Cookies emerged in the 1990s as a way for websites to remember returning users. They are small text files containing a unique ID, which your browser downloads when you visit a site.
When you return, the website can read that file to keep you logged in or remember what’s in your shopping basket. These so-called first-party cookies remain a basic part of how the web functions.
Then there are third-party cookies: similar files that share your ID with a host of trackers, from advertisers to data brokers. They're usually bundled into free widgets and plugins that developers rely on to build sites.
That’s what cookie banners are really asking you about: are you okay with Google Ads knowing you visited quickrecipes.yum, briefly opened UberEats, and then returned to the first page? And if yes, would you be interested in this pop-up about healthy burgers in your area?
For all their flaws, cookies are at least visible. They are files stored on your device, which you can delete or block in your browser settings. Other forms of tracking are far harder to see – and virtually impossible to avoid.
Enter fingerprinting
Fingerprinting is another tracking technique that exploits information browsers were designed to share. To display pages correctly, websites have long relied on knowing details about your device, such as screen resolution, installed fonts and hardware characteristics.
Combined, these signals can form a surprisingly detailed and often unique “fingerprint” of a single user, one that is collected in the background and can’t be stopped by browsing incognito.
Tom Ritter, principal security engineer at the Mozilla Foundation, told The European Correspondent that fingerprinting was first exposed in a 2010 paper by the Electronic Frontier Foundation. It found that up to 83% of users could be uniquely identified.
“The first shock to the system came in 2014, though,” Ritter continued. Investigations revealed that AddThis, a hugely popular social media button, had sneaked into its code a fingerprinting script that was running all across the web, from the White House to YouPorn.
“Ultimately, the goal of fingerprinting is to re-identify you in different contexts,” Ritter explained. Tracking scripts are often paired with others that record how people interact with a page: how long they stay, how far they scroll, where they click.
That data is then fed into proprietary algorithms designed to predict your interests and future behaviour. The result is not just a record of where you have been, but a probabilistic portrait of who you might be.
Studies have found that fingerprinting is less stable than cookie-based tracking, as browser updates frequently change the technical signals used to identify users. But algorithms can be trained to link different fingerprints together. Overall, it’s hard to know exactly how widespread or precise these techniques are.
“Not only are trackers not incentivised to tell us that,” Ritter explained, “they’re not incentivised to tell each other that, because they are competitors.”
The deeper problem is that users cannot consent to fingerprinting – nor opt out of it. That sits uneasily with European law. The ePrivacy Directive requires consent before data is gathered from a device, while the GDPR establishes it as a prerequisite for most data processing.
So, is it illegal?
“That’s the million-dollar question,” said Tasos Stampelos, a senior policy specialist at Mozilla. In short, “The framework is there but the problem starts with enforcement,” he continued. Data protection authorities often lack the time, funding and technical expertise to investigate and pursue breaches. “It also comes down to how easy it is for individuals to bring a complaint,” Stampelos added.
“Deceptive cookie banners are pretty easy for a user to detect. But for fingerprinting, you don’t see it, it’s hiding in the backend.”
So now that you're properly spooked, let's talk about what you can do.
Shockingly, the Mozilla team would actually recommend their browser, Firefox, which indeed offers strong anti-fingerprinting protections – from auto-blocking known scripts, to adjusting and randomising some of the data browsers share with websites.
Other privacy-focused browsers, like DuckDuckGo, Brave, Tor, and Mullvad, also have ways to partly blur your fingerprint. But no option is completely tracking-proof.
Unfortunately, Google Chrome – by far the most popular browser – seems to be the worst offender when it comes to privacy protections and privacy washing. Surely the fact that the company also runs its own extremely lucrative advertising and analytics businesses has nothing to do with that.
If you are not ready to switch your main browser, though (I feel you!), there are still some things you can do. Many browser extensions offer anti-fingerprinting services, but paradoxically, installing a bunch of them would make you look particularly unique to fingerprinters. So actually, go to your extensions tab right now and try clearing out anything that’s not absolutely necessary.
Also, make your browser preferences as general as possible, and try to run updates as soon as they come out. Finally, VPNs can help by changing your IP address, an important part of the mix that can further confuse your enemies.
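The reasoning behind both the claim that combined signals form a unique fingerprint and the advice to avoid stacking extensions can be shown with a short added example, which is not from the article or from Mozilla. It counts how many users in a small constructed population share a profile as each signal is added. The population, attribute names and function names are assumptions made for illustration, not real measurements.

```javascript
// Constructed population (not real measurements): 8 common configurations,
// two users each, all running no extensions.
const population = [];
for (const screen of ["1920x1080", "1366x768"])
  for (const timezone of ["Europe/Berlin", "Europe/Paris"])
    for (const fonts of ["system", "system+office"])
      for (let copy = 0; copy < 2; copy++)
        population.push({ screen, timezone, fonts, extensions: "none" });

// One extra user with a common device but an unusual stack of extensions.
const plainUser = population[0];
const tinkerer = { ...plainUser, extensions: "adblock,anti-fp,dark-mode" };
population.push(tinkerer);

// Anonymity set: how many users share this profile's values for `keys`.
function anonymitySet(pop, profile, keys) {
  return pop.filter((p) => keys.every((k) => p[k] === profile[k])).length;
}

// Surprisal in bits: log2(N / set size). log2(N) bits means unique.
function surprisalBits(pop, profile, keys) {
  return Math.log2(pop.length / anonymitySet(pop, profile, keys));
}

// Anonymity set size as each signal is added to the ones before it.
function shrinkage(pop, profile, keys) {
  return keys.map((_, i) => anonymitySet(pop, profile, keys.slice(0, i + 1)));
}

// Share of the population that is unique on the given signals.
function uniqueFraction(pop, keys) {
  return pop.filter((p) => anonymitySet(pop, p, keys) === 1).length / pop.length;
}

const SIGNALS = ["screen", "timezone", "fonts", "extensions"];
console.log("plain user:", shrinkage(population, plainUser, SIGNALS));
console.log("tinkerer:  ", shrinkage(population, tinkerer, SIGNALS));
console.log("tinkerer bits:", surprisalBits(population, tinkerer, SIGNALS).toFixed(2));
console.log("unique share:", uniqueFraction(population, SIGNALS).toFixed(3));
```

Each signal on its own leaves both users in a crowd. Only the unusual extension stack shrinks the second user's anonymity set to one, which is why a generic configuration is the safer choice.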