An issue was filed on our Vanadium issue tracker about a potential Chromium WebRTC privacy issue. It was filed to track our process of determining whether we needed to do something about it with a privacy enhancement in GrapheneOS. We ended up deciding not to make a change to it.
This issue has been misinterpreted by a paper published on 2023-11-27 as being Vanadium-specific. It also misunderstands the issue. Chromium generates a random number to use as a salt to protect privacy. We think this may be reducing privacy. It is not a hardware identifier.
Our decision was to avoid removing this since it could make things worse, especially if Vanadium is used outside GrapheneOS on a small set of devices. The intention of Chromium’s approach is stopping hardware fingerprinting, but it causes a persistent random fingerprint instead.
We spent a small period of time considering the implications of hard-wiring the random salt but decided against it. Not every idea we come up with is a good idea which survives the rigorous review process. This didn’t make it to the point that we wrote any code to be reviewed.
There are far bigger problems than a user being fingerprinted by a site they explicitly allowed to use their camera/microphone. We have a lot of higher-priority work to do. Chromium should properly partition this tiny bit of state if they haven’t already, but it’s not a big deal.
The author was in contact with one of our developers and had a lot of their questions answered. It’s hard to understand how they ended up writing these claims that we’re responsible for the way device_id_salt is implemented and wrongly implying we don’t have substantial auditing.
People discovered the paper today and we’re quite perplexed at how it ended up this way. We’re cautious with our changes as a whole and our anti-fingerprinting approach is a very long-term one by necessity. No existing browser truly handles it well and it requires lots of users.
We’re aware of a lot of browser privacy issues which need to be resolved in the long term. Most of these aren’t solved by any other browsers. Many of the anti-fingerprinting approaches deployed by privacy-focused browsers are also highly flawed and don’t actually work correctly.
It takes a lot of time to do the research and design for features even before beginning the implementation. Vanadium is going to have a lot of nice privacy features but we care about doing things properly instead of the faulty state partitioning and anti-fingerprinting elsewhere.
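The trade-off between a random salt and a hard-wired one, discussed above, as an added sketch that is not code from GrapheneOS or Chromium: a simplified model of a salted media device identifier. The HMAC-SHA256 derivation keyed by the requesting origin, the function names, the origins and the device labels are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed constant standing in for a hard-wired salt (hypothetical).
FIXED_SALT = "0" * 32


def make_profile(raw_label: str, fixed: bool = False) -> dict:
    """A browser profile: a raw device label plus its salt (random by default)."""
    salt = FIXED_SALT if fixed else secrets.token_hex(16)
    return {"raw": raw_label, "salt": salt}


def device_id(profile: dict, origin: str) -> str:
    """Assumed derivation: HMAC-SHA256 keyed by origin over raw label + salt."""
    msg = (profile["raw"] + profile["salt"]).encode()
    return hmac.new(origin.encode(), msg, hashlib.sha256).hexdigest()


def compare() -> dict:
    site, other = "https://meet.example", "https://chat.example"  # constructed
    # Two users with identical camera hardware, each with a random salt.
    alice, bob = make_profile("cam-model-x"), make_profile("cam-model-x")
    # The same two users plus a third on different hardware, salt hard-wired.
    fa = make_profile("cam-model-x", fixed=True)
    fb = make_profile("cam-model-x", fixed=True)
    fc = make_profile("cam-model-y", fixed=True)
    return {
        # The raw hardware label never appears in what the site receives.
        "raw_label_hidden": alice["raw"] not in device_id(alice, site),
        # Same profile, same site: the value persists while the salt does.
        "stable_while_salt_persists": device_id(alice, site) == device_id(alice, site),
        # Different sites cannot join on the value.
        "differs_per_origin": device_id(alice, site) != device_id(alice, other),
        # Random salt: identical hardware still yields a per-profile value.
        "random_salt_unique_per_profile": device_id(alice, site) != device_id(bob, site),
        # Hard-wired salt: identical hardware collapses to one shared value...
        "fixed_salt_shared_by_same_hardware": device_id(fa, site) == device_id(fb, site),
        # ...and the value becomes a function of the hardware label instead.
        "fixed_salt_tracks_hardware": device_id(fa, site) != device_id(fc, site),
    }


if __name__ == "__main__":
    for name, holds in compare().items():
        print(f"{name}: {holds}")
```

In this model, resetting the salt is equivalent to creating a new profile, so the persistent value lasts only as long as the stored salt does.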