Fingerprinting Protections
Fingerprinting Protection is a privacy feature that makes it harder for sites to track you while you browse.
Brave includes best-effort defense against browser fingerprinting. Broadly speaking, browser fingerprinting is the detection of browser and operating system features that differ between users for the purpose of covertly identifying users and tracking them across the web. Although fingerprinting attacks will always be possible, it is worthwhile for us to make these attacks as slow / costly / difficult as possible.
Brave includes two types of fingerprinting protections: (i) blocking, removing or modifying APIs, to make Brave instances look as similar as possible, and (ii) randomizing values from APIs, to prevent cross-session and cross-site linking (e.g. making Brave instances look different to websites each time).
In cases where we block, remove or modify API behavior, we attempt to return empty or non-identifying values that have the "shape" of expected values, to minimize web compatibility issues.
In cases where we randomize API values, we attempt to make modifications that are imperceptible to humans, but distinguishing to computers / fingerprinters. These randomization values are derived from a seed that changes per session, per site (eTLD+1) and per storage area. Third-party frames and scripts share the seed value of the top-level eTLD+1 domain. This approach is especially effective against fingerprinters that hash together a large number of semi-identifiers into a single identifier, since randomizing just one value "poisons" the entire fingerprint.
More information about Brave's "privacy through randomization" systems can be found in the following blog posts:
- What’s Brave Done For My Privacy Lately? Episode #3: Fingerprint Randomization
- What’s Brave Done For My Privacy Lately? Episode #4: Fingerprinting Defenses 2.0
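The seeded randomization described above can be sketched as follows. This is an added example, not Brave's code: the context fields (`sessionKey`, `topLevelSite`, `storageArea`, `frameOrigin`), the sample values, and the use of FNV-1a and mulberry32 as stand-ins for the real seed derivation and noise source are all assumptions made for illustration.

```javascript
// Added illustration, NOT Brave's implementation; all names are hypothetical.
// FNV-1a (32-bit): non-cryptographic stand-in for seed derivation and hashing.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h = Math.imul(h ^ str.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h;
}

// mulberry32: small deterministic PRNG that expands a seed into noise bits.
function mulberry32(a) {
  return () => {
    a = (a + 0x6d2b79f5) | 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return (t ^ (t >>> 14)) >>> 0;
  };
}

// Seed inputs: session, top-level eTLD+1, storage area. ctx.frameOrigin is
// deliberately ignored, so third-party frames share the top-level seed.
function siteSeed(ctx) {
  return fnv1a([ctx.sessionKey, ctx.topLevelSite, ctx.storageArea].join("|"));
}

// Canvas-style readback: flip the low bit of each byte with seeded noise,
// a change of at most 1 per channel.
function readPixels(pixels, ctx) {
  const next = mulberry32(siteSeed(ctx));
  return pixels.map((b) => b ^ (next() >>> 31));
}

// Constructed sample values (not real measurements).
const STATIC = ["ExampleBrowser/1.0", "1920x1080", "UTC"];
const PIXELS = Array.from({ length: 32 }, (_, i) => (i * 37 + 11) % 256);

// A fingerprinter that hashes several semi-identifiers into one identifier.
function fingerprint(ctx) {
  const parts = [...STATIC, readPixels(PIXELS, ctx).join(",")];
  return fnv1a(parts.join("\n")).toString(16).padStart(8, "0");
}

const visit = { sessionKey: "session-A", topLevelSite: "example.com",
                storageArea: "default", frameOrigin: "example.com" };
console.log("same session and site:", fingerprint(visit), fingerprint({ ...visit }));
console.log("third-party frame:    ", fingerprint({ ...visit, frameOrigin: "tracker.example" }));
console.log("new session:          ", fingerprint({ ...visit, sessionKey: "session-B" }));
console.log("different site:       ", fingerprint({ ...visit, topLevelSite: "example.org" }));
```

Only the pixel readback is randomized here, yet the combined identifier changes whenever the session, top-level site or storage area changes, while staying stable within one session on one site.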
Why does fingerprint.com or some other site say that I am fingerprintable?
TBD
Visit a site like https://browserleaks.com/canvas, note the fingerprint, and then visit the same site in:
- Private Window
- Private Window with Tor
- After restarting the browser
- In a different profile
- (In Brave Nightly) After clearing storage for the site
You should get a different fingerprint each time. For a comprehensive test suite for all the APIs we protect, see the test website we maintain.
You can see a complete list of completed anti-fingerprinting work here.