You open an Incognito window and you feel safer. You're logged out of everything. No cookies. No history. A clean slate. Only it isn't, and it hasn't been for years. Before you've even typed a URL, the Incognito browser has already told any site that cares exactly which operating system you're on, which GPU, your screen size down to the pixel, your installed fonts, your audio hardware, your time zone, and roughly a hundred other small signals that together are probably unique to you on the entire internet.
That's browser fingerprinting. It's how ad networks, fraud systems, and content platforms track "you" even when you've wiped every cookie, rotated every IP, and used three different browsers. This guide explains how it works, what you can actually do about it in 2026, and why Incognito mode was never going to save you.
TL;DR
- Incognito hides your history from other people on your device. That's the whole feature set — it does nothing against fingerprinting.
- Modern fingerprints combine dozens of small signals (Canvas, WebGL, fonts, audio, behavioural timing) into an ID that identifies ~98% of users uniquely.
- Real defences in 2026: Brave or Tor Browser with fingerprinting protection, strict Firefox, or accepting a tiny amount of data exposure and focusing on other privacy layers.
What Incognito actually does
Incognito is a local feature. When you close the window:
- The browser deletes cookies and localStorage from that session.
- The browser doesn't save the history.
- Form autofill suggestions don't pick up what you typed.
That's it. Every server you contacted during the session still logged every request. Every ad network that ran a script still collected your fingerprint. Every login you made is still in that site's database attached to your account. In 2024 Google lost a $5 billion class-action exactly because the company had implied Incognito did more than this.
The anatomy of a modern fingerprint
A fingerprinting script collects attributes of your browser and device, combines them, and produces a hash. Two users with the same hash get treated as the same person. Here are the main signal sources, in rough order of discriminating power:
Canvas fingerprint
The script asks the browser to render a specific snippet of text with subtle effects into an invisible canvas element. Small differences in GPU drivers, rendering settings and OS font rendering produce measurably different pixel output. Two identical-looking machines almost always produce slightly different canvas hashes. This one alone can categorise you into one of a few thousand buckets.
WebGL fingerprint
Same idea, with 3D. The browser renders a simple WebGL scene; the exact GPU, driver version, and rendering pipeline produce a unique hash. It's remarkably stable — your WebGL hash rarely changes until you update your GPU driver.
Font enumeration
Which fonts are installed on your system. Since this depends on your OS, installed software (MS Office, Adobe apps), regional settings and personal tweaks, the list is wildly specific. Modern browsers have started limiting which fonts can be detected but some leakage remains.
Audio fingerprint
The browser runs a short audio calculation through the Web Audio API. Tiny numerical differences in floating-point math between CPUs and browsers produce a stable audio hash.
Screen + timezone
Exact pixel dimensions of your monitor, available colour depth, device pixel ratio. Plus time zone, preferred language, and preferred colour scheme. Together, these narrow you further.
Hardware and battery
Your reported CPU count, device memory, and (until browsers killed the API) battery level. Battery level especially was a nasty signal because it gave a continuously-changing number that let sites re-identify you across cookie clears within minutes.
Behavioural signals
The newest and creepiest layer. Your mouse movement patterns, typing rhythm, scroll velocity, and even the way you wobble while holding a phone are now tracked by sophisticated fraud systems and identify you with surprisingly high accuracy after a few seconds of interaction.
How unique are you?
The EFF's AmIUnique and Cover Your Tracks projects have measured this in the wild for years. A typical reader of this article — standard browser, default settings, logged-in occasionally — has a fingerprint that's unique among every other user in the data set. Not rare. Unique.
Even users of privacy-hardened setups show up as 1-in-hundreds or 1-in-thousands, which still identifies them across sessions when combined with IP and browsing history.
Who uses fingerprinting in 2026
- Ad networks (less common now after regulatory action, but still present).
- Anti-fraud systems at banks, exchanges, Airbnb, ticket resellers — they actively want to track you to prevent account fraud, and this is regulator-tolerated.
- Streaming services and gaming platforms for account sharing detection.
- Big content platforms (Google, Meta, X) as a backup identity layer behind login.
- "Risk scoring" layer at sign-up flows — you'll notice this as the extra friction when you try to register from a fresh browser on a VPN.
Defences that work in 2026
Tor Browser
The only browser designed from the ground up to make every user look identical at the fingerprint layer. Same user-agent, same letterbox window size, same disabled-by-default JavaScript APIs. Tor Browser gets close to one-in-thousands fingerprint uniqueness, which is miraculous. Trade-off: everything feels slow, many sites block Tor exits, CAPTCHAs everywhere.
Brave
Brave shipped active anti-fingerprinting protections in 2020 and they've been improved every year since. The approach is farbling — randomising small noise into Canvas, WebGL and audio outputs so the hash changes between sessions. You still look like yourself across a single session, but a fresh session looks like a different person. Effective against ad networks, less so against fingerprint-savvy fraud systems.
Firefox — strict mode
Since Firefox 87 there's a built-in Resist Fingerprinting mode (about:config → `privacy.resistFingerprinting`). It's aggressive — blocks many APIs, forces a specific timezone and window size, breaks some sites. For full effect it's intended to be combined with the Tor-style user-agent standardisation. Good for users who will tolerate occasional breakage.
Safari on Apple silicon
Safari has been quietly strengthening its fingerprint resistance every year. It locks down many APIs, strips the user-agent, and enforces tight limits on the Web Audio API. For casual privacy, Safari on iPhone or Mac is a surprisingly strong default with zero configuration.
Browser extensions
uBlock Origin (advanced mode), CanvasBlocker, Chameleon and a few others can rebuild some of these defences on Chrome. Be careful — piling extensions is its own fingerprint ("user with this exact set of 11 extensions"). Less is more.
The "just accept it" approach
There's an honest position that you will never be fully fingerprint-resistant on a device you actively use. Your real goal might be to segregate identities: a default browser for ordinary logged-in life (Gmail, banking, Amazon), a separate profile or browser for work, and a third hardened setup for anything you don't want linked to the first two. Don't cross the streams. Log into your real Google account only in the default profile. Use the hardened profile for research, shopping around, politically sensitive reading.
That's often more realistic than chasing perfect fingerprint resistance, and it's how most security professionals we know actually operate.
How to test your fingerprint
Two free, well-maintained tools in 2026:
- EFF's Cover Your Tracks (coveryourtracks.eff.org) — runs a full battery of tests and gives you a plain-English summary.
- AmIUnique.org — similar, with a slightly different methodology, worth running both.
Run it once in your default browser, once in Incognito, once in Brave or Tor Browser. Seeing the same fingerprint across Incognito sessions drives the point home better than any article can.
Common misconceptions
"A VPN hides me from fingerprinting"
No. A VPN changes your IP — exactly one signal among dozens. Your fingerprint is untouched. The ad network knows it's you, just on a different IP today.
"I'll just rotate user agents"
Counterproductive in 2026. A mismatch between a reported Chrome 120 user-agent and the actual behavioural fingerprint (which is clearly Chrome 99 on Linux) actively identifies you more, because it lands you in the rare "probably trying to evade" bucket.
"Private / Incognito mode fixes this"
Already covered, but worth repeating: Incognito affects your computer, not the internet. Every site you visit still sees full fingerprint. That's by design.
FAQ
Can fingerprinting identify me across different IPs?
Yes — that's the whole point. A stable fingerprint persists through VPN switches, mobile-to-Wi-Fi transitions, and coffee-shop hopping.
Can it identify me across different browsers on the same device?
Partially. Some signals (GPU, fonts, OS-level audio) are the same across browsers. Others (user-agent, installed extensions, canvas rendering) differ. Cross-browser identification works but is less reliable.
Does clearing cookies help?
Against cookie-based tracking, yes. Against fingerprinting, no — the fingerprint doesn't live in cookies.
Is fingerprinting legal under GDPR?
Fingerprinting for essential fraud prevention is generally allowed under legitimate-interest. Fingerprinting for advertising without consent is not. Enforcement against advertising fingerprinting is slow but rising.
What about Apple's App Tracking Transparency — does that cover fingerprinting?
ATT focuses on the Apple IDFA device ID, which has been largely defanged on iOS. Fingerprinting in mobile browsers on iOS is constrained by Safari's default resistance. In apps, fingerprinting via non-IDFA signals still happens and is in ongoing regulatory conversation.
Should I use all the anti-fingerprinting tools at once?
No. Too many overlapping extensions and hardening settings produce their own unique fingerprint. Pick one stance — Brave, or strict Firefox, or Tor Browser — and stick with it.
Tools on ip-checker.pro that help
→ IP Lookup — verify your IP-layer anonymity (one signal of many)
→ Security Check — holistic check of browser and network signals
→ DNS Lookup — confirm your DNS is going where you expect