We need to talk about this.
One of the most recommended browsers for privacy is Brave Browser, often featured as a good alternative to Chromium.
But… does it really protect you enough?
Sure, there needs to be a balance between a convenient browser and a privacy-protecting browser.
Hang with me for a minute and let’s see what’s going on.
What is fingerprinting?
In a simple way:
Fingerprinting is how websites detect who you are without having to actually find out who’s behind your IP address.
It allows any site to know who you are, even with a VPN and a “private” browser.
Automatically, when you access a website, it could also detect:
- Your operating system – up to its specific kernel version.
- Your browser – and its specific version.
- Your device type – if you’re on mobile or desktop.
- Your timezone – to estimate what part of the world you’re in.
- Your GPU unique ID – to detect exactly what GPU card you’re using via WebGL.
- Your content filters – if you have any custom adblocking filters, it can fingerprint you.
- Client Hints – the new version of User Agents, which renders fake UAs useless.
- Other unique IDs – such as Canvas, cookies and more.
That’s why, even if you use a VPN, a website is able to know EXACTLY who you are.
Facebook, Google and Amazon don’t need to know your real IP address, or turn on your webcam to know who you are…
…they only need to know the same person that logged into your Facebook account one day, went on to read a news article in another website on the other day. And so on.
Is this a real threat?
Short answer: YES.
25% of the 10,000 most popular websites are using it to track you.
And more will, because doing it is easy – it’s all done through APIs like whatismybrowser, made to detect Client Hints.
This is important to understand:
Just because you’re not seeing ads, it doesn’t mean you’re not being tracked.
If a website has the reason and the willpower to correlate your activities, it’ll do so.
Brave’s claims on fingerprinting
Brave says on their own website that they do protect your fingerprint by default.
You can reduce the effectiveness of fingerprinting by using a browser, such as Brave, that has anti-fingerprinting features. Source: brave(dot)com/glossary/fingerprinting/
Unparalleled privacy - Shields against tracking and fingerprinting. Source: brave(dot)com
According to Brave’s GitHub:
“Brave includes two types of fingerprinting protections, (i) blocking, removing or modifying APIs, to make Brave instances look as similar as possible, and (ii) randomizing values from APIs, to prevent cross session and site linking (e.g. making Brave instances look different to websites each time).”
Seems pretty nice. Let’s test it.
Testing Brave’s fingerprint resistance
For this test, I used:
My Brave Browser configs:
- Aggressively block ads and trackers
- Block fingerprinting on
- Block third party cookies
- Forget site when I close it by default
For the results, I’ll use these icons:
→ means protected
→ means uniquely identifies me
→ means can’t do much about it
The results were as follows:
Browserleaks (Brave)
IP, DNS leak, etc.: safe
Canvas: randomized and changes in different tabs
WebGL: my exact GPU model (but randomized ID)
Client Hints: Brave version, Linux + Kernel version, CPU architecture
Fonts: all fonts detected, unique ID (even between sessions)
Resolution: specific to my device (no letterboxing - though it’s advanced)
Blocklists: all adblocking lists detected
Those aren’t good results if you REALLY want to resist fingerprinting.
Maybe it will stop standard tracking through ads, but definitely not the new generation of fingerprint tracking.
Let’s test Mullvad Browser for comparison.
My Mullvad Browser configs:
- Security Level: standard
- Everything is default
Browserleaks (Mullvad Browser)
IP, DNS leak, etc.: safe
Canvas: randomized with every refresh
WebGL: randomized, not showing GPU model
Client Hints: disabled
Fonts: some detected, same as all Mullvad Browser users
Resolution: letterboxed
Blocklists: all adblocking lists detected, same as all Mullvad Browser users
This is pretty much the best you can do “out of the box” to protect your fingerprint.
The next step would be to use uBlock in hard mode, “blocking all and allowing some”.
That’s something Brave doesn’t allow you to do, and would improve your protection even further.
Example of fingerprinting tracking (even with VPN)
Let’s put this in perspective. Imagine this scenario:
You’re connected to Mullvad VPN, purchased anonymously with Monero.
You connect to a VPN server, giving you the (example) IP “123.123.123.123”.
You’re using Brave Browser with shields on and in strict mode to browse the web and access your accounts.
So far so good, right?
After all, dozens of people share that VPN IP, and they can’t link it to you directly.
The problem is: fingerprinting narrows it down a lot.
For example, let’s imagine you start by making a purchase on Amazon.
This is what Amazon’s tracking system knows about you:
IP | System | Timezone | User Agent / Client Hint | GPU | Blocking Lists |
---|---|---|---|---|---|
123.123.123.123 | Linux, kernel version 6.0.1, desktop | Los Angeles | Brave Browser version 131, Linux, x64, desktop | NVIDIA GTX 1080, unique ID XXXXXX | Easylist, SponsorBlock |
Oh… well, that doesn’t look so good. That’s, like, 100% unique.
But maybe if we change our VPN servers and reopen our browser session… that helps with privacy, right?
New IP: 131.131.131.131
Cookies and cache on Brave cleared
Then, you access Wired to read some news. This is what their tracking system knows about you:
IP | System | Timezone | User Agent / Client Hint | GPU | Blocking Lists |
---|---|---|---|---|---|
131.131.131.131 (new) | Linux, kernel version 6.0.1, desktop | Los Angeles | Brave Browser version 131, Linux, x64, desktop | NVIDIA GTX 1080, unique ID XXXXXX | Easylist, SponsorBlock |
F##K! Changing the IP didn’t help. Why?
Because fingerprinting doesn’t depend on how well hidden your IP is through your VPN, or how much you clear your cookies and cache.
It depends on how many “doors” your browser leaves open for the website to track you.
Sometimes, it does so for the sake of functionality or compatibility. After all, Brave doesn’t want their users to get mad that a website isn’t working properly and go back to Chrome.
But that comes at a cost.
Now imagine all those websites sharing the same tracking system, building your profile.
They’ll have a table similar to this:
Domain | IP | System | Timezone | User Agent / Client Hint | GPU | Blocking Lists |
---|---|---|---|---|---|---|
Amazon | 123.123.123.123 | Linux, kernel version 6.0.1, desktop | Los Angeles | Brave Browser version 131, Linux, x64, desktop | NVIDIA GTX 1080, unique ID XXXXXX | Easylist, SponsorBlock |
Wired | 131.131.131.131 | Linux, kernel version 6.0.1, desktop | Los Angeles | Brave Browser version 131, Linux, x64, desktop | NVIDIA GTX 1080, unique ID XXXXXX | Easylist, SponsorBlock |
YouTube | 131.131.131.131 | Linux, kernel version 6.0.1, desktop | Los Angeles | Brave Browser version 131, Linux, x64, desktop | NVIDIA GTX 1080, unique ID XXXXXX | Easylist, SponsorBlock |
PrivacyGuides | 131.131.131.131 | Linux, kernel version 6.0.1, desktop | Los Angeles | Brave Browser version 131, Linux, x64, desktop | NVIDIA GTX 1080, unique ID XXXXXX | Easylist, SponsorBlock |
If your IP is the only thing changing, it’s easy to guess you’re the same person behind a VPN.
Now, if you were using something like Mullvad Browser, they would have less data about you.
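The scenario above, as an added example that is not part of the original post: it hashes the attribute columns from the tables, shows which fields stay stable when only the IP changes, and counts how many distinct users share each fingerprint. The `uniform` profile, the `user` labels, the extra IP addresses and the FNV-1a hash are assumptions constructed for the illustration.

```javascript
const FIELDS = ['ip', 'system', 'timezone', 'clientHints', 'gpu', 'blocklists'];
// Values from the article's Amazon/Wired tables (Brave session).
const brave = {
  system: 'Linux, kernel version 6.0.1, desktop', timezone: 'Los Angeles',
  clientHints: 'Brave Browser version 131, Linux, x64, desktop',
  gpu: 'NVIDIA GTX 1080, unique ID XXXXXX', blocklists: 'Easylist, SponsorBlock',
};
// Assumption: constructed values for a browser that reports the same thing for every user.
const uniform = {
  system: 'generic desktop', timezone: 'UTC', clientHints: 'disabled',
  gpu: 'not exposed', blocklists: 'browser default',
};
// Constructed visits. "user" is ground truth for this demo only; a site never sees it.
const visits = [
  { user: 'A', domain: 'Amazon', ip: '123.123.123.123', ...brave },
  { user: 'A', domain: 'Wired', ip: '131.131.131.131', ...brave },
  { user: 'B', domain: 'Wired', ip: '192.0.2.10', ...uniform },
  { user: 'C', domain: 'Wired', ip: '198.51.100.7', ...uniform },
];

// Non-cryptographic FNV-1a hash, used only to give each attribute set a short ID.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) h = Math.imul(h ^ str.charCodeAt(i), 0x01000193) >>> 0;
  return h.toString(16).padStart(8, '0');
}

// ID derived from the chosen fields of one visit.
function fingerprint(visit, fields) {
  return fnv1a(JSON.stringify(fields.map((f) => [f, visit[f]])));
}

// Fields whose values did not change between two visits.
function stableFields(a, b) {
  return FIELDS.filter((f) => a[f] === b[f]);
}

// Map of fingerprint -> number of distinct users sharing it (anonymity set size).
function anonymitySets(rows, fields) {
  const sets = new Map();
  for (const row of rows) {
    const id = fingerprint(row, fields);
    sets.set(id, (sets.get(id) || new Set()).add(row.user));
  }
  return new Map([...sets].map(([id, users]) => [id, users.size]));
}

const noIp = FIELDS.filter((f) => f !== 'ip');
console.log('stable across the IP change:', stableFields(visits[0], visits[1]));
console.log('users per fingerprint:', anonymitySets(visits, noIp));
```

A fingerprint shared by one user links that user's visits regardless of IP; a fingerprint shared by many users does not single anyone out.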
What I think about it
I don’t think Brave is a terrible browser, and the purpose of this isn’t to hate on it.
Everyone should be allowed to choose what browser suits them best.
I agree that Brave comes with many great things: it’s fast, pretty, reminds you of the good part of Chromium, the extensions, etc.
But we need to be clear on what Brave accomplishes, and what it doesn’t.
Currently, Brave does not protect your fingerprint in a satisfying way against the new generation of trackers, unless you disable JavaScript globally.
Mullvad Browser, on the other hand, does that. It gives you the security and privacy of the Tor Browser, without Tor itself.
Anyway… this is all open to discussion!
Thank you for reading!