Dark Mode browser vs Privacy (indeed a trade-off? solutions?)

It seems Tor and Mullvad Browser do not actually allow Dark Mode. It can be enabled, but that goes against the strong advice of privacy guides to not change anything. And even when enabled, webpages are automatically in light mode - including when I search in Duckduckgo or visit Privacy Guides.

As for Brave, Dark Mode only works as it should if block fingerprinting is set to standard. When set to strict as recommended, Dark Mode does next to nothing, just like Tor & Mullvad.

For the Dark Mode people out there, what do you do? Must I choose between manually hitting dark mode on every single site visit if using Tor/Mullvad, and using Brave with standard fingerprint block? Another option would be great - I did come across something about extensions, but privacyguides seems very strong in recommending against these in conjunction with Tor/Mullvad.

1 Like

The dark mode preference doesn’t get transmitted to the website as its another setting that can be fingerprinted. If you require strong fingerprinting protection in your threat model, it’s best to leave it the way it is.

1 Like

As a privacy protecting work around, I guess you could lower your screen brightness to its very minimum.

You also can take a screenshot from there and pass it to something like GIMP/Krita/what have you and invert the colors to make it dark. you will get a dark background from a white background web page. Interacting with it is bothersome and now you have to go back to the bright white page. Web pages with funny colors like a grey back ground and white foreground will also make it worse.

Another admittedly *bad* work around

is to use CLI web browsers (W3M, Lynx, Links2), especially in Linux but I do not know if they actually adhere to modern good practices as they’re obscure and extremely niche software. I’ve read online that at the very least, Lynx has the option to reject cookies and that its and works for most sites. Do note that you will be fingerprinted because of your pretty much unique useragent. Also, AFAIK they do not render images at all. just texts.

For regular browsing I actually use Dark Reader since most websites don’t support dark mode. It’s not great in regards to privacy/security, but even without dark mode, I doubt I’d be much better off. For anything sensitive, there doesn’t seem to be a solution. You either risk de-anonymizing yourself or you suffer with the blinding bright light that the web has to offer. I guess we can only hope that native client-side dark mode gets added to browsers.

I think I might have thought of decent solution. Something like this:
-Find out how to to toggle dark mode in browser website through a terminal command.
-Create keyboard shortcut for such command.
-Each time I visit a new website which I know I will return to, and which has a dark mode toggle button, I create a new custom shortcut, using the same keyboard input but modified command.
-Then on each following occasion I visit the same website and am blinded by the light, I can just hit the keyboard shortcut before my eyes burn.

The question is, can the Linux terminal do point-click-within-browser style behaviors? And if so, would the website I am using know I just changed to dark mode in a very unusual manner, i.e., would I be leaving a very unique fingerprint compared to everyone else who just clicks (even if so it’d be worth doing in many cases)

I don’t disagree with the comment. But can you clarify what you mean by it not being “transmitted to the website”? AFAIK, the dark mode preference can actually be read by websites. I’m a web developer, so this stood out to me, and wanted to make sure I understood what you meant.

I tried to paraphrase a little to make it easier for non-webdevs to understand

essentially, browsers will always report prefers-color-scheme as light no matter what, as this can be fingerprinted otherwise. More people will have this set to light because it’s the default, which is why you blend in better.

This isn’t true though. If a user has dark mode set in the OS settings, the browser will respect that and return whatever it is. I know because I use it :slight_smile:

1 Like

According to many sources when you search “how many people use dark mode”, nearly all the people (80%+) use dark mode on mobile, which is by far the majority of internet users. Therefore, I think if you want to blend in with other people, the way is to use dark mode, not the other way around.

However, I can understand why the most strictest of the anti-fingerprint setting would set you to light mode. This could be due to the fact that all OS is set to light mode by default. So, it might assume that most people are on light mode, which is not true.

I am extremely skeptical of those statistics. Do you know where they came from / what the methodology is? I have a feeling those numbers are the result of flawed methodology (i.e. comparing users who explicitly choose dark mode, vs those that explicitly choose light mode, would not count the vast majority of users who just go with whatever the default is which is almost always going to be light mode).

Assuming the statistic is accurate, I think then it becomes a question of who are you trying to blend in with. If (its a big if) 80% of Mobile users use Dark Mode, setting your mobile browser to dark mode could help you blend in with the crowd, but if we are talking about a desktop browser, doing what Mobile is common among mobile users could make you stand out more, if it is not also common among desktop users. In the case of something like the Tor Browser and to some degree Mullvad Browser, I think what is most important is blending in with other TB/MB users.

1 Like

Ive seen regular user on desktops. They dont know how to set things in dark mode. Only a few knows how to actually switch to it. Even fewer could install an addon to enable dark mode on non-dark mode sites.

Therefore, light mode may be better for privacy/fingerprinting.

I don’t know whether those statistics are creditable. Most sources/statistics say that users use dark mode. For example, 83% of Reddit users on the app have enabled dark mode as of 2021, and Apple iOS users, the adoption rates for dark mode range between 55% and 70%.

There’s only one exception, though, on Chrome Platform Status that reports around 30% of the users load pages (which pages/URLs?) with PreferredColorSchemeDarkSetting.

However, people preference can be seen from Google Trends search query worldwide from the past 5 years, see here. It’s no contest between dark mode and light mode. However, from the search query, the only scenario where people actually prefer light mode is when they use MS Word.

I am not sure about that, though. One of the sources says, 79% of MacOS users switched to dark mode within three months of its release. Like I have pointed out earlier, most sources say people use dark mode. It’s almost certain that dark mode dominants light mode among users.

This could be true among Windows users, as that’s the user group representing the general public. However, MacOS? Linux? Especially Linux users, I believe that this group should able to turn on dark mode (it’s actually on by default in GNOME with the exception on Ubuntu).

1 Like

You know what I dont think using darkmode will significantly add to fingerprinting. Can someone prove me wrong? It may be just literally an added bit of identifier.

1 Like

I think it’s hard to tell. It’s just one of many other factors, and not a major one at that, that can be used to identify a user (assuming the probability that most people are in either dark or light mode).

But will this information be sent to the server? What @TGRush refers to is part of the media queries specification, but is not clear whether this is reported to the server with every request, it’s just the default value.

However, user agents converged on expressing the “default” behavior as a light preference, and never matching no-preference.

1 2

In any case, it’s possible to use CSS rules to create connections to different endpoints based on the user’s preference (or lack thereof), though media queries. Pages like GitHub already do this to server a favicon with a light/dark background.

From a privacy perspective, I think the best solution would be to inject your own styles manually based on the domain. On Firefox, you can create a new file inside your profile folder ~/.mozilla/firefox/<profile_name>/chrome/userContent.css and add your own styles using the following rule:

@-moz-document url-prefix("https://duckduckgo.com") {}

You can even specify specific routes so that it only applies on some pages instead of the entire site.

@prosperina A media query is a value that can be sent to a server just like anything else on a web page. Websites can store it or they may choose not to. I’m not too sure how that’s relevant to what we were originally discussing though. Can you clarify?

What I mean is if this sort of setting is sent automatically with every request, as opposed to being something that the developer’s would have to actively look for. If it’s the latter, disabling JavaScript or using uBlockOrigin could be used to avoid detection of those settings.

The aggressive anti-fingerprinting features prevent that from happening, that’s the point

The biggest problem arises when you use automatic dark mode (I suspect this is the case for most “dark mode users” nowadays), because the act of switching from light mode to dark mode while you have a website open can reveal a lot of information about yourself, down to even a somewhat precise location if your automatic switch is based on the sunrise/sunset time at your location rather than a fixed time (as is the default on some operating systems).