Potential Threat to Brave Browser Fingerprint Protection?

Fingerprint protection built into Brave browser’s nightly build in part relies on randomized API values that are imperceivable to humans, but distinguishing to computers / fingerprinters.

I am wondering whether this strategy for fingerprint protection could be defeated by a process that works something along the lines shown in the image below:

Since randomization of API parameters is limited to ranges beyond human perception, could a fingerprinter map values within ranges to just one value within the range, the same value regardless of browser, session etc?

I guess this strategy could be described as making the random values look the same, by, in effect, rounding the API values.

It is sort of as if 10.499958743459 is randomized by picking random numbers between
10.500000000000
10.499950000000

In this scenario, Brave fingerprint protection relies on the fingerprinter calculating 50,000,000 different fingerprints depending on which value comes in from the browser between 10.499950000000 and 10.500000000000. For sake of discussion, imagine humans can perceive differences in this parameter only to two decimal places. That would imply the random value sent by Brave to the fingerprinter will be a random number between 10.499950000000 and 10.500000000000 inclusive. If the web server knows that parameter is perceptible to two decimal places, could the web server translate all values received from within that range to one value of the web server’s choosing? Randomness gone?

That’s an excellent question. A fingerprinter could definitely try to normalize values in this way and then end up with a more stable fingerprint for Brave users.

That said, the value of a fingerprint is based on two components:

  1. it is as stable as possible
  2. it is as unique as possible

If a fingerprinter implemented the technique you describe, they would be trading uniqueness for more stability and so the fingerprint would not be as useful.

In fact, in some cases the fingerprint uniqueness relies on very small imperceptible differences specific to hardware devices, and so normalizing the values would make it impossible to get a distinct fingerprint in that case.

1 Like
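The stability versus uniqueness trade-off from the answer above, as an added simulation that is not part of the original thread and does not reproduce Brave's actual implementation. The device readings, the noise width and the two-decimal perception threshold are constructed assumptions that follow the numbers used in the question.

```javascript
// Constructed sample: "true" readings of one numeric API on six devices.
// A-D differ only below the assumed two-decimal perception threshold.
const DEVICES = {
  A: 10.499958743459, B: 10.499971200114, C: 10.499983001877,
  D: 10.500012345678, E: 10.731904118220, F: 9.870015530921,
};
const NOISE = 0.000025; // assumed half-width of the per-session randomization

// Seeded PRNG (mulberry32) so the simulation is reproducible.
function mulberry32(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Protection as modelled in the question: shift the value imperceptibly.
const randomize = (v, rand) => v + (rand() * 2 - 1) * NOISE;

// Two ways a fingerprinter could turn a reading into a fingerprint.
const raw = (v) => v.toFixed(12);       // keep every digit
const normalize = (v) => v.toFixed(2);  // round to perceptible precision

// Fingerprint all devices in two sessions and count how many devices keep the
// same fingerprint (stability) and how many distinct fingerprints exist (uniqueness).
function evaluate(toFingerprint, protectedBrowser) {
  const session = (seed) => {
    const rand = mulberry32(seed);
    return Object.values(DEVICES).map((v) =>
      toFingerprint(protectedBrowser ? randomize(v, rand) : v));
  };
  const first = session(1);
  const second = session(2);
  return {
    stable: first.filter((fp, i) => fp === second[i]).length,
    distinct: new Set(first).size,
  };
}

const results = {
  unprotectedRaw: evaluate(raw, false),
  protectedRaw: evaluate(raw, true),
  protectedNormalized: evaluate(normalize, true),
};
console.log(results);
```

With randomization on, the full-precision fingerprint still separates all six devices but none of them keeps its value between sessions; the rounded fingerprint is stable again, but devices A to D collapse into a single value.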

Now I get it. Normalizing the fingerprint parameters defeats the purpose of fingerprinting, making fingerprints appear the same when they are different.

Thank you.

1 Like

Here’s one which relies on the sound card:

1 Like

Thank you for taking time to respond.

I am very pleased to see my Brave browser could not be fingerprinted at the demo linked from that article.

I have one additional comment: browser privacy is a complicated issue.

1 Like
