Privacy risks from allowing sites to access hardware

Giving sites access to specific hardware devices poses privacy risks, and can potentially allow the site to re-identify you across visits, even when you clear storage or change browsers. This is for several reasons.

Some hardware includes semi-identifiers (e.g., product numbers, model numbers) that, when combined with other semi-identifiers (e.g., region, operating system) allow your browser to be "fingerprinted," and so re-identified even when clearing cookies. Other hardware even includes unique identifiers (e.g., serial numbers, device keys), that identifies your specific piece of hardware. Sites that can read unique identifiers will likely be able to re-identify you across sites, sessions, or even browsers.

Brave protect against these privacy risks in a range of ways. First, Brave puts most information about your hardware behind permission prompts, so that users can restrict which sites have access. Second, where possible, Brave will remove or randomize unique identifiers on hardware, though this is not always possible. Hardware may present unique and semi-unique identifiers to websites though in unpredictable ways, in which case Brave is unable to obscure the identifier for you.

In conclusion, users should be careful and conservative in deciding which sites to give access to their hardware. While Brave includes best-effort privacy protections, Brave cannot remove the privacy risk that comes from sharing such devices completely.