🛡️ Beyond cookies: browser fingerprinting in 2025 (Part 2)
This is part two of a blog post summarizing the state of browser fingerprinting in 2025. You can read part one here, where I went over the what, who, why, and how of browser fingerprinting. In this post, we’ll discuss how browsers protect against fingerprinting, and how you can protect yourself.
Protecting against fingerprinting
Trackers doing browser fingerprinting are essentially trying to divide users into buckets that are:
- diverse. If every user is in the same bucket (“uses an iPhone”), you haven’t learned much about the user.
- stable. If the user changes their fingerprint every time they visit your site, it’s not much of a fingerprint.
Browsers apply fingerprinting protections that are aimed at defeating this bucketing.
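To make the “diverse bucket” idea concrete, here is an added example (not code from the original post) that measures how much a tracker learns from a fingerprint attribute as Shannon entropy over a population. The population is constructed for illustration, not measured data; the attribute names and values are assumptions. An attribute every user shares is worth zero bits, an attribute that splits users evenly into two buckets is worth one bit, and several weak attributes combined into a tuple can still add up to a unique fingerprint.

```javascript
// Added example, not code from the original post: how much a tracker learns
// from a fingerprint attribute, measured as Shannon entropy over a population.
// A "diverse" attribute splits users into many buckets (high entropy); an
// attribute every user shares ("uses an iPhone") is worth zero bits.

// Constructed sample population (not real measurements): one record per visitor.
const CONSTRUCTED_POPULATION = [
  { device: "iPhone", screen: "390x844", fontCount: 31 },
  { device: "iPhone", screen: "390x844", fontCount: 32 },
  { device: "iPhone", screen: "390x844", fontCount: 33 },
  { device: "iPhone", screen: "390x844", fontCount: 34 },
  { device: "iPhone", screen: "430x932", fontCount: 35 },
  { device: "iPhone", screen: "430x932", fontCount: 36 },
  { device: "iPhone", screen: "430x932", fontCount: 37 },
  { device: "iPhone", screen: "430x932", fontCount: 38 },
];

// Count how many visitors fall into each bucket (distinct value).
function bucketCounts(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  return counts;
}

// Shannon entropy in bits: the average information one observation yields.
function entropyBits(values) {
  const counts = bucketCounts(values);
  const n = values.length;
  let h = 0;
  for (const c of counts.values()) {
    const p = c / n;
    h -= p * Math.log2(p);
  }
  return h;
}

// Surprisal of one observed value: bits learned about a visitor who shows it.
// A value only 1 of n users has is worth log2(n) bits; a universal value is worth 0.
function surprisalBits(values, observed) {
  const count = bucketCounts(values).get(observed) || 0;
  if (count === 0) return Infinity; // never seen: outside the population
  return -Math.log2(count / values.length);
}

// Entropy of each attribute on its own.
function attributeEntropies(population) {
  const out = {};
  for (const key of Object.keys(population[0])) {
    out[key] = entropyBits(population.map((r) => r[key]));
  }
  return out;
}

// Entropy of several attributes combined: the tuple is the bucket. This is why
// many low-entropy attributes can still add up to a unique fingerprint.
function combinedEntropyBits(population, keys) {
  return entropyBits(population.map((r) => keys.map((k) => String(r[k])).join("|")));
}

console.log("per-attribute bits:", attributeEntropies(CONSTRUCTED_POPULATION));
console.log("device+screen bits:", combinedEntropyBits(CONSTRUCTED_POPULATION, ["device", "screen"]));
console.log("all attributes bits:", combinedEntropyBits(CONSTRUCTED_POPULATION, ["device", "screen", "fontCount"]));
```

In this constructed population, `device` contributes 0 bits (everyone is on an iPhone), `screen` contributes 1 bit, and `fontCount` alone already separates all eight visitors (3 bits). The combined tuple is no more identifying than its most diverse member here, but in a real population the attributes are not nested like this and the combination is usually far more identifying than any single one.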
Consider the butterfly
Let’s imagine you’re a beautiful and unique butterfly, trying to avoid capture and identification by malicious lepidopterists who are looking for you (apologies in advance to worthy lepidopterists). You have two main strategies to avoid a future that involves being pinned up on a wall:
- hide in a crowd
- fly randomly
This is much like being a user on the Web, where you’re trying to avoid being fingerprinted by trackers.
Hiding in a crowd (avoid diverse buckets)
As a butterfly, you can evade capture by hiding your unique beauty in a crowd of other butterflies. The goal of “hiding in a crowd” (or herd immunity) is to make every browser look the same. This is the strategy used by Tor Browser and Mullvad. The way this works is that you remove APIs and capabilities that reveal a lot of information about the browser. Unfortunately, this often means that powerful APIs end up getting removed from the Tor Browser, which limits its widespread use. This might be fine for Tor Browser, which targets users with a higher-than-usual risk profile who typically care more about privacy than usability. But mainstream browsers with hundreds of millions of (mostly non-technical) users cannot afford to remove useful Web APIs. Having said that, major browsers frequently do remove APIs that are low-utility and high-fingerprintability such as the Topics API being removed by Brave, Safari and Firefox.
It’s worth noting that browsers that always run on similar hardware and software, like Apple’s Safari, benefit from the lack of diversity because individual users stand out less.
Fly randomly (avoid stable buckets)
As a butterfly, instead of trying to be the same as everyone else, you can zig-zag across the sky, evading capture. You can try to be as different as possible, every time.
This is Brave browser’s approach for many Web APIs: randomize the fingerprint per-session and per-site. This effectively means that your fingerprint will be unique for a website but different across every website (which defeats cross-site tracking), and will reset after every browsing session (which defeats cross-session tracking), similar to how cookies and state are cleared after a Private Browsing session.
Safari 17 introduced advanced fingerprinting protection (though only in Private Browsing mode) largely modeled on Brave’s fingerprinting approach of adding random noise to API output. Encouragingly, Safari 26 will enable advanced fingerprinting protection by default.
When this strategy of randomizing Web APIs works, you get both powerful Web APIs and privacy. In practice, this is very tricky to get right and can lead to web dev frustration and website breakage, when the injected randomness interferes with website functionality. Brave had to change their screen fingerprinting protection to report “one-of-few” outputs so as to place users in large buckets instead of purely randomizing.
Bonus: block known trackers
As a butterfly, you can also start a list containing photographs of lepidopterists so that you can distinguish them from harmless human friends, and you can share that with your butterfly friends, so you all know to stay away from the bad guys. This “crowdsourced blocklist of known bad actors” approach is surprisingly effective in Web privacy. You might (as a concerned butterfly) ask: What if a blocked lepidopterist just puts on a disguise? What if a new lepidopterist appears? And why are we still continuing with this butterfly analogy when it has clearly broken down several paragraphs ago and was probably broken to begin with? These are all valid questions.
A blocklist to block advertisers and trackers might not seem like a robust approach. But the truth is that most tracking on the Web is done by a few well-known companies, and if you block them, you protect yourself against most of the harms. Also, community lists are surprisingly well-maintained, with new rules being added (to counter new tracking scripts and requests) and removed (to counter website breakage) on the order of minutes.
Every browser uses blocklists in some way to block content: Firefox’s Enhanced Tracking Protection based on Disconnect and Brave’s ad & tracker blocking based on various community-maintained lists are good examples of this. Safari blocks known trackers in Private Browsing mode using a combination of EasyPrivacy and DuckDuckGo’s Tracker Radar. Chrome interestingly also uses this strategy to block “bad ads” using a modified form of EasyList.
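As an added example (not the engine of Brave, uBlock Origin, EasyList or any other project named above), here is a deliberately minimal matcher for a small subset of the Adblock Plus/EasyList filter syntax that these blocklists share: `||host^` domain-anchored rules, the `$third-party` option, and `@@` exception rules. The rules and URLs are constructed, the `.example` hosts are placeholders, and the registrable-domain check is approximated by the last two host labels (a real engine uses the public suffix list and supports far more syntax).

```javascript
// Added example, not any blocklist engine's real code: a minimal matcher for
// "||host^" rules with the $third-party option and "@@" exceptions.

// Constructed rules (not from EasyList/EasyPrivacy). Lines starting with "!" are comments.
const CONSTRUCTED_RULES = [
  "! block a tracker, but only when it is embedded on someone else's site",
  "||tracker.example^$third-party",
  "! block an ad host everywhere, first-party or not",
  "||ads.example^",
  "! exception: this subdomain serves a widget sites actually need",
  "@@||cdn.ads.example^",
];

// Parse one rule line into { host, exception, thirdPartyOnly }, or null if it is
// a comment or a rule form this simplified matcher does not support.
function parseRule(line) {
  let text = line.trim();
  if (!text || text.startsWith("!")) return null;
  const exception = text.startsWith("@@");
  if (exception) text = text.slice(2);
  const dollar = text.indexOf("$");
  const options = dollar >= 0 ? text.slice(dollar + 1).split(",") : [];
  if (dollar >= 0) text = text.slice(0, dollar);
  if (!text.startsWith("||") || !text.endsWith("^")) return null;
  return {
    host: text.slice(2, -1).toLowerCase(),
    exception,
    thirdPartyOnly: options.includes("third-party"),
  };
}

function parseRules(lines) {
  return lines.map(parseRule).filter((r) => r !== null);
}

// "||tracker.example^" matches tracker.example and any subdomain of it.
function hostMatches(host, ruleHost) {
  return host === ruleHost || host.endsWith("." + ruleHost);
}

// Assumption: registrable domain = last two labels. Good enough for ".example"
// placeholders; a real implementation consults the public suffix list.
function siteOf(host) {
  return host.split(".").slice(-2).join(".");
}

// Decide whether a request made by pageUrl should be blocked. Exceptions win
// over blocking rules, as they do in real engines.
function shouldBlock(rules, requestUrl, pageUrl) {
  const reqHost = new URL(requestUrl).hostname.toLowerCase();
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  const thirdParty = siteOf(reqHost) !== siteOf(pageHost);
  let blocked = false;
  for (const rule of rules) {
    if (!hostMatches(reqHost, rule.host)) continue;
    if (rule.thirdPartyOnly && !thirdParty) continue;
    if (rule.exception) return false;
    blocked = true;
  }
  return blocked;
}

const RULES = parseRules(CONSTRUCTED_RULES);
const page = "https://news.example/article";
for (const req of [
  "https://pixel.tracker.example/p.gif",
  "https://ads.example/ad.js",
  "https://cdn.ads.example/widget.js",
  "https://static.news.example/app.js",
]) {
  console.log(shouldBlock(RULES, req, page) ? "BLOCK " : "allow ", req);
}
```

The `$third-party` option is what lets a list block a company’s tracking pixel on every other site while leaving that company’s own site working, which is a large part of why these lists cause less breakage than one might expect.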
How do I protect myself?
Turn fingerprinting protections on!
In practice, browsers apply a mix of the above strategies, depending on the Web API or source of variance they’re trying to minimize. However, not every browser applies fingerprinting protection by default:
Safari
Enable Settings → Advanced → “Use advanced tracking and fingerprinting protection.” → “in all browsing”.
The current default is “in Private Browsing”, though this will change in Safari 26.
Firefox
Turn on Resist Fingerprinting in about:config. See instructions.
Brave
Fingerprinting protections applied automatically and by default.
Chrome
Chrome doesn’t currently do much against fingerprinters. They’re exploring blocking known third-party fingerprinting scripts in Incognito Mode.
Block trackers
If you don’t use a browser with a built-in ad and tracker blocker like Brave, use a good adblocking extension like uBlock Origin. On Chromium-based browsers, unfortunately, using adblocking extensions is becoming increasingly difficult given Google’s move to phase out Manifest V2 extensions.
Hide your IP address
IP addresses are stable network-level identifiers that browsers need to actually connect to websites. This is unfortunate, because it means that trackers can simply fingerprint your IP address and there’s not much browsers can do about it. IP address hiding operates on the principle of not connecting directly to the website and instead routing your connection through an intermediary server. The website then sees the intermediary’s IP address, not yours. On the other hand, the intermediary server now knows both your IP address and the website you’re visiting. So what do you do? You add more intermediaries! All of this raises sticky questions about who you trust on the Internet, and you can read more about this topic in an essay I wrote (available here) for the book “Eaten by the Internet”.
The more intermediaries (hops) between you and the website, the better the privacy, but the worse the network speed. You have some options to hide your IP address:
- A trustworthy VPN (1 hop): most VPNs are privacy nightmares. The Open Technology Fund (OTF) has sponsored great research into shady VPN practices (disclosure: I’m on the Advisory Council for OTF). Some good ones are bundled into the browser, such as Mozilla VPN, Brave VPN or Mullvad. Since it’s just one hop, the VPN knows your IP address and which websites you’re visiting, so you had better trust them not to sell your browsing history to advertisers. Given that it’s also expensive to operate a VPN, you should never trust free VPNs.
- Private Relay (2 hops): Apple’s 2-hop iCloud Private Relay hides your IP address from both Apple and the website, but requires an iCloud+ subscription and an Apple device.
- Tor (3 or more hops): for the highest privacy guarantees (but worst performance), use the Tor network to hide your IP address and network metadata, either via Tor Browser or another browser’s implementation such as Brave’s Tor mode. Always prefer Tor Browser if your safety depends on it.
Lastly, test!
You can check your browser’s vulnerability to fingerprinters by using a good fingerprinting testing website like EFF’s CoverYourTracks.
I put together a simple demo website to give a visual example of how browsers apply anti-fingerprinting measures. The demo website writes and reads data using Canvas API, a widely-used Web API that is also sadly commonly used by fingerprinters. Canvas fingerprinting draws hidden graphics using the Canvas API and re-reads the raw pixels. These pixels encode subtle details about your GPU, driver, fonts and sub-pixel rendering which can then be hashed by a tracker into a stable identifier which survives anything you can do (short of getting a new computer). To combat this, many browsers inject noise into the pixels when they are read back. The demo website helps visualize that noise. To not break website functionality, the noise injected by the browser (if it does) is ordinarily invisible to the human eye; the demo deliberately amplifies the distortion to show how different browsers use different noise-injection strategies.
Brave in default mode. Random noise throughout the canvas. As tested on https://shivankaul.com/brave/canvas-noise at time of publication
Safari in Private Browsing. Notice the subtle random noise at the four corners of the image. As tested on https://shivankaul.com/brave/canvas-noise at time of publication
For a fun exercise, try out the demo website on Mozilla Firefox with Resist Fingerprinting turned on and see what you get!
Acknowledgements
Thanks to Juliana Guerra, Rohan Dandavati, Aakash Japi and Gurshabad Grover for proofreading my ramblings and giving fantastic feedback.
Relevant reading
- Fingerprinting, web.dev
- Firefox’s protection against fingerprinting
- Brave’s fingerprinting philosophy: https://github.com/brave/brave-browser/wiki/Fingerprinting-Protections
- Apple’s one-pager on their tracking prevention mechanisms: Tracking Prevention in WebKit
- [Private Browsing 2.0 WebKit](https://webkit.org/blog/15697/private-browsing-2-0/)
- Open source privacy tests for browsers by Arthur Edelstein: PrivacyTests.org
- DuckDuckGo’s tracker radar, used by Safari: https://github.com/duckduckgo/tracker-radar
- Test your browser to see how well you are protected from tracking and fingerprinting: EFF’s Cover Your Tracks
- Fraud, Abuse, Fingerprinting, Privacy, and Openness by Martin Thomson
- Old but comprehensive writeup by Chromium on client identification mechanisms: Technical analysis of client identification mechanisms
- Study examining trackers across the Web: Online tracking: A 1-million-site measurement and analysis
- Mullvad, IVPN, and Mozilla Top Consumer Reports’ VPN Privacy