Tor Browser’s Latest Update Could Get You Fingerprinted

I don’t know who Sam Bent is, and some of his concerns seem reasonable, but it appears he has a somewhat limited understanding of the topic he is discussing and is misunderstanding some fundamental aspects.

I’d encourage you to read the thread that @GorujoCY linked to, but I’ll highlight a few relevant comments from that thread here, since I know not everyone will click through:

fdb_hiroshima's comment:

I see why he is getting worried, but he’s missing what the change actually is. Before, JS and HTTP headers were reporting different user agents; now they are reporting the same, with the OS taken from a list of 4 possible values (the part he’s missing). So all the Qubes OS, OpenBSD and exotic distro users getting trivially fingerprinted, that’s not actually right. All Windows are W10, all Android are Android 10, all macOS are OS X 10.15, and everything else (including BSD) is a Linux running X11.

Jonah's comment:

YouTubers not understanding browser fingerprinting (among many, many other things) is a scourge in the privacy space. Thorin is perhaps the expert when it comes to browser fingerprinting, and Bent doesn’t even know his name in this video.

Around 6:34 Bent’s claim that Tor developers wanting to encourage consistency is “in no way […] some kind of security argument” is beyond ridiculous, when consistency is the entire point of the Tor Browser. Giving “experienced users” (8:42) the option to decide what they want to do in this situation would place them in significant danger because their spoofing would ensure their browser is no longer aligned with anyone else’s.

The operating system is essentially always detectable in Tor Browser. Even with JS disabled, you can detect it through CSS, it’s impossible to solve unless you completely break websites in the process. If this guy had his way then there would be “experienced users” on Linux spoofing their user agent to look like Windows, meaning that malicious website operators could narrow down on them as the only people in the Tor ecosystem on Linux (because again, it’s detectable!) with a Windows user agent.

Anyways, I will +1 @fdb_hiroshima’s response above. This change does not meaningfully impact fingerprinting in Tor Browser, don’t let random internet creators tell you otherwise.

Tor Project's comment:

Regarding the well-meaning, but inaccurate claims in the video, we’re offering this clarification on how user agent protection works in Tor Browser. To support informed discussion, here’s what actually changed, and what hasn’t changed.

We are still protecting user agents: Tor Browser has always limited user agents to general categories: Windows, macOS, Linux, or Android in JavaScript, and Windows or Android in HTTP headers. That means we spoof the OS version and architecture, which was always the approach in JavaScript; now it’s consistent in HTTP headers too.

Any OS info shown in the user agent does not expose any new information that wasn’t already present with JavaScript. With JavaScript disabled, entropy is already greatly reduced (self-information: e.g. the thousands of JavaScript derived metrics) and even without this change, passive methods have always existed to determine the platform. In fact, asymmetric user agent spoofing triggered anti-fraud and bot-detection scripts breaking websites without added privacy benefits.

Proposals for this change were introduced in September 2024 with the Tor Browser 14.0a4 release, calling on the Tor community to provide feedback. We received very little feedback and implemented the change.

Tor Browser still offers one of the strongest privacy and anonymity protections for web browsing.

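To make the anonymity-set argument in the quoted comments concrete, here is an added example (not code from the original post, from Sam Bent, or from the Tor Project). It buckets a user-agent string into the four coarse OS values fdb_hiroshima describes, then measures how many visitors in a population share a visitor's combination of header UA, JavaScript UA, and a passively detected platform. The UA strings are constructed in Firefox's format and are not claimed to match Tor Browser's exact values; the `passiveOS` label stands in for whatever CSS or font-based detection a site actually uses, and `report()`, `osBucket()`, `anonymitySet()` and the sample population are all hypothetical names invented for this example.

```javascript
'use strict';

// Coarse OS bucket, modelling the post-change behaviour described in the
// thread: Windows, Android, macOS, and everything else reported as Linux.
function osBucket(ua) {
  if (/Windows NT/.test(ua)) return 'Windows';
  if (/Android/.test(ua)) return 'Android';
  if (/Mac OS X/.test(ua)) return 'macOS';
  return 'Linux';
}

// What a site can observe for one visitor: the User-Agent request header,
// navigator.userAgent as seen by JavaScript, and a platform label inferred
// passively (CSS or font metrics, as Jonah's comment notes). How a site
// derives that label is out of scope; it is a hypothetical string here.
function fingerprint(visitor) {
  return [osBucket(visitor.headerUA), osBucket(visitor.jsUA), visitor.passiveOS].join('|');
}

// Anonymity-set size: how many visitors in `population` are
// indistinguishable from `visitor` by this fingerprint. 1 means unique.
function anonymitySet(population, visitor) {
  const target = fingerprint(visitor);
  return population.filter(v => fingerprint(v) === target).length;
}

// Constructed sample data in Firefox's UA format (assumption: illustrative
// strings only, not the exact values Tor Browser ships).
const UA_WIN = 'Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0';
const UA_LINUX = 'Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0';

function user(headerUA, jsUA, passiveOS) { return { headerUA, jsUA, passiveOS }; }

// Post-change population: header and JS UA agree and match the real platform.
const CONSISTENT_LINUX = Array.from({ length: 6 }, () => user(UA_LINUX, UA_LINUX, 'Linux'));
const CONSISTENT_WIN = Array.from({ length: 4 }, () => user(UA_WIN, UA_WIN, 'Windows'));
// The video's "experienced user": a Linux machine that overrides both UAs
// to Windows. Passive detection still says Linux.
const SPOOFER = user(UA_WIN, UA_WIN, 'Linux');
const POPULATION = [...CONSISTENT_LINUX, ...CONSISTENT_WIN, SPOOFER];

// Pre-change population, per the Tor Project comment: Linux users sent a
// Windows header UA but a Linux JavaScript UA. Everyone on Linux still
// shared one fingerprint, so the change did not shrink their set.
const OLD_LINUX = Array.from({ length: 6 }, () => user(UA_WIN, UA_LINUX, 'Linux'));
const OLD_POPULATION = [...OLD_LINUX, ...CONSISTENT_WIN];

function report() {
  return {
    linuxUser: anonymitySet(POPULATION, CONSISTENT_LINUX[0]),   // 6
    windowsUser: anonymitySet(POPULATION, CONSISTENT_WIN[0]),   // 4
    spoofer: anonymitySet(POPULATION, SPOOFER),                 // 1
    oldLinuxUser: anonymitySet(OLD_POPULATION, OLD_LINUX[0]),   // 6
  };
}

console.log(report());
```

The consistent Linux user shares a fingerprint with every other Linux user, before and after the change; the spoofer is the only visitor whose passively detected platform disagrees with both user agents, so their anonymity set collapses to one. Real fingerprinting scripts fold in many more signals, but the shape of the argument is the same.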