You cleared your cookies. You use incognito mode. You think you're invisible. You're not even close.
The cookie-based tracking model that privacy advocates spent a decade fighting is already being phased out — not because the industry had a change of heart, but because they built something far more powerful to replace it. Modern tracking doesn't need cookies. It doesn't need your name, your email, or your login. It needs something you can never delete, never reset, and never hide: the unique fingerprint of your device, your browser, and the way you move through a page.
This is what's actually happening when you visit a website in 2026.
Why Cookies Are No Longer the Main Event
Cookies were always a crude instrument. A small file stored on your machine, tied to a domain, clearable with two clicks. Browsers started blocking third-party cookies. Regulators demanded consent banners. Users got trained to click "reject all." The entire cookie-based ad ecosystem began showing cracks.
So the industry moved on. Not away from tracking — toward tracking that is structurally immune to the countermeasures users had learned. The techniques that replaced cookies are invisible, persistent, and in most cases entirely legal. They operate at the browser level, the network level, the hardware level, and the behavioral level simultaneously.
Most users have no idea any of this exists.
Browser Fingerprinting: Your Device Has a Face
Every browser leaks an enormous amount of information simply by existing. When you visit a website, your browser automatically exposes: your user agent string (browser name, version, OS), your screen resolution and color depth, your timezone and language settings, the list of fonts installed on your system, your browser's supported MIME types, your CPU architecture, your installed plugins and their versions, and whether you have cookies and JavaScript enabled.
Individually, none of these is unique. Combined, they form a fingerprint that identifies your specific browser on your specific device with accuracy exceeding 99% in controlled studies. The Electronic Frontier Foundation's Panopticlick project demonstrated this over a decade ago. Modern fingerprinting has only become more precise since.
The fingerprint requires no storage on your device. Nothing is written. Nothing is set. The website simply reads what your browser broadcasts during a normal page load, hashes the combination, and ties it to a profile. You clear your cookies, switch to incognito, reset your browsing history — the fingerprint remains identical because none of those actions change your hardware or browser configuration.
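To make the combination effect concrete, here is an added example (not code from the original article) that measures anonymity-set size and identifying bits over a constructed eight-visitor population, then models a uniformity defence by forcing every visitor to report the same screen and timezone. All attribute values and function names are assumptions made for the illustration.

```javascript
// Constructed population of 8 visitors; each row is what a browser exposes.
const VISITORS = [
  { ua: "Firefox/Win", screen: "1920x1080", tz: "Europe/Berlin", fonts: "office" },
  { ua: "Firefox/Win", screen: "1920x1080", tz: "Europe/London", fonts: "design" },
  { ua: "Firefox/Win", screen: "2560x1440", tz: "Europe/Berlin", fonts: "design" },
  { ua: "Chrome/Mac",  screen: "1920x1080", tz: "Europe/Berlin", fonts: "design" },
  { ua: "Firefox/Win", screen: "2560x1440", tz: "Europe/London", fonts: "office" },
  { ua: "Chrome/Mac",  screen: "2560x1440", tz: "Europe/Berlin", fonts: "office" },
  { ua: "Chrome/Mac",  screen: "1920x1080", tz: "Europe/London", fonts: "office" },
  { ua: "Chrome/Mac",  screen: "2560x1440", tz: "Europe/London", fonts: "design" },
];

// How many visitors share the target's values for the chosen attributes.
function anonymitySet(population, target, attrs) {
  return population.filter(v => attrs.every(a => v[a] === target[a])).length;
}

// Identifying information in bits: -log2(share of population that matches).
function surprisalBits(population, target, attrs) {
  return -Math.log2(anonymitySet(population, target, attrs) / population.length);
}

// Fraction of visitors who are alone in their anonymity set.
function uniqueFraction(population, attrs) {
  const alone = population.filter(v => anonymitySet(population, v, attrs) === 1);
  return alone.length / population.length;
}

// Defence model: every browser reports the same value for some attributes.
function normalise(population, fixed) {
  return population.map(v => ({ ...v, ...fixed }));
}
```

In this sample each attribute alone splits the population in half (1 bit), yet all four together single out every visitor; fixing two attributes to shared values puts each visitor back in a group of two.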
Canvas Fingerprinting: How Your GPU Betrays You
Canvas fingerprinting goes a level deeper. A website uses JavaScript to instruct your browser to draw an invisible image — typically a paragraph of text in a specific font, rendered onto an HTML5 canvas element. The rendered image is then read back as pixel data and hashed.
Here is why this works as a fingerprint: the exact way that text is rendered depends on your GPU, your graphics driver version, your operating system's font rendering engine, your screen's subpixel layout, and a stack of other hardware-level variables. Two computers running identical browsers on identical operating systems will produce subtly different pixel outputs if their graphics hardware differs. That difference is measurable, consistent, and unique enough to function as a hardware identifier.
The canvas element is part of the standard HTML5 specification. Every modern browser supports it. The JavaScript required to execute a canvas fingerprint is a few lines of code. There is no prompt, no permission request, no indication to the user that it is happening.
Studies have found canvas fingerprinting deployed on a significant portion of the top 100,000 websites — often loaded through third-party analytics scripts the site owner may not even be aware are doing this.
AudioContext Fingerprinting: Your Sound Card as an ID
The same principle applies to audio. The Web Audio API, another standard browser feature, allows JavaScript to generate an audio signal, process it through the browser's audio stack, and read back the output. The slight variations in how different hardware processes that signal — rounding errors, floating point precision differences, oscillator implementation details — produce a value that is consistent per device and different across devices.
No sound is actually played. The operation happens entirely in memory. The user sees and hears nothing. The result is a numeric value that acts as a secondary hardware fingerprint, cross-referenced with the canvas fingerprint to increase identification confidence.
WebGL Fingerprinting: Renderer Strings and Shader Precision
WebGL is the browser API for 3D graphics rendering. When JavaScript queries the WebGL context, the browser exposes the renderer string — the actual name and version of your GPU and its driver. On most systems this is something like "ANGLE (Intel, Intel(R) UHD Graphics 620 Direct3D11 vs_5_0 ps_5_0, D3D11-27.20.100.8681)".
That string alone is often enough to narrow your device to a specific model and driver version. Combined with a rendered WebGL scene — which shows the same hardware-level rendering variations as canvas — it becomes a near-definitive hardware identifier. Unlike a cookie or a device ID, it cannot be changed without physically replacing the GPU or updating the driver.
Font Enumeration: The Software Layer
The fonts installed on your system reflect your software history — what applications you have installed, what operating system you are running, what language packs are present, whether you have specialty design or development software. A system with Adobe Premiere, several Google Workspace fonts, a coding font like JetBrains Mono, and a handful of language-specific fonts is substantially different from a fresh Windows install.
JavaScript can probe which fonts are installed by rendering text in a specific font and measuring the resulting dimensions. If the font is present, the dimensions match the expected values. If not, the browser falls back to a default and the dimensions differ. This probe can be run against hundreds of fonts in milliseconds, producing a binary presence/absence list that contributes substantially to the fingerprint's uniqueness.
IP Address and Network-Level Tracking
Your IP address is not a fingerprint in the traditional sense — it changes with networks, and is shared across households — but it carries more information than most users realize. IP geolocation resolves your approximate physical location to city level with high accuracy. Your IP is tied to an autonomous system number (ASN) that identifies your ISP. The combination of IP range, ISP, and geolocation creates a strong probabilistic link between browsing sessions even across different devices on the same network.
More critically: WebRTC, a browser feature designed for peer-to-peer video and audio communication, leaks your local network IP address — the 192.168.x.x address assigned by your router — even when you are using a VPN. This local IP, combined with your public IP, creates a fingerprint that can re-identify you across VPN sessions. This is the WebRTC leak, and it affects most browsers in their default configuration.
Behavioural Fingerprinting: How You Move Is Who You Are
This is where tracking becomes genuinely difficult to conceptualize, because it operates on data that feels meaningless in isolation.
Your mouse movement patterns — the curves you trace, the speed at which you accelerate and decelerate, how you approach a click target — are consistent enough across sessions to function as a biometric identifier. Your typing rhythm — the intervals between keystrokes, the time each key is held down — is similarly unique and consistent. Further signals include your scroll behaviour, your touch pressure on mobile devices, the tilt and orientation of your phone, and how long you pause before clicking a link.
Machine learning models trained on these behavioural signals can identify returning users with high confidence even when every technical fingerprint has been spoofed or reset. This technique, called behavioural biometrics, is already deployed commercially — primarily for fraud detection — but the same infrastructure that detects fraudulent account access also identifies returning visitors for advertising purposes.
CNAME Cloaking: The Trick That Defeats Ad Blockers
Ad blockers work by maintaining lists of known tracking domains and blocking requests to those domains. The tracking industry's response was CNAME cloaking — a DNS-level technique that makes third-party tracking requests appear to come from first-party subdomains.
Here is how it works. A website sets up a subdomain — say, metrics.yourfavouritesite.com. In their DNS configuration, that subdomain is a CNAME record pointing to a third-party tracking server — say, data.trackingcompany.io. When your browser requests metrics.yourfavouritesite.com, it resolves to the tracking server, but the request appears in your browser as a first-party request to the website you are visiting.
Ad blockers that filter by domain name cannot block this without also blocking the legitimate site. The tracking company's cookies set under this subdomain are treated as first-party cookies by the browser, bypassing third-party cookie restrictions entirely. Safari's Intelligent Tracking Prevention added CNAME cloaking detection in 2021, but most browsers still do not block it, and most ad blockers are still catching up.
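A blocker can catch this by judging a request on the name its CNAME chain ends at rather than the name in the URL. The following is an added example, not code from the original article or from any blocker: the DNS records are a constructed table built from the article's sample hostnames, the tracker list is hypothetical, and the two-label `registrableDomain` is a simplifying assumption.

```javascript
// Constructed DNS data (no real lookups): name -> CNAME target.
const CNAMES = new Map([
  ["metrics.yourfavouritesite.com", "data.trackingcompany.io"],
  ["www.yourfavouritesite.com", "edge.yourfavouritesite.com"],
  ["a.loop.example", "b.loop.example"],
  ["b.loop.example", "a.loop.example"],
]);
// Hypothetical tracker list, standing in for what a filter list supplies.
const TRACKERS = new Set(["trackingcompany.io"]);

// Naive registrable domain: the last two labels. Assumption for this
// example only; real code needs the Public Suffix List (co.uk and so on).
function registrableDomain(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".").slice(-2).join(".");
}

// Follow the CNAME chain to its end; returns null if the chain loops.
function canonicalName(host, cnames, maxHops = 8) {
  let name = host.toLowerCase().replace(/\.$/, "");
  const seen = new Set([name]);
  for (let i = 0; i < maxHops && cnames.has(name); i++) {
    name = cnames.get(name).toLowerCase();
    if (seen.has(name)) return null;
    seen.add(name);
  }
  return name;
}

// Classify a request by where it really resolves, not by how it is named.
function classifyRequest(pageHost, requestHost, cnames, trackers) {
  const site = registrableDomain(pageHost);
  const looksFirstParty = registrableDomain(requestHost) === site;
  const canonical = canonicalName(requestHost, cnames);
  if (canonical === null) return { verdict: "unresolvable", canonical };
  const target = registrableDomain(canonical);
  if (looksFirstParty && target !== site && trackers.has(target)) {
    return { verdict: "cname-cloaked-tracker", canonical };
  }
  return { verdict: looksFirstParty ? "first-party" : "third-party", canonical };
}
```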
Link Decoration and Email Tracking
When you click a link in an email or on a social media platform, the URL you land on often contains parameters that were not there organically — things like ?utm_source=newsletter&utm_medium=email&fbclid=ABC123. Some of these are standard analytics markers. Others are unique identifiers generated specifically for you, allowing the destination site to know exactly who clicked, from what platform, at what time.
Facebook's fbclid parameter and Google's gclid are cross-site identifiers. When you land on a third-party website carrying one of these parameters, that site can share the identifier back to Facebook or Google, reconstructing cross-site tracking without any cookies being involved. Browsers like Brave and Firefox now strip some of these parameters automatically, but most do not.
Email tracking pixels are even simpler. A one-pixel transparent image embedded in an email, hosted on a tracking server, reports your IP address, your email client, your operating system, and the exact time you opened the message — simply by loading the image. Disabling automatic image loading in your email client is the only reliable defence.
Server-Side Tracking: The Invisible Layer
All of the techniques above operate at the browser level — and therefore can, in principle, be blocked or spoofed by browser extensions. Server-side tracking operates before the browser is involved at all.
When your ISP routes your traffic, every DNS query, every IP connection, every unencrypted packet is visible to them. ISPs in multiple jurisdictions are legally permitted to log and monetise this data. Your browsing history at the DNS level is a near-complete record of every site you visit, even if those sites use HTTPS and even if you use private browsing.
Separately, large platforms — Google, Meta, Amazon — operate infrastructure that underlies a significant fraction of the web. Google Analytics is present on over half of all websites. Meta Pixel fires on millions of sites. Amazon's ad network, its CDN, and AWS power vast portions of the internet. Even if you never visit Google.com, Google sees your traffic through the analytics scripts embedded on every other site you visit.
What Actually Works Against This
The honest answer is that no single tool eliminates all of this. But a layered approach reduces your trackable surface substantially.
Use Firefox with uBlock Origin. Firefox's Enhanced Tracking Protection blocks known fingerprinting scripts at the network level. uBlock Origin in medium or hard mode blocks third-party scripts entirely, which eliminates most fingerprinting vectors before they execute. This combination is still the most effective general-purpose defence available.
Disable WebRTC or use a browser that restricts it. Brave blocks WebRTC leaks by default. In Firefox, set media.peerconnection.enabled to false in about:config if you do not need video calling in the browser.
Use a reputable DNS-over-HTTPS provider. Routing DNS queries over HTTPS (DoH) encrypts them from your ISP. Cloudflare's 1.1.1.1 and NextDNS both support DoH and can be configured at the browser or OS level. This removes ISP-level DNS visibility.
Understand that Tor is the only real anonymity tool. Tor Browser is specifically engineered to make all users look identical to fingerprinting scripts — same window size, same fonts, same canvas output, same everything. It is slow and breaks many sites, but it is the only tool that substantively addresses fingerprinting rather than just reducing it.
Strip tracking parameters from URLs. Brave does this automatically. Firefox users can install the ClearURLs extension. This breaks link decoration re-identification.
Block email images by default. In Gmail, go to Settings → Images → Ask before displaying. In Outlook, this is the default for external senders. This eliminates tracking pixel telemetry.
The Fundamental Asymmetry
Every countermeasure described above requires deliberate technical effort from the user. Every tracking technique described in this post is deployed automatically, silently, and by default on a significant fraction of the web. The asymmetry is structural: the industry has infinite incentive to track, near-zero friction in deploying new techniques, and legal cover in most jurisdictions. The user has to actively seek out tools, configure them correctly, and stay current as the techniques evolve.
Cookies were always a decoy. The fight against them was real, and it mattered — but while regulators were drafting GDPR consent requirements and browsers were blocking third-party cookies, the industry had already moved the game to a layer that regulations do not yet reach and that most users cannot see.
The web knows who you are. It knew before you accepted or rejected a single cookie banner.