Vanadium Spoofing

Blank

I wonder if Vanadium could include a spoofing options for tracking. Indeed, I am extremely beware about my online fingerprinting. I know that website could track many information about our device (screen size, OS...) With the use of cookies. Therefore could Vanadium include an option to spoof our device spec to enhance privacy ? I already know it already spoofs MAC address for Wi-Fi. What do you think of my idea ?

Thanks for your feedbacks.

Mystified3527

From https://grapheneos.org/usage#web-browsing,

Vanadium will be following the school of thought where hiding the IP address through Tor or a trusted VPN shared between many users is the essential baseline, with the browser partitioning state based on site and mitigating fingerprinting to avoid that being trivially bypassed. The Tor Browser's approach is the only one with any real potential, however flawed the current implementation may be.

It seems like spoofing is not very effective against fingerprinting techniques given that the devs don't consider it as an approach with real potential. Instead at https://grapheneos.org/features#vanadium they say

Anti-fingerprinting depends on having a large userbase with the same browser, extensions, content filters and other web-facing configuration.

Also display info is needed to display web pages properly; if this is spoofed pages would display strangely. The closest to this is Tor's letterboxing, though it would be unreasonable on small phone screens. Vanadium users have very similar display and hardware info anyway since it's only available on pixels, so spoofing may not be necessary. See the GrapheneOS features and FAQ pages for Vanadium for more info on anti fingerprinting.

Spoofing OS would probably not work given that Vanadium is only on Graphene OS, so if a site can identify that the user is on Vanadium, they can tell they are using a pixel with Graphene anyway.

IIRC Brave uses spoofing in their anti fingerprinting measures, and it only fools fairly basic scripts with the real fingerprinting threats still being able to work without issue.

Blank

Mystified3527 thanks for your very clear explanation. In addition I think you're right since with the rise of AI agent detection it would be harder to spoof hardware. So I guess it isn't possible to completely hide. The best way is yo use VPN to hide IP address and not modifying its browser's parameters too much since it would identify you even more...

Mystified3527

__Blank__
Yes, the devs recommend leaving Vanadium's settings as their defaults for this reason, and be careful with the VPN you use as some just track you (I believe express VPN is known for this, though you should confirm this and there are other forum posts with much more info about VPNs).

Also, keep in mind that Tor Browser on GOS is not a great idea due to some security issues that gecko-based browsers have on android; I believe it bypasses or weakens some form of sandboxing and this is mentioned more on the browser FAQ page. Though Tor on a computer may have better anti-fingerprinting capabilities than Vanadium.

If you want a way to test fingerprint resistance, you can try this site (that I will link further below) for a commercial fingerprinting company that has a demo of their capabilities. If you open this repeatedly in separate browser sessions and it gives you the same user ID and the correct number of visits, then you can be fingerprinted. Most other fingerprint tests tend to not be very reliable or have issues, while this is what actual fingerprinting would look like. Be warned though, the site tries to track you and get your location as part of the demo, so definitely use a VPN when testing. The site is fingerprint .com.

Blank

Mystified3527 do not worry, I always use the default browser delivered with GOS, since I do believe cyber security researchers working on the GOS project. For VPN I know two honorable companies which are trustworthy : Mullvad and Proton. I would only recommend those two companies.