All together as one: This is how the Mullvad Browser works
What’s important when you develop a privacy-focused browser? In our world there’s only one method to strive for, and it’s a classic: hide in the crowd. Just like the Tor Browser, the Mullvad Browser has been developed with the purpose and ambition for all its users to appear as one (if you have the same ambition: use a trustworthy VPN together with the browser). When you have that aspiration and goal, it’s critical to choose carefully. With an internet infrastructure loaded with different tracking techniques, it could be tempting to offer as many cool features as possible to stop and block them. But the irony is: your attempt to block trackers could be the one thing to reveal you.
Sometimes having no specific defense is better than having one. By wanting to increase online privacy, you install extensions that in the end make you even more visible than before.
The Tor Project
In this case, the Mullvad Browser leans towards what computer scientist and security researcher Peter Eckersley calls “the paradox of fingerprintable privacy”. As the Tor Project describes this paradox: “By wanting to increase online privacy, you install extensions that in the end make you even more visible than before.”
The same browser fingerprint for all Mullvad Browser users
So, in order to be able to hide in the crowd, we give similar fingerprints to all the Mullvad Browser users. But how? Well, let us give you some examples. We have standardized configurations and don’t recommend users to change settings. Firefox’s resist fingerprinting mode is on, and it will spoof many additional parameters and settings that could be used for fingerprinting. Only a specific set of fonts is made available to the browser, and several hardware APIs are removed – like hardware concurrency and other APIs that could be used to extract information from your device. Another API used to fingerprint you is WebGL, where the fingerprinting attack tells your browser to render a triangle in 3D. The Mullvad Browser prevents websites from accessing the rendered content by blocking the readPixels function. One more sneaky way to collect your data for fingerprinting is by measuring exactly how big your browser window is. Just think about it – are you the kind of user who maximizes your browser window? Or are you more of a half-the-size-of-the-screen kind of user? Letterboxing masks your real dimensions by adding a space around the window. So, no matter how you resize your browser, your window dimensions are unlikely to uniquely identify you. These are just a few of the fingerprint protection actions we implemented with the Mullvad Browser. Here you can dig deeper into our settings.
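The letterboxing idea described above, as an added example that is not Mullvad's or Firefox's code: it models letterboxing as rounding the content area down to a fixed step and counts how many distinct sizes a site could observe. The 100-pixel step, the function names and the sample window sizes are assumptions made for illustration; the page does not state the browser's actual step sizes.

```javascript
// Added illustration: letterboxing modelled as rounding the content area
// down to a fixed step. STEP is an assumed value, not a browser constant.
const STEP = 100;

// Return the size a page would observe and the margin added on each axis.
function letterbox(innerWidth, innerHeight, step = STEP) {
  // Windows smaller than one step are left as they are (no negative margin).
  const round = (v) => (v < step ? v : Math.floor(v / step) * step);
  const width = round(innerWidth);
  const height = round(innerHeight);
  return { width, height, marginX: innerWidth - width, marginY: innerHeight - height };
}

// Group users by the size a site can observe; bigger groups mean a bigger crowd.
function crowdSizes(windows, observe) {
  const groups = new Map();
  for (const [w, h] of windows) {
    const { width, height } = observe(w, h);
    const key = `${width}x${height}`;
    groups.set(key, (groups.get(key) || 0) + 1);
  }
  return groups;
}

// Constructed sample: eight users with hand-resized windows.
const SAMPLE_WINDOWS = [
  [1366, 657], [1353, 640], [1311, 699], [1399, 601],
  [1920, 969], [1903, 937], [1280, 720], [1287, 777],
];

const raw = crowdSizes(SAMPLE_WINDOWS, (w, h) => ({ width: w, height: h }));
const boxed = crowdSizes(SAMPLE_WINDOWS, letterbox);
console.log(`distinct sizes without letterboxing: ${raw.size}`);
console.log(`distinct sizes with letterboxing:    ${boxed.size}`);
console.log(Object.fromEntries(boxed));
```

In this constructed sample, eight unique window sizes collapse into three shared ones, so window size alone no longer singles out any of these users.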
Don’t feed the cookie monster: private browsing by default.
What's the problem with cookies? They are saved locally on your computer and if you don't clear them, it means they can be used to uniquely identify you. Sure, you can reject cookies on every website you visit: the issue is that despite your refusal, sites can put what they often call ‘essential cookies’ on your computer anyway, just because they think it’s super-super-super necessary to do so. You may think the ‘necessary’ cookies are only first-party cookies, but that’s not the case. When you take the time to read and scroll through the list, you frequently find the big tech companies and third-party cookies under this ‘essential’ category. They do this deliberately, hiding themselves behind vague arguments, and you can’t do anything to stop them. So you must make sure you clear your cookies.
The way to fight cookies is to run the browser in incognito or private mode, which means that cookies and history aren’t saved and that each session is a new one. You may have read articles criticizing incognito mode, and the reason is that big tech browsers can log everything you do even when you’re running in incognito mode, without saving cookies. How do they do that? Well, in this case you’re using a big tech browser, so they collect your activity right from the browser. But as long as you run a privacy-focused browser, private mode is a good thing. Mullvad Browser has private mode enabled by default. This means no cookies are saved between your sessions. If you have a session running and just want to delete your cookies after visiting one page before going on to the next one, the Mullvad Browser has a reset button that creates a new session in one click.
The Mullvad Browser will isolate third-party cookies in per-domain specific jars. That means they can’t connect the dots to build a profile on you.
The Mullvad Browser also fights cookies during your session with FPI (first-party isolation), which means that third-party cookies are isolated in specific cookie jars. When you visit a site, all those third-party cookies will go into a per-domain specific jar. When you go on to the next page, where this same advertiser has another third-party tracker, they will go into another jar. This solution means that the third-party trackers the advertiser uses are unable to connect to each other to build that pattern of you.
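The cookie-jar behaviour described above, as an added toy model that is not browser code: the same third-party tracker is embedded on several sites, once with a shared cookie jar and once with one jar per first-party site. The class and function names, hostnames and ID format are all constructed for the example.

```javascript
// Added illustration of first-party isolation (FPI); a toy model, not browser code.
// Hostnames and the ID format are constructed for the example.
class CookieStore {
  constructor(isolate) {
    this.isolate = isolate;   // true = one jar per first-party site
    this.jars = new Map();    // jar key -> Map(cookie host -> value)
  }
  // With FPI the jar is keyed by the site in the address bar;
  // without it every site shares one global jar.
  jarFor(firstParty) {
    const key = this.isolate ? firstParty : "*";
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    return this.jars.get(key);
  }
  get(firstParty, host) { return this.jarFor(firstParty).get(host); }
  set(firstParty, host, value) { this.jarFor(firstParty).set(host, value); }
}

// A third-party tracker: reuse the cookie it is sent, otherwise mint a new ID.
function makeTracker(host) {
  let next = 1;
  const seen = new Map();     // tracker-side log: id -> sites where it was seen
  return {
    host, seen,
    handle(store, firstParty) {
      let id = store.get(firstParty, host);
      if (id === undefined) { id = `uid-${next++}`; store.set(firstParty, host, id); }
      if (!seen.has(id)) seen.set(id, []);
      seen.get(id).push(firstParty);
      return id;
    },
  };
}

// Visit sites that all embed the same tracker; return the profiles it built.
function browse(isolate, sites) {
  const store = new CookieStore(isolate);
  const tracker = makeTracker("tracker.example");
  for (const site of sites) tracker.handle(store, site);
  return tracker.seen;
}

const SITES = ["news.example", "shop.example", "news.example"];
console.log("shared jar:", Object.fromEntries(browse(false, SITES)));
console.log("FPI:       ", Object.fromEntries(browse(true, SITES)));
```

With the shared jar the tracker links all three visits to one ID; with isolation it sees one ID per first-party site and cannot join them through cookies.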
This is how we combat third-party trackers: with uBlock Origin.
First of all, if you run the Mullvad Browser together with Mullvad VPN, then your IP address is hidden, your fingerprint is similar to other Mullvad Browser users, and cookies are isolated in jars and deleted after every session. This means that even if a third-party tracker analyzes your activity on one webpage, it will be difficult to follow you on to the next one and build a profile on you – as they don’t have any identifiers of you. Still, it’s a good idea to block third-party trackers. Why? Well, there are some scripts that can analyze behavior (mouse movements, the way you write and so on) and use it to identify you. It’s a long shot, but it could still be used to track you via scripts. Moreover, scripts could contain malicious code designed to do you harm. As we have mentioned before, we don’t want to ‘try too hard’ to block trackers, because of the ironic risk that doing so can make users easier to identify. But we have made one big effort to block third-party trackers, and that’s to use uBlock Origin.
Don’t let your browser ‘call home’ and betray you: all telemetry removed.
Not only are browser fingerprints a potential privacy problem in most browsers, there’s also this thing called telemetry. Telemetry is data being collected by the browser to improve its performance. That means your browser is gathering stuff like session lengths, crash and error reports, and automatically checking for update status every time you start the browser. What’s the problem with this? Well, it’s all about your trust in your browser developer (and their ability to store this data safely). Another possibility is to just remove all the telemetry. We don’t believe in collecting data about our users, so with the Mullvad Browser, we have removed all telemetry.
Finally, what’s the difference between the Mullvad Browser + VPN and the Tor Browser?
The short explanation: if you use the Mullvad Browser, you are using a Tor-developed browser without using the Tor Network. Instead, the Mullvad Browser is intended to run with a VPN. That’s the main difference. Sure, there are a few calibration differences between the two browsers – but the differences are there for only that reason: to handle the browsers’ different ways of connecting to the internet.
The Tor Browser is free and open-source software that connects to the internet through the Tor Network – a decentralized network run and operated by volunteers. It encrypts your traffic in three layers (hence the name: The Onion Router) and sends it through three different relays around the world (read more about The Tor Project and how the onion routing works).
The Mullvad Browser is free and open-source software that connects to the internet (if you use it together with Mullvad VPN) through the encrypted VPN tunnels and VPN servers of Mullvad. You can use it with any VPN (and even without a VPN, but that’s not something we recommend), but you should make sure to use a VPN provider you can trust. Here you can read more about our policies and our transparency.