How Websites Track You Without Cookies (Even in Incognito)

Wait… I’m in Incognito. How are they still tracking me?

Welcome to the sneakiest surveillance game on the internet—where no cookie doesn’t mean no tracking.
Ever felt like a site “remembers” your taste… even after clearing history, nuking cookies, and switching to incognito?
Yeah, you’re not crazy. They’re onto you.

Modern Stalking, Now With Fewer Calories

Click a link ➜ “No cookies, I’m safe!” ➜ Your device whispers everything ➜ Boom—you’re profiled anyway

image1024×559 81 KB

What’s Really Happening

Websites don’t need cookies to track you.
They use fingerprinting, IP logging, and server logs to piece together a unique little digital version of you.
It’s like putting on a fake mustache, but your shoes, walk, and laugh all still give you away.

What Is Fingerprinting?

Fingerprinting = Collecting small harmless details about your device ➜ Mashing them into a unique ID.

Here’s what they sniff out:

• IP address (static/dynamic—it still says “hi”)
• Browser + Version (Chrome 137.0… suspicious)
• Screen size and resolution
• Installed fonts and languages
• Timezone, battery level, and even your GPU quirks
• Audio rendering, how your device draws SVGs, how fast you type
• Extensions you installed
• How you scroll, move the mouse, or pause before clicking

Basically, even your indecisive clicking style is a clue.

Test yours:

• https://amiunique.org/fingerprint
• https://coveryourtracks.eff.org/

Even Weirder Tricks They Use

• Canvas fingerprinting: They make your browser draw a secret image. Every device draws it slightly differently. Boom—tracker.
• Battery info: Yup, they know you’re at 37%. That’s unique.
• JavaScript off? CSS still tells on you.
• Login cookies: Still stored in incognito while logged in? That account’s busted wide open.
• 1st-party cookies: Yes, they’re allowed in incognito until you close it. But that’s plenty of time to tag you.

Wait, What About Incognito?

Here’s the truth:

• Incognito = no history, no permanent cookies.
• BUT: 1st-party cookies still work during that session.
• AND: Fingerprinting works the same.
• ALSO: Servers still get your IP and user-agent instantly.

So no, you’re not invisible. You’re just wearing a hoodie.

“But IP changes, right?” – Not fast enough, buddy.

• Some people get new IPs every few days or weeks.
• Others (hi Comcast) stick with the same IP for years.
• Combine that with your fingerprint? You’re toast.

Bonus: They might tag you by:

• URL rewrites (unique ID in the link)
• Server-side logging (before page loads)
• Cross-site scripts and shared ad libraries

But… Is It Legal?

In the EU (GDPR says hi ):

• Tracking someone without consent (even fingerprinting) = illegal.
• Doesn’t matter if you store the data or just “process” it.
• “But it’s not personal info!” → If it can identify you when combined with other data, it is.
• “We don’t store it” → Still illegal if you use it to treat people differently.

In the US (and most other places):

• ¯\_(ツ)_/¯

So yes, the law exists, but enforcement is a mess.
Most companies break the rules and call it “essential functionality.”

Reality Check

Belief	Truth
Incognito = Private	Nope. Just no history. Still fingerprintable.
IP isn’t personal	Alone, maybe not. Combined? Super personal.
Cookies are the problem	The real threat is fingerprinting.
Session cookies are harmless	They can still track you within the session.
GDPR blocks it	Law says no. Web says yes.

How to Stay (Sorta) Private

Tool	Use
Brave or Mullvad Browser	Built-in anti-fingerprinting
VPN	Masks IP, but not fingerprint
Tor Browser	Paranoid mode ON
Canvas Defender	Spoofs your device fingerprint
NoScript / uBlock Origin	Blocks bad scripts before they sniff you
Use a second browser	For the “weird stuff”

Want to dive deeper?

• https://yongchao.li/2019/09/11/cookieless-cookies.html
• https://incogniton.com/blog/unmasking-incognito-browsing-whats-covered-and-whats-not/
• https://www.eff.org/deeplinks/2018/06/gdpr-and-browser-fingerprinting-how-it-changes-game-sneakiest-web-trackers
• https://stackoverflow.com/questions/33620706/what-does-chromes-incognito-mode-do-exactly

Simple (The Brutal Truth)

You’re not being followed by cookies.
You’re being followed by everything else.
IP + fingerprint = your digital clone, still clicking away even after you “go ghost.”

They don’t need your name to know it’s you.
They just need your screen size, your typing speed, and how long you hover over “stepmom stuck in dryer.”

Final Advice

If you’re into privacy, you’ll need more than incognito.
If you’re into “interesting tastes”, maybe… stop thinking the front page is random.
If you’re into fooling trackers, you better start acting like a digital ninja—not a tourist in private mode.

Welcome to the fingerprint era. Cookies were just the warm-up.