This is nice post with details about recent and upcoming developments
Brave, Fingerprinting, and Privacy Budgets
Here is an excerpt:
Fingerprinting Protections in Brave (Present, Planned, and Under Consideration)
The previous sections described why Brave is skeptical of budget-based approaches to fingerprinting protections. This section presents Brave’s approach, a mixture of removing differences between browsers we don’t expect to be useful for users, adding noise to fingerprinting vectors, and improving our ability to determine which script should have access to fingerprinting functionality, and which scripts to block.
Current Fingerprinting Protections in Brave
Currently Brave protects against fingerprinting by preventing third party sites from accessing functionality frequently used to fingerprint users. This includes highly identifying parts of the Canvas, Web Audio and WebGL APIs, among others. These default settings can be changed through Brave’s Shields interface, where users can disable these protections if needed, or also extend them to the first party.
Brave prevents known fingerprinting scripts from being loaded, through the browser’s
Shields protections. Brave both uses, and
contributes to the development of, privacy-protecting filter lists like
EasyList and EasyPrivacy.
More information about current
Brave fingerprinting and privacy protections are available
on our Wiki.
Upcoming Fingerprinting Protections
While Brave’s fingerprinting protections are strong and do a good job of protecting user privacy (especially when combined with Brave’s blocking of cross-site tracking scripts and frames), we have plans to do even better, to keep ahead of even the most determined adversaries. We plan to implement protections against
font–based fingerprinting, and identifying users based on hardware capabilities (e.g. hardware concurrency, device memory, etc.). Additionally, we will soon begin adding noise to values used in fingerprinting, such as varying OS version numbers in the user agent string.
Brave is also working with Web standards bodies to pursue privacy protections at a cross-browser level. Currently browser vendors need to
deviate from standards to protect user privacy, a situation which is both a condemnation of the state of privacy on the Web, and puts privacy-focused browsers at a constant disadvantage. Through our work in the W3C, including co-chairing
PING (the W3C’s primary privacy body) and reviewing specs for privacy issues, Brave is working to improve fingerprinting protections for all Web users.
Ongoing Research on Fingerprinting Protections
Brave is also exploring longer term approaches to fingerprinting protections. We have projects to better
identify (and block) additional fingerprinting scripts, especially as used by adversaries
targeting people who speak languages underserved by existing filter lists. We are also building a unique system of V8 JavaScript engine and Blink rendering engine instrumentation called
PageGraph, currently being used to detect when trackers evade detection by renaming resources, bundling tracking script with benign script, or other common evasion tactics. We’ll be sharing more about the progress of these, and other, privacy protections in the upcoming months.
Conclusion
Browser fingerprinting is a difficult threat for the privacy community to defend against, and one that’s likely to get ever more challenging as browsers deploy protections against traditional, cookie-based tracking systems. Because there is so much privacy-harming technical debt in the Web platform, successful defenses will require addressing the problem at every level: resource blocking, fingerprint randomization, restricting which sites have access to risky functionality, and improving privacy in Web standards.
Approaches that attempt to maintain an “acceptable” amount of identification and tracking online, however well-meaning, are antithetical to the goal of a truly privacy-respecting Web. We expect that “budget”-based approaches to Web privacy will not be effective privacy protections, and that the steps described above will be far more effective at protecting user privacy. We’re excited to work with others in the privacy community to continue to improve privacy on the Web.
