Browser vs "Machine" Fingerprinting

1) Is "machine fingerprinting" just browser fingerprinting?

In most consumer/privacy discussions, yes. People often say "machine fingerprinting" when they really mean browser fingerprinting: a statistical ID built from what your browser and OS reveal through web APIs.

True hardware-serial fingerprinting (CPU serial, disk serial, MAC address, TPM ID) is generally not available to normal websites because the browser sandbox blocks it.

2) What goes into a browser fingerprint?

Basic properties

• User agent (browser + OS), language, time zone
• Screen size / resolution, color depth

Feature enumeration

• Supported features & APIs, media capabilities
• Installed fonts (or font measurements), plugins (less common now)

Rendering-based signals

• Canvas rendering differences (subtle GPU/driver/font variations)
• WebGL GPU info and rendering behavior
• AudioContext processing characteristics

Indirect "hardware-ish" values

• CPU core count (e.g., navigator.hardwareConcurrency)
• Approx device memory (e.g., navigator.deviceMemory)

Behavioral signals (more advanced systems)

• Mouse movement patterns, scroll timing, typing cadence

No single item uniquely identifies you. The fingerprint comes from the combination.

3) Is a fingerprint stored in a cookie?

Typically no. Fingerprinting exists specifically to work even when cookies are blocked or cleared. A common flow is:

1) JavaScript collects environment signals
2) Signals are hashed (or scored) into an ID
3) The ID is sent to a tracking / fraud / bot-detection service
4) Returning visits can be recognized probabilistically (even without cookies)

This is why fingerprinting can survive cookie deletion and sometimes incognito sessions.

4) What do some systems mean by "device fingerprinting"?

In banking/fraud and enterprise security contexts, "device fingerprinting" often means a broader bundle of signals, such as:

• Browser fingerprint + login history
• IP reputation / ASN patterns
• TLS handshake fingerprints (network-level signals)
• Behavioral risk scoring

Even here, it's usually still not raw hardware serial numbers—it's correlation across many weaker signals.

5) How unique is a fingerprint?

A common, "boring" setup (Windows + mainstream browser + common resolution) can blend in. Unusual combinations (rare resolution, uncommon fonts, distinctive GPU/driver quirks) can increase uniqueness.

Privacy irony: making your setup "special" can make you more fingerprintable.

6) Bob-level takeaway

In everyday use, "machine fingerprinting" usually means browser environment fingerprinting: a statistical signature built from browser/OS/rendering/behavior signals—often without cookies.

It's a probabilistic identity, not a magic hardware-serial readout.

7) Optional: check how you appear (controlled test)

Two popular test sites that show fingerprint uniqueness:

• amiunique.org
• EFF Cover Your Tracks

"Unique" there means "statistically rare," not "personally identified."