TRACIO's identification system generates a stable visitor identifier from 130+ browser signals. The identifier persists across sessions, incognito mode, VPN changes, and cookie clearing. This page explains the complete identification pipeline.
The client collects 130+ distinct browser signals across 10 categories. Each signal probes a different aspect of the browser and device, from hardware characteristics to rendering behavior.
| Group | Signals | Stability | Examples |
|---|---|---|---|
| Hardware | 12 | Very High | Screen resolution, device memory, hardware concurrency, touch support |
| Rendering | 9 | High | Canvas fingerprint (text + geometry), WebGL renderer, audio processing |
| Fonts | 5 | High | Available system fonts (69 families tested), font preferences, MathML rendering |
| Platform | 25 | Medium | User-Agent, navigator properties, timezone, language, vendor |
| CSS Engine | 10 | Medium | Media query responses (color scheme, HDR, reduced motion, forced colors) |
| Storage | 10 | Medium | Cookie support, localStorage, sessionStorage, storage quota |
| WebGL | 9 | High | GPU vendor, renderer (unmasked), shader precision, extension support |
| Network | 3 | Low | Connection RTT, TURN probe, app version |
| Bot Indicators | 15 | N/A | Webdriver flag, automation frameworks, eval length, headless markers |
| Custom | 14 | Varies | Math fingerprint, WASM features, architecture detection |
Not all signals are equally useful for identification. Signals are classified by stability:
Tier 1 (Frozen): Hardware and rendering signals that almost never change. Canvas fingerprint, WebGL renderer, audio fingerprint, GPU parameters, font enumeration, math operations, architecture byte.
Tier 2 (Semi-stable): Signals that change with browser updates or configuration changes. User-Agent, Client Hints, plugins, CSS media queries, storage capabilities.
Tier 3 (Volatile): Signals that change frequently. Screen resolution (monitor changes), timezone (travel), language preferences, connection properties.
The visitor ID is computed using a three-tier hashing system that balances stability with extensibility:
Visitor ID = [Tier1Hash][Tier2Hash][Tier3Hash] 20 chars 10 chars 10 chars ──────── ──────── ──────── base62 base62 base62Tier 1 uses only frozen signals that are inherent to the hardware and rendering engine. These signals change only when the user switches to a different physical device or makes significant hardware changes.
Signals included: Canvas fingerprint hash, WebGL renderer (unmasked), WebGL vendor (unmasked), audio fingerprint, font enumeration hash, WebGL parameters hash, math operations hash, architecture byte (ARM vs x86).
Algorithm:
key1=value1|key2=value2|... (keys sorted alphabetically)Tier 1 is intentionally frozen. New signals are never added to Tier 1, ensuring that the identity core remains stable across server updates.
Tier 2 captures the browser and OS environment. These signals change when the user updates their browser, installs extensions, or modifies system settings.
Signals included: User-Agent data, Client Hints (brands, platform, architecture), navigator properties (vendor, platform, languages), plugin list, screen color depth, device memory, hardware concurrency.
Tier 3 captures volatile signals that may change between sessions. These are used for confidence scoring and fuzzy matching but do not affect the core identity.
Signals included: Screen resolution, timezone, language, DOM blockers, storage capabilities, CSS media query responses, connection properties.
Each tier is hashed using MurmurHash3-x64-128, a fast, non-cryptographic hash function that produces 128-bit output. The algorithm:
MurmurHash3 provides excellent distribution (every bit of input affects every bit of output) and is fast enough for real-time computation. It is not cryptographically secure, but that is not required for fingerprint hashing.
Input: "canvas=abc123|webgl_renderer=ANGLE|audio=0.04852" ↓ MurmurHash3-x64-128Output: 0x7f4a8c2d1e3b5f6a 0x9d8c7b6a5e4f3d2c ↓ base62 encodeResult: "X7fh2Hg9LkMn3pQr5tBv"The confidence score (0.0 to 1.0) represents how certain the system is about the visitor identification:
When the encrypted _tcid cookie matches a known visitor, confidence is set to 1.0. The cookie contains an AES-GCM encrypted visitor token that is verified server-side. This is the fastest and most reliable identification path.
New visitors with no prior record receive a confidence score of 0.90. There is no risk of false matching since there are no existing records to compare against.
For returning visitors without a cookie match, the system computes confidence from:
Signal frequency weighting (IDF): Signals that are more unique across the global population receive higher weight. A rare WebGL renderer is more identifying than a common screen resolution.
Fuzzy matching: The system compares the current fingerprint against stored fingerprints using bit-level Hamming distance. Signals are grouped by tier, and each tier's match score is weighted independently.
Historical consistency: If a visitor's signals have been stable across multiple visits, confidence increases. If signals fluctuate frequently, confidence decreases.
| Scenario | Typical Score | Explanation |
|---|---|---|
| Cookie match | 1.000 | Encrypted cookie verified server-side |
| First visit | 0.900 | No prior records to compare |
| Strong fingerprint match | 0.990-0.999 | All Tier 1 signals match, most Tier 2 match |
| Partial match (browser update) | 0.950-0.989 | Tier 1 matches, Tier 2 changed (new UA) |
| Weak match (significant changes) | 0.850-0.949 | Some Tier 1 signals changed |
| Ambiguous | 0.500-0.849 | Multiple possible matches in database |
TRACIO uses a first-party cookie (_tcid) to maintain visitor identity across sessions:
_tcid (configurable via storageKeyPrefix)SameSite=Lax, HttpOnly, SecureThe cookie is set server-side via the Set-Cookie response header. The visitor token is also stored in localStorage as a fallback when cookies are blocked.
The server attempts to set the cookie on progressively broader domain scopes:
app.example.com → example.com → comThe broadest domain that successfully sets the cookie is used. This ensures the cookie persists across subdomains.
TRACIO can identify the same person across different browsers on the same device when Tier 1 signals produce matching hashes. Since Tier 1 relies on hardware and rendering characteristics (canvas, WebGL, audio, fonts), these signals are often identical across browsers on the same machine.
Cross-browser match rates (approximate):
| Browser Pair | Match Rate |
|---|---|
| Chrome ↔ Edge (same device) | ~95% |
| Chrome ↔ Firefox (same device) | ~80% |
| Chrome ↔ Safari (same device) | ~60% |
| Desktop ↔ Mobile (same person) | ~5% |
Cross-browser matching is a lower-confidence operation and is flagged accordingly in the response.