Operator guide to website tracking: 22 vectors and what stops them.

The cookie banner is theater. By the time you click anything on a webpage, the server already has your IP, your approximate physical location, your ISP, your hardware fingerprint, your screen layout, your installed fonts, your timezone, and a behavioral profile of how your mouse moved across the page. None of that data triggers a privacy notice. None of it is covered by GDPR consent. It is collected by default, on every page load, by every site that uses standard analytics or ad-tech.

We built a live fingerprint analyzer that shows you the exact 22 vectors your browser is leaking right now. This guide explains what each vector reveals, why your existing protection probably misses it, and what you can actually do about it. The countermeasures below assume you have already built a clear threat model. If you have not, start with our guide on how to build a threat model before choosing tools.

The three families of tracking vectors

Modern web tracking does not rely on cookies. Cookies are the part of tracking that you can see and refuse. Everything else is invisible, runs without consent, and survives most consumer privacy tools. The 22 vectors fall into three operational families: network, hardware, and behavior.

Network signals are sent automatically with every HTTP request. Your public IP, ISP, autonomous system number, approximate city, and any VPN or proxy signature attached to your connection. These cannot be hidden by browser configuration alone. They are a property of your network connection.

Hardware signals are the way your specific device renders pixels, processes audio, runs WebGL, and exposes graphics card details. Combined into a hash, they produce a biometric ID stable across IP changes, VPN switches, private windows, and cookie wipes. The same hash follows you to every site that uses the same fingerprinting library, and most major analytics platforms do.

Behavioral signals are how you actually use a page. Mouse movement distance and trajectory. Time before first click. Number of tab switches. Scroll velocity. Reading patterns. These signals identify you across visits even when every other vector has been suppressed, because the way you operate a device is itself a signature.

Network layer: what your IP gives away

Your public IP is the first thing every server sees. IP geolocation databases place most home connections within a 1 to 10 km radius. ISP and ASN are recorded with the lookup. With a court order, your ISP can produce the billing address tied to that connection on a specific date and time.

Mobile carrier connections are worse. They sell location data in real time, in legal grey zones that have already cost them tens of millions in regulatory fines. The fines did not stop the practice. We covered this in our analysis of how phone carriers sell location data.

The countermeasure most people reach for first is a VPN. A VPN works for hiding your IP from the destination server, but it has limits. It does not hide your IP from your VPN provider. It does not change your hardware fingerprint. It does not match your browser configuration to the country your VPN exit is in. If your IP says Romania but your timezone says Paris and your accept-language says fr-FR, that mismatch is itself a signal that pre-trained fingerprinting models flag as VPN traffic.

WebRTC is the second network leak most users miss. It establishes peer connections that bypass the VPN tunnel entirely, exposing the local IP address on your home network. We documented several real cases of this failure mode in our piece on tracked through a VPN: documented cases.

The operational fix at the network layer is layered. Choose a VPN that has been audited and that does not log, and pair it with a browser hardened against WebRTC leaks. Coherence matters more than the choice of provider. We compared the two providers we trust in Proton vs Mullvad in 2026.

Hardware layer: the fingerprint that survives everything

The hardware fingerprint is the part of the dossier that most users do not know exists. It is built from three independent measurements your browser performs every time it loads a tracking script.

Canvas fingerprint. The browser is asked to draw a small piece of text using a specific font and color. The way the GPU renders the anti-aliased pixels of that drawing depends on the graphics driver, the operating system rendering pipeline, and the GPU itself. The drawing is then hashed. The same browser on the same machine produces the same hash. A different machine, even running the same browser version, produces a different hash.

WebGL fingerprint. WebGL exposes the unmasked vendor and renderer of your graphics card through a debug extension. Combined with the GPU memory limits, the supported texture sizes, and the maximum vertex attribute counts, the result is a hash that identifies your hardware to a level of precision most users would expect to require explicit consent.

Audio fingerprint. The browser runs a small audio rendering operation through an offline audio context, with a known input. The output, hashed, depends on the floating-point implementation of the audio subsystem. Different hardware produces different hashes. The result is stable.

Combined, these three hashes produce an identifier shared by fewer than one in 100,000 devices. Switching VPN does not change it. Clearing cookies does not change it. Private browsing does not change it. It changes when you change device, or when you update your graphics drivers significantly. That is the only way.

The countermeasure here is narrow. Tor Browser modifies canvas, WebGL, and audio APIs to return uniform values across all Tor users, which makes you blend into a crowd of identical hashes. Brave applies similar randomization on a per-session basis. Firefox with resistFingerprinting enabled does the same in a more conservative way. Hardened Chromium variants like Mullvad Browser apply the Tor Browser approach without the Tor network. None of the standard mainstream browsers, Safari, Chrome, Edge, address this vector by default.

Locale and screen: the passive geolocation

Without asking for any permission, your browser hands over the timezone your operating system is set to, the language preferences in your accept-language header, the resolution of your screen, the size of your browser window, the device pixel ratio, the color depth, the number of touch points your input device exposes, and your visual preferences for dark mode, reduced motion, and high contrast.

Each signal alone is weak. Combined, they place you geographically with high confidence even when your IP is masked. Timezone Europe/Paris with accept-language fr-FR-fr-FR-en-US and screen 1512×982 with devicePixelRatio 2 narrows you to a French Mac user on a Retina display before any cookie or fingerprint enters the picture.

Coherence is the only defense. If you mask your IP with a Romanian VPN exit and leave your system locale set to Europe/Paris with French language preferences, you have not hidden anything. You have signaled that you are using a VPN. The hardened browser approach matches all locale, language, and screen signals to a common default, so users blend into the same generic profile.

Behavior: the signal you cannot turn off

Every page you visit can record how you behave on it. JavaScript event listeners track every mouse coordinate, every scroll movement, every keystroke timing. The browser exposes the visibility state of the tab, allowing the page to count exactly how many times you switched away. The result is a behavioral profile that is almost as identifying as a hardware fingerprint, and impossible to spoof without breaking the page entirely.

The data goes further than identity. Behavioral analytics platforms infer attention, hesitation, decision quality, and emotional state from movement patterns. Marketing teams use this to time interstitials and promotions. Surveillance platforms use the same techniques to flag patterns they consider suspicious. The output of the same library serves both buyers without any modification.

There is no clean technical countermeasure. Disabling JavaScript breaks most of the modern web. Browser extensions that block analytics cover only the largest commercial trackers. The discipline that works is structural: do not perform sensitive operations on devices or browsers you also use casually. Maintain a separate operator profile, a separate device when the threat model demands it, and a separate behavioral baseline through actual usage discipline. We covered the principle in detail in our guide on building a threat model and operationalized it in the operator protocol for journalists.

Battery, connection, fonts, adblock: the second-order signals

The Battery Status API was introduced for legitimate use cases and immediately weaponized for tracking. It exposes your battery level and charging state without requiring permission. A site can tell whether you are plugged in, on battery, low on charge. Combined with timing, this reveals whether you are at home, on the move, or in transit. Most browsers have since restricted or removed this API, but legacy implementations still expose it.

The Network Information API exposes your effective connection type and downlink bandwidth. The font enumeration probe measures the rendering width of strings in dozens of typefaces to detect which fonts are installed on your system. The adblocker detection runs a fake ad element and checks whether it survives, identifying you as a privacy-conscious user, which is itself a profiling signal. Do Not Track, when enabled, is ignored by every commercial tracker and adds entropy to your fingerprint by virtue of being a minority configuration.

None of these signals individually identifies you. Together they reduce the anonymity set significantly. The Tor Browser philosophy treats every minority configuration as a leak: same fonts, same window size, same accept-language, same connection type reported, regardless of what the actual underlying machine looks like. Most users are not willing to accept the friction. The compromise that works for non-Tor users is a hardened Firefox or Mullvad Browser, used on a dedicated device or profile, with a coherent VPN configuration matching the locale.

The operator protocol: how the layers fit together

None of the countermeasures work in isolation. A VPN without a hardened browser leaks via WebRTC and fingerprinting. A hardened browser without a VPN leaks via IP. A locked-down configuration on a device you also use for casual browsing leaks via behavioral correlation across sessions. The protocol that actually works treats privacy as an operational discipline, not a tool stack.

For most readers, the operator protocol is a four-layer stack. A coherent network layer, with a no-log VPN matching the locale of your hardened browser. A hardened browser layer, with fingerprinting countermeasures enabled and the JavaScript surface trimmed where possible. A device discipline layer, separating sensitive activity from casual activity, ideally on a dedicated machine or at minimum a dedicated profile. A behavioral discipline layer, where the operator profile is used only for operator activity, never logged into a personal account, never used for shopping or social media.

The protocol is detailed for journalists in our complete operational guide on digital security for journalists in 2026. The principles transfer to lawyers, NGO field workers, military families, and people in conflict-divorce situations. The threat models differ. The vectors are the same.

Frequently asked questions

Does private browsing or incognito mode protect against fingerprinting?

No. Private browsing prevents your browser from saving local history, cookies, and cache. It does nothing about the 22 vectors covered above. Your IP, your hardware fingerprint, your behavioral profile, and your locale are all visible to every site you visit in private mode, identical to a normal session.

Will a VPN hide my fingerprint?

A VPN hides your IP address from the destination server. It does not change your canvas hash, your WebGL hash, your audio hash, your screen size, your installed fonts, or your behavioral profile. A VPN without a hardened browser leaves most of the dossier intact and adds an inconsistency between the IP location and the rest of your profile, which is itself a tracking signal.

Is Tor Browser the only real solution?

Tor Browser is the strongest defense available, because it routes traffic through the Tor network and applies aggressive fingerprint normalization. The trade-off is speed and the fact that some sites block or challenge Tor exits. Mullvad Browser provides the same fingerprint normalization without Tor routing, designed for use with a regular VPN. Hardened Firefox with resistFingerprinting and uBlock Origin is a reasonable middle ground for everyday use.

If I clear my cookies and switch VPN, am I anonymous?

No. Your hardware fingerprint stays the same. Most major analytics and ad-tech platforms recognize you across cookie wipes and VPN changes by the canvas, WebGL, and audio hash combination. Cookie clearing is operationally useful for resetting site-specific identifiers. It does nothing about cross-session tracking based on hardware fingerprint.

Can I check my own fingerprint?

Yes. We built a live fingerprint analyzer that runs in your browser and shows you the exact 22 vectors leaking on your current configuration, with an exposure score weighted across each. The result gives you a concrete starting point for hardening, and it changes only when you change something operational.

---

There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.