
Cloudflare Turnstile Is Fingerprinting Your Users

Split-screen showing Cloudflare Turnstile privacy claims versus WebGL fingerprinting exposure

Cloudflare Turnstile landed on the front page of Hacker News today — not for a new feature, but because the CAPTCHA alternative Cloudflare has spent years calling “privacy-preserving” is doing exactly what it promised not to: fingerprinting users’ browsers through WebGL. If you have deployed Turnstile on your site, your visitors are being tracked in ways you likely have not disclosed to them.

What Turnstile Is Actually Doing

WebGL fingerprinting works by querying the browser’s graphics API for GPU-specific information: the vendor and renderer strings (which can embed driver details), the list of supported extensions and their parameter limits, and the pixel-level output of hidden rendering operations. Each GPU, driver and browser combination produces a slightly different result, and that result functions as a persistent device identifier. It survives cookie clearing, private browsing mode and VPN changes, because none of those change the hardware underneath. On its own, WebGL fingerprinting has been reported to uniquely identify more than 96% of devices; combined with other signals it becomes more discriminating still.

Turnstile runs these queries in the background before any user interaction. The key extension involved, WEBGL_debug_renderer_info, was originally designed as a debugging aid. Where the plain VENDOR and RENDERER parameters return only generic strings, it exposes the unmasked hardware identity, for example “ANGLE (NVIDIA GeForce RTX 4090 Direct3D11 vs_5_0 ps_5_0)”. Trackers discovered long ago that this is extraordinarily useful for identifying users across sessions. Cloudflare discovered it too.
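The following is an added example written for this page, not Cloudflare’s or Turnstile’s code. It shows what a script of this kind can read from a WebGL context and how a browser that masks the debug extension collapses that identity. `collectWebGLFingerprint` takes any object with the WebGLRenderingContext methods it calls; the fake contexts at the bottom, their hardware strings and pixel values are constructed so the block runs under Node without a GPU. The “Apple M1”/“Apple M3 Max” strings on the masked side are invented stand-ins for whatever the real hardware is; the point is that the script never sees them.

```javascript
// Added example (not Cloudflare's or Turnstile's code): what a WebGL
// fingerprinting script can read, and how a masked browser collapses it.
// Pass a real WebGLRenderingContext in a browser, or the constructed fake
// contexts at the bottom when running under Node.

// Enum values defined by the WEBGL_debug_renderer_info extension.
const UNMASKED_VENDOR_WEBGL = 0x9245;
const UNMASKED_RENDERER_WEBGL = 0x9246;

// FNV-1a (32-bit). A small synchronous hash keeps the example free of
// WebCrypto promises; a real tracker would use something stronger.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function collectWebGLFingerprint(gl) {
  // Hardened engines return null for the extension (or generic strings from it).
  const dbg = gl.getExtension("WEBGL_debug_renderer_info");
  const vendor = gl.getParameter(dbg ? dbg.UNMASKED_VENDOR_WEBGL : gl.VENDOR);
  const renderer = gl.getParameter(dbg ? dbg.UNMASKED_RENDERER_WEBGL : gl.RENDERER);
  const extensions = (gl.getSupportedExtensions() || []).slice().sort();

  // Pixel probe. Real fingerprinters draw a shaded scene and hash the
  // rasterised output; a clear is used here only to keep the example short.
  gl.clearColor(0.2, 0.4, 0.6, 1.0);
  gl.clear(gl.COLOR_BUFFER_BIT);
  const pixels = new Uint8Array(4 * 4 * 4); // 4x4 RGBA
  gl.readPixels(0, 0, 4, 4, gl.RGBA, gl.UNSIGNED_BYTE, pixels);
  const pixelHash = fnv1a(Array.from(pixels).join(","));

  const id = fnv1a([vendor, renderer, extensions.join(";"), pixelHash].join("|"));
  return { unmasked: dbg !== null, vendor, renderer, extensionCount: extensions.length, pixelHash, id };
}

// Browser only: paste into the devtools console to see what a page learns about you.
function fingerprintCurrentBrowser() {
  const canvas = document.createElement("canvas");
  const gl = canvas.getContext("webgl");
  return gl ? collectWebGLFingerprint(gl) : null;
}

// Constructed stand-in for WebGLRenderingContext so the code runs under Node.
// `masked: true` models the Safari behaviour described in the article: no debug
// extension, and generic VENDOR/RENDERER strings regardless of hardware.
function makeFakeContext({ vendor, renderer, masked, extensions, pixelValue }) {
  const ctx = {
    VENDOR: 0x1f00, RENDERER: 0x1f01, RGBA: 0x1908, UNSIGNED_BYTE: 0x1401, COLOR_BUFFER_BIT: 0x4000,
    clearColor() {},
    clear() {},
    getExtension(name) {
      if (name === "WEBGL_debug_renderer_info" && !masked) {
        return { UNMASKED_VENDOR_WEBGL, UNMASKED_RENDERER_WEBGL };
      }
      return null;
    },
    getParameter(p) {
      if (p === UNMASKED_VENDOR_WEBGL) return vendor;
      if (p === UNMASKED_RENDERER_WEBGL) return renderer;
      if (p === ctx.VENDOR) return masked ? "WebKit" : vendor;
      if (p === ctx.RENDERER) return masked ? "WebKit WebGL" : renderer;
      return null;
    },
    getSupportedExtensions() { return extensions; },
    readPixels(_x, _y, _w, _h, _fmt, _type, out) { out.fill(pixelValue); },
  };
  return ctx;
}

// Constructed sample devices (hardware strings and pixel values are made up).
const commonExts = ["EXT_texture_filter_anisotropic", "OES_texture_float", "WEBGL_lose_context"];
const sampleContexts = {
  nvidiaDesktop: makeFakeContext({ vendor: "Google Inc. (NVIDIA)",
    renderer: "ANGLE (NVIDIA GeForce RTX 4090 Direct3D11 vs_5_0 ps_5_0)",
    masked: false, extensions: [...commonExts, "WEBGL_debug_renderer_info"], pixelValue: 51 }),
  intelLaptop: makeFakeContext({ vendor: "Google Inc. (Intel)",
    renderer: "ANGLE (Intel(R) Iris(R) Xe Graphics Direct3D11 vs_5_0 ps_5_0)",
    masked: false, extensions: [...commonExts, "WEBGL_debug_renderer_info"], pixelValue: 52 }),
  // Two different Macs behind Safari-style masking: the script sees the same thing.
  safariMacA: makeFakeContext({ vendor: "Apple", renderer: "Apple M1", masked: true,
    extensions: commonExts, pixelValue: 51 }),
  safariMacB: makeFakeContext({ vendor: "Apple", renderer: "Apple M3 Max", masked: true,
    extensions: commonExts, pixelValue: 51 }),
};
```

Running `fingerprintCurrentBrowser()` in a Chromium console returns `unmasked: true` and an ANGLE renderer string; in Safari it returns `unmasked: false` with the generic “WebKit”/“WebKit WebGL” values. That difference is the whole reason a script that needs the unmasked string to “function” treats Safari-like browsers as suspicious.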

The Gap Between the Marketing and the Code

Cloudflare’s Turnstile launch post uses “privacy” as a primary selling point. “Turnstile never looks for cookies,” they wrote. “Turnstile never harvests data for ad retargeting.” The announcement positioned Turnstile as a response to the privacy failures of Google reCAPTCHA. EU privacy lawyers were recommending it as the CAPTCHA you could deploy without a consent banner.

None of that framing mentions WebGL fingerprinting. The technical analysis that sparked today’s discussion found that Turnstile requires fingerprintable WebGL APIs to function — and that browsers which protect against this fingerprinting are blocked or over-challenged as a result.

Apple’s Browser Already Said No

WebKit, Apple’s browser engine, blocked WEBGL_debug_renderer_info around 2020. Safari returns masked, generic GPU information instead of actual hardware details, specifically because Apple judged the tracking implications too invasive. Safari 26 extends this with Advanced Fingerprinting Protection across WebGL, Canvas, and Web Audio APIs. The HN discussion notes that “the tracking is so invasive that even Apple would block it” — which should tell you something about where this sits on the privacy spectrum.

The practical effect: users running Cromite, Mullvad Browser, Tor Browser, LibreWolf with hardened settings, or any WebKitGTK-based browser face higher rates of challenges or outright blocks when visiting Turnstile-protected sites. The browsers doing the right thing for user privacy are being penalized for it. The Hacker News thread — 515 points and 288 comments deep — is full of reports from people who cannot reach sites they legitimately want to access.

You Deployed It. That Makes It Your Problem.

Here is the part developers need to sit with: Cloudflare’s terms put compliance responsibility on the website operator, not on Cloudflare. If your site is fingerprinting users through Turnstile, that is happening under your domain, in your name. Under GDPR, you are the data controller. Under CCPA, you bear disclosure obligations. “I used a third-party widget” is not a defense regulators accept.

Most deployments happened because Turnstile was marketed as consent-free. That marketing was incomplete. Conducting a Data Protection Impact Assessment for a CAPTCHA widget sounds excessive until you realize what that widget is actually collecting.

Alternatives That Actually Hold the Line

The bot traffic problem is real — this is not a manufactured concern. Sites report millions of scraper requests daily in the post-AI-boom environment, and proof-of-work solutions have weaknesses against well-resourced attackers. But fingerprinting your legitimate users is not the only available response.

FriendlyCaptcha uses client-side cryptographic proof-of-work — no fingerprinting, no cross-site tracking, GDPR-compliant by default. ALTCHA is an open-source alternative with zero tracking. Neither blocks users whose only crime is protecting their own privacy.

Read what you ship. “Privacy-preserving” is a claim that costs nothing to make and requires independent verification to trust. When a vendor’s revenue comes from security tools rather than user data, it has less incentive to monetize your users, but less incentive is not proof of no fingerprinting. Check the implementation, not the landing page.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
