Revealing too much WebGL vendor information

Today, while I was doing comparison between browsers, I have noticed that Brave fully reveals information about users’ WebGL vendor information. My vendor was fully found by the website. I think, it is a good idea to make it private because none of other browsers revealed this data. The comparison was made between Google Chrome, Safari, Tor and Brave by using https://coveryourtracks.eff.org/.

Good to know. @Mattches probably can pass that info along. Thank you.

This is outrageous. How is a privacy focused browser letting this slip? I need to cancel my subscription…

@shivan last year you spoke on this where you said WebGL would randomize on strict fingerprinting. But now that strict fingerprinting has been removed, it doesn’t seem randomized anymore. Is this one of the things that has been decided not to really matter much on privacy and not handled?

I see Hash of WebGL fingerprint is randomized but WebGL Vendor & Renderer isn’t.

@ghost842 despite me tagging them on that to get your question through, I doubt it’s used often “in the wild” and isn’t doing much on us being unique. Don’t forget that when we test on EFF and it provides statistics on One in x browsers have this value that it’s only comparing those who have run the test.

For example, I ran the test three times. Notice how the value changed despite everything being the same? One in 990, one in 985, one in 974. That shows how limited of a scope it is and how the accuracy is down a bit.

Final Thought:

Most things are random and you would seem unique in all the places we visit. Unless you have an explicitly unique WebGL Vender & Renderer, it’s not going to be much of anything that will identify you and I don’t see it being much of a privacy concern.

However, I will be interested to see what Shivan mentions if he will swing by to answer.

My vendor was fully found by the website. I think, it is a good idea to make it private because none of other browsers revealed this data.

“none of other browsers revealed this data” sounds incorrect. I visited coveryourtracks.eff.org on Safari, Chrome, Firefox and Brave. Only Brave got “strong protection against Web tracking” AND “your browser has a randomized fingerprint” with default settings.

About WebGL vendor and renderer debug strings specifically: we’ve experimented with farbling them by default, but this deviation from what every other browser is doing causes too much website breakage for not much privacy advantage. Fingerprinting protection is always a balance between website breakage (or webcompat) and privacy protection. Brave’s fingeprinting protections are already best-in-class.

1 Like

@ghost842 just wanted to give a heads up. I went back to try to test things out. Originally when I opened Chrome and Firefox, I was seeing that it did not actually share what graphics card and all I was using. So it had me thinking something weird was going on.

But then I researched and realized that I had Use graphics acceleration when available enabled in Brave but it was disabled in Chrome. Toggling this off on Brave changed the WebGL Vendor & Renderer. Then toggling it on in Chrome did the reverse, revealing my graphics card.

As mentioned before, I don’t think this is going to be as much for tracking as we may think, but at least is to give info that if we have that disabled then it would just show the default browser which is more widely used than specific graphics cards. Though may see a hit to performance as it won’t use the GPU as much to render everything.

Chrome (graphics acceleration off)

Brave: (graphics acceleration on)

Chrome: (graphics acceleration on)

Brave: (graphics acceleration off)

So at least that’s one potential “mystery” determined. I especially wanted to dive in deeper when I knew you had said results seemed different for you on these different browsers. My assumption is you’ll find it the same, that it’s because the settings around graphics/hardware acceleration in those browsers are set differently.

Most important of all though, is seeing this:

Brave:

Chrome (even with uBlock Origin installed, so guess it’s killed already, I need to get other version, lol):

Vivaldi (default)

Edge (default)

Firefox (default, not hardened)