Brave fingerprinting protection not entirely foolproof

I just installed Brave today and decided to test it out. However, as reported in this 2021 thread, Brave still fails to escape browser fingerprinting tracking, which can be tested here: https://fingerprint.com/demo/

This occurs even while using Proton VPN in private mode, and after restarting the browser. I read around and realize that this might not be the most accurate site to test fingerprinting, so I tried it out with another site below, including Cover Your Tracks.

Before restarting (with VPN on)

After restarting (with VPN off)

Browser version visible

I also used this website: amiunique.org/fingerprint. The user agent is not randomized (0.06% similarity), despite Brave claiming so in the Brave Shields panel. My exact GPU model can be seen under the WebGL information, which creates a strong fingerprinting vector.

It would be nice if users who want more privacy could choose to randomize/set their user agent, and also their time-zone, as these are quite revealing as well, when combined with other attributes. As seen above, websites can detect you’re Brave. It would be better to mask as Chrome.

In addition, websites can detect if you’re using a VPN due to the time-zone mismatch, which could cause geo-lock protections to trigger (see demo here: https://demo.fingerprint.com/vpn-detection).

As seen in the screenshots, there are multiple unique attributes that Brave currently reveals, which when combined could be used to create a unique fingerprint like the first website did. The largest privacy issue seems to be the hardware information revealed by the WebGL renderer.

@Overall6815 you really don’t seem to understand fingerprinting and fingerprint protection.

I have gone into big explanation about fingerprint.com before at Test browser fingerprint - #4 by Saoiray as well as other posts.

Nope, overall it’s not. They do randomize it and it’s not straight up announcing it’s Brave. You’ll notice it just has a generic string. Also if you click to see your fingerprint protections, User Agent is listed.

But overall there’s no reason to hide user agent. They used to do that all the time but it broke websites and all. So now they have the nice balance here to where they aren’t able to track but enough information gets shared so as not to have breakage of websites.

Brave actually has some blog posts and official responses on this, such as:

Uniqueness does not mean recognition. Brave constantly changes lots of little details that gets reported to sites.

Also as long has been said by one of the heads of the privacy team at Brave:

The guts of useful fingerprinting defenses are not to make everyone look the same, or to make everyone looking different; both of those are fundamentally not possible without massive breakage. What makes Brave’s defenses uniquely strong is that for naive fingerprinters, we feed them enough randomization that they can’t reidentify people (everyone looks different). And for sophisticated fingerprinters, the randomization forces those fingerprinters to ignore the random-but-high-entropy inputs, and only consume a much smaller number of inputs, reducing identifiability and putting users into large anonymity sets for sites with non-trival numbers of visitors. All that is to say, fingerprint.js is doing a crummy job on their unpopular site (again, see the false positive); if they tried to do the same from popular, real-world sites like the ones they advertise at the bottom, their success rate would be even worse.

b. additionally, we block requests from sites when they call back to fingerprint.js’s servers to try and use their identification-classifier-as-a-service service. In the absence of being able to talk to fingerprint js’s servers, sites fall back on using the fingerprint.js library, which again Brave provides extremely strong protections against (as the fingerprint.js product conceeds).

@Saoiray Thanks for your informative reply. I have a few follow up questions, if you don’t mind. Anyone else feel free to reply too.

I read your linked post which explains that the website checks the (1) browser used, (2) the IP address, (3) the time-zone, (4) the OS used and (5) the cookies and cache.

In the first test, I was using private mode with a VPN (first two screenshots), so that should have disabled the website’s ability to track (2) and (5). However, it was still able to track me nonetheless. In addition, I saw that it was also able to get my specific GPU version, which is quite rare according to Cover My Tracks.

Interestingly enough, using it with Tor mode does seem to cause a different ID to be returned, although I’m not sure why, since the only difference seems to be the IP address. When I using VPN, I tried to 2-3 different countries, but it was still able to track me.

In regards to the user-agent, as you mentioned, it does seem to be using the same string each time, even though it is generic. Other fingerprinting websites have been able to detect that I’m using Brave. Since Brave uses the Chromium engine, is there any reason why a Chrome user agent would break sites? Most modern websites don’t rely on the user-agent nowadays.

The quote seems to support the idea that certain users with a subset of low-entropy (unique) inputs might benefit from additional randomization (e.g., time-zone with low population + uncommon GPU + low number of Brave users in that time-zone → high population time-zone + common GPU + mask as Chrome browser):

And for sophisticated fingerprinters, the randomization forces those fingerprinters to ignore the random-but-high-entropy inputs, and only consume a much smaller number of inputs, reducing identifiability and putting users into large anonymity sets for sites with non-trival numbers of visitors.

Overall, I understand that it seems enough for real world use-cases, but it would be appealing to advanced users if Brave had settings to change or randomize additional attributes such as:

  • the time-zone
  • the GPU version in the WebGL Renderer output
  • the user-agent

The time zone option would be particularly valuable for evading geo-blocking systems that verify browser time zone against IP location. Given Brave’s commitment to advanced privacy protections, these additions seem relatively straightforward to implement compared to existing randomization features.

In terms of feature requests, can tag in @shivan to see if he has more on it.