Clycyo

What Is Browser Fingerprinting? Why Ethical Tools Refuse It

Fingerprinting explained: how device traits become identifiers, why regulators treat it as tracking, and the cookieless alternative.

Browser fingerprinting identifies a device by combining traits that are individually innocent — screen size, fonts, GPU, timezone, language list, canvas rendering quirks — into a combination unique enough to track without storing anything. No cookie to delete, no consent prompt triggered by storage access: identification by physics rather than by file.

Why it is worse than cookies, not better

Cookies, whatever their sins, are visible and deletable — the user has agency. A fingerprint is involuntary and persistent: you cannot clear your GPU. That inversion of control is why regulators treat fingerprinting as more invasive than the cookies it replaces: ePrivacy guidance covers it explicitly (storage-or-access rules apply to reading device characteristics for identification), and 'we use fingerprinting instead of cookies so no banner needed' is a compliance theory that survives until the first regulator reads it.

The analytics industry's quiet temptation

When third-party cookies died, some tools reached for fingerprint-flavored 'cookieless' tracking — same cross-visit identification, new mechanism, marketed with the privacy vocabulary. The tell: any tool claiming to recognize returning visitors across weeks without cookies or login is doing identifier reconstruction somehow, and the somehow matters.

The honest alternative: rotating salts

Genuine privacy-first analytics solves the same-day session problem without the cross-time identity: a daily-rotating salted hash groups today's hits, then the salt rotates and yesterday's visitor is unrecoverable. You trade long-window unique-visitor precision for actual privacy; the commercially important identities come from voluntary identify() at signup instead. Clycyo's position is this architecture exactly: no fingerprinting, no fingerprint-adjacent 'probabilistic matching', rotation by design.
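
One way to implement the daily-rotating salted hash described above, as an added example (not Clycyo's own code). The hashed inputs (site id, client IP, User-Agent), the HMAC-SHA256 construction and the names DailySaltHasher, visitor_id and demo are assumptions; the sample values are constructed.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


class DailySaltHasher:
    """Groups same-day hits under one ID; holds only the current day's salt."""

    def __init__(self):
        self._day = None   # UTC date the current salt belongs to
        self._salt = None  # random bytes, kept in memory only, never logged

    def _salt_for(self, now):
        day = now.astimezone(timezone.utc).date()
        if self._day is not None and day < self._day:
            # That day's salt is already destroyed, so a late hit cannot be grouped.
            raise ValueError("hit is older than the current salt window")
        if day != self._day:
            # Rotation overwrites the old salt. The new one is random, not
            # derived from the date, so it cannot be regenerated afterwards.
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt

    def visitor_id(self, site, ip, user_agent, now):
        # Assumed inputs: values that arrive with every request anyway.
        # No device traits (canvas, fonts, GPU) are probed.
        parts = [site, ip, user_agent]
        # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
        msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
        return hmac.new(self._salt_for(now), msg, hashlib.sha256).hexdigest()


def demo():
    # Constructed sample visitor: two hits on one UTC day, one just after midnight.
    h = DailySaltHasher()
    args = ("example.test", "203.0.113.7", "Mozilla/5.0 (constructed sample)")
    a = h.visitor_id(*args, datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc))
    b = h.visitor_id(*args, datetime(2024, 5, 1, 23, 59, tzinfo=timezone.utc))
    c = h.visitor_id(*args, datetime(2024, 5, 2, 0, 1, tzinfo=timezone.utc))
    return a, b, c  # a == b (same day), c differs (salt rotated)
```

Only the resulting IDs should be stored with the hits. If the raw IP or User-Agent is stored alongside them, or the salt is persisted or derived from the date, yesterday's visitor becomes recoverable again.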

Questions to ask any vendor

  1. How do you count returning visitors across days? (The only honest cookieless answer involves not being able to.)
  2. What device traits do you read, and do any feed an identifier?
  3. Is your method documented publicly — or described only with the word 'proprietary'?