For years now, the cookie banner has been the universal symbol of online surveillance. It’s a pop-up most of us dismiss without reading, but it’s a silent acknowledgment that someone, somewhere, is watching. The privacy-conscious among you may even have started to control what cookies a site saves on your system, but trackers have now evolved beyond that.
While you’ve been rejecting all cookies with righteous satisfaction, clearing cookies is useless, and the actual tracking infrastructure has moved on, making cookies increasingly irrelevant. The industry has built something far more persistent, far more invisible, and far harder to fight back against.
I stopped using “Incognito Mode” for privacy after learning about fingerprinting
It’s just not doing what you think it is.
Cookies are no longer the main privacy problem
Websites are moving beyond traditional tracking methods
Third-party cookies, the kind that let an ad network follow you from a shoe store to a news site, are being phased out across major browsers. Safari and Firefox have blocked them for years, and while Google Chrome’s deprecation has been slower and messier than expected, the direction is clear. Advertisers and data brokers knew this was coming, so they spent the last decade building alternatives.
The result is an ecosystem of cookieless tracking that doesn’t need your browser’s permission to store anything because it doesn’t store anything on your device at all. You no longer need to leave a file on someone’s computer to identify them. You just need to ask their browser a few questions. And combined together, the answers are enough to pick you out of millions.
Your browser reveals more than you think
Fonts, screen size, hardware, and dozens of tiny details create a unique fingerprint
Welcome to the era of browser fingerprinting. It’s been here for a while, but it’s starting to steal the limelight from cookies now. Every time you visit a website, your browser involuntarily broadcasts a torrent of signals. Everything from your OS, screen resolution, installed fonts, timezone, language settings, browser version, and dozens of other attributes gets sent to whatever server you’re visiting.
Individually taken these data points don’t seem like much. After all, what damage can someone do to you if they know your screen resolution, right? But when you put them together, you get a combination that can tell your particular browser apart from millions of others on the internet.
The Electronic Frontier Foundation’s (EFF) Panopticlick project found that the average browser fingerprint carries more than 18 bits of entropy, enough to single out one device in roughly 280,000. Sophisticated commercial solutions like FingerprintJS claim 99.5% fingerprint uniqueness across their dataset. Real-world accuracy for stable cross-session identification varies between 60 to 75%, but that’s still remarkably high for something that requires zero storage or interaction on your end.
Speaking of which, what makes fingerprinting particularly invasive is that nothing is stored. There’s no file you can delete, no cache you can clear. When you delete your browsing data, the fingerprint persists. It’s derived from your hardware and software configuration, which aren’t going anywhere, and can’t be deleted by clicking a single button.
The most powerful trackers are completely invisible
Canvas, WebGL, and Audio fingerprinting identify you without storing a single cookie
The most powerful fingerprinting signals come from three browser APIs that were designed for otherwise legitimate purposes: Canvas, WebGL, and the Web Audio API.
Canvas fingerprinting tells your browser to draw a hidden image, usually some text in a specific font, with overlapping shapes and colors. The way that image renders depends on your GPU, your graphics driver, your OS’s font engine, and the anti-aliasing algorithms your system uses. The rendered pixel data gets converted into a hash, and that hash is your canvas fingerprint. It’s stable across sessions, across incognito mode, and across VPNs. The HTML5 canvas is single-handedly one of the largest fingerprinting threats browsers have to deal with.
WebGL fingerprinting goes even deeper. It asks your browser to render a 3D scene and read back the output. Since the result depends on your specific GPU model, driver version, and the browser’s graphics stack, it reveals details that a simple browser string never can. Even two machines with the same GPU can produce significantly different outputs based on driver variations.
Last but not least, Audio fingerprinting is on the more elegant side. A script creates something called an AudioContext, generates a sine wave through an OscillatorNode, passes it through a DynamicsCompressorNode, and reads the resulting waveform data. Since audio hardware from different manufacturers like Realtek, Intel, and others processes floating-point math slightly differently, the output becomes a signature that says nothing about what you’re listening to, but everything about the physical chip processing the sound.
Tracking doesn’t stop at the browser
Email pixels quietly report when, where, and how you open your messages
Cookies and browser fingerprinting are browser-based concerns, but there are even more invasive methods hiding on the internet. Marketers have been embedding tracking pixels in HTML emails for years, and when you consider just how many of these emails get sent out, the scale is staggering.
When your email client loads one of these pixels, it makes an HTTP request to a remote server. That single request logs your IP address (which can give away your approximate location), the exact timestamp, your device type, operating system, and email client. You don’t need to click anything, and there’s no consent pop-up to dismiss. If you’re using a preview pane, you may have triggered this data collection without even reading the email at all.
Your IP address isn’t an abstract technical detail in this context. IP addresses constitute personal data under GDPR because they can be linked to a subscriber by an ISP. It’s one of the biggest giveaways anyone on the internet can get from you, and a lot of bad actors almost exclusively go for your IP address first.
Privacy takes more than clearing cookies
The practical steps that actually reduce fingerprinting and online tracking today
Clawing back your privacy is an uphill battle, and realistically speaking, you can’t make yourself invisible online, but you can make yourself a less stable, less valuable target. Some browsers like Brave, randomize fingerprinting outputs by default, injecting noise into canvas and WebGL responses, so that each session looks a little different. Firefox also has privacy.resistFingerprinting flag that standardizes many outputs. The Tor Browser goes the furthest, but at the cost of significant browsing friction.
Chrome and Firefox are tracking you by default — these alternatives don’t
This is why I won’t ever use Chrome and Firefox again.
Then there are extensions like uBlock Origin and CanvasBlocker that can interrupt specific fingerprinting scripts, though they work best when the tracker is loaded from a third-party domain. For email, disabling remote image loading in your email client can stop pixel tracking at the source.
The privacy conversation has been fixating on the wrong thing. Cookies were always just one tool, and not the most powerful one. The tracking ecosystem evolved while most users — and much of the regulation — were still focused on that accept cookies button.

