Protecting against browser-language fingerprinting

By the Brave Privacy Team

This is the seventeenth post in an ongoing series describing new and upcoming privacy features in Brave. This post describes work done by Senior Software Engineer Mark Pilgrim, with help from Principal Engineer Brian Johnson, and was written by Senior Privacy Director Peter Snyder.

Summary

Brave has further strengthened its fingerprinting protections by preventing users from being identified based on preferred browser language. Starting with version 1.39, Brave randomizes how your browser informs sites of what language(s) you’ve set as default, and what fonts you have installed on your system. This expands Brave’s existing fingerprinting protections, already the strongest of any popular browser.

How trackers use your language preferences to violate your privacy

When you visit a website, your browser needs to tell that site your default language(s). This helps the site present content in a language you can understand. Browsers do this both explicitly (for example, with the Accept-Language header, and the navigator.language and navigator.languages Web APIs) and implicitly (for example, with the fonts you have installed on your system).

However, as with so much online, features meant to improve your experience often just expose you to more risk. In this case, trackers can use your language preferences (both implicit and explicit) to fingerprint you, identifying you across sites and browsing sessions.

Brave’s unique “farbling” features already provide the best fingerprinting protections of any popular browser. These add small amounts of randomization into identifying browser features—enough to confuse and defeat trackers, but not so much that they break sites.

With this latest release, Brave has expanded “farbling” protections to language preferences, too.

How Brave defends against Accept-Language fingerprinting

The Accept-Language HTTP header tells websites your preferred language(s). If you’ve configured your computer or browser to prefer multiple languages, the header typically conveys all of those preferences, in the order you’ve selected. The browser also includes a “weight” with each preference, which expresses how much you prefer one language over another.

For example, if you’ve set your browser to say “I prefer to read websites in English, but if that’s not available, Spanish is fine too,” your browser might express this in the header as:

Accept-Language: en;q=.7,es;q=.5

This information is then sent with every request your browser makes on the Web. The browser exposes similar information to JavaScript running on pages through the navigator.language and navigator.languages properties.

Integration with Shields

With these new protections against browser-language fingerprinting, Brave now reduces and randomizes the information available in these APIs. And we’ve incorporated these as default protections, via Brave Shields.

By default, Brave will only report your most preferred language. So, if your language preferences are “English (United States)” first, and Korean second, the browser will only report “en-US,en.”[1] Brave will also randomize the reported weight (i.e., “q”) within a certain range.

If fingerprinting protections have been set to Strict, Brave will instead always report the language preference as “English,” which ensures the largest available anonymity set[2]. And here, too, Brave will randomize the reported weight (i.e., “q”) within a certain range.

How Brave defends against font fingerprinting

In general, fonts can be split into three categories:

  • Web Fonts: Fonts included by a website, for use on that website. Since they don’t come from the user, web fonts aren’t useful as a method of fingerprinting.

  • OS Fonts: Fonts installed by the operating system, and common to all users of that operating system. Since trackers can already learn what operating system you’re using (e.g. user agent string, JS APIs, etc.), exposing these fonts usually doesn’t impact privacy (though installing multiple sets of fonts for different languages can increase the likelihood of fingerprinting).

  • User Fonts: Additional fonts installed by the user, either directly (downloading and installing a font from a website) or indirectly (because other software on your computer has installed fonts, e.g. office suites, presentation editing tools, or image editing software). These are most useful for fingerprinting.

Trackers also identify users by checking for uncommon fonts, or fonts that aren’t commonly paired together. These distinguishing fonts may be installed because of language preference—either as something you’ve installed directly, or something your operating system installed.

For example, if you tell Windows you prefer Hebrew and Malaysian, Windows will install additional fonts for those languages. A tracker could then use these data points to identify you, because only a fraction of Web users will have that combination of fonts.

Currently Brave applies font fingerprinting protections on Android, macOS, and Windows versions. Brave does not apply these protections to iOS versions for two reasons: platform restrictions prevent us from doing so; and WKWebView already includes similar, although not quite as strong, protections[3]. Brave does not apply these protections on Linux because of difficulties in determining which fonts are “OS fonts” for each distro.

Note that it’s also possible to have uncommon fonts installed for reasons unrelated to language preference. For example, some software packages (e.g. office suites, slide and photo editing tools, etc.) will add additional fonts to the system. And sometimes people install additional fonts on their own.

Integration with Shields

In both default and aggressive configurations, Brave will allow websites to access all Web fonts, OS fonts for your current top language preference, and a randomly selected (i.e. farbled) set of user fonts. As with all of Brave’s fingerprint randomization protections, the set of user fonts the page can access is randomly determined for each site and for each browser session; a site will always be able to access the same fonts during the same browser session.
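The Accept-Language reduction and the per-site, per-session font selection described above, modelled in an added example that is not Brave's own code. The HMAC-based seed, the q range, the share of user fonts kept, the `en-US` tag used for Strict mode, and all function and font names are assumptions made for illustration.

```python
import hashlib
import hmac
import random

Q_RANGE = (0.5, 0.9)       # assumed; the post only says "within a certain range"
STRICT_LANGUAGE = "en-US"  # assumed tag for the post's Strict-mode "English"
KEEP_FRACTION = 0.5        # assumed share of user fonts exposed to each site


def site_rng(session_key: bytes, site: str, purpose: str) -> random.Random:
    """RNG that is stable for one site in one session, unrelated elsewhere."""
    msg = f"{purpose}|{site}".encode()
    digest = hmac.new(session_key, msg, hashlib.sha256).digest()
    return random.Random(int.from_bytes(digest, "big"))


def accept_language(prefs, session_key, site, strict=False):
    """Report only the top preference, with a farbled q weight."""
    top = STRICT_LANGUAGE if strict else prefs[0]
    base = top.split("-")[0]
    q = round(site_rng(session_key, site, "lang").uniform(*Q_RANGE), 1)
    langs = top if top == base else f"{top},{base}"
    return f"{langs};q={q}"


def visible_fonts(web, os_fonts, user, session_key, site):
    """Web fonts and OS fonts for the top language, plus a farbled user subset."""
    rng = site_rng(session_key, site, "fonts")
    farbled = {f for f in sorted(user) if rng.random() < KEEP_FRACTION}
    return sorted(set(web) | set(os_fonts) | farbled)


if __name__ == "__main__":
    # Constructed sample data: a session key and font lists invented for this demo.
    key = bytes(range(32))
    user_fonts = ["Gotham", "Noto Sans KR", "Fira Code", "Papyrus"]
    for site in ("news.example", "shop.example"):
        print(site, accept_language(["en-US", "ko"], key, site))
        print(site, visible_fonts(["SiteIcons"], ["Arial", "Segoe UI"], user_fonts, key, site))
```

Because the seed mixes a per-session key with the site name, a site sees stable values for the whole session, while two sites, or the same site in a later session, cannot line their observations up.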

What to do if you need to share more language preferences with sites

While we expect the above protections to serve the vast majority of users, we appreciate that some users will need to share more detailed information with sites about their language preferences. For example, you may speak a language that’s not well supported by standard operating systems fonts, and so may be part of a linguistic community that relies on additional, user-installed fonts to browse the Web.

In cases like this, the benefits of sharing additional language preferences with websites may outweigh the privacy risk. To support these users, and to ensure everyone can use Brave for safe, private browsing, we’ve also taken the following steps:

  • Increased User-Controls: Brave users who wish to share more information about their language preferences with websites can easily configure Brave to do so. Users can disable the font / language protections by visiting brave://settings/shields and toggling off Reduce the identifiability of my language preferences.

  • Flexibility: Brave will monitor the rollout of these new protections, first for Nightly, then Beta, and eventually stable users. If we learn of compatibility issues on sites, we may modify these features, to make sure Brave’s protections don’t break sites.

Comparison With Other Browsers

Though Brave has the strongest privacy protections of any popular browser, other browsers are also taking important and laudable steps to protect user privacy. Below is a brief summary of the protections other browsers provide against language-targeting fingerprinting.

  • Safari: Provides protections most similar to Brave’s. Safari will report only a user’s top language preference to websites in Accept-Language and navigator.languages, and will allow sites to access only OS provided fonts for the user’s current language preference. The main differences between Brave and Safari are: Brave also slightly randomizes data sources to further confuse trackers; and Brave includes the ability to disable these protections.

  • Firefox: Provides some protections against browser-language fingerprinting, though these are disabled by default. If a user enables Firefox’s resist fingerprinting feature, Firefox will similarly restrict the fonts a website can access.

  • Chrome and Edge: Provide no protections against browser-language fingerprinting, though both are considering including such fingerprinting efforts as part of the Privacy Budget proposal (a proposal about which Brave has serious concerns).


  [1] Apple’s Safari browser also reports only the most preferred language.

  [2] The Tor Browser also reports only English.

  [3] Brave on iOS is built on WKWebView; Apple does not permit us to use our own rendering engine.
