• WANTED: Happy members who like to discuss audio and other topics related to our interest. Desire to learn and share knowledge of science required. There are many reviews of audio hardware and expert members to help answer your questions. Click here to have your audio equipment measured for free!

Stop browser trackers once and for all

sweetchaos

Major Contributor
The Curator
Joined
Nov 29, 2019
Messages
3,896
Likes
11,842
Location
BC, Canada
Intro:
In this guide I'm comparing various browser settings and configurations, to see how well they protect your privacy/security.

Inspiration for this thread:
1. After my thread about 'Stop YouTube ads once and for all', I had another idea about comparing browser's privacy/security
2. Then, I saw this article on Dec 14, 2023... Google has announced that they will be disabling 3rd-party cookies for all Chrome users in 2nd half of 2024, by default.
Seeing how Chrome has 62% Market Share for desktop/mobile/tablet, this is massive news since it's the majority user base.
In this guide, instead of waiting for 2nd half of 2024 until Google implements this change, I'll guide everyone on how to do this right now, regardless of your browser.

Mobile Browser Links
Table 1: iOS Browsers
iOS BrowsersApple Store Link
Safari (default browser)Link
FirefoxLink
ChromeLink
EdgeLink
BraveLink
DuckDuckGoLink
Firefox FocusLink
ArcLink
OperaLink
VivaldiLink
-All iOS browers use Web Kit technology, due to Apple restriction

Table 2: Android Browsers
Android BrowsersGoogle Play LinkDownloadsBased on Chromium
FirefoxLink100 M+
Chrome (default browser)Link10 B+Yes
EdgeLink50 M+Yes
BraveLink100 M+Yes
Firefox FocusLink10 M+
DuckDuckGoLink50 M+
OperaLink100 M+Yes
Opera MiniLink500 M+
Samsung InternetLink1 B+Yes
VivaldiLink5 M+Yes
OrionsLink100 K+
GhosteryLink1 M+

Disable 3rd-party cookies (for desktop browsers)
What's the difference between 1st-party and 3rd-party cookies?
-When you first visit a website, like cnn.com, your browser receives a 1st-party cookie from cnn.com and saves it into your browser. If you wish to login to cnn.com, this credential information is stored in your cookie. When you close the browser and re-open it, and visit cnn.com, your previously logged in state is restored. 1st-party cookies are required for much of today's internet experience. Blocking 1st-party cookies is not a good idea, since it will break the internet. So browsers always allow 1st-party cookies.
-At the same time, by going to cnn.com, the developers of this 1st-party domain have allowed 3rd-party advertisers and 3rd-party addons/scripts. By going to cnn.com, all browsers (from the earliest days of internet) store 3rd-party cookies in your browser. This allows the 3rd-parties to track your activity, even across 1st-party domains. So for example, if you go to cnn.com and it has a Facebook addon/script, that addon/script will save a 3rd-party cookie for Facebook. Then when you go to cbc.ca and if the second domain has a Facebook addon/script as well, the script will try to save a Facebook cookie. If your browser has this cookie, it will use that cookie. As you can see, this allows 3rd-parties to effectively track you online, across multiple 1st-party domains.
-Over time, browsers added the ability to either sandbox and/or block 3rd-party cookies. This has been a long-time battle between privacy and advertisers. Every browser is different, so I'll explain how each browser handles 3rd-party cookies.
-For a much more in-depth explanation, see GRC's page.
-In this guide, I will guide you on how to disable 3rd-party cookies for all browsers. Don't worry, your websites won't break.

Browsers already protected by default:
BrowserNotes
Brave- Default behavior is "Block 3rd-party cookies"
- Nothing needs to be changed
Safari for MacOS- Default behavior is blocking 3rd-party cookies, since March 2020
- Nothing needs to changed
- Actually, you can't disable this functionality since there's no option for it
DuckDuckGo- Default behavior is "Block 3rd-party cookies"
- Nothing needs to be changed
- Actually, you can't disable this functionality since there's no option for it
Arc for MacOS- Default behavior is "Block 3rd-party cookies"
- Nothing needs to be changed

Browsers partly protected by default:
BrowserNotes
Firefox- Default behavior is "Block cross-site tracking cookies and isolate other cross-site cookies" (which is part of "standard" protection)
- This effectively means it's doing a hybrid job, of either blocking 3rd party cookies (that Firefox classified and kept on a maintained list) or sandboxing 3rd-party cookies (which means the cookie is still set in your browser, but just can't be accessed across multiple 1st-party domains, and is only isolated to one 1st-party domain).
- This is a useful change that Firefox has implemented since April 2023.
- From my perspective, this default setting offers partial protection since some cookies are stored in your browser (sandboxed by Firefox)
- In order to block all 3rd-party cookies from being saved in your browser, we need to get to settings, privacy and security, change from "standard" to "custom", and then change "cookies" from "Block cross-site tracking cookies and isolate other cross-site cookies" to "block all cross-site cookies".

Browsers unprotected by default:
BrowserNotes
Chrome- Default behavior is "Block 3rd-party cookies in Incognito Mode".
- This effectively means allow all 3rd-party cookies, since people don't use incognito/private mode all the time.
- This needs to be changed. Go to settings, privacy and security" and change "Block 3rd-party cookies in Incognito Mode" to "Block 3rd-party cookies" first.
- Then disable this option (which is on by default) "allow related sites to see your activity in the group". According to Google documentation, related sites are websites like "brandx.com and fly-brandx.com—or domains for different countries such as example.com, example.rs, example.co.uk and so on."
- As of December 2023, Google has announced that they will change the current behavior to "Block 3rd-party cookies" for everyone in 2nd half of 2024.
Edge- Default behavior is "Allow 3rd-party cookies"
- This needs to be changed by going into settings, "cookies and site permissions" tab, hit "manage and delete cookies and site data", and then turn on "Block 3rd-party cookies"
Opera- Default behavior is "Block 3rd-party cookies in private mode".
- This effectively means allow all 3rd-party cookies, since people don't use incognito/private mode all the time.
- This needs to be changed. Go to settings, privacy and security" and change "Block 3rd-party cookies in private mode" to "Block 3rd-party cookies".
- Then keep this option disabled (which is off by default) "allow related sites to see your activity in the group". According to Google documentation, related sites are websites like "brandx.com and fly-brandx.com—or domains for different countries such as example.com, example.rs, example.co.uk and so on."

Testing all desktop browsers in their ability to block 3rd party cookies, after changing all of the above settings:
To test your browser for 3rd party cookies go to:
GRC.com Cookie Forensics
BrowserResult of test?
ChromeSuccess, blocked all 3rd-party cookies
EdgeSuccess, blocked all 3rd-party cookies
Safari for MacOSSuccess, blocked all 3rd-party cookies
FirefoxSuccess, blocked all 3rd-party cookies
BraveSuccess, blocked all 3rd-party cookies
OperaSuccess, blocked all 3rd-party cookies
DuckDuckGoSuccess, blocked all 3rd-party cookies
Arc for MacOSSuccess, blocked all 3rd-party cookies
Summary:
- This shows that the browsers for desktop are indeed blocking 3rd-party cookies (after we've changed their settings).

Disable 3rd-party cookies (for iOS browsers)
Testing all iOS browsers in their ability to block 3rd party cookies:
To test your browser for 3rd party cookies go to:
GRC.com Cookie Forensics
BrowserResult of test?
Chrome for iOSSuccess, blocked all 3rd-party cookies
Edge for iOSSuccess, blocked all 3rd-party cookies
Update: this seems weird, since the default option for edge is to allow all cookies (1st-party and 3rd-party)
Update 2: It's because of Web Kit (reason below)
Safari for iOS (default browser)Success, blocked all 3rd-party cookies
Firefox for iOSSuccess, blocked all 3rd-party cookies
Brave for iOSSuccess, blocked all 3rd-party cookies
Opera for iOSSuccess, blocked all 3rd-party cookies
DuckDuckGo for iOSSuccess, blocked all 3rd-party cookies
Firefox Focus for iOSSuccess, blocked all 3rd-party cookies
Arc for iOSSuccess, blocked all 3rd-party cookies
Vivaldi for iOSSuccess, blocked all 3rd-party cookies
Summary:
- This shows that the browsers for iOS are indeed blocking 3rd-party cookies.
Update:
- That's because of "All iOS browsers are required to use the same iOS based Web Kit rendering engine (same as Safari). Apple has that locked down..."

Disable 3rd-party cookies (for Android browsers)
Testing all Android browsers in their ability to block 3rd party cookies:
To test your browser for 3rd party cookies go to:
GRC.com Cookie Forensics
BrowserResult of test?
Chrome for AndroidSuccess, blocked all 3rd-party cookies
Firefox for AndroidFailed, allowed 3rd-party cookies
Brave for AndroidSuccess, blocked all 3rd-party cookies
Edge for AndroidSuccess, blocked all 3rd-party cookies
DuckDuckGo for AndroidSuccess, blocked all 3rd-party cookies
Firefox Focus for AndroidFailed, allowed 3rd-party cookies
Opera for AndroidSuccess, blocked all 3rd-party cookies
Opera Mini for AndroidFailed, allowed 3rd-party cookies
Samsung Internet for AndroidSuccess, blocked all 3rd-party cookies
Vivaldi for AndroidSuccess, blocked all 3rd-party cookies
Orions for AndroidSuccess, blocked all 3rd-party cookies
Ghostery for AndroidFailed, allowed 3rd-party cookies
Summary:
- This shows that the most (but not all) browsers for Android are blocking 3rd-party cookies by default

How to block 3rd-party cookies for the browsers that failed the test above?
BrowserChange these settings to block 3rd-party cookies
Firefox for AndroidSettings, "enhanced tracking protection", change from 'standard' to 'custom', then under 'cookies', change from 'isolate cross-site cookies' to 'all third-party cookies (may cause websites to break)'

update: The grc cookie test still fails after changing these settings above... very strange! perhaps a bug in firefox?
update 2: This looks like a false positive. read my notes. In other words, Firefox for Android is safe to use!
Firefox Focus for AndroidSettings, 'Block cookies', change from 'block cross-site' to 'block 3rd-party cookies only'

update: this passed grc cookie test now
Opera Mini for AndroidThere's no options for you to change, avoid this browser.
Ghostery for AndroidThere's no options for you to change, avoid this browser.
Summary:
- Avoid 2 browsers for Android (since you can't disable 3rd-party cookies): 1. Opera Mini 2. Ghostery

Disable Topics (Chrome for desktop only)
What is Topics?
- Google has implemented the next evolution of Cookies, called "Topics" or "Privacy Sandbox".
- This was rolled out to all Chrome users in September 2023.

What are the 3 Topics?
- Explanations by eff.org
1. Ad topics:
- This is the fundamental component of Privacy Sandbox that generates a list of your interests based on the websites you visit. If you leave this enabled, you'll eventually get a list of all your interests, which are used for ads, as well as the ability to block individual topics. The topics roll over every four weeks (up from weekly in the FLOCs proposal) and random ones will be thrown in for good measure.
2. Site-suggested ads:
- This confusingly named toggle is what allows advertisers to do what’s called "remarketing" or "retargeting," also known as “after I buy a sofa, every website on the internet advertises that same sofa to me.” With this feature, site one gives information to your Chrome instance (like “this person loves sofas”) and site two, which runs ads, can interact with Chrome such that a sofa ad will be shown, even without site two learning that you love sofas.
3. Ad measurement:
- This allows advertisers to track ad performance by storing data in your browser that's then shared with other sites. For example, if you see an ad for a pair of shoes, the site would get information about the time of day, whether the ad was clicked, and where it was displayed.

How to disable Topics for Chrome browser for Desktop?
1. In Chrome, go to settings, "privacy and security", "ad privacy" and you'll 3 sections.
2. Disable all 3.

Can you use a Chrome Extension to disable the Topics signal from being sent by Chrome for desktop?
Yes, you can install one of these Google Chrome extensions. These serve the same function as disabling all 3 options in Chrome's settings (I mentioned above).
1. OptMeowt (chrome web store)
2. PrivacyBadger (chrome web store)

Should you disable Topics?
- Most people agree that "Topics" or "Privacy Sandbox" is better than the 3rd-party cookies being stored in your browser and which are used to track you across multiple 1st-party domains.
- The wording is deceptive from Google. "Privacy Sandbox" is still tracking—of a different nature—under the name of "Privacy".
- We don't want tracking of any kind, so we turn this off.

Disable Topics (Chrome for Android only)
How to disable Topics for Chrome for Android?
1. Open Chrome for Android
2. Settings, 'privacy and security', 'ads privacy', then disable all 3:
- Ad topics
- Site-suggested ads
- Ad measurement

Enable Maximum Protection (for desktop browsers)
- For those wanting the best possible protection when using your browser, look at these settings.
- By default, most browsers offer a 'balanced protection', instead of 'maximum protection'. So I'll summarize on how to enable these settings.
BrowserNotesExplanations
Chrome1. Go to settings, privacy and security, security
- Change 'standard protection' to 'enhanced protection'.
Explanation 1:
Enhanced Protection:
If you’ve opted into “Enhanced protection” (pictured above), in addition to all the protections described above for “Standard protection” mode, Chrome will use the real-time checks mechanism described above for checking the Safe Browsing reputation of top-level URLs and iframe URLs. If you're signed in to Chrome, the requests for performing real-time checks and the requests for checking potentially dangerous file downloads contain a temporary authentication token tied to your Google account that is used to protect you across Google apps. Enhanced protection also enables reporting additional data relevant to security to help improve Safe Browsing and overall web security, and it enables Chrome’s password breach detection. When browsing in incognito or guest mode, these extra checks do not occur, and Enhanced protection mode operates the same way as Standard protection.

Explanation 2:
Enhanced Protection:
  • Automatically warns you about potentially risky sites, downloads, and extensions.
  • Automatically warns you about leaked passwords.
  • Sends additional info to Google about your activity. Learn more about safe browsing protection.
  • Inspects the safety of your downloads and warns you when a file may be dangerous.
    • You can choose to send this file to Google to be scanned for added security.
Explanation 3:
To help protect your account and data, Enhanced Safe Browsing for your account checks for risky:
  • URLs
  • Downloads
  • Browser extensions
  • System information
  • Small sample of pages
Edge1. Go to settings, privacy search and services
- Change 'tracking protection' from 'balanced' to 'strict'.

2. Go to settings, privacy search and services
- Enable 'enhanced your security on the web', then change 'balanced' to 'strict'.
1. Tracking Protection
Explanation 1:
- Balanced (Recommended): Blocks potentially harmful trackers and trackers from sites you haven’t visited. Content and ads will likely be less personalized.
- Strict: Blocks potentially harmful trackers and most trackers across sites. Content and ads will likely have minimal personalization. This option blocks the most trackers but could cause some websites to not behave as expected. For example, a video might not play, or you might not be able to sign in.

2. Enhanced Your Security On the Web
Explanation 2:
-Enhanced security in Microsoft Edge helps safeguard against memory-related vulnerabilities by disabling just-in-time (JIT) JavaScript compilation and enabling additional operating system protections for the browser. These protections include Hardware-enforced Stack Protection and Arbitrary Code Guard (ACG). With these protections in place, Microsoft Edge helps reduce the risk of an attack by automatically applying stricter security settings on unfamiliar sites while adapting to your browsing habits over time.
- Balanced (Recommended): Microsoft Edge applies added security protections to sites you don’t visit often or are unknown to you. Websites you browse frequently will be left out. Most sites will work as expected.
- Strict: Microsoft Edge applies added security protections to all sites visited by default. Strict mode may impact your ability to complete normal tasks on the web because some parts of websites might not work as expected.
FirefoxGo to settings, privacy and security, change from 'standard' to 'custom'.
1. Change 'tracking content' from 'only in private windows' to 'In all windows'.

2. Change 'suspected fingerprints' from 'only in private windows' to 'In all windows'.

3. In previous section about Cookies, I've mentioned to change the 'cookies' from 'block cross-site tracking cookies and isolate other cross-site cookies' to 'block all cross-site cookies'
1-2. Too many changes to list, here's Firefox articles to read:
Explanation 1. Firefox's protection against fingerprinting
Explanation 2. Enhanced Tracking Protection in Firefox for desktop
Explanation 3. Trackers and scripts Firefox blocks in Enhanced Tracking Protection
Explanation 4. SmartBlock for Enhanced Tracking Protection


3. Cookies:
Disables all 3rd-party cookies
BraveGo to settings, shields.
1. Change 'trackers and ads blocking' from 'standard' to 'aggressive'.

2. Change 'block fingerprinting' from 'standard' to 'strict'.
1. Trackers and ads blocking:
Improving privacy by improving Web compatibility

2. Block Fingerprinting:
Fingerprinting protections
Safari for MacOSGo to settings, advanced
1. enable 'use advanced tracking and fingerprinting protection' (which I believe should be enabled since Sep 2023)

2. Change 'use advanced tracking and fingerprinting protection' from 'in private browsing' (default setting) to 'in all browsing'.
Explanation 1:
In Safari 17.0, Private Browsing gets even more private with added protection against some of the most advanced techniques used to track you. Technical changes include:
  • Blocking for known trackers and fingerprinting.
  • Support for mitigating trackers that map subdomains to third-party IP addresses.
  • Blocking for known tracking query parameters in links.
  • Noise to fingerprintable web APIs.
  • Console log messages when blocking requests to known trackers.
  • Support for blocking trackers that use third-party CNAME cloaking.
  • Support for Private Click Measurement for direct response advertising, similar to how it works for in-app direct response advertising.
OperaNo settings are available to configureNo settings are available to configure
DuckDuckGoNo settings are available to configureNo settings are available to configure
Arc for MacOSGo to settings, general, 'privacy and security', select 'security', change from 'standard protection' to 'enhanced protection'To find detailed info

Enable Maximum Protection (for iOS browsers)
- For those wanting the best possible protection when using your browser, look at these settings.
- By default, most browsers offer a 'balanced protection', instead of 'maximum protection'. So I'll summarize on how to enable these settings.
BrowserNotesExplanations
Safari for iOS (default browser)Open iOS, to Settings, Safari, Advanced, select 'advanced tracking and fingerprint protection'. The default option is 'private browsing', change to 'all browsing'Explanation 1:
In Safari 17.0, Private Browsing gets even more private with added protection against some of the most advanced techniques used to track you. Technical changes include:
  • Blocking for known trackers and fingerprinting.
  • Support for mitigating trackers that map subdomains to third-party IP addresses.
  • Blocking for known tracking query parameters in links.
  • Noise to fingerprintable web APIs.
  • Console log messages when blocking requests to known trackers.
  • Support for blocking trackers that use third-party CNAME cloaking.
  • Support for Private Click Measurement for direct response advertising, similar to how it works for in-app direct response advertising.
Chrome for iOSOpen Chrome, settings, 'privacy and security', 'safe browsing', change from 'standard protection' to 'enhanced protection'To find detailed info
Edge for iOS1. Open Edge, settings, 'privacy and security', select 'tracking prevention', and change 'balanced' to 'strict'
2. Open Edge, settings, 'privacy and security', select 'cookies', and change from 'don't block cookies' to ' block only third party cookies'
To find detailed info
Brave for iOSOpen Brave, settings, 'brave shield and privacy', select 'trackers and ads blocking', change from 'standard' to 'aggressive'To find detailed info
Firefox for iOSOpen Firefox, settings, 'tracking protection', change from 'standard' to 'strict'To find detailed info
Opera for iOSOpen Opera, settings, content filters, enable 'ad blocking'To find detailed info
DuckDuckGo for iOSNo settings are available to configureNo settings are available to configure
Firefox Focus for iOSNo settings are available to configureNo settings are available to configure
Arc for iOSNo settings are available to configureNo settings are available to configure
Vivaldi for iOSWhen running for the first time, change 'no blocking' to 'block trackers and ads'To find detailed info

Enable Maximum Protection (for Android browsers)
- For those wanting the best possible protection when using your browser, look at these settings.
- By default, most browsers offer a 'balanced protection', instead of 'maximum protection'. So I'll summarize on how to enable these settings.
BrowserNotesExplanation
Firefox for AndroidSettings, 'enhanced tracking protection', change from 'standard' to 'custom', then set 'cookies' from 'isolate cross-site cookies' to 'all third-party cookies (may cause websites to break)'To do
Chrome for Android1. Settings, 'privacy and security', change 'third party cookies' from 'block third-party cookies in incognito' to 'block third-party cookies'
2. Settings, 'privacy and security', 'send a do not track request', enable it
3. Settings, 'privacy and security', 'safe browsing', change from 'standard protection' to 'enhanced protection'
To do
Edge for Android1. Settings, 'privacy and security', 'tracking prevention', change from 'balanced' to 'strict'
2. Settings, 'privacy and security', 'do no track', enable it
To do
Brave for Android1. Settings, 'brave shield and privacy', change 'block trackers and ads' from 'standard' to 'aggressive'
2. Settings, 'brave shield and privacy', change 'block fingerprinting', from 'standard' to 'strict'
3. Settings, 'brave shield and privacy', change 'send do not track request', enable it
To do
DuckDuckGo for AndroidNothing to configureNothing to configure
Firefox Focus for AndroidNothing to configureNothing to configure
Opera for Android1. Settings, 'privacy and security', enable 'tracker blocking'
2. Settings, 'privacy and security', 'cookies', change from 'enabled' to 'enabled, excluding third-party'
To do
Opera Mini for AndroidNothing to configureNothing to configure
Samsung Internet for AndroidNothing to configureNothing to configure
Vivaldi for Android1. Settings, 'privacy and security', 'send a do not track request', enable itTo do
Orions for AndroidNothing to configureNothing to configure
Ghostery for AndroidNothing to configureNothing to configure

Force 'Global Privacy Control' (for desktop browsers)
What is Global Privacy Control?
- Global Privacy Control (GPC) refers to a standard designed to give individuals more control over their online privacy by allowing them to assert their legal rights to opt-out of online tracking and data sharing. It aims to simplify the process of communicating user privacy preferences across websites and online services.
- The concept is similar to "Do Not Track" (DNT), but GPC is an effort to create a more enforceable and standardized approach. The GPC initiative is typically implemented through browser extensions or settings that users can enable to signal their desire to opt-out of online tracking. When a website or online service recognizes the GPC signal, it is expected to respect the user's preference and refrain from collecting or sharing their personal information.

How to test your browser for this?
Go to GlobalPrivacyControl.org and see what the message on top says.
- If you see "GPC signal detected. Test against the reference server.", then your browser passed the test, and your browser is protected.
- If you see "GPC signal not detected. Please download a browser/extension that supports it.", then your browser failed the test and you're not protected.

Global Privacy Control test for Desktop OS:
BrowserDoes the browser pass the test, by default?How to make the browser pass the test?
OperaNo, it failedNothing can be done in Opera.
-Note: Enabling "Send a "Do Not Track" request with your browsing traffic" doesnt help.
BraveYes, it passedNothing needs to be done, since Brave protects you by default
ChromeNo, it failedNothing can be done in Chrome.
-Note: Enabling "Send a "Do Not Track" request with your browsing traffic" doesnt help.
Safari for MacOSNo, it failedNothing can be done in Safari for MacOS
FirefoxNo, it failedThere is a quick fix:
-Go to settings, privacy and security, enable 'tell websites not to sell or share my data'. Now the test passes.
EdgeNo, it failedNothing can be done in Edge.
-Note: Enabling 'send do not track requests' doesnt help.
DuckDuckGoYes, it passedNothing needs to be done, since DuckDuckGo protects you by default
Arc for MacOSNo, it failedNothing can be done in Arc for MacOS.
-Note: Enabling "Send a "Do Not Track" request with your browsing traffic" doesnt help.
Summary:
- Brave and DuckDuckGo for desktop protected you by default.

What application for Desktop OS, you can install to pass this test?
- AdGuard. Website (free to install, but requires a license) (see my previous 'youtube ads' guide on how to get a license)
Will this pass the test?
- No, it will fail the test by default.
- But if you enable "send do-no-track signals" (found under 'advanced tracking protection', then 'general' tab, in MacOS), then it passes the test.
- Since AdGuard works at OS level, it will work for any browser you use.

Which browser extension, you can install to pass the test?
1. Privacy Badger (website).
- Available for Chrome, Firefox, Edge, Opera.
- Your browser will pass the test after you install this extension.
2. Disconnect (website).
- Available for Chrome, Firefox, Opera.
- By default, this option is turned off, which means the browser will fail the test.
- Select the icon, and hit 'enable GPC', now the browser will pass the test.
3. OptMeowt (github)
- Available for Chrome, Firefox.
- Your browser will pass the test after you install this extension.
4. DuckDuckGo Privacy Essentials (website)
- Available for Chrome, Firefox, Edge
- Your browser will pass the test after you install this extension.

Which browser extension failed to pass this test?
1. AdGuard for Safari (website).
- While this extension is useful for blocking ads, it fails this test since Adguard hasn't implemented the GPC signal.
- On the other hand, if you use Adguard for Desktop OS instead (like I mentioned earlier), then GPC signal can be activated, in which case that will pass the test.2
2. Ghostery (website)
- Did nothing about GPC

In Summary:
-If you're using Brave or DuckDuckGo, you won't need to install any browser extension to pass this test, since it's built into browser (like I mentioned above).
-If you're using Firefox, you need to make one simple change in Firefox's settings, to pass this test, since it's built into Firefox (like I mentioned above).
-If you're using Chrome or Edge or Opera, you'll need to install any of the browser extensions (like I mentioned above), to pass this test.
-If you're using Safari for MacOS, I don't have a solution for you yet (other than AdGuard application for desktop OS).

Force 'Global Privacy Control' (for iOS browsers)
How to test your iOS browser for this?
Go to GlobalPrivacyControl.org and see what the message on top says.
- If you see "GPC signal detected. Test against the reference server.", then your browser passed the test, and your browser is protected.
- If you see "GPC signal not detected. Please download a browser/extension that supports it.", then your browser failed the test and you're not protected.

Global Privacy Control test for iOS:
BrowserDoes the browser pass the test, by default?How to make the browser pass the test?
Safari for iOSNo, it failedNothing can be done
Chrome for iOSNo, it failedNothing can be done
Firefox for iOSNo, it failedNothing can be done
Edge for iOSNo, it failedNothing can be done
Brave for iOSYes, it passedNothing needs to be done, since Brave protects you by default
Opera for iOSNo, it failedNothing can be done
DuckDuckGo for iOSYes, it passedNothing needs to be done, since DuckDuckGo protects you by default
Arc for iOSNo, it failedNothing can be done
Firefox Focus for iOSNo, it failedNothing can be done
Vivaldi for iOSNo, it failedNothing can be done
Summary:
- Brave and DuckDuckGo for iOS protected you by default.

Force 'Global Privacy Control' (for Android browsers)
How to test your Android browser for this?
Go to GlobalPrivacyControl.org and see what the message on top says.
- If you see "GPC signal detected. Test against the reference server.", then your browser passed the test, and your browser is protected.
- If you see "GPC signal not detected. Please download a browser/extension that supports it.", then your browser failed the test and you're not protected.

Global Privacy Control test for Android:
BrowserDoes the browser pass the test, by default?How to make the browser pass the test?
Chrome for AndroidNo, it failedSome Chrome extension for Android? To find out
Firefox for AndroidNo, it failedSome Firefox extension for Android? To find out
Edge for AndroidNo, it failedSome Edge extension for Android? To find out
Brave for AndroidYes, it passedNothing left for you to do
Opera for AndroidNo, it failedYou can't
Firefox Focus for AndroidNo, it failedYou can't
DuckDuckGo for AndroidYes, it passedNothing left for you to do
Opera Mini for AndroidNo, it failedYou can't
Samsung Internet for AndroidNo, it failedYou can't
Vivaldi for AndroidNo, it failedYou can't
Orions for AndroidNo, it failedYou can't
Ghostery for AndroidNo, it failedYou can't
Summary:
- Only Brave and DuckDuckGo for Android protected you by default.

Device Fingerprinting Results for Desktop, using CoverYourTracks
Go to CoverYourTracks to test the browser.
For browser settings, I enabled the 'maximum protection' options mentioned before.
BrowserBlocking tracking ads?Blocking invisible trackers?Protecting you from fingerprinting?
Safari for MacOSYesYesYour browser has a unique fingerprint
ChromePartial protectionPartial protectionYour browser has a nearly-unique fingerprint
FirefoxYesYesYour browser has a unique fingerprint
Firefox + NoScript (addon)YesYesNo
Firefox + PrivacyBadger (addon)YesYesYour browser has a unique fingerprint
Firefox + Disconnect (addon)YesYesYour browser has a nearly-unique fingerprint
Firefox + DuckDuckGo Privacy Essentials (addon)YesYesYour browser has a unique fingerprint
Firefox + Ghostery (addon)YesYesYour browser has a nearly-unique fingerprint
Firefox + Chameleon (addon)YesYesYour browser has a unique fingerprint
Firefox + CanvasBlocker (addon)
apply 'max protection'
YesYesYour browser has a unique fingerprint
EdgeYesYesYour browser has a unique fingerprint
BraveYesYesYour browser has a randomized fingerprint
OperaPartial protectionPartial protectionYour browser has a unique fingerprint
DuckDuckGoYesYesYour browser has a unique fingerprint
Arc for MacOSPartial protectionPartial protectionYour browser has a unique fingerprint
Summary:
- Brave is the only one browser with 'randomized fingerprint'. Explanation, Explanation2

Device Fingerprinting Results for iOS, using CoverYourTracks
Go to CoverYourTracks to test the browser.
For browser settings, I enabled the 'maximum protection' options mentioned before.
BrowserBlocking tracking ads?Blocking invisible trackers?Protecting you from fingerprinting?
Safari for iOSYesYesYour browser has a unique fingerprint
Chrome for iOSPartial protectionPartial protectionYour browser has a unique fingerprint
Firefox for iOSYesYesYour browser has a unique fingerprint
Edge for iOSYesYesYour browser has a unique fingerprint
Brave for iOSYesYesYour browser has a unique fingerprint
Opera for iOSPartial protectionPartial protectionYour browser has a unique fingerprint
DuckDuckGo for iOSYesYesYour browser has a unique fingerprint
Arc for iOSYesYesYour browser has a unique fingerprint
Firefox Focus for iOSYesYesYour browser has a unique fingerprint
Vivaldi for iOSYesYesYour browser has a unique fingerprint
Summary:
- All iOS browsers are very similar.

Device Fingerprinting Results for Android, using CoverYourTracks
Go to CoverYourTracks to test the browser.
For browser settings, I enabled the 'maximum protection' options mentioned before.
BrowserBlocking tracking ads?Blocking invisible trackers?Protecting you from fingerprinting?
Firefox for AndroidYesYesYour browser has a unique fingerprint
Chrome for AndroidPartial protectionPartial protectionYour browser has a unique fingerprint
Edge for AndroidYesYesYour browser has a unique fingerprint
Brave for AndroidYesYesYour browser has a randomized fingerprint
DuckDuckGo for AndroidYesYesYour browser has a unique fingerprint
Firefox Focus for AndroidYesYesYour browser has a nearly-unique fingerprint
Opera for AndroidYesPartial protectionYour browser has a unique fingerprint
Opera Mini for AndroidYesYesYour browser has a unique fingerprint
Samsung Internet for AndroidPartial protectionPartial protectionYour browser has a unique fingerprint
Vivaldi for AndroidYesYesYour browser has a unique fingerprint
Orions for AndroidYesYesYour browser has a unique fingerprint
Ghostery for AndroidPartial protectionPartial protectionYour browser has a unique fingerprint
Summary:
- Brave for Android is the only one browser with 'randomized fingerprint'. Explanation, Explanation2

Device Fingerprinting Results for Desktop, using CreepJS
CreepJS's Github page and Test page.
For browser settings, I enabled the 'maximum protection' options mentioned before.
BrowserResults
Safari for MacOS
Chrome
Firefox
Edge
Brave
Opera
DuckDuckGo
Arc for MacOS

Device Fingerprinting Results for iOS, using CreepJS
CreepJS's Github page and Test page.
For browser settings, I enabled the 'maximum protection' options mentioned before.
BrowserResults
Safari for iOS
Edge for iOS
Chrome for iOS
Firefox for iOS
Brave for iOS
Opera for iOS
DuckDuckGo for iOS
Arc for iOS
Firefox Focus for iOS
Vivaldi for iOS

Device Fingerprinting Results for Android, using CreepJS
CreepJS's Github page and Test page.
For browser settings, I enabled the 'maximum protection' options mentioned before.
BrowserResults
Firefox for Android
Chrome for Android
Edge for Android
Brave for Android
DuckDuckGo for Android
Firefox Focus for Android
Opera for Android
Opera Mini for Android
Samsung Internet for Android
Vivaldi for Android
Orions for Android
Ghostery for Android
Summary:
- ...

Changelog
2023-12-15:
- Launched
2023-12-16:
- Added DuckDuckGo browser for desktop
- Added 3rd-party cookie checking website for desktop and mobile
- Tested desktop browsers against 3rd-party cookie website
- Tested mobile browsers against 3rd-party cookie website
- Added "Enable Maximum Protection (for all mobile browsers)"
- Added explanations for various settings
2023-12-17:
- Device fingerprinting results for a few websites for desktop and iOS
2023-12-18:
- Added "Device Fingerprinting Results for iOS, using CoverYourTracks"
- Added "Force 'Global Privacy Control' (for all iOS browsers)"
- Added Arc for MacOS and iOS
2023-12-19:
- Added colors to sections, for similar topics. Makes it much easier to see.
- Added 'Disable 3rd-party cookies (for all Android browsers)'
- Added 'Enable Maximum Protection (for all Android browsers)'
- Added 'Force 'Global Privacy Control' (for all Android browsers)'
- Added 'Device Fingerprinting Results for Android, using CoverYourTracks'
- Added GRC's 3rd-party cookie explanation page that talks about tracking in much more detail. Link
- Added reason for why Firefox for Android's GRC's 3rd-party cookie test keeps failing. Link
 
Last edited:

TonyJZX

Major Contributor
Joined
Aug 20, 2021
Messages
1,940
Likes
1,888
would you guys recommend avoiding chrome and edge?

I use FF and Opera pretty much and have done so for a LONG time...
 

Dunring

Major Contributor
Forum Donor
Joined
Feb 7, 2021
Messages
1,240
Likes
1,321
Location
Florida
Vivaldi or Duckduckgo browsers are a simple solution I use. Linux Mint and a VPN, can't beat it for privacy.
 
OP
sweetchaos

sweetchaos

Major Contributor
The Curator
Joined
Nov 29, 2019
Messages
3,896
Likes
11,842
Location
BC, Canada
would you guys recommend avoiding chrome
Google is not doing themselves any favors by launching the recent aggressive YouTube anti ad-blocking campaign. Link
Plus Topics for all Chrome users in September 2023.

They lost around 3% marketshare in the last year, so that's not a big drop.
It doesnt look like people are jumping ship, per say, but at least people are aware of Google's aggressive strategy to maintain and/or increase their earnings, in the last few months.

Edge doesnt have Topics or any of Google's problems. Yes, Edge is based on Chromium, just like Brave. But Microsoft and Brave choose which parts of Chromium to maintain and publish in their browsers. Google has their own agenda for Chrome, which often conflicts with user's privacy.

Hopefully my guide shows you how each browser handles various elements of privacy/security.

I plan to expand to 'device fingerprinting' and other tests, browsers, and to test mobile devices. Stay tuned.
 

kysa

Member
Joined
Jan 22, 2023
Messages
77
Likes
58
Vivaldi or Duckduckgo browsers are a simple solution I use. Linux Mint and a VPN, can't beat it for privacy.
Vivaldi browser is a tracker by itself, lol. And can't protect you from fingerprinting either.

most browsers failed to protect your privacy/security by default.
- Luckily, with my guide, you can fix that.

Until it doesn't.
This whole browser tweaking topic is completely useless. If you really want websites to stop tracking you — use Tor Browser. Every browser trick you enable makes you stand out more, not less.

 
OP
sweetchaos

sweetchaos

Major Contributor
The Curator
Joined
Nov 29, 2019
Messages
3,896
Likes
11,842
Location
BC, Canada
Changelog:
2023-12-16:
- Added DuckDuckGo browser for desktop
- Added 3rd-party cookie checking website for desktop and mobile
- Tested desktop browsers against 3rd-party cookie website
- Tested mobile browsers against 3rd-party cookie website
- Added "Enable Maximum Protection (for all mobile browsers)"
- Added explanations for various settings

To do:
- Android OS
- Vivaldi for desktop, mobile
- Will test browsers against fingerprinting tests (must find worthwhile ones)

Observations:
- Interesting that all iOS browsers by default block 3rd-party cookies. I didn't realize, until I tested for this. That's so different from desktop browsers (which are about 50-50 now, meaning half block, and half allow, by default).

Will continue to update this...
 

Randyman...

Member
Joined
Apr 6, 2023
Messages
77
Likes
64
Observations:
- Interesting that all iOS browsers by default block 3rd-party cookies. I didn't realize, until I tested for this. That's so different from desktop browsers (which are about 50-50 now, meaning half block, and half allow, by default).
All iOS browsers are required to use the same iOS based Web Kit rendering engine (same as Safari). Apple has that locked down...
 
OP
sweetchaos

sweetchaos

Major Contributor
The Curator
Joined
Nov 29, 2019
Messages
3,896
Likes
11,842
Location
BC, Canada
Until it doesn't.
This whole browser tweaking topic is completely useless. If you really want websites to stop tracking you — use Tor Browser. Every browser trick you enable makes you stand out more, not less.
I don't agree with any of this.

Here's my reasons:
1. Tor is not meant for clear-web browsing. Tor is meant for dark-web browsing. Plus, Tor introduces major latency and loss of speed, making web browsing painful, hence normal people don't use it.

2. I mention tweaking settings in a specific browser in order to help you increase your privacy/security. Some browsers, like Brave and DuckDuckGo, were created with these privacy/security settings enabled by default. While other browsers (like Chrome, Edge, etc) come with settings that are too relaxed. We can identify these settings by comparing all browsers against each other.

3. Browser fingerprinting websites check for certain criteria (like your timezone, fonts, etc) and check whether your browser is disclosing this information. We can test each desktop and mobile browser against these websites and get an easily understandable report card. Both mobile and desktop browsers implement various anti-fingerprinting technologies, so we don't really know all of them, until we test for it. Anyway, I plan to test all browsers against these fingerprinting websites, so we'll soon see a report card for them all.

4. Locking down your privacy/security is not an argument towards "Well, that makes you stand out more".

Anyway...
 
OP
sweetchaos

sweetchaos

Major Contributor
The Curator
Joined
Nov 29, 2019
Messages
3,896
Likes
11,842
Location
BC, Canada
My preliminary testing shows that Brave is the only desktop browser that provides "randomized" fingerprint protection.
Brave's Explanation, Explanation2 on Randomized fingeprint protection.
In other words, Brave browser actually protects you against fingerprinting.

Tested all browsers (and some extensions) by going to CoverYourTracks.
No other desktop browser seems offers this protection.
Perhaps some extension can do this? I haven't found any that do yet. Please report if you find.
 

Pe8er

Active Member
Joined
Jul 2, 2019
Messages
174
Likes
358
Location
Bay Area
What a fantastic piece of work, thank you so much for taking the time!! If you get a chance, check out Arc Browser (https://arc.net/) I ran it through a few of the tests you posted and it did pretty well.
 

kysa

Member
Joined
Jan 22, 2023
Messages
77
Likes
58
I mention tweaking settings in a specific browser in order to help you increase your privacy/security.

If at least one of the fingerprinting methods identifies the user, then all those privacy settings become useless. And they are in fact useless, because the commercial solutions I use in my work, as well as the open source telemetry research projects, easily captures a specific browser user.


I plan to test all browsers against these fingerprinting websites, so we'll soon see a report card for them all.
Your methodology is completely wrong, which just reinforces my impression that you don't know what you're doing. You're supposed to look at total views count, not browser trust score. Visit creepjs, wait for a couple of seconds, close and reopen your browser, visit again. If the number is <1 — congratulations, your browser loses against real world tracking ;)

4. Locking down your privacy/security is not an argument towards "Well, that makes you stand out more".
My point about "it makes you stand out more" was that some of the things that supposedly increase user privacy by making tracking impossible actually make it easier for tracking libraries, because when you don't harden your entire browser (as Tor Browser does), such tracking only narrows the circle of suspected devices, since fewer people have certain features enabled. An already classic example of this reverse effect in action would be uBlock regional lists. if you were to enable it, the tracking libraries will immediately realize that you are using it, which would enable them to narrow the pool of similar fingerprints.

Brave browser actually protects you against fingerprinting.
Brave browser has Safe Browsing as well as telemetry enabled by default, which literally tracks your activity. And, once again, Brave doesn't protect against real world tracking libraries.
 

Blumlein 88

Grand Contributor
Forum Donor
Joined
Feb 23, 2016
Messages
20,652
Likes
37,318
If at least one of the fingerprinting methods identifies the user, then all those privacy settings become useless. And they are in fact useless, because the commercial solutions I use in my work, as well as the open source telemetry research projects, easily captures a specific browser user.



Your methodology is completely wrong, which just reinforces my impression that you don't know what you're doing. You're supposed to look at total views count, not browser trust score. Visit creepjs, wait for a couple of seconds, close and reopen your browser, visit again. If the number is <1 — congratulations, your browser loses against real world tracking ;)


My point about "it makes you stand out more" was that some of the things that supposedly increase user privacy by making tracking impossible actually make it easier for tracking libraries, because when you don't harden your entire browser (as Tor Browser does), such tracking only narrows the circle of suspected devices, since fewer people have certain features enabled. An already classic example of this reverse effect in action would be uBlock regional lists. if you were to enable it, the tracking libraries will immediately realize that you are using it, which would enable them to narrow the pool of similar fingerprints.


Brave browser has Safe Browsing as well as telemetry enabled by default, which literally tracks your activity. And, once again, Brave doesn't protect against real world tracking libraries.
How is the Tor browser built into Brave?
 

kysa

Member
Joined
Jan 22, 2023
Messages
77
Likes
58

Blumlein 88

Grand Contributor
Forum Donor
Joined
Feb 23, 2016
Messages
20,652
Likes
37,318
Brave has a built-in Tor Network, not Tor Browser. It basically proxies almost all browser traffic to Tor Network. Tor Project advises not to do so:

I've not used Tor browser for two or three years. At the time it broke my use of many websites. Has it improved in that sense so that one can use it as their daily driver browser?
 

kysa

Member
Joined
Jan 22, 2023
Messages
77
Likes
58
I've not used Tor browser for two or three years. At the time it broke my use of many websites. Has it improved in that sense so that one can use it as their daily driver browser?
It will likely never improve since everything that Tor Browser brakes is bad for your privacy.
 

Blumlein 88

Grand Contributor
Forum Donor
Joined
Feb 23, 2016
Messages
20,652
Likes
37,318
It will likely never improve since everything that Tor Browser brakes is bad for your privacy.
That is about what I suspected. Thank you for the answers and sharing your knowledge.
 
OP
sweetchaos

sweetchaos

Major Contributor
The Curator
Joined
Nov 29, 2019
Messages
3,896
Likes
11,842
Location
BC, Canada
Changelog:
2023-12-17:
- Device fingerprinting results for a few websites for desktop and iOS
2023-12-18:
- Added "Device Fingerprinting Results for iOS, using CoverYourTracks"
- Added "Force 'Global Privacy Control' (for all iOS browsers)"
- Added Arc for MacOS and iOS

Interesting finding:
- Only Arc for iOS browser (of all iOS browsers) offered a randomized fingerprint, using CoverMyTracks test.

Will work on Android OS next.
 

Joramun

Member
Joined
Mar 23, 2023
Messages
51
Likes
81
There's an open-source firewall that will block trackers

Portmaster
 
Top Bottom