerConnection it never intends to complete, asks for candidates, and receives back: your LAN IP, your VPN's internal IP, your physical NIC's IP, and in many configurations your real public IP even while a VPN is active.
Most commercial VPNs don't stop this because they can't — it's not traffic that flows through their tunnel, it's your OS talking to your browser. Browser-level defenses (the force-relay setting in Chrome, uBlock Origin's "Prevent WebRTC from leaking local IP addresses") actually work, but most users never touch them and most VPN apps don't set them.
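To check your own browser for the leak described above, this added example (not part of the original page or of SNITCHTEST) classifies ICE candidate strings, such as the `candidate.candidate` values from your browser's `icecandidate` events. The sample lines and the function names are constructed for illustration.

```javascript
// Constructed sample candidates (RFC 1918 and documentation-range addresses).
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 10.8.0.2 54322 typ host", // e.g. a VPN tunnel interface
  "candidate:3 1 udp 2122129151 3f2a9c1e-5b7d-4e0a-9c3b-1a2b3c4d5e6f.local 54323 typ host",
  "candidate:4 1 udp 1686052607 203.0.113.45 61000 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:5 1 udp 41885439 198.51.100.7 3478 typ relay raddr 203.0.113.45 rport 61000",
];

// True for RFC 1918 / link-local IPv4 and ULA / link-local IPv6 literals.
function isPrivate(addr) {
  if (addr.includes(":")) return /^(f[cd]|fe[89ab])/i.test(addr);
  const [a, b] = addr.split(".").map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) || (a === 169 && b === 254);
}

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> ...]
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (!f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  const r = f.indexOf("raddr");
  return { address: f[4], type: f[7], related: r > 0 ? f[r + 1] : null };
}

// Collect every address of *yours* that the candidates disclose.
function leakReport(lines) {
  const parsed = lines.map(parseCandidate).filter(Boolean);
  const lan = new Set(), pub = new Set();
  for (const c of parsed) {
    // A relay candidate's own address is the TURN server, not you; its raddr may still be yours.
    const own = c.type === "relay" ? [c.related] : [c.address, c.related];
    for (const a of own) {
      // Many current browsers replace host IPs with random .local mDNS names.
      if (!a || a === "0.0.0.0" || a.endsWith(".local")) continue;
      (isPrivate(a) ? lan : pub).add(a);
    }
  }
  const relayOnly = parsed.length > 0 && parsed.every((c) => c.type === "relay");
  return { lanIps: [...lan], publicIps: [...pub], relayOnly };
}

console.log(leakReport(SAMPLE_CANDIDATES));
```

With a working force-relay setting the report should show `relayOnly: true` and both address lists empty.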
05 tls fingerprinting is invisible and unfixable
TLS (the S in HTTPS) opens every secure connection with a message called the ClientHello. It contains the cipher suites your browser supports, in the order your browser prefers them, plus a handful of extensions. That list is so distinctive that each major browser version has its own recognizable signature. Researchers give those signatures names: JA3 and the newer JA4.
Unlike most of the tracking surface, TLS fingerprinting works server-side, with no JavaScript required, on the very first packet of the connection. Even sites you block scripts on can log your JA4. Tor and some hardened browsers deliberately mimic a common fingerprint to blend in; most users never think about it.
This is why the "I use Brave / LibreWolf / Mullvad Browser" crowd still gets fingerprinted. Swapping browsers shifts your JA4 into a different bucket but doesn't empty the bucket. If your browser choice is rare enough, it makes you easier to track, not harder.
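To make the ClientHello signature concrete, this added Node.js example (not from the original page) derives a JA3 value from a raw TLS record the way a server-side logger would: the version, cipher suites, extensions, groups and point formats are joined in the order sent, GREASE placeholders are dropped, and the string is hashed with MD5. The sample record is constructed, with a zeroed random and a minimal extension set.

```javascript
const { createHash } = require("node:crypto");

// Constructed ClientHello: record hdr, handshake hdr, version, random, session id,
// ciphers (GREASE, 0x1301, 0x1302, 0xc02f), compression, then four extensions.
const SAMPLE_HELLO = Buffer.from(
  "160301004f" + "0100004b" + "0303" + "00".repeat(32) + "00" +
  "0008" + "0a0a" + "1301" + "1302" + "c02f" + "0100" +
  "001a" + "1a1a0000" + "00170000" +
  "000a0008" + "0006" + "0a0a001d0017" + "000b0002" + "01" + "00", "hex");

// GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are random per connection; JA3 ignores them.
const isGrease = (v) => (v & 0x0f0f) === 0x0a0a && (v >> 8) === (v & 0xff);

// Big-endian 16-bit values in [start, end), GREASE removed, order preserved.
function u16List(buf, start, end) {
  const out = [];
  for (let i = start; i + 1 < end; i += 2) out.push(buf.readUInt16BE(i));
  return out.filter((v) => !isGrease(v));
}

function ja3String(rec) {
  if (rec[0] !== 0x16 || rec[5] !== 0x01) throw new Error("not a ClientHello record");
  let p = 9;                                           // skip record + handshake headers
  const version = rec.readUInt16BE(p); p += 2 + 32;    // legacy_version, then random
  p += 1 + rec[p];                                     // session_id
  const csLen = rec.readUInt16BE(p); p += 2;
  const ciphers = u16List(rec, p, p + csLen); p += csLen;
  p += 1 + rec[p];                                     // compression methods
  const exts = [], groups = [], formats = [];
  const extEnd = p + 2 + rec.readUInt16BE(p); p += 2;
  while (p + 4 <= extEnd) {
    const type = rec.readUInt16BE(p), len = rec.readUInt16BE(p + 2), d = p + 4;
    if (!isGrease(type)) exts.push(type);
    if (type === 10) groups.push(...u16List(rec, d + 2, d + len));   // supported_groups
    if (type === 11) formats.push(...rec.subarray(d + 1, d + len));  // ec_point_formats
    p = d + len;
  }
  return [version, ciphers.join("-"), exts.join("-"), groups.join("-"), formats.join("-")].join(",");
}

const ja3 = (rec) => createHash("md5").update(ja3String(rec)).digest("hex");

console.log(ja3String(SAMPLE_HELLO), ja3(SAMPLE_HELLO));
```

Reordering two cipher suites changes the hash while swapping one GREASE value for another does not, which is why the signature tracks the browser build rather than the individual connection.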
06 what VPNs and incognito actually do
A VPN hides the TCP-layer public IP your ISP assigned you. That's it. That's one field out of thirteen in the dossier above. Everything else — canvas hash, WebGL renderer, installed fonts, TLS JA4, WebRTC-leaked LAN IP — a VPN does nothing about. A reputable VPN does make it harder to correlate your activity with your physical location. That's real. It also means the marketing that says "privacy" instead of "IP-layer unlinkability" is doing heavy lifting.
Incognito mode is even narrower. It stops the browser from writing cookies and history to disk on this machine. It does nothing on the network. Every request you send looks identical to a non-incognito request from the same browser. Fingerprinting works exactly the same.
| tool | hides IP? | hides fingerprint? | hides TLS signature? |
|---|---|---|---|
| incognito mode | no | no | no |
| commercial VPN | yes | no | no |
| uBlock Origin + medium mode | no | partial | no |
| Brave / LibreWolf | no | reduces uniqueness | shifts bucket |
| Tor Browser | yes | yes (standardized) | yes (standardized) |
07 what actually moves the needle
If you want to reduce the dossier, the interventions that work — roughly in order of effort vs. payoff — are:
- Turn on your browser's fingerprinting defense. Firefox has privacy.resistFingerprinting. Brave ships with "strict" fingerprint protection. These lie to sites about canvas, WebGL, and fonts — not perfectly, but enough to collapse your uniqueness meaningfully.
- Disable WebRTC peer discovery or set the force-relay policy. Chrome extensions like WebRTC Network Limiter do this. uBlock Origin has a one-checkbox version.
- Use uBlock Origin in medium mode. It blocks third-party scripts and frames by default, which stops most fingerprinting libraries from loading at all.
- Tor Browser, for the sessions that matter. Its whole design philosophy is to make every Tor user look identical. You pay for this in speed and some site breakage. For the subset of your life that actually needs anonymity, that tradeoff is usually worth it.
- Accept that you will still be fingerprinted by state-level actors. These defenses raise cost. They don't make you invisible to anyone with real resources. The useful goal is not being cheap to track at scale, not zero information leakage.
08 how to read your snitchtest result
SNITCHTEST runs 18 live tests in parallel when you click the button. Each row shows the data point, the value the test extracted from your browser, and a factual note. Red rows are leaks that expose you. Amber rows are neutral telemetry. Green rows are tests you passed — defenses in place, a signal blocked, a request refused.
What to scan for first:
- WebRTC local IP row. If it shows your LAN IP while you're on a VPN, that's a leak, full stop. Fix it before you fix anything else.
- Canvas + audio + WebGL rows. If all three show unique values, you're a fingerprinting bullseye. Installing a fingerprint-defense extension or switching to Brave will visibly change those values on your next run.
- Timezone + language vs. IP country. A mismatch (IP in Frankfurt, timezone America/New_York, language en-US) is a signal you're on a VPN — not a leak, but a classification signal advertisers use.
- DNT / GPC rows. These are privacy-signal standards your browser can send. Most sites ignore them, but the laws pointing at some of them (CCPA, Colorado Privacy Act) are starting to treat them as opt-out. Turning them on costs nothing.
09 faq
What is browser fingerprinting?
A tracking technique that combines dozens of technical details a browser voluntarily reports (screen size, timezone, fonts, GPU, audio stack, TLS signature, and many more) into a single identifier that is unique to most individual browsers. Unlike cookies, a fingerprint cannot be deleted because it follows the hardware and browser, not the storage.
Can a VPN stop browser fingerprinting?
No. A VPN hides your public IP address only. Everything else a fingerprinting script reads (canvas hash, WebGL renderer, installed fonts, TLS JA4, language, timezone, hardware details) is untouched by a VPN. Your fingerprint is identical with or without the VPN connected.
Does incognito or private browsing stop tracking?
No. Incognito mode prevents the browser from writing cookies and history to local disk on your computer. It does nothing on the network side. Every request from an incognito tab carries exactly the same fingerprint as a normal tab.
What is a WebRTC leak?
WebRTC is the browser API for video calls. It enumerates all of your operating system's network interfaces to find call routes, which means it can expose your LAN IP and often your real public IP even while a VPN is active. A WebRTC leak happens when a website silently opens a WebRTC connection it never completes, just to collect the IPs it returns.
What is canvas fingerprinting?
A technique where a page asks the browser to draw a small image using HTML canvas, then hashes the pixel data. Different combinations of GPU, driver, OS, and browser produce subtly different pixel output. The hash is unique to the machine and survives clearing cookies or switching to incognito mode.
What is TLS fingerprinting (JA3 / JA4)?
TLS fingerprinting identifies the software making an HTTPS connection by inspecting the TLS ClientHello packet's cipher suite list and extension order. Every browser version has a recognizable signature. JA3 is the older format, JA4 is the newer. Unlike JavaScript-based fingerprinting, TLS fingerprinting works server-side on the first packet and cannot be blocked by an extension.
What actually stops browser fingerprinting?
Enabling browser-level fingerprint protection (Firefox privacy.resistFingerprinting, or Brave Shields with Strict fingerprinting), installing uBlock Origin to block third-party scripts, and blocking WebRTC peer discovery. For the strongest anonymity, Tor Browser makes every user look identical but costs speed and site compatibility. Full walkthrough: How to Actually Stop Fingerprinting.
10 the short version
The web was not designed to be private. It was designed to let pages render correctly across an impossible diversity of machines, and the APIs that enable that correctness are also the APIs that turn your machine into a uniquely shaped key. Hiding your IP without hiding anything else is the online equivalent of putting a hat on before a fingerprint scan.
The goal isn't paranoia. The goal is knowing what's actually leaking so you can decide what to patch, what to accept, and when to stop trusting tools whose marketing is writing checks their engineering doesn't cash.
SNITCHTEST runs all of the tests above live in your browser. Nothing is sent to a server. Click, watch the data come back, and decide what to do about it.