🔍 Frequently Asked Questions

Browser fingerprinting is a sophisticated tracking technique that collects detailed information about your browser configuration, device hardware, and software environment to create a unique identifier that can track you across websites without using cookies. This technique gathers dozens of data points including your screen resolution, installed fonts, browser plugins, timezone, language settings, canvas rendering characteristics, WebGL capabilities, audio context properties, hardware specifications, and even subtle differences in how your browser renders web content. According to the EFF's Panopticlick Study, 83.6% of browsers have completely unique fingerprints, making this an extremely effective tracking method. Unlike cookies which users can delete or block, fingerprinting passively collects information your browser naturally reveals during normal operation, making it nearly impossible to detect or prevent without specialized tools. The technique has become increasingly sophisticated, with modern fingerprinting scripts analyzing hundreds of browser and device characteristics to create highly stable identifiers that persist across sessions, private browsing modes, and even after clearing cookies and cache.

Cookies and browser fingerprinting represent fundamentally different approaches to web tracking with distinct characteristics and implications. Cookies are small text files that websites store on your device with your browser's cooperation, containing explicit identifiers and preferences that you can view, delete, or block using browser settings or extensions. They require user consent in many jurisdictions under laws like GDPR and ePrivacy Directive, giving you some control over their use. Browser fingerprinting, in contrast, operates by passively reading information your browser naturally reveals during normal operation—it doesn't store anything on your device and works by analyzing your unique combination of browser characteristics, device specifications, and software configurations. This makes fingerprinting much harder to detect and prevent since it exploits standard web technologies that websites need for legitimate functionality. While users can easily clear cookies or use privacy modes that block them, these actions have no effect on browser fingerprints. The AmIUnique Project found that fingerprinting remains effective even when users employ cookie-blocking tools, with 89% of fingerprints remaining unique over time. Furthermore, fingerprinting often happens without explicit user knowledge or consent, operating in a legal gray area in many jurisdictions.

Complete prevention of browser fingerprinting is extremely difficult due to the passive nature of information collection, but you can significantly reduce your fingerprint's uniqueness and tracking effectiveness through strategic countermeasures. The most effective approach is using Tor Browser, which is specifically engineered for anonymity by standardizing all user fingerprints—Tor users share nearly identical browser characteristics, reducing uniqueness to less than 5% compared to the general population's 83.6% according to EFF research. Alternative privacy-focused browsers like Brave (with its built-in fingerprinting protection) or Firefox with Enhanced Tracking Protection and privacy extensions can also substantially reduce trackability, though not to Tor's level. The key privacy principle is "blend in with the crowd"—making your browser configuration as common as possible rather than trying to be unique. This means avoiding obscure browsers, limiting browser extensions (ironically, too many privacy extensions can make you more unique), using standard screen resolutions, and resisting browser customization. Privacy tools like uBlock Origin, Privacy Badger, and CanvasBlocker can defend against specific fingerprinting techniques by blocking tracking scripts and randomizing certain browser characteristics. However, the FP-Scanner Study found that users who block too many browser features create unusual configurations that actually make them more identifiable. Therefore, the most practical approach combines using privacy-respecting browsers with moderate fingerprinting protections.

No, private or incognito mode provides absolutely zero protection against browser fingerprinting—this is one of the most common privacy misconceptions users hold. While private browsing modes prevent your browser from storing cookies, browsing history, form data, and search history locally on your device, they do nothing to change the information your browser reveals to websites you visit. Your browser fingerprint—which includes screen resolution, installed fonts, browser version, operating system, hardware specifications, WebGL renderer information, canvas fingerprinting data, audio context properties, timezone, language settings, and dozens of other characteristics—remains identical in private mode. Research by the AmIUnique Project confirms that browsers produce the exact same fingerprint whether operating in normal or private mode. This means advertisers, trackers, and websites can identify and follow you just as effectively in incognito mode as in regular browsing. Private mode is useful for preventing other people who use your device from seeing your browsing history, but it offers no protection against external tracking by websites and third parties. The FP-Scanner Study found that 94% of users incorrectly believe private mode provides significant privacy protection against online tracking. For actual protection against fingerprinting, you need privacy-focused browsers like Tor Browser, Brave with fingerprinting protection enabled, or Firefox with Enhanced Tracking Protection and appropriate privacy extensions.

Browser fingerprinting is employed by a diverse range of organizations across multiple industries, each with different motivations and use cases. Major advertising networks including Google (via DoubleClick and AdSense), Facebook/Meta (via Facebook Pixel and third-party integrations), Amazon, and numerous smaller ad tech companies use fingerprinting extensively to track users across websites for behavioral advertising and attribution measurement, enabling them to build detailed profiles and target ads with precision even when cookies are blocked. Analytics companies like Adobe Analytics, Mixpanel, and Segment incorporate fingerprinting to track user journeys and measure engagement across properties. E-commerce platforms and financial services deploy fingerprinting as a fraud prevention tool, analyzing device characteristics and behavioral patterns to detect account takeovers, payment fraud, and suspicious transactions—this represents one of the more legitimate use cases where fingerprinting provides genuine security benefits. Content providers and media companies use fingerprinting to enforce paywalls and access restrictions. Security vendors incorporate fingerprinting into bot detection and DDoS mitigation systems. According to research, approximately 67% of popular websites implement some form of fingerprinting technology. While some applications like fraud prevention provide clear benefits to users, the pervasive use for advertising and profiling raises significant privacy concerns, particularly as this tracking often occurs without meaningful user consent or awareness.

The legality of browser fingerprinting varies significantly by jurisdiction and exists in a complex legal gray area in many countries, with regulations struggling to keep pace with technological developments. In the European Union, the ePrivacy Directive (also known as the Cookie Law) has been interpreted by data protection authorities to cover fingerprinting, requiring user consent before implementation since it involves accessing and processing information stored on user devices. The GDPR also applies when fingerprinting processes personal data or creates identifiers that can be linked to individuals, requiring legal basis (typically consent), transparency about data processing, and respecting user rights to access and deletion. However, enforcement remains inconsistent, and many websites continue fingerprinting without proper consent mechanisms. In the United States, there is no comprehensive federal law specifically addressing browser fingerprinting. The California Consumer Privacy Act (CCPA) and its successor CPRA provide some protections by giving users rights over personal information including the right to opt-out of data sales, which could apply to fingerprinting data. In most other jurisdictions worldwide, fingerprinting operates in legal uncertainty—not explicitly prohibited but not clearly permitted either. The fundamental challenge is that traditional privacy laws focused on stored data and cookies, while fingerprinting operates differently by passively observing browser characteristics, making it difficult for regulators to apply existing frameworks.

Browser fingerprinting collects an extensive array of information that collectively creates a unique identifier, far beyond what most users realize their browsers reveal. Basic system information includes your operating system type and version, browser name and version, screen resolution and color depth, timezone and language settings, and installed fonts (which can reveal hundreds of distinct fonts). Hardware characteristics captured include CPU class and cores, available memory, GPU vendor and renderer (via WebGL), battery status, and touchscreen capabilities. Network information includes your IP address, connection type, and network topology hints. Advanced fingerprinting techniques employ canvas fingerprinting (analyzing tiny rendering differences in how your browser draws graphics), WebGL fingerprinting (leveraging graphics card variations), audio context fingerprinting (exploiting subtle differences in audio processing), and font fingerprinting (detecting available fonts through rendering measurements). Behavioral characteristics analyzed include typing patterns, mouse movement trajectories, scrolling behaviors, and interaction timings. Plugin detection identifies installed browser extensions and their configurations. The FP-Scanner Study documented that modern fingerprinting scripts typically collect 50-100 distinct data points, with some sophisticated implementations gathering over 200 characteristics. The power of fingerprinting comes not from any single data point but from the unique combination—while many users might share your operating system or screen resolution individually, the specific combination of all characteristics becomes highly distinctive, making this one of the most comprehensive and invasive tracking methods available.

Browser fingerprint stability varies considerably depending on user behavior, device type, and software update patterns, but research shows fingerprints can remain trackable for extended periods even as individual characteristics change. The AmIUnique Project's longitudinal study found that 89% of browser fingerprints remained uniquely identifiable over a 90-day period despite minor variations in browser versions, installed extensions, or other characteristics. Desktop computers typically maintain more stable fingerprints than mobile devices, with some desktop fingerprints remaining consistent for 6-12 months or longer when users maintain relatively static software configurations. Mobile devices tend to have shorter fingerprint lifespans due to more frequent operating system updates, app installations/removals, and device setting changes. However, sophisticated fingerprinting systems employ evolution tracking algorithms that can recognize when a fingerprint has changed slightly, linking the old and new versions by analyzing patterns of change and correlating them with other identifying information like browsing patterns or IP address ranges. Major changes that alter your fingerprint include: operating system upgrades, browser updates that change rendering characteristics, adding or removing browser extensions, changing screen resolution, modifying system fonts, or upgrading graphics drivers. Even with these changes, trackers can often maintain continuity by using probabilistic matching—if most of your fingerprint characteristics remain the same while a few change predictably (like a browser version incrementing), algorithms can infer that you're the same user. Only major system changes like switching to a completely different browser, operating system, or device will typically create an entirely new fingerprint that can't be easily linked to your previous identity.

In the context of browser fingerprinting, entropy is a measure borrowed from information theory that quantifies how much identifying power a specific browser attribute contributes, expressed in bits. An attribute that can take one of two equally probable values carries 1 bit of entropy; one that can take 1,024 equally probable values carries 10 bits. The EFF's Panopticlick study calculated that the average browser fingerprint carries approximately 18 bits of identifying entropy — meaning it can distinguish your browser from roughly 262,144 others (2¹⁸). High-entropy attributes include the full user agent string (encoding browser version, OS, and CPU architecture), the list of installed fonts (~13 bits), the canvas rendering hash (~11 bits), and the WebGL renderer string. Low-entropy attributes like "does the browser have cookies enabled" contribute barely a fraction of a bit because almost all browsers answer "yes." Understanding entropy helps explain why fingerprinting is so effective: no single attribute uniquely identifies you, but the sum of dozens of attributes with even modest individual entropy quickly creates a globally rare combination. The practical implication for privacy is that reducing your fingerprint's entropy — by using a common browser version, avoiding rare fonts, and using a standard screen resolution — makes you less identifiable, even if it does not make you completely anonymous.

A uniqueness score measures how rare or common your browser fingerprint is within a reference population of observed fingerprints. Tools like Fingerprint Tools, AmIUnique, and the EFF's Cover Your Tracks compute this by comparing your collected fingerprint attributes against a database of previously seen fingerprints and reporting what percentage of users share an identical combination of values. A uniqueness score of 100% means no other fingerprint in the database matches yours exactly — you are, statistically, identifiable on that characteristic alone. A score of 50% means half of observed browsers share your fingerprint, providing much better anonymity. The calculation works in two ways: exact matching (does any other user share all attributes identically?) and per-attribute rarity scoring (how common is each individual value, and how does the combination of rare values compound?). The per-attribute entropy model sums bits across attributes to produce a total entropy figure. From a privacy standpoint, you want your uniqueness score to be as low as possible — ideally sharing your fingerprint with thousands of other users, which is what privacy-hardened browsers like Tor Browser achieve by standardising all user environments to look identical. A score above 90% means fewer than 1 in 10 users in the tested population share your configuration, indicating high tracking risk.

WebGL fingerprinting exploits the browser's hardware-accelerated 3D graphics API to derive a stable identifier from your GPU's specific characteristics. It works through two main approaches. The first approach uses the WEBGL_debug_renderer_info extension, which exposes plain-text strings identifying your GPU vendor (e.g., "NVIDIA Corporation") and the exact renderer model (e.g., "NVIDIA GeForce RTX 4080/PCIe/SSE2"). These strings encode the exact GPU chip, driver generation, and platform — they remain stable as long as the GPU and driver remain unchanged. The second approach renders a complex 3D scene — specific geometric shapes, lighting conditions, texture coordinates, and shader programs — and reads back the pixel values. Because GPU architectures differ in floating-point precision, shader compiler optimisations, anti-aliasing implementations, and texture filtering algorithms, the rendered pixel output varies measurably between GPU models and driver versions. Hashing this output produces a compact, stable identifier. Research by Mowery and Shacham (2012) first documented this technique, and Princeton's 2014 web measurement study found WebGL fingerprinting deployed on approximately 47% of the top 10,000 websites. Modern browsers have restricted the debug renderer info extension in some configurations, but the rendering-based approach remains largely unmitigated across all major browsers.

Font fingerprinting detects which fonts are installed on your operating system by exploiting font rendering differences measurable through JavaScript and CSS. Your installed font list is a highly personal attribute — it reflects your OS, installed software (Microsoft Office installs specific fonts, Adobe Creative Suite installs others), locale, and manual customisation, making it one of the highest-entropy fingerprinting signals available. The classical CSS-based detection method works by creating a hidden HTML element, setting it to a test font (e.g., "Helvetica"), measuring its rendered pixel dimensions, then switching to a fallback generic font ("serif") and measuring again — if the dimensions match the test font's known metrics, that font is present. A more precise canvas-based method renders text in a specific font and compares the pixel hash against a reference. Iterating across hundreds of candidate font names can precisely map your entire font catalogue in a few hundred milliseconds. The AmIUnique study (INRIA, 2016) found that font lists contribute approximately 13 bits of entropy to a fingerprint — among the highest of any individual attribute. Privacy-focused browsers like Tor Browser and Brave restrict font access to a whitelist of standard system fonts, preventing this detection method from revealing your full font library and significantly reducing fingerprint uniqueness.

Behavioral fingerprinting builds a unique identifier from how you physically interact with your device, rather than from static browser or hardware characteristics. Observable behavioral signals include mouse movement trajectories and micro-tremors, typing cadence (inter-key timing intervals and key dwell times), scroll velocity and patterns, touch pressure and swipe geometry on touchscreens, and device tilt data from accelerometers and gyroscopes on mobile devices. Because these patterns are rooted in individual neuromuscular characteristics shaped by motor habits, handedness, fatigue, and neurological factors, they are extremely difficult to mimic or mask programmatically. Machine learning classifiers trained on behavioral datasets have achieved per-user re-identification accuracy exceeding 95% in controlled research settings. Behavioral fingerprinting requires active user interaction — a passive page load doesn't capture it; you need to move your mouse, type, or scroll. Once a baseline profile is established from one session, subsequent sessions can be matched with high confidence. Commercial applications include continuous authentication systems (verifying identity throughout a banking session), online exam proctoring (detecting if a different person takes over the keyboard), fraud detection, and anti-bot systems. Unlike passive fingerprinting, behavioral signals are difficult to block without also disabling mouse events and keyboard input, which would break most web applications.

No — a VPN provides essentially zero protection against browser fingerprinting, and this is one of the most important misconceptions to understand for practical privacy. A VPN routes your traffic through an intermediary server, replacing your real IP address with the VPN server's IP and encrypting the traffic between you and the server. This effectively hides your IP from websites and prevents your ISP from seeing which sites you visit. However, your browser fingerprint — the unique combination of canvas rendering, WebGL GPU hash, installed fonts, screen resolution, navigator properties, audio processing output, language settings, timezone, and dozens of other attributes — is completely unaffected by VPN use. A tracking script running in your browser sees exactly the same fingerprint whether or not you're connected to a VPN. A company that has fingerprinted you can instantly re-identify you on a new VPN session because the fingerprint has not changed. VPNs also fail to prevent WebRTC leaks, which can expose your real IP alongside the VPN IP. For meaningful protection against fingerprinting, you need browser-level countermeasures — specifically a privacy browser like Tor Browser or Brave — not a network-layer tool like a VPN. VPNs and browser privacy measures are complementary, not interchangeable: use a VPN to hide your IP and encrypt ISP traffic; use a privacy browser to reduce your fingerprint.

Panopticlick was a landmark browser fingerprinting research project launched by the Electronic Frontier Foundation (EFF) in 2010, later rebranded as Cover Your Tracks (coveryourtracks.eff.org). It was among the first tools to demonstrate browser fingerprint uniqueness at scale: the initial study analysed over 470,000 browser fingerprints and found that 83.6% had completely unique fingerprints, and 94.2% were unique among those with Flash or Java enabled. The study introduced the bits-of-entropy methodology for measuring fingerprint identifying power, which has since become the standard metric in privacy research. Its results were widely cited in GDPR policy discussions and privacy advocacy. The rebranded Cover Your Tracks version extends the original by also testing whether a browser's tracking protections correctly block known fingerprinting scripts from a real-world tracker blocklist — providing both a fingerprint analysis and a tracker-blocking effectiveness rating. The tool shows users their fingerprint in detail, reports how many bits of identifying information it contains, and compares it against the general browsing population. The EFF has used aggregate data from Cover Your Tracks to publish longitudinal research on how browser privacy features have evolved over time.

Brave Browser implements a multi-layered fingerprinting protection strategy using a randomisation approach that differs philosophically from Tor Browser's standardisation approach. While Tor makes all users appear identical (maximising the anonymity set), Brave injects calibrated noise into fingerprinting APIs on a per-session and per-origin basis. For canvas fingerprinting, Brave adds subtle, imperceptible random noise to canvas pixel data, producing a different hash each session so that a tracker cannot build a stable cross-session identifier. For WebGL, Brave applies similar noise to shader outputs and restricts the WEBGL_debug_renderer_info extension. Audio context outputs are randomised per origin. Brave also normalises the Accept-Language header to only the primary language (removing locale sub-tags), spoofs a generic hardware concurrency value, and partitions browser storage strictly by top-level site to prevent cross-site identity correlation. In "Aggressive" fingerprinting protection mode, Brave additionally blocks known fingerprinting scripts. Independent testing by privacytests.org and the EFF Cover Your Tracks found Brave to be among the most effective fingerprinting-resistant mainstream browsers. The key advantage of Brave's approach over Tor is compatibility: by randomising rather than blocking APIs entirely, most websites continue to function normally while tracking scripts receive useless, session-unique values that cannot be cross-correlated.

Yes — this is one of the most counterintuitive findings in privacy research, often called the "privacy paradox of extensions." Installing many privacy extensions can make your browser fingerprint more unique, not less, because each extension potentially modifies your browser's behavior in distinctive ways. Extensions can alter the list of supported MIME types, add or remove navigator properties, modify how certain APIs respond, inject additional DOM elements, change canvas rendering behavior, and appear in plugin enumeration. The specific combination of extensions you have installed — for example, uBlock Origin + Privacy Badger + CanvasBlocker + a specific version of a cookie manager — creates a configuration shared by very few other users worldwide. Research by Laperdrix et al. (INRIA, 2016) found that extension-modified browsers were often more unique than unmodified ones. The practical lesson is that quality beats quantity: a few well-chosen, widely-used extensions (uBlock Origin is used by hundreds of millions of people, making its fingerprint contribution diluted in a large population) are better than a collection of niche privacy tools each used by a tiny population. The ideal approach, as implemented by Tor Browser, is to have all users run the exact same browser with the same configuration — maximising the shared anonymity set rather than trying to hide through individually blocking everything.

Passive fingerprinting collects data entirely from information the browser transmits automatically with every request, without any JavaScript execution. This includes HTTP request headers (User-Agent, Accept, Accept-Language, Accept-Encoding, and the order they appear in), TLS ClientHello parameters (cipher suites, supported extensions, elliptic curves — summarised by the JA3 hash), IP address, and network-level timing. Passive fingerprinting is completely invisible to users and cannot be blocked by script blockers, NoScript, or ad blockers because it happens at the network layer before any page content executes. Active fingerprinting requires executing JavaScript code in the browser to query APIs that reveal hardware and software characteristics — canvas rendering, WebGL GPU details, audio processing, navigator properties, screen dimensions, installed fonts, and so on. Active fingerprinting is more powerful (more data points, higher entropy) but can theoretically be blocked by script-blocking tools and privacy extensions. In practice, modern tracking deployments combine both techniques: passive TLS and HTTP fingerprinting establish a preliminary device profile before the page even loads, which is then enriched by active JavaScript fingerprinting once the page executes. This combination is particularly difficult to defend against comprehensively, because mitigating one layer leaves the other intact.

Yes — fraud detection and security is one of the most widely cited legitimate applications of browser fingerprinting, and arguably its most socially beneficial use case. Financial institutions, e-commerce platforms, gaming companies, and identity verification services deploy fingerprinting to detect account takeovers, card-not-present payment fraud, credential stuffing attacks, and multi-accounting abuse. The logic is straightforward: if you normally log into your bank account from a consistent device fingerprint and a login suddenly arrives from a different fingerprint combined with a new IP geolocation, this is a strong signal of potential account compromise requiring additional verification. Fingerprinting in fraud contexts works in a probabilistic scoring model: a returning known-good device fingerprint lowers the risk score, while an unknown fingerprint increases scrutiny and may trigger MFA challenges. Unlike advertising-oriented fingerprinting, fraud prevention creates direct value for the user whose account is being protected. Companies like Sift, Kount (Equifax), Forter, and FingerprintJS Pro specifically market device fingerprinting for fraud prevention. The legal treatment of fraud-prevention fingerprinting is generally more favourable — the GDPR's "legitimate interest" basis may apply more clearly than in advertising contexts, and several data protection authorities have acknowledged fraud prevention as a valid use case with appropriate safeguards.

TLS fingerprinting identifies a client's software from the parameters of the TLS handshake — specifically the ClientHello message sent when establishing an encrypted HTTPS connection. Every TLS library (embedded in every browser) has a characteristic way of constructing the ClientHello: it specifies supported cipher suites, TLS extensions, compression methods, elliptic curves, and signature algorithms in a specific order that differs between library implementations and versions. JA3 and JA3S are the most widely used TLS fingerprinting algorithms, created by John Althouse at Salesforce in 2017. JA3 takes the TLS version, cipher suites, extensions, elliptic curves, and curve formats from a ClientHello and hashes them into a 32-character MD5 string. A specific JA3 hash reliably identifies not just the browser family but often the exact library version — for example, Chrome 120 on Windows produces a different JA3 hash than Chrome 120 on macOS. TLS fingerprinting is entirely passive and server-side — it requires no JavaScript, leaves no browser-visible trace, and cannot be blocked by any browser extension or privacy setting. It is widely deployed by CDNs, web application firewalls (Cloudflare, Akamai, Fastly), and bot detection systems to distinguish legitimate browser traffic from automated scripts, scrapers, and malware.

A supercookie is any tracking mechanism that stores a persistent identifier in a browser storage channel that cannot be cleared through standard browser controls — typically by exploiting browser caches, security policy stores, or other persistent state that survives cookie deletion. The most notorious example is the HSTS supercookie: by setting HTTP Strict Transport Security policies on a chosen set of subdomains, a tracker can encode a binary bit pattern in the HSTS cache (a subdomain either has or doesn't have a cached HSTS policy) that persists until the policies expire. Other supercookie techniques include ETags (HTTP cache validation tokens that store arbitrary identifiers), localStorage, IndexedDB, and window.name persistence. The key characteristic is that they survive standard "delete cookies and history" browser actions because they live in storage channels users typically cannot inspect or clear easily. Samy Kamkar's EverCookie library (2010) demonstrated storing an identifier across 16 different storage mechanisms simultaneously — clearing any one simply restores the identifier from the others. Modern browsers have significantly mitigated many supercookie techniques through storage partitioning — isolating cache and storage by top-level site — implemented in Firefox (2021), Chrome (2023), and Safari (2020). However, new techniques continue to be discovered, and complete elimination of supercookie-style tracking remains an active area of browser engineering.

Detecting whether a website is actively fingerprinting you requires a combination of browser developer tools, dedicated testing services, and browser extensions. The most practical first step is to use a dedicated fingerprinting test tool: the EFF's Cover Your Tracks (coveryourtracks.eff.org), AmIUnique (amiunique.org), or this site's own fingerprint analyser show exactly what information your browser reveals. For active investigation of a specific website, open your browser's Developer Tools (F12): in the Network tab, look for requests to known fingerprinting endpoints or third-party domains; in the Sources tab, search loaded JavaScript files for keywords like canvas, WebGL, audioContext, navigator, or getClientRects — APIs commonly used in fingerprinting. The Privacy Badger extension from the EFF and uBlock Origin with privacy filter lists both detect and block many known fingerprinting scripts. EFF's Cover Your Tracks also tells you whether known tracking scripts are successfully blocked by your current setup. For scanning a site without visiting it, Blacklight (themarkup.org/blacklight) by The Markup automatically reports which tracking technologies a website deploys, including canvas and WebGL fingerprinting — a powerful tool for due-diligence privacy checks.

L'empreinte de navigateur est une technique de suivi sophistiquée qui collecte des informations détaillées sur votre navigateur, votre matériel et votre logiciel pour créer un identifiant unique permettant de vous suivre sur les sites web sans utiliser de cookies. Selon l'étude Panopticlick de l'EFF, 83,6 % des navigateurs ont des empreintes entièrement uniques. Contrairement aux cookies que les utilisateurs peuvent supprimer ou bloquer, l'empreinte collecte passivement les informations que votre navigateur révèle naturellement.

Les cookies sont de petits fichiers texte que les sites web stockent sur votre appareil — vous pouvez les voir, les supprimer ou les bloquer. L'empreinte de navigateur, en revanche, fonctionne en lisant passivement les informations que votre navigateur révèle naturellement : elle ne stocke rien sur votre appareil et exploite des technologies web standard. Le projet AmIUnique a constaté que l'empreinte reste efficace même lorsque les cookies sont bloqués, avec 89 % des empreintes restant uniques dans le temps.

La prévention complète est extrêmement difficile, mais vous pouvez réduire considérablement l'unicité de votre empreinte. L'approche la plus efficace consiste à utiliser Tor Browser, qui standardise toutes les empreintes utilisateurs. Les navigateurs Brave ou Firefox avec la protection renforcée contre le suivi peuvent également réduire considérablement le traçage. Le principe clé est de « se fondre dans la masse » — rendre la configuration de votre navigateur aussi commune que possible.

Non — le mode privé n'offre aucune protection contre l'empreinte de navigateur. Bien qu'il empêche votre navigateur de stocker les cookies et l'historique localement, votre empreinte reste identique en mode privé. La recherche d'AmIUnique confirme que les navigateurs produisent exactement la même empreinte en mode normal ou privé. Pour une protection réelle contre l'empreinte, vous avez besoin de navigateurs axés sur la confidentialité comme Tor Browser ou Brave.

L'empreinte de navigateur est utilisée par divers acteurs : les réseaux publicitaires (Google, Facebook/Meta) pour le suivi comportemental, les services d'analyse, les plateformes de commerce électronique pour la prévention de la fraude, et les fournisseurs de contenu pour appliquer les restrictions d'accès. Selon des recherches, environ 67 % des sites populaires mettent en œuvre une forme de technologie d'empreinte.

La légalité varie selon les pays. Dans l'Union européenne, la directive ePrivacy a été interprétée comme couvrant l'empreinte, nécessitant le consentement de l'utilisateur. Le RGPD s'applique également lorsque l'empreinte traite des données personnelles. Aux États-Unis, il n'existe pas de loi fédérale complète sur l'empreinte, bien que la CCPA/CPRA californienne offre certaines protections.

L'empreinte de navigateur collecte : informations système (OS, navigateur, résolution d'écran, fuseau horaire), caractéristiques matérielles (CPU, GPU, mémoire), techniques avancées (empreinte canvas, WebGL, audio, polices de caractères) et comportements de l'utilisateur. L'étude FP-Scanner a documenté que les scripts modernes collectent généralement 50 à 100 points de données distincts, certaines implémentations en recueillant plus de 200.

L'étude longitudinale d'AmIUnique a constaté que 89 % des empreintes restaient uniquement identifiables sur une période de 90 jours. Les ordinateurs de bureau maintiennent généralement des empreintes plus stables que les appareils mobiles. Les systèmes de suivi sophistiqués emploient des algorithmes de suivi d'évolution qui peuvent reconnaître quand une empreinte a légèrement changé, liant les anciennes et nouvelles versions.

L'entropie mesure le pouvoir d'identification d'un attribut de navigateur, exprimé en bits. L'étude Panopticlick de l'EFF a calculé que l'empreinte de navigateur moyenne contient environ 18 bits d'entropie identifiante — soit la capacité de distinguer votre navigateur parmi environ 262 144 autres. Plus l'entropie est élevée, plus votre empreinte est unique et traçable.

L'empreinte WebGL exploite l'API graphique 3D du navigateur pour dériver un identifiant stable à partir des caractéristiques de votre GPU. Elle fonctionne selon deux approches : l'extension WEBGL_debug_renderer_info expose les chaînes d'identification du GPU, et le rendu d'une scène 3D complexe produit des variations de pixels mesurables entre modèles de GPU et versions de pilotes. Des recherches de Princeton ont trouvé l'empreinte WebGL déployée sur environ 47 % des 10 000 principaux sites.

L'empreinte de polices détecte les polices installées sur votre système d'exploitation en exploitant les différences de rendu mesurables via JavaScript et CSS. Votre liste de polices installées reflète votre OS, les logiciels installés et vos personnalisations. L'étude AmIUnique (INRIA, 2016) a trouvé que les listes de polices contribuent environ 13 bits d'entropie — parmi les plus élevés de tous les attributs individuels.

L'empreinte comportementale construit un identifiant unique à partir de la façon dont vous interagissez physiquement avec votre appareil : trajectoires de mouvement de la souris, cadence de frappe, comportements de défilement, pression tactile. Les classifieurs d'apprentissage automatique ont atteint des précisions de ré-identification supérieures à 95 % dans des contextes de recherche contrôlés. Les applications commerciales incluent l'authentification continue, la prévention de fraude et la détection de bots.

Non — un VPN offre essentiellement zéro protection contre l'empreinte de navigateur. Un VPN remplace votre adresse IP, mais votre empreinte de navigateur (canvas, WebGL, polices, résolution d'écran, etc.) reste complètement inchangée. Pour une véritable protection contre l'empreinte, vous avez besoin de mesures au niveau du navigateur, pas d'un outil réseau comme un VPN. Les VPN et les mesures de confidentialité du navigateur sont complémentaires, non interchangeables.

Panopticlick était un projet de recherche pionnier de l'Electronic Frontier Foundation (EFF), rebaptisé Cover Your Tracks. Il a démontré l'unicité des empreintes à grande échelle : l'étude initiale a analysé plus de 470 000 empreintes de navigateur et a constaté que 83,6 % étaient entièrement uniques. Il est disponible sur coveryourtracks.eff.org.

Brave implémente une stratégie de protection multi-couches utilisant la randomisation : il injecte du bruit calibré dans les API d'empreinte sur une base par session et par origine. Pour l'empreinte canvas, Brave ajoute un bruit aléatoire subtil aux données de pixels, produisant un hash différent à chaque session. Des tests indépendants ont classé Brave parmi les navigateurs grand public les plus résistants aux empreintes.

Oui — c'est l'une des découvertes les plus contre-intuitives de la recherche sur la vie privée. Installer de nombreuses extensions de confidentialité peut rendre votre empreinte plus unique, car chaque extension modifie potentiellement le comportement de votre navigateur. La combinaison spécifique d'extensions que vous avez installées crée une configuration partagée par très peu d'autres utilisateurs. La qualité prime sur la quantité : quelques extensions bien choisies et largement utilisées valent mieux qu'une collection d'outils de niche.

L'empreinte passive collecte des données uniquement à partir des informations que le navigateur transmet automatiquement (en-têtes HTTP, paramètres TLS) — entièrement invisible et impossible à bloquer par des bloqueurs de scripts. L'empreinte active nécessite l'exécution de JavaScript pour interroger les API révélant les caractéristiques matérielles et logicielles. En pratique, les déploiements de suivi modernes combinent les deux techniques.

Oui — la détection de fraude et de sécurité est l'une des applications légitimes les plus citées de l'empreinte de navigateur. Les institutions financières, les plateformes de commerce électronique et les services de vérification d'identité déploient l'empreinte pour détecter les prises de contrôle de comptes, la fraude aux paiements et les attaques de credential stuffing. Le traitement juridique de l'empreinte à des fins de prévention de la fraude est généralement plus favorable que pour la publicité.

L'empreinte TLS identifie le logiciel client à partir des paramètres du handshake TLS — spécifiquement le message ClientHello. JA3 et JA3S sont les algorithmes d'empreinte TLS les plus utilisés, créant un hash MD5 de 32 caractères à partir des paramètres TLS. L'empreinte TLS est entièrement passive et côté serveur — impossible à bloquer par des extensions de navigateur.

Un supercookie est tout mécanisme de suivi qui stocke un identifiant persistant dans un canal de stockage du navigateur qui ne peut pas être effacé par les contrôles standard. L'exemple le plus notoire est le supercookie HSTS. Les navigateurs modernes ont considérablement atténué de nombreuses techniques de supercookies grâce au partitionnement du stockage — implémenté dans Firefox (2021), Chrome (2023) et Safari (2020).

Pour détecter l'empreinte sur un site, utilisez des outils de test dédiés : EFF's Cover Your Tracks, AmIUnique, ou l'analyseur d'empreinte de ce site. Pour une investigation active, ouvrez les Outils de développement (F12) et recherchez dans les fichiers JavaScript chargés les mots-clés comme canvas, WebGL, audioContext ou navigator. Blacklight (themarkup.org/blacklight) analyse automatiquement quelles technologies de suivi un site déploie.