Brave's anti-fingerprinting technology is flawed

A few years ago, I made a comment on Reddit that was interpreted as offensive. I’m not exactly sure what I said but I do know that my comment was reported and I was permanently banned from Reddit. Whenever I would try to create a new account, the account would already be shadow banned before even posting a first comment. I am aware that Reddit, among many other social media sites, uses advanced 3rd party fingerprinting technology to identify users, or more specifically, devices. They generate unique fingerprints from things like the model of the GPU or CPU, or whatever else they can probe.

I have tried creating a new Reddit account using Brave’s private window, and the account was again shadow banned. I have tested this from several different networks to rule out network level fingerprinting. So I know that they can still identify my device when I use Brave in private mode, and can therefore conclude that Brave’s anti-fingerprinting technology is flawed, and Reddit, among all major social media companies, is using this same technology to track devices.

Set anti-fingerprinting to aggressive and try again.

I already did. My shields setting for Reddit is already set to: Fingerprinting blocked (strict, may break sites).

When running a test at https://coveryourtracks.eff.org/

I get the following result for WebGL:

WEBGL VENDOR & RENDERER

Uq16dOHD~mzZsWLFC

WHAT IS THIS?

WebGL is a library that allows browsers to render 3D graphics. As with other graphics-based tracking methods, trackers look for any tiny differences between how your device displays 3D on the web compared to other users.

HOW IS THIS USED IN YOUR FINGERPRINT?

This metric provides some level of granularity, depending on how unique your video card is. The WebGL Vendor and renderer is directly searchable using JavaScript, so trackers can access it without issue.

Bits of identifying information: 18.09

One in x browsers have this value: 278314.0

I think this is where the problem lies. 1 in 278314 is very unique. Is it not possible for Brave to override this data with something random?

Are there any core developers here who can comment on this or should I raise this on GitHub?

The easiest way to avoid that kind of tracking altogether is disabling JavaScript, in which case WebGL will be disabled as well.
In Brave, turn on “Block scripts” from the Shields menu.

You can also use https://browserleaks.com/webgl, which is faster.

1 Like

Useful link, thanks.

My point is that WebGL seems to be the weak spot in Brave’s fingerprinting protection. I guess it’s not so simple to solve or Brave would have done something about this.

It concerns me for 2 reasons.

First, if I want to participate on Reddit, I’m going to have to buy a new laptop.

Second, it has occurred to me that most likely ALL major social media sites, and probably big tech companies like Google and Amazon, are tracking our devices even in private browsing mode, and there’s nothing we can do about it.

1 Like

How about creating a virtual machine with VMware Player or VirtualBox or similar? The browser in the VM would be different from the one on the host machine.

Ken

2 Likes

Came here to say the same thing (RE: virtual machine).

What about these options?

  1. Create a new profile, use Brave with Tor, then create a new account.
  2. Also, as @taylorkh said, use a VM, but also use something to shield your IP, like Tor or a VPN.

I already use Hyper-V on Windows to run some dev machines. It’s a good suggestion and I will try this, thanks.

An update on this, for anyone interested.

I launched a web browser inside a Hyper-V virtual machine, and using the tools in the previous posts within this thread, I verified that the fingerprint, including WebGL, was indeed different to the one from a browser on my host OS. I tethered my laptop through the 3G connection on my phone, to ensure that I come from a dynamic IP address, as my static home IP address is likely blacklisted. Then I created a Reddit account from the browser inside the virtual machine. This account was automatically shadow banned.

I can only guess at how they identify me. Maybe the fingerprint inside the virtual machine has previously been tainted by other users. Or maybe the other day I tainted my phone provider’s network when I tried to create an account from the blacklisted fingerprint on my laptop. The heuristics they use are clearly advanced. I imagine they have some kind of scoring system that involves machine learning or AI.

I read an interesting comment on Hacker News a while back. There is an established anti-spam and anti-bot industry that provides services to the major social media websites. These companies have been doing this for years and are good at it. If they want to fingerprint us, there’s really not much we can do about it.

The takeaway is that if you have a controversial opinion about something, it’s better just to keep it to yourself. Because if it doesn’t fit the prevailing narrative, you can be silenced permanently by the big tech companies. It’s sad that the internet has come to this.

1 Like

I totally agree with this and that’s the reason I’m using Brave… Hoping for a change.
Is it possible you are using a throwaway email for verifying your account? Those addresses might be the cause of you getting shadowbanned.

1 Like

I am, yes. But I have seen people on Reddit posting from throwaway accounts that have used disposable email addresses, so they don’t shadow ban specifically on this, but it could be another heuristic they use.

Maybe you should use a (don’t judge me) Gmail account next, it might work?

I always get instantly banned on those platforms when I use a throwaway email address (from like mail.tm and maildrop.cc, etc.). Try using Anon Addy when it asks for your email.

I’m curious to know whether the problem is indeed Brave, or if it’s the email detection.
EDIT: If you don’t know what Anon Addy is, it’s this.

1 Like

Anon Addy looks really useful. Thanks.

What browser?

A web server doesn’t know whether or not you’re using a virtual machine. They can fingerprint your browser+OS, but not the virtual machine proper.

Reddit is a centralized, private, censored version of the old Usenet.
Other social networks may be different but their business model is basically the same: tracking you as much as possible. If you don’t agree, you just have to avoid them and/or actively boycott them.

I used Edge, since it was installed by default in the VM. I checked the fingerprint of the virtualized browser and the data was not particularly unique:

WEBGL VENDOR & RENDERER
Google Inc.~Google SwiftShader

Bits of identifying information: 5.21
One in x browsers have this value: 37.06

I don’t like Reddit, but they have the attention of the masses. I run a crypto-friendly music streaming service and I would like to be able to promote it to some crypto communities on Reddit. As a last resort, I can always hire someone to post the topics for me. I am eagerly awaiting Brave’s self-serve ad platform to launch, because running ads on Google has been a complete waste of time and money.

4 Likes
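For readers following the two test results quoted in this thread: the sketch below is an added illustration, not part of any post here and not Brave's or the EFF's code. It shows how a page script reads the "WebGL vendor & renderer" value and how the "one in x" figure maps to "bits of identifying information"; `stubContext` and its generic strings are constructed stand-ins so it also runs outside a browser.

```javascript
// Reads the vendor/renderer pair the way a page script can.
function readWebglIdentity(gl) {
  if (!gl) return null; // no WebGL context, e.g. scripts are blocked
  const ext = gl.getExtension('WEBGL_debug_renderer_info');
  // With the extension a page sees the unmasked GPU strings;
  // without it, only the generic VENDOR/RENDERER strings.
  const vendor = gl.getParameter(ext ? ext.UNMASKED_VENDOR_WEBGL : gl.VENDOR);
  const renderer = gl.getParameter(ext ? ext.UNMASKED_RENDERER_WEBGL : gl.RENDERER);
  return `${vendor}~${renderer}`;
}

// "One in x browsers have this value" -> bits of identifying information.
function bitsFromOneInX(oneInX) {
  return Math.log2(oneInX);
}

// Expected number of browsers sharing the value in a population of that size.
function expectedSharers(population, oneInX) {
  return population / oneInX;
}

// Constructed stand-in for a WebGL context (hypothetical helper, sample strings).
function stubContext(vendor, renderer, exposeDebugInfo) {
  const values = { 0x1F00: 'WebKit', 0x1F01: 'WebKit WebGL', 0x9245: vendor, 0x9246: renderer };
  return {
    VENDOR: 0x1F00,
    RENDERER: 0x1F01,
    getExtension: (name) =>
      exposeDebugInfo && name === 'WEBGL_debug_renderer_info'
        ? { UNMASKED_VENDOR_WEBGL: 0x9245, UNMASKED_RENDERER_WEBGL: 0x9246 }
        : null,
    getParameter: (id) => values[id],
  };
}

// In a browser this audits the real context; elsewhere it uses the stub.
const gl = typeof document !== 'undefined'
  ? document.createElement('canvas').getContext('webgl')
  : stubContext('Google Inc.', 'Google SwiftShader', true);
console.log('vendor~renderer:', readWebglIdentity(gl));
console.log('host value bits:', bitsFromOneInX(278314.0).toFixed(2));
console.log('VM value bits:  ', bitsFromOneInX(37.06).toFixed(2));
```

Run in the browser console, it prints whatever string your current Shields setting lets a page see, which you can compare between a normal window, a private window and a VM.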

What about using Tor or a VPN?

Your IP address from the phone could already be in Reddit’s database.

Dynamic versus static IP is related more to the country. For example, my country does not use static IPs, so each time I restart my router I get a new one, unless I’m lucky enough to get the same one again.

1 Like

The IP from my phone is dynamic I think. I don’t think using Tor or VPN would help, these would be the first IP address to be blacklisted because they are common tools used by spammers. I have used a paid VPN subscription for years because I’m paranoid about privacy, and annoyingly I find that as the years pass, I need to deactivate it more and more to do things like log into online banking. Even some IRC channels I frequent have started banning the use of VPNs now.