Brave Cannot Protect You Against Google's Fingerprinting

Hey guys! I recently found something I would like to share. I had been using ProtonVPN and using Brave as my browser for browsing anonymously for a while. But now I realized it doesn’t stop Google from fingerprinting me. Here is how I figured it out.

I noticed that the first time you open YouTube on your browser, it wouldn’t recommend you videos. After you search and watch 1 video, it would start recommending videos on the homepage. To enhance my anonymity, I used ProtonVPN, enabled the Cookie AutoDelete extension with all cleaning options enabled (cache, IndexedDB, Local Storage, Plugins, Service Worker), and automatic cleaning. Regardless of how many times I clean (I even manually triggered the clean), once I watch a video, YouTube would recommend me the same video and related videos on the homepage. Google knows it is me again!!! Brave cannot prevent Google from fingerprinting me.

I did the same experiment with Mullvad Browser and this time Google is unable to identify me once everything is cleared. Once everything is cleared, it will no longer recommend videos. I tested both browsers using the BrowserLeaks website and found that Mullvad gives me a new fingerprint on every refresh for everything, but Brave has certain fingerprints that stay pretty consistent (or switch between multiple fingerprints repeatedly). That’s probably how Google is able to track me.

I’m not saying you shouldn’t use Brave, I’m just saying it is not suitable for people who want more anonymity like me. I still love Brave and use it as a replacement for Chrome. But I think it is important to know its limitations so we’re aware of them and not making the wrong decision for our threat model because we are not aware of this. My current approach is to use Mullvad Browser whenever possible. I use it for daily browsing and set it as my default browser. At the same time, I use a secondary browser (i.e. Brave) for stuff where I need to stay logged in, so there is no way to be anonymous, and convenience wins. In other words, I’m maximizing my anonymity whenever possible, and maximizing the other factors (convenience, security, and privacy) when it is not possible.

2 Likes
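The comparison described in the post above (which fingerprint values survive a full site-data wipe) can be made systematic by recording what a test page reports in each session and classifying every attribute. This is an added example, not part of the original post; the attribute names, the sample values and the functions `classifyAttributes` and `linkingCandidates` are hypothetical and constructed for illustration.

```javascript
// Constructed sample data (not measurements of any real browser): values a
// fingerprint test page reported in five sessions, site data cleared in between.
const partlyStable = [
  { canvas: "c-91", audio: "a-1", webgl: "w-7f", fonts: "f-3", screen: "1920x1080" },
  { canvas: "c-4e", audio: "a-2", webgl: "w-7f", fonts: "f-3", screen: "1920x1080" },
  { canvas: "c-d0", audio: "a-1", webgl: "w-7f", fonts: "f-3", screen: "1920x1080" },
  { canvas: "c-27", audio: "a-2", webgl: "w-7f", fonts: "f-3", screen: "1920x1080" },
  { canvas: "c-b8", audio: "a-1", webgl: "w-7f", fonts: "f-3", screen: "1920x1080" },
];
// Constructed profile in which every attribute changes on every session.
const allRandom = [1, 2, 3, 4, 5].map((i) => ({
  canvas: `c-${i}`, audio: `a-${i}`, webgl: `w-${i}`, fonts: `f-${i}`, screen: `s-${i}`,
}));

// Classify each attribute by how many distinct values it took across sessions:
//   "stable"     - same value every time (survives clearing cookies and storage)
//   "cycling"    - repeats among a small set of values
//   "randomized" - a fresh value in every recorded session
// With only two or three sessions "cycling" is easily mistaken for "randomized",
// so record several sessions before drawing conclusions.
function classifyAttributes(snapshots) {
  if (snapshots.length < 2) throw new Error("need at least two sessions to compare");
  const result = {};
  for (const name of Object.keys(snapshots[0])) {
    const distinct = new Set(snapshots.map((s) => s[name])).size;
    if (distinct === 1) result[name] = "stable";
    else if (distinct === snapshots.length) result[name] = "randomized";
    else result[name] = "cycling";
  }
  return result;
}

// Attributes that repeat across sessions are the ones a site could use to
// re-link a visitor after all stored state has been deleted.
function linkingCandidates(snapshots) {
  const classes = classifyAttributes(snapshots);
  return Object.keys(classes).filter((n) => classes[n] !== "randomized").sort();
}

console.log(classifyAttributes(partlyStable));
console.log("re-linkable via:", linkingCandidates(partlyStable));
console.log("re-linkable via:", linkingCandidates(allRandom));
```

An empty candidate list only means the recorded attributes did not repeat; it says nothing about signals the test page did not collect.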

Does fingerprint dot com recognise you after changing your IP and removing all cache and cookies?

That’s strange, I find the opposite. As soon as I leave that session and come back to it I have to start from scratch. It flashes the consent page at me briefly before it auto declines for me and then my homepage is empty. That is on iOS, Mac and Android tablet.

Yes this was documented before

I foolishly thought that with my method and tricked fingerprint(dot)com I thought I was away, but checking browserleaks then, yeah, Brave leaves crumbs behind on the fingerprinting method and therefore why we recommend browsers like Tor and Mullvad as Disposable Browsers or like an Anonymous/Private way to browse the web.
Also shows why generally we would recommend YouTube Frontends where relevant and so yeah.

3 Likes

You must have “Forget me when I close this site” on no?

In private window or with shred site data, or with auto shred switched on. All options work fine for me

Private window/The toggle, yeah that’s a different story…

This raises a red flag for me. Extensions are known to make your browser stand out more. Afaik Brave Browser supports deleting all data, including cache, cookies, history etc. on exit. You can configure Brave to be ephemeral.

I fully agree with you there.

2 Likes

I think this depends on what extension and browser you’re using. Websites don’t have god-like access to everything in your browser. For Firefox-based browsers, I think as long as your extension doesn’t change anything network-wise (i.e. blocking stuff) or change the website itself (add/remove/edit element or style), it cannot be detected. But this is not the case for Chromium-based browsers. Your extension can be exactly identified due to the way Chrome manages resources used by the extension, which can be tested by BrowserLeaks. This is a big minus for Chrome.

This is why I only use Chromium-based browsers for things where I am already identified (i.e. logged in to my school / bank account), so fingerprinting is no longer a concern since there is no way for me to not get identified. In that case, installing more extensions that can improve your privacy, such as by reducing or faking the information websites can collect about you, would actually be better. At that point, it no longer matters how much they can fingerprint you, it matters how much real information they can collect about you.

My philosophy is, either maximize anonymity or privacy. If you’re not identified, maximize anonymity. If you’re identified, maximize privacy so they know as little real information about you as possible.

Yes, but I have a bad habit, which is that I rarely close my browser. If the deletion only happens when I close the browser, that is not enough lol. I prefer deleting them once they’re no longer needed, which Cookie AutoDelete lets me do. Everything is deleted 15 seconds after I close the tab, except for sites that I whitelisted.

2 Likes

Brave Shield has a “Forget me when I close this site” feature. I wonder if you’d get better results following Privacy Guides’ recommended Brave configuration? As others have said, I don’t think it could reach the level of Mullvad Browser or Tor Browser so it might always fall short. But I’m curious if it’d be good enough to defeat YouTube’s fingerprinting techniques.

3 Likes

I might try out the recommended Brave configuration you mentioned from Privacy Guides. I didn’t know there is this before, thanks for letting me know! I guess I’m just too used to using Cookie AutoDelete, kind of hard to switch away. Cookie AutoDelete also lets you set a delay before clearing, meaning you can reopen a tab if you closed it accidentally, without losing everything just yet.

It’s worth trying. But if anonymity is desired, Mullvad is probably much better and it can be configured to be as user friendly / convenient as Brave without sacrificing much or any anonymity at all (see here).

My hypothesis is going to be no because of the article @gorujocy linked above. It seems that even with the recommended setup you mentioned, it still leaks a lot of unique things about your system (i.e. fonts, GPU, screen resolution, and most importantly WebGL fingerprint stays consistent), let alone it’s Chromium based so all your installed extensions can be identified.

I think the YouTube test is such a good test because Google probably has the best tracking technologies out there, and whether it fingerprinted you can be so easily told. It’s like an am-i-fingerprinted-by-google API straight from Google. We should make people more aware of it. If YouTube is unable to track me on a specific setup, I believe 99.99% of websites are unable to track me.

3 Likes

just use Mullvad browser?

It’s great. But perhaps not the best for some daily use cases. Most people need to maintain basic cookies like logins and history I think.

2 Likes

Yeah I think the idea of “one browser to rule them all” is a bad approach to the issue.

I daily drive Safari in lockdown mode but will use other browsers depending on what I am using them for.

2 Likes

Your broader point (that Mullvad Browser is not a suitable daily driver for some (many) people) is valid. But I’m almost positive that browser history does not depend on cookies, and is stored locally.

What are the thread’s thoughts on running without JavaScript? I noticed these browser testing sites need JS to do much of anything. In my experience, most sites display enough content to be useful without JS.

which browser testing sites are you talking about if I may ask?

The balance that works for me, is:

  1. uBO in medium mode (3rd party scripts and other scripts are blocked, 1st party scripts allowed)
  2. Keyboard shortcut to temporarily relax those settings on a per domain basis, making it effortless to easily downgrade protection when needed.
  3. And an allow list of domains or specific subdomains I trust, or must begrudgingly trust.

This is the closest I’ve found to being able to “have my cake and eat it too.” I’d guesstimate I downgrade between 10-30% of the time.

Note, I primarily use Firefox, I don’t know how applicable this would be to Brave w/out uBO. The concepts should be similar but the specific capabilities may differ. Brave + uBO medium mode is an option as well.

3 Likes

Amiunique, browser audit, browser leaks, deviceinfo, privacy net, and webbrowsertools all seem to either not function at all or at a reduced capacity with JavaScript blocked.
I assume this will hold true for the majority of sites I visit.

browserleaks can intentionally work without JavaScript, in fact not using JavaScript where possible does dramatically help with fingerprinting among other things.

I say if you’re okay with this, where you can have JavaScript off by default, then if a website (for some reason or another) really needs it then you can turn it off then yeah it’s a good option.
otherwise what xe3 mentioned tbh

1 Like