# Your clock is your face — locale and timezone fingerprinting > You can route through a pristine Tor exit and still get pinned to a region by your clock. Timezone, language, date order, and number format are a quiet regional fingerprint most people never think to obfuscate — and the worst case isn't leaking it, it's leaking one that contradicts your IP. A clean exit with a Shanghai clock is louder than no VPN at all. Markdown twin of https://xmr.club/opsec/06-locale-timezone-fingerprinting. CC-BY-4.0. Attribute "xmr.club". ## At a glance - Canonical: https://xmr.club/opsec/06-locale-timezone-fingerprinting - Series: #OPSEC52 — weekly threat-model-first OPSEC cards - Week: 06 - Pillar: Digital identity compartmentalization - Difficulty: intermediate - Cost: $0 - Published: 2026-07-01 ## Body # OPSEC52 / Week 6 — Locale and timezone fingerprinting > You can route through a pristine Tor exit and still get pinned to a region by your clock. Timezone, language, date order, and number format are a quiet regional fingerprint most people never think to obfuscate — and the worst case isn't leaking it, it's leaking one that contradicts your IP. A clean exit with a Shanghai clock is louder than no VPN at all. **Threat model:** browser and OS locale signals (timezone, language, date/number format, currency) that geolocate you regardless of IP; metadata timestamps in files, commits, and emails that carry your real UTC offset; a mismatch between your network location and your machine's locale that flags you as evasive; and platforms that silently key on your timezone to fingerprint or segment you without disclosure. [Last week](/opsec/05-browser-compartmentalization) we treated your browser as a correlation engine and split it into profiles. One of the four collapse mechanisms was fingerprinting — and the quietest inputs to it aren't canvas or fonts. They're your **clock and your language settings**. You spend money on a VPN, you spin up Tor, you get a clean exit in another country — and then your machine cheerfully announces `Asia/Shanghai`, `zh-CN`, and a `2026/07/01` date format to every page you load. The network says one thing; the locale says another. That contradiction is the signal. ## Why your clock and language are a regional fingerprint Four locale signals leak your region without a single cookie: 1. **Timezone.** `Intl.DateTimeFormat().resolvedOptions().timeZone` returns your exact IANA zone (`Asia/Shanghai`, `Europe/Moscow`), and `new Date().getTimezoneOffset()` gives the raw offset. No permission prompt, no IP needed. 2. **Language.** `navigator.language`, the full `navigator.languages` list, and the `Accept-Language` header sent on **every** request rank your preferred locales — often down to the regional variant. 3. **Date and number format.** `2026-07-01` vs `01/07/2026` vs `2026/07/01`, a decimal comma vs point, 24h vs 12h clock, first-day-of-week — each narrows the field. 4. **Currency and units.** Default currency, metric vs imperial, and paper size (`A4` vs `Letter`) quietly encode where you were configured. Individually these are weak. Combined with a network location that *disagrees* with them, they're strong — because now you're not just "someone in region X," you're "someone actively hiding region Y," which is a much smaller, much more interesting set. ## The metadata timestamps everyone forgets The browser is the obvious surface. The sneaky one is **everything you produce offline**, which stamps your real UTC offset into files you then hand to strangers: - **Git commits.** Every commit records an author date *with your timezone offset* (`+0800`). A pseudonymous repo with a consistent `+0800` on 400 commits has told you where the author sleeps. - **Photos (EXIF).** Camera timestamp, offset, and often GPS. Strip it before anything leaves your machine. - **Office & PDF docs.** Creation/modification time and author-timezone are embedded in the file metadata. - **Email `Date:` headers.** Your mail client writes your offset into every message. - **File modification times** in any archive (`.zip`, `.tar`) you share. - **Screenshots** — the clock in your status bar, the date format in the corner. You compartmentalized your identity, your email, and your browser — and then leaked the timezone in a commit trailer. ## The mismatch is the tell The mental model to fix: **your goal is not to hide your timezone, it's to make it match your cover.** A Tor user whose browser reports `UTC` looks like every other Tor user. A "private" setup that routes through Sweden but reports `Asia/Shanghai` and `zh-CN` has manufactured a contradiction that exists for exactly one reason. Consistency beats concealment. ## This is not hypothetical: timezone as a targeting key If you want proof that platforms actively key on this, it's shipping right now. The current Claude Code CLI (`claude.exe`, v2.1.159) contains — verifiable in the installed binary — a small routine that runs when a session connects through a third-party endpoint (`ANTHROPIC_BASE_URL` set). It reads your system timezone, sets an internal `cnTZ` flag if it is `Asia/Shanghai` or `Asia/Urumqi`, classifies your proxy hostname against an obfuscated (XOR + base64) list of Chinese corporate domains and known Claude-reseller mirrors, and then **encodes those bits steganographically into the apostrophe character** of the `Today's date is …` line injected into the system prompt — choosing between four visually identical glyphs (`'`, `'`, `ʼ`, `ʹ`). For Chinese-timezone sessions it also rewrites the date from `2026-07-01` to `2026/07/01`. Read the motive charitably — the reseller domains suggest it's abuse detection aimed at unauthorized Claude proxies, not surveillance of ordinary users. It doesn't matter for our purposes. The mechanism is the lesson: **your timezone was the trigger.** A single, unremarkable setting most people never obfuscate was enough to segment you, invisibly, with no disclosure. That's the whole thesis of this week, demonstrated by a shipping product. ## The fix - **Set your OS clock to UTC** on machines used for anonymous work, and let the browser inherit it. Tor Browser already reports `UTC`; don't undo that. - **Use a standardized-locale browser.** Tor Browser and Mullvad Browser normalize `navigator.language` to `en-US` and spoof the timezone so thousands of users look identical. Don't "fix" this by setting your real locale. - **Make network and locale agree.** If your cover is a Sweden exit, your timezone and language should not scream Shanghai. Match the cover or go fully neutral (`UTC` / `en-US`). - **Fix git before you commit.** `git config user.email` you already know; also neutralize time: commit with `TZ=UTC git commit`, or set `git config --global` hooks to normalize author/committer dates. Check existing repos with `git log --format='%ai'`. - **Strip metadata before sharing.** `exiftool -all= file.jpg`, `mat2` for documents, and re-zip archives created under a UTC clock. - **Watch the `Accept-Language` header**, not just JS. It's sent on every request; the standardized browsers handle it, a "hardened" Chrome does not. ## This week's drills - [ ] Set the OS clock to **UTC** on your anonymous-tier machine (or verify Tor/Mullvad Browser reports `UTC` at a fingerprinting test page). - [ ] Audit `navigator.language` / `Accept-Language` on your anonymous profile — it should read `en-US`, not your regional locale. - [ ] Run `git log --format='%ai'` on any pseudonymous repo and check the timezone offset you've been broadcasting; switch to `TZ=UTC` for future commits. - [ ] Add **metadata stripping** (`exiftool`, `mat2`) to your routine for any file — image, doc, archive — that leaves your machine. - [ ] Sanity-check for **mismatch**: does your VPN/Tor exit region contradict your clock, language, and date format? Make them agree or make them neutral. Next week we move into the **account & password** layer, where a password manager turns all this compartmentalization into something you can live with. Until then: set the clock to UTC, and stop letting your locale narrate your location. *Curated by [Cyber Satoshi](https://x.com/xbtoshi)* ## Related - HTML: https://xmr.club/opsec/06-locale-timezone-fingerprinting - Series index: https://xmr.club/opsec - Twin index: https://xmr.club/llm/opsec.txt