Every internet browser sends data to “the internet”, which consists of the servers behind the websites visited.
Data is not only transferred from the server to the browser, but also in the opposite direction.

This communication is specified in the standard “HTTP Protocol” and gives the server the possibility to adjust the delivered content to the user’s device (i.e. screen resolution for smartphones, language…).
This information, known as “passive HTTP Tracking”, is already used to identify the user.

The most important data is:

User agent

For example the line “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0”.
Here you can see information on the used browser, the operating system and the various software version numbers:

  • accept formats, accept charset, accept encoding: information on the capabilities of the browser.
  • accept language: languages that are enabled in the browser.
  • referrer: last site visited by the user, typically the searchengine.

How the PrivacyMachine protects against this:
The referrer will be reset inside the newly started VM-Mask(Tab) and as many parameters as possible are changed, such as language or screen resolution.


Cookies are little text files that are generated by the server and are stored on the local computer.
The website uses these files to store i.e. the login status for online banking or the items in a shopping basket during online-shopping.

These functions need cookies to work properly. But these cookies are misused to track the browsing behaviour of the users:
If homepage is displaying an ad banner from, the ad banner is allowed to store a user id in a 3rd party cookie of
If the user later visits, which also has the banner of on its site, the ad company has access to the cookie and can build a personal profile of the user’s surf behaviour. The ad company can use this personal profile to show the user personalised ads. The company receives more money for this kind of ad than for non-personalised ads (like a road sign).

The same principle can be accomplished without cookies using browser fingerprinting, meaning that disabling 3rd party cookies is more or less useless nowadays.

How the PrivacyMachine protects against this:
3rd party cookies can be disabled in some VM-Masks. Every time the virtual machine is reset, all cookies are deleted.


JavaScript makes interactive homepages possible, i.e., where dragging with the mouse moves the map on the screen.
When JavaScript is activated, an additional user agent is sent to the server, which contains more data on the operating system. Furthermore, a list of installed plugins (helper software) is generated and these are, if necessary, activated. Sadly JavaScript is necessary nowadays, because if it is disabled most homepages only work partially or are completely unusable.

How the PrivacyMachine protects against this:
A different list of plugins will be enabled for each VM-Mask. Also, the list of fonts installed in the operating system, which is readable via flash, will be changed on each reset.


Plugins are little helper programs which are installed separately (installation is not started inside the browser). Examples are the Office plugin from Microsoft, Flash from Adobe or Java from Oracle. These plugins make it possible to view or edit special file types inside the browser. The problem from a privacy protection point of view is that each user has an individual list of these plugins and their version numbers.
In addition, the plugins can read many operating system details. In the case of Flash, all installed fonts are delivered in a unique order. For Java plugins it is possible to read all serial numbers of all computer component parts.

screenshot of installed firefox plugins

Above all the plugins have the possibility to read out many details of the operating systems. In case of flash all installed fonts in a UNIQUE order are delivered. For java plugins it is possible to read all serial numbers of all computer component parts.

How the PrivacyMachine protects against this:
Only necessary plugins are installed for each VM-Mask.

Flash Cookies and “Local Shared Objects”

These are different options for storing settings on the local disk. They are misused to create unique markers of a user to identify them along their browsing timeline.

How the PrivacyMachine protects against this:
All changes to the local virtual hard disk are deleted on reset.


The web standard WebRTC makes it possible to use VoIP or video chat (such as skype) inside the browser. The disadvantage is that the real local ip is sent to the internet through proxies such as TOR or JonDo.

How the PrivacyMachine protects against this
WebRTC is only activated if no proxy service is used and it is needed by the VM-Mask.

Cache-based tracking

There are also further ways of storing information on the disk. For example, the cache is a separate place for the browser to store content i.e. for offline access. Furthermore, near invisible one pixel pictures or mechanisms such as “HTTP Authentication Caches” or the “Javascript Property Identifier” can be used to identify users.

How the PrivacyMachine protects against this
All changes to the local virtual hard disk are deleted on reset.

Canvas Fingerprinting

With HTML5 the Canvas feature became standard. This makes it possible to render pictures inside the browser. The commands for creating the picture are processed by the graphic card. As graphic cards are optimised for speed, each graphic card produces a picture that differs just a little from other graphic cards. By analysing the picture it is possible to detect the fingerprint of the graphic card.

How the PrivacyMachine protects against this
Instead of using the real graphic card, the virtual machine uses one that is virtual and software based. So there is no way for properties of the real graphic card to be found inside the generated picture.

Test your browser fingerprint