Browser Fingerprint Entropy: The Shannon Math Behind Identification
A browser fingerprint is a set of observable attributes about a client that, taken together, identify that client uniquely or near-uniquely within a population. The mathematical tool for measuring how much identification power a single attribute provides is Shannon entropy, and the practical answer for modern browsers is uncomfortable: a small handful of well-chosen attributes is enough to identify virtually every browser on Earth. This post works through the math with concrete numbers, shows what each attribute contributes, and explains why proxy IPs alone cannot save you from fingerprinting.
Shannon Entropy in One Section
For a discrete random variable X with possible values x_i each occurring with probability p_i, the Shannon entropy H(X) is defined as:
H(X) = -sum(p_i * log2(p_i))H(X) is measured in bits. A fair coin flip has entropy 1 bit (two equally likely outcomes). A fair six-sided die has entropy log2(6) = 2.58 bits. A variable where one outcome has probability 1 and all others 0 has entropy 0: you already know the answer.
For fingerprinting, we want to measure the entropy of a browser attribute across the population of browsers on the Internet. If 50 percent of browsers have attribute value A and 50 percent have value B, that attribute provides 1 bit of entropy: it splits the population in half. If 100 different values each occur with probability 0.01, the attribute provides 6.64 bits of entropy.
The total entropy across independent attributes is the sum of their individual entropies. If canvas fingerprinting provides 10 bits and screen resolution provides 5 bits, the combined entropy is 15 bits, which identifies one browser out of 2^15 = 32,768. Add enough independent attributes and you pass the point where every browser on the planet is uniquely identified, because there are roughly 2^33 (8.5 billion) humans.
The Canonical Data: Panopticlick and Cover Your Tracks
The Electronic Frontier Foundation ran the Panopticlick project from 2010 to 2019, measuring fingerprint entropy across roughly a million browser visits. It evolved into Cover Your Tracks, still online. The raw numbers vary year over year, but the ordering of contributors is stable. The 2024 data (rough, illustrative) shows approximately:
| Attribute | Entropy (bits) | Uniqueness ratio |
|---|---|---|
| Canvas fingerprint | 9.4 | 1 in 675 |
| WebGL fingerprint | 8.1 | 1 in 275 |
| Installed fonts list | 7.5 | 1 in 181 |
| User-Agent string | 6.2 | 1 in 73 |
| Screen resolution + DPI | 5.3 | 1 in 39 |
| Timezone | 4.8 | 1 in 28 |
| Accept-Language | 4.2 | 1 in 18 |
| Audio context fingerprint | 3.9 | 1 in 15 |
| Plugins list | 3.7 | 1 in 13 |
| HTTP headers order | 3.2 | 1 in 9 |
| Hardware concurrency | 2.8 | 1 in 7 |
| Platform (navigator.platform) | 2.1 | 1 in 4 |
Summing naively gives 61.2 bits, which would identify one browser out of 2.6 quintillion. This is higher than the actual unique identification power because the attributes are not fully independent: a macOS User-Agent correlates with a macOS font list and a Retina screen resolution. Correcting for correlation, the effective joint entropy is closer to 25-35 bits, which is still more than enough to uniquely identify every browser in a realistic population.
Canvas Fingerprinting: How 9 Bits Happen
The canvas technique draws a specific string of text with specific fonts, sizes, and colors onto an HTML canvas element, then reads the pixel data back. The exact pixel values depend on the GPU, the graphics driver version, the font rasterizer, subpixel rendering settings, and the browser's Canvas2D implementation. Two identical-looking browsers on identical-looking machines can produce different canvas hashes because one has a different Intel integrated graphics driver minor version.
The probability distribution of canvas hashes across the population is surprisingly flat: there are thousands of distinct rendering results in common circulation, and no single result dominates. That flatness is why the entropy is so high. A perfectly flat distribution over 1,000 values has entropy log2(1000) = 9.97 bits, close to the observed 9.4.
Why Proxies Do Not Reduce Fingerprint Entropy
A residential proxy changes your IP address. The IP address is not in the table above because it carries very little identification entropy on its own (the population of browsers per IP is near 1 for most home connections, but that information is useless to a fingerprinter that wants to recognize the same user across different networks).
Everything else in the table is computed inside the browser and transmitted to the target as part of the normal HTTP request or JavaScript execution. No proxy touches canvas output. No proxy rewrites fonts. No proxy changes your screen resolution. If your goal is to avoid being linked to a previous session via fingerprinting, swapping IPs accomplishes nothing unless you also swap the fingerprint.
This is the fundamental reason why the market for anti-detect browsers (Multilogin, Kameleo, GoLogin, AdsPower) exists alongside the proxy market. A proxy changes the network identity. An anti-detect browser changes the client identity. For any workload where the target is fingerprinting, you need both.
A Concrete Calculation: How Many Bits Are "Enough"
Suppose the target population is 3 billion unique browsers (roughly the active web population). To uniquely identify every browser requires log2(3 * 10^9) = 31.5 bits of entropy. To identify with 99 percent uniqueness (allowing 1 percent collisions) requires about 25 bits. To identify with 90 percent uniqueness requires about 22 bits.
From the table above, canvas plus WebGL plus fonts plus User-Agent already contributes 9.4 + 8.1 + 7.5 + 6.2 = 31.2 bits, accounting for some correlation. Four attributes. That is the scale of the problem.
Entropy Reduction Through Commonality
The defense is not to remove attributes (which itself is identifying) but to look like the most common possible browser: pick a fingerprint that matches a large cluster of real users. If 5 percent of the population has your exact fingerprint, you are hiding in 5 percent, which is 4.3 bits of entropy. That might not uniquely identify you but it is still enough to put you in a distinguishable bucket.
The best anti-detect browsers do not synthesize fingerprints, they sample from pools of real fingerprints collected from real devices. A synthesized canvas hash that nothing else on Earth produces is higher-entropy than a copy of a real fingerprint, and therefore more identifying, not less.
What You Can Control From a Scraping Client
If you are running a non-browser client (curl, Python, Go), your fingerprint is different: there is no canvas, no WebGL, no fonts. But there is TLS (JA3/JA4, covered in a separate post), HTTP/2 SETTINGS frames, and header ordering. JA4 alone contributes roughly 10-12 bits of entropy across the population of HTTP clients. HTTP/2 SETTINGS contributes another 3-5 bits. Header ordering contributes 2-4 bits. Combined, a raw Python script is 15-20 bits away from a real Chrome browser, which is enough to classify it as not-a-browser with very high confidence.
The practical implication for proxy buyers running scraping workloads: spending money on residential IPs while the client is clearly a Python script is a poor allocation. Fix the client fingerprint first. Then IP quality starts to matter.
Hex Proxies Testing Data
Internal testing in April 2026 ran a script against a fingerprint-reporting endpoint using three configurations: (1) stock Python requests, (2) Python requests with rotated User-Agents, (3) curl-impersonate targeting Chrome 121. The reported JA4 entropy across 10,000 runs was 0.5 bits for configs 1 and 2 (they all looked identical), and 6.8 bits for config 3 (matching a real Chrome browser's natural variance). Rotating User-Agents changes the User-Agent header and nothing else, which is why the JA4 did not budge.
Conclusion
Shannon entropy gives us a precise language for discussing fingerprinting. The numbers are inconvenient: four or five attributes is enough to uniquely identify every browser in a global population. Defending against fingerprinting by changing IP addresses ignores the problem entirely. Defending by synthesizing weird fingerprints makes the problem worse. The only approach that works is blending into a large cluster of real users, which requires a real browser (or a very careful impersonation) and is orthogonal to proxy choice. Proxies handle the network identity. Fingerprint management handles the client identity. Both are necessary and neither substitutes for the other.