The Impact of Privacy Addons on Tor Browser Fingerprinting

Introduction

Whether to use additional privacy and security add-ons with the Tor Browser is a perennial question [1] [2] [3] [4] [5] [6] [7].

On its face, it seems reasonable to assume that additional blockers could only improve anonymity. After all, Tails itself ships with uBlock Origin pre-installed. On the other hand, the Tor Project warns that additional add-ons can create a unique device fingerprint that can allow you to be tracked [8] [9]. An analogy might be a spy wearing three disguises at the same time. Maybe their true identity is unknown, but as the only person wearing three sets of clothes simultaneously, they are easily identified wherever they go.

The official recommendation of the Tor Project is to use the Tor Browser without any additional add-ons [10].

I have read a lot of discussion and speculation, but I have not seen any actual data, so I decided to run a home-brew experiment to inform my own operational security. The goal was to explore the effect of additional privacy add-ons on the Tor Browser’s fingerprint under different security settings, for different base systems, with and without using Tails.

Methods

I took a convenience sample of 6 devices: two desktops – an HP EliteDesk running Linux 6.13.5 (I use Arch, btw) and a custom gaming rig running Windows 10, two laptops – a Lenovo T430 running OpenBSD 7.7 beta and a Lenovo Legion 5 running Windows 10, and two phones – a Pixel 3a running stock Android 12 and a Pixel 6a running Graphene 2025031400.

Browser fingerprint was measured using Cover Your Tracks, a tool from the Electronic Frontier Foundation (EFF) that fingerprints your browser and reports the sample proportion of other visitors that share the same fingerprint and its information content in bits. It also tells you if your fingerprint is unique (the only one it has seen). Information was apparently capped at about 18 bits due to their own limited sample size of about 260,000 visitors. I left the “Test with a real tracking company” box unchecked.

The add-ons tested were uBlock Origin and Privacy Badger. The latter was developed by the EFF to block advertisements and tracking cookies that do not respect the Do Not Track setting [11]. NoScript was enabled with default settings for every trial and I did not mess with it.

The browser fingerprint (in bits) and its uniqueness (0,1) were measured for every possible combination of add-on (none, uBlock Origin, Privacy Badger, both) and security setting (standard, safer, safest), on every base system with and without using Tails (when possible). After every measurement, I clicked the “New Identity” button to restart the browser. The total number of observations was n=144.

Linear models were fit with the lm function in R. To prevent overfitting, stepwise variable selection was done in both directions with stepAIC. Model diagnostics were assessed visually. Statistical significance was taken to be p < 0.05. Post hoc comparisons were done using Tukey adjustments.

Results

I will try to state only the statistically significant results in a qualitative way without getting bogged down in the numbers.

Use of add-ons

Privacy Badger was associated with a large increase in average fingerprint, varying across systems.

In contrast, uBlock was associated with a small reduction in fingerprint for the T430 when Privacy Badger was both off and on. For the two mobile devices, uBlock was associated with a small reduction in fingerprint when Privacy Badger was off, but a small increase when Privacy Badger was on. The slight fingerprint reductions seen with the other laptops and desktops were not statistically significant.

Figure 1552×524 6.13 KB

The “safer” setting was associated with a larger browser fingerprint compared to the “standard” setting in all configurations except the T430, and the HP Elite and Pixel 6 with Privacy Badger on. The “safest” setting resulted in the lowest fingerprints. The two mobile devices had larger fingerprints compared to the other systems on the “safest” security setting.

Figure 2552×524 8.08 KB

Use of Tails

Using Tails was associated with a small reduction in browser fingerprint, but only with the “standard” and “safer” settings. The largest reductions were at both the “standard” and “safer” settings of the HP Elite and the T430, with smaller reductions in the “safer” setting with the custom desktop and Legion 5 laptop. At the “safest” security setting, there was no difference between using Tails vs. the original operating system.

Figure 3552×524 7.22 KB

The fingerprint-reducing effect of using Tails at lower security settings did not persist when Privacy Badger was installed and enabled.

Figure 4552×262 4.34 KB

Unique fingerprints

Twelve of the 144 configurations (8.3%) resulted in a unique browser fingerprint. All of these occurred while using the “standard” or “safer” setting. All but three occurred while using Privacy Badger by itself. The other three occurred while using uBlock and Privacy Badger together (but only on the mobile devices). In no cases did a unique fingerprint result from using uBlock alone or while using the “safest” security setting.

Three unique fingerprints (2.1%) happened when using Tails: on the custom desktop and on the T430, in both the “standard” and “safer” settings, with Privacy Badger enabled and uBlock disabled.

Discussion

The results suggest that using uBlock by itself has no effect or may slightly reduce the fingerprint (Figure 1). However, when used with Privacy Badger (and possibly other add-ons) it may contribute to a larger browser fingerprint and even a unique fingerprint on some systems (Figure 1, Table 1).

In this experiment, there was no advantage to using Privacy Badger (at least in terms of fingerprint reduction). On every system and security setting it resulted in a larger fingerprint or at best no change (Figure 2). It also negated the benefit of using Tails (Figure 4). This may hold true for other add-ons as well, or it may not.

The “safest” security setting resulted in the smallest fingerprints (Figures 2, 3, 4). In most cases (but not all), the “safer” setting actually resulted in a larger fingerprint compared to the “standard” setting. However, there may be other advantages to using “safer” over “standard” beyond just fingerprinting, but that is beyond the scope of this experiment.

The underlying hardware may have a greater effect on fingerprint than the operating system. For example, the use of Tails was able to reduce the browser fingerprint of the T430 in the lower-security settings (Figure 4, bottom-right), but that machine still had the largest fingerprint. A closer look at the detailed results of the test showed that “screen size and color depth” was the largest contributor to its fingerprint. The T430 is 13 years old and has a 14" screen with a resolution of 1366 x 768. There probably are not many still in use, so maybe it should come as no surprise that such a dinosaur had a unique fingerprint. This could underscore the importance of using commonplace hardware especially if you anticipate having to use a lower security setting.

This experiment also demonstrated that it is possible to have a unique fingerprint using Tails on some systems by installing additional add-ons (Table 1). However, this only occurred in the “standard” and “safer” security settings when uBlock had been disabled. Whether it is always necessary to disable uBlock and use a lower security setting for this to occur is not clear, though (see the Limitations section).

It also may be important to note that the two android devices had larger fingerprints compared to the desktops and laptops on the “safest” security setting (Figure 2). The Pixel 3 had a unique fingerprint in the “safer” security setting even without installing any additional add-ons. It may be because these two phones are relatively old and are probably uncommon in the wild, or it may be due to differences in the desktop vs. Android versions of the Tor Browser, or it may be a coincidence.

Limitations

A major limitation was the small sample size of the experiment. Only six systems were tested. Most of the hardware was relatively old, and no Apple devices were tested. Therefore, the sample should not be considered representative of the population of base systems out there, and any extrapolations or generalizations beyond the limited scope of this experiment should be done cautiously.

Another limitation is that I did not randomize the order in which configurations were tested. Each sequence on a particular system and security setting began with no addons enabled and ended with both uBlock and Privacy Badger enabled. This may have introduced a bias, as Cover Your Tracks may update its database in real-time. If an early test produced a unique fingerprint, subsequent configurations could appear less unique – not because of an actual change in fingerprint size but due to prior observations in the dataset that I myself introduced.

Conclusions and personal recommendations

I hesitate to give other people advice, but for my own self I feel comfortable making the following recommendations:

• It is probably OK to use uBlock Origin by itself. It may even result in a smaller fingerprint in addition to blocking ads.

• Do not install any other addons beyond uBlock.

• Use the “safest” security setting if possible.

• If you anticipate having to use a lower security setting for website functionality, use Tails on commonplace hardware.

• Use a desktop or laptop instead of a phone, if possible.

The goal was to explore the effect of additional privacy add-ons on the Tor Browser’s fingerprint under different security settings, for different base systems, with and without using Tails

Sorry, but this is flawed. Using tainted data and small data sets and limited metric tests such as EFF’s site is not good. The data is heavily skewed by the nature of those visiting, who then proceed to tweak things and change settings and retest, further polluting the data and even causing what I call a self-fulfilling prophesies: e.g (made up example) they repeatedly test and see that 4 is the most common hardwareConcurrency, so they stick with that (e.g. via an extension or dom.maxHardwareConcurrency pref)

To give you an example, the timeZoneName of Atlantic/Reykjavik is reported around 1 in 6. Think about that for a second. Now lets do some basic math. Population is not a perfect comparison to actual worldwide internet users and browser profiles, but it’s good enough to illustrate my point here. The population of Iceland is 400k perps. And let’s say Tor Browser users number 5 million (they all use this timeZoneName). And lets say the world’s population is 9 billion.

That gives you a probability of 5400000 / 9000000000 = 0.06%. That’s not 1 in 6, It’s not even 1 in 1000. It’s approximately 1 in 1667 - that’s not just slightly skewed, that’s nutbar crazypants off-the-charts rejected pseudo-science 275+ times inflated and would be laughed out of any peer review.

This tainted data example comes exclusively from Tor Browser’s decision to switch RRP’s timezone protection from UTC to Atlantic/Reykjavik - I watched it change over time.

And if that metric is completely damaged, all the others are too.

all entropy figures on all test sites are complete nonsense

So that was the first mistake, using entropy figures that are flawed, and by retesting, perpetuating and making the figures worse (as in lowering them: self-fulfilling). Also the site data has options for users to change the outcome (using a real tracker option) which should not be in a test such as this. And the test for an “adblocker” doesn’t work well enough - it fails to detect uBO for me - so testing uBO doesn’t do anything. It’s also only binary, when we know you can detect specific regional lists - so entropy can be way worse and is not even maxed to a reasonable degree.

Secondly, all you need to do to prove something adds entropy is to show it can be detected. So the whole exercise was a waste of time, sorry

FYI the feasibility of integrating uBlock Origin into Tor Browser is under active investigation.