Sam Bent: Tor Browser’s Latest Update Could Get You Fingerprinted

Regarding the well-meaning, but inaccurate claims in the video, we’re offering this clarification on how user agent protection works in Tor Browser. To support informed discussion, here’s what actually changed, and what hasn’t changed.

We are still protecting user agents: Tor Browser has always limited user agents to general categories: Windows, macOS, Linux, or Android in JavaScript, and Windows or Android in HTTP Headers. That means we spoof the OS version and architecture, which was always the approach in JavaScript–now it’s consistent in HTTP headers too.

Any OS info shown in the user agent does not expose any new information that wasn’t already present with JavaScript. With JavaScript disabled, entropy is already greatly reduced (self-information: e.g. the thousands of JavaScript-derived metrics) and even without this change, passive methods have always existed to determine the platform. In fact, asymmetric user agent spoofing triggered anti-fraud and bot-detection scripts, breaking websites without added privacy benefits.

Proposals for this change were introduced in September 2024 with the Tor Browser 14.0a4 release, calling on the Tor community to provide feedback. We received very little feedback and implemented the change.

Tor Browser still offers one of the strongest privacy and anonymity protections for web browsing.

26 Likes
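The header-versus-JavaScript consistency check that the post says asymmetric spoofing tripped, as an added example that is not part of the original post and is not Tor Project code. The function names are hypothetical and the User-Agent strings are constructed samples, not captured traffic.

```javascript
// Map a User-Agent string to the coarse OS categories the post names.
// Order matters: Android is tested first because Android UAs can also contain "Linux".
function osCategory(ua) {
  if (/Android/i.test(ua)) return "Android";
  if (/Windows NT/i.test(ua)) return "Windows";
  if (/Macintosh|Mac OS X/i.test(ua)) return "macOS";
  if (/X11|Linux/i.test(ua)) return "Linux";
  return "unknown";
}

// The kind of check an anti-fraud script can run: compare the OS category in
// the User-Agent request header with the one page script reads from
// navigator.userAgent. jsUa is null when JavaScript is disabled.
function checkUaConsistency(headerUa, jsUa) {
  const header = osCategory(headerUa);
  if (jsUa === null || jsUa === undefined) {
    return { header, js: null, verdict: "no-js-signal" };
  }
  const js = osCategory(jsUa);
  return { header, js, verdict: header === js ? "consistent" : "mismatch" };
}

// Constructed sample strings for illustration only.
const SAMPLES = {
  windows: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0",
  linux: "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
  android: "Mozilla/5.0 (Android 10; Mobile; rv:128.0) Gecko/128.0 Firefox/128.0",
};

function demo() {
  return {
    // Asymmetric spoofing: a Linux user whose header claims Windows
    // while page script reports Linux.
    asymmetric: checkUaConsistency(SAMPLES.windows, SAMPLES.linux).verdict,
    // Same category in the header and in JavaScript.
    symmetric: checkUaConsistency(SAMPLES.linux, SAMPLES.linux).verdict,
    // JavaScript disabled: only the header is available to compare.
    noJs: checkUaConsistency(SAMPLES.linux, null).verdict,
  };
}

console.log(demo());
```
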