What They Know About Your Device
Browser Fingerprinting and the Identification Gap Your Legal Team Hasn't Accounted For
Picture this scenario. A PE firm is three weeks into buy-side due diligence on a mid-market technology target. The lead analyst has been researching the target company extensively: reviewing their public filings, pulling infrastructure data, monitoring their executive team’s digital footprint. Standard work. All of it done from a corporate laptop, sometimes through the firm’s VPN, sometimes not, occasionally from a hotel on the road.
What the analyst doesn’t know: the target company’s website is running a fingerprinting script. Every visit from that analyst’s device, regardless of VPN, incognito mode, or which browser was used, has been logged against a consistent device profile. By the time the deal closes, the target has a record showing repeated, methodical visits to specific sections of their investor relations pages, their engineering job postings, and their terms of service from a device that later appears in the acquirer’s own infrastructure.
That scenario is not hypothetical in its mechanics. The technical capability exists, is widely deployed, and is almost never part of due diligence operational security conversations.
This series is about the tracking infrastructure that operates below the level where most privacy tools intervene and what it means for the professionals whose work depends on information advantage.
The Consent Banner Is Not the Disclosure
Every website you visit shows you the same dialog. Cookies. Accept or decline. You click through it in two seconds and move on.
That dialog exists because regulators spent years building consent frameworks around cookies: small text files stored on your device that websites read on return visits to identify you. Cookies are real, cookies are trackable, and cookies can be deleted. The entire framework of digital privacy regulation is largely built around them.
What the consent dialog doesn’t mention is the identification system that was being built in parallel, one that doesn’t store anything on your device, can’t be deleted, and operates whether you click accept or decline.
Browser fingerprinting works by reading technical parameters your browser reports automatically during every web connection: your browser version and operating system, your screen resolution, your installed fonts, how your graphics card renders certain operations, how your audio hardware processes certain signals, your time zone, your language settings. No single parameter identifies you. The combination of all of them, across dozens of attributes, creates a profile that is often unique enough to identify your specific device reliably across sessions without cookies, without a login, without any stored data on your end.
Early research from the EFF’s Panopticlick study suggested over 90% of desktop browsers were uniquely identifiable this way. More recent analysis, accounting for mobile devices and modern browser mitigations, puts real-world uniqueness closer to 60–75% for unprotected desktop configurations. For a corporate laptop running a standard browser without specific anti-fingerprinting configuration (the device your analysts, attorneys, and executives work from every day), that number is conservative.
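To make the "no single parameter identifies you, the combination does" point concrete, here is an added example (not from the article) that measures how many bits of identifying information each attribute carries against a small constructed population, and how large the set of indistinguishable devices is once attributes are combined. The population, field names and values are all constructed for illustration.

```python
# Added example (not from the article): why attributes that are each common
# can still single out a device in combination. The population is constructed.
import math

# Constructed sample of eight browser profiles:
# (os, browser, screen, timezone, language). Every value appears at least twice.
FIELDS = ("os", "browser", "screen", "timezone", "language")
POPULATION = [
    ("Windows", "Chrome",  "1920x1080", "America/New_York", "en-US"),
    ("Windows", "Chrome",  "1920x1080", "America/New_York", "en-US"),
    ("Windows", "Chrome",  "1920x1080", "America/Chicago",  "en-US"),
    ("Windows", "Firefox", "1366x768",  "America/New_York", "en-US"),
    ("Windows", "Firefox", "1366x768",  "America/Chicago",  "en-US"),
    ("macOS",   "Safari",  "2560x1600", "America/New_York", "en-US"),
    ("macOS",   "Safari",  "2560x1600", "Europe/London",    "en-GB"),
    ("macOS",   "Chrome",  "2560x1600", "Europe/London",    "en-GB"),
]

def surprisal_bits(value, column):
    """Identifying information in one attribute value, in bits:
    -log2(fraction of the population that shares the value)."""
    return -math.log2(column.count(value) / len(column))

def attribute_report(profile, population=POPULATION):
    """Per-attribute surprisal of one profile against the population.
    A value shared by half the population is worth exactly 1 bit."""
    return {
        name: round(surprisal_bits(profile[i], [p[i] for p in population]), 2)
        for i, name in enumerate(FIELDS)
    }

def anonymity_set(profile, population=POPULATION):
    """Number of devices that match the profile on every attribute.
    A set of size 1 means the combination identifies the device."""
    return sum(1 for p in population if p == profile)

def combined_bits(profile, population=POPULATION):
    """Bits delivered by the whole combination; log2(population size)
    is the maximum, reached when the device is unique."""
    return -math.log2(anonymity_set(profile, population) / len(population))

if __name__ == "__main__":
    target = POPULATION[2]
    print(attribute_report(target))                      # no attribute above 2.0 bits
    print(anonymity_set(target), combined_bits(target))  # 1 device, 3.0 bits
```

For the third profile, no single attribute is worth more than 2 bits (every value is shared with at least one other device), yet the five together are unique within the population. Real fingerprinting adds high-entropy attributes such as canvas output and font lists on top of these.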
How the Technical Stack Works
For the purposes of business risk assessment, the specific mechanisms matter less than understanding that fingerprinting is not one technique but a layered system in which each component compensates for the limitations of others.
Canvas and WebGL fingerprinting exploit the fact that different combinations of graphics hardware, drivers, operating systems, and fonts produce slightly different rendering outputs when asked to draw the same thing. A website creates an invisible drawing element, runs a rendering operation, and hashes the output. The hash is consistent across sessions for the same device and largely unaffected by anything the user does. This runs silently in the background on most major ad-supported websites.
Network fingerprinting operates entirely below the browser. Every encrypted connection begins with a TLS handshake in which your software announces a characteristic set of supported ciphers, protocol versions, and extension ordering. This sequence, captured in frameworks like JA3 and the more recent JA4 (developed by Cloudflare in 2024 to resist spoofing), functions as a fingerprint of your connection stack. It’s generated before any web page loads and is unaffected by VPN routing.
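As an added example (not from the article), this is how the older JA3 fingerprint the paragraph names is derived from the fields a client announces in its TLS ClientHello, and why it does not change when the connection is routed differently. The ClientHello values and the helper names are constructed for illustration; JA4 is not implemented here.

```python
# Added example (not from the article): how a JA3 TLS fingerprint is derived
# from the fields of a ClientHello. The ClientHello below is constructed.
import hashlib

# GREASE values (RFC 8701) are random per connection; JA3 drops them so the
# fingerprint stays stable from one handshake to the next.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 string: five comma-separated fields, each a '-'-joined list of
    decimal values in the order the client sent them."""
    def clean(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), clean(ciphers), clean(extensions),
                     clean(curves), clean(point_formats)])

def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """JA3 fingerprint: MD5 of the JA3 string (32 hex characters)."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode()).hexdigest()

# Constructed ClientHello fields (not a real capture). None of them depends
# on the source IP, so routing the connection through a VPN leaves the
# fingerprint unchanged.
HELLO = {
    "version": 771,                     # 0x0303, TLS 1.2 in the ClientHello
    "ciphers": [0x1a1a, 4865, 4866, 4867, 49195, 49199],
    "extensions": [0x2a2a, 0, 23, 65281, 10, 11, 35, 16, 5, 13],
    "curves": [0x3a3a, 29, 23, 24],
    "point_formats": [0],
}

def same_stack_new_grease(hello):
    """The same client on a later connection: only the GREASE values differ."""
    swap = {0x1a1a: 0x7a7a, 0x2a2a: 0xcaca, 0x3a3a: 0x0a0a}
    return {k: ([swap.get(v, v) for v in val] if isinstance(val, list) else val)
            for k, val in hello.items()}

if __name__ == "__main__":
    print(ja3_string(**HELLO))
    print(ja3_hash(**HELLO) == ja3_hash(**same_stack_new_grease(HELLO)))  # True
```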
Behavioral fingerprinting layers on top of everything else. Mouse movement patterns, typing rhythms, scroll behavior, and interaction timing create signals that anti-fraud systems use both to distinguish human users from automated tools and to link sessions when device parameters change.
The composite profile created by these overlapping methods is stable enough for session linking, consistent enough for attribution across weeks or months, and difficult enough to manipulate that it operates as a persistent identifier for most users who haven’t taken specific, technical countermeasures.
Why Standard Operational Security Doesn’t Address This
This is the gap worth understanding in detail, because the tools professionals rely on for privacy don’t engage with fingerprinting at the level where it operates.
A VPN changes your IP address. Against fingerprinting, that’s irrelevant. Your Canvas hash doesn’t change when traffic routes through a different server. Your TLS fingerprint doesn’t change. Your font set, your screen resolution, your GPU behavior: none of it is affected by the VPN layer. Per the research underlying JA4’s development, VPN traffic is identifiable as VPN traffic through its own characteristic network signatures, meaning a VPN can actually reduce rather than increase the anonymity set a device fingerprint belongs to.
Incognito mode is a local session tool. It clears cookies, history, and cached data at session close. It does not change what your browser reports to servers. Every fingerprinting vector operates identically in a private window as in a normal one. This is documented behavior, not a limitation — incognito was designed to protect local session privacy, not network-level identification.
Clearing browser history addresses nothing in the fingerprinting stack. There is no user-facing action analogous to clearing cookies that removes a browser fingerprint, because the fingerprint isn’t stored anywhere you can access.
For corporate environments specifically: the assumption that a VPN plus browser hygiene constitutes meaningful operational security for sensitive research activity is, in 2025, no longer accurate. The tracking infrastructure has moved to a layer where those tools don’t reach.
The Business Risk Applications
Understanding where fingerprinting is deployed matters for assessing where exposure exists.
Adversarial due diligence. The scenario in the opening of this article is realistic. Companies running fingerprinting scripts — which includes most large organizations using standard analytics and anti-fraud tools — accumulate device profiles of repeat visitors. A PE firm or strategic acquirer conducting extended pre-announcement research against a target may be generating a trackable pattern against that target’s own logging infrastructure. Whether that data is ever examined depends on the target’s sophistication, but the record exists.
Litigation and investigation contexts. Device fingerprints appear in legal proceedings more often than most practitioners realize, primarily through the anti-fraud logs of financial platforms and large digital services. A party’s device fingerprint history can establish session attribution, link accounts, or contradict claims about who accessed what and when. For attorneys managing digital evidence in commercial litigation, understanding what fingerprinting logs capture — and what they don’t — is increasingly relevant.
Executive and VIP exposure. Corporate executives conducting sensitive communications or research from personal devices on corporate matters are operating outside most IT security oversight. The fingerprinting exposure on a personal laptop running a default browser configuration is the same as on any other unprotected device. The sensitivity of the activity doesn’t reduce the technical exposure.
Vendor and third-party risk. Due diligence on acquisition targets and third-party partners increasingly includes review of their tracking and data collection practices. A target that has been aggressively fingerprinting its own customers without adequate consent or disclosure carries regulatory exposure, particularly under GDPR frameworks, where fingerprinting data constitutes personal data requiring a lawful basis for collection. The UK’s ICO has stated this position directly in response to Google’s 2025 advertising fingerprinting announcement.
What Actually Moves the Risk Needle
Browser vendors have been adding anti-fingerprinting measures, with meaningful variation in how aggressively they’ve pursued it. Firefox’s 2025 updates added canvas output randomization, limited font list reporting, masked CPU core counts, and adjusted screen resolution reporting. Mozilla estimates these measures reduce unique fingerprint rates by roughly half among Firefox users. Safari applies tracking prevention and adds noise to Canvas and audio API outputs. Chrome has been slower, constrained by the advertising economics that make aggressive fingerprinting reduction commercially complicated for Google.
For organizations with specific operational security requirements around sensitive research activity, the practical countermeasures are Firefox with privacy.resistFingerprinting enabled, combined with script blocking through uBlock Origin, which prevents the JavaScript-dependent active fingerprinting methods from executing at all. For the highest-sensitivity activities, Tor Browser standardizes all parameters across its user base, making every Tor user present an identical fingerprint profile. The trade-off is meaningful compatibility and performance overhead.
The honest assessment is that no configuration provides complete protection. Fingerprinting systems that use similarity analysis rather than exact hash matching (which is where anti-fraud applications have moved, specifically because device profiles drift over time with updates and hardware changes) can maintain session linkage even through partial countermeasures. The goal for most professional contexts is raising the difficulty of attribution, not achieving theoretical anonymity.
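The difference between exact hash matching and similarity analysis is easiest to see in code. This added example (not from the article) links a drifted profile back to its baseline after a browser update and a randomized canvas output, which is exactly the case where a single-attribute countermeasure fails; the profiles, attribute weights and threshold are constructed for illustration.

```python
# Added example (not from the article): exact-hash matching versus weighted
# similarity linking of device profiles. Profiles and weights are constructed.
import hashlib

# Constructed weights: how much an agreeing attribute contributes to a link.
# Higher-entropy attributes (font set, canvas output) count for more.
WEIGHTS = {"os": 1, "browser": 1, "screen": 2, "timezone": 2,
           "language": 1, "fonts": 3, "canvas": 2}

def exact_hash(profile):
    """Naive fingerprint: one hash over every attribute. Any drift,
    such as a browser update, produces an unrelated value."""
    joined = "|".join(f"{k}={profile[k]}" for k in sorted(WEIGHTS))
    return hashlib.sha256(joined.encode()).hexdigest()

def similarity(a, b, weights=WEIGHTS):
    """Share of total weight carried by attributes on which a and b agree."""
    matched = sum(w for k, w in weights.items() if a.get(k) == b.get(k))
    return matched / sum(weights.values())

def link(known, observed, threshold=0.7):
    """Most similar known profile and its score, or None below threshold."""
    best = max(known, key=lambda p: similarity(p, observed))
    score = similarity(best, observed)
    return (best["id"] if score >= threshold else None, score)

# Constructed profiles. DRIFTED is DEVICE_A weeks later: the browser has
# auto-updated and a countermeasure has randomized the canvas output.
DEVICE_A = {"id": "device-A", "os": "Windows", "browser": "Chrome 130",
            "screen": "1920x1080", "timezone": "America/New_York",
            "language": "en-US", "fonts": "fontset-f1", "canvas": "canvas-h1"}
DEVICE_B = {"id": "device-B", "os": "macOS", "browser": "Safari 18",
            "screen": "2560x1600", "timezone": "America/New_York",
            "language": "en-US", "fonts": "fontset-f2", "canvas": "canvas-h2"}
DRIFTED = dict(DEVICE_A, id="unknown", browser="Chrome 131", canvas="rand-9f2e")

if __name__ == "__main__":
    print(exact_hash(DEVICE_A) == exact_hash(DRIFTED))   # False: the hash breaks
    print(link([DEVICE_A, DEVICE_B], DRIFTED))           # ('device-A', 0.75)
```

Randomizing the canvas output alone removes only 2 of 12 weight points here, so the drifted session still scores 0.75 against its baseline; this is why the text recommends blocking the active scripts or presenting a uniform profile rather than perturbing one attribute.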
What This Means for Your Practice
The consent banner is real. The cookie dialog addresses something. It just addresses the most visible layer of a tracking infrastructure that extends considerably further down.
For M&A practitioners, the operational implication is that pre-announcement research activity against targets, the kind of extended, methodical investigation that characterizes serious due diligence, may be generating a fingerprint record against the target’s own infrastructure. Whether that record is ever recovered, examined, or acted on is a separate question. The record’s existence is a function of standard analytics deployment, not adversarial intent.
For litigation practitioners, device fingerprint attribution is an emerging evidence category that doesn’t yet have the established case law that cookie-based tracking does, which means both opportunity and uncertainty in how courts will treat it.
For security practitioners advising executives and high-value targets: the privacy tools most people rely on were designed for the threat model of ten years ago. The tracking infrastructure has moved.
That’s the argument this series makes, across the specific technical layers where the gap exists.
Next in this series: The connection record that exists before your browser loads a page: how TLS fingerprinting works, what JA4 captures, and what it means for network-level attribution.