OPSEC52 / Week 6 — Locale and timezone fingerprinting
You can route through a pristine Tor exit and still get pinned to a region by your clock. Timezone, language, date order, and number format are a quiet regional fingerprint most people never think to obfuscate — and the worst case isn’t leaking it, it’s leaking one that contradicts your IP. A clean exit with a Shanghai clock is louder than no VPN at all.
Threat model: browser and OS locale signals (timezone, language, date/number format, currency) that geolocate you regardless of IP; metadata timestamps in files, commits, and emails that carry your real UTC offset; a mismatch between your network location and your machine’s locale that flags you as evasive; and platforms that silently key on your timezone to fingerprint or segment you without disclosure.
Last week we treated your browser as a correlation engine and split it into profiles. One of the four collapse mechanisms was fingerprinting — and the quietest inputs to it aren’t canvas or fonts. They’re your clock and your language settings. You spend money on a VPN, you spin up Tor, you get a clean exit in another country — and then your machine cheerfully announces Asia/Shanghai, zh-CN, and a 2026/07/01 date format to every page you load. The network says one thing; the locale says another. That contradiction is the signal.
Why your clock and language are a regional fingerprint
Four locale signals leak your region without a single cookie:
- Timezone.
Intl.DateTimeFormat().resolvedOptions().timeZonereturns your exact IANA zone (Asia/Shanghai,Europe/Moscow), andnew Date().getTimezoneOffset()gives the raw offset. No permission prompt, no IP needed. - Language.
navigator.language, the fullnavigator.languageslist, and theAccept-Languageheader sent on every request rank your preferred locales — often down to the regional variant. - Date and number format.
2026-07-01vs01/07/2026vs2026/07/01, a decimal comma vs point, 24h vs 12h clock, first-day-of-week — each narrows the field. - Currency and units. Default currency, metric vs imperial, and paper size (
A4vsLetter) quietly encode where you were configured.
Individually these are weak. Combined with a network location that disagrees with them, they’re strong — because now you’re not just “someone in region X,” you’re “someone actively hiding region Y,” which is a much smaller, much more interesting set.
The metadata timestamps everyone forgets
The browser is the obvious surface. The sneaky one is everything you produce offline, which stamps your real UTC offset into files you then hand to strangers:
- Git commits. Every commit records an author date with your timezone offset (
+0800). A pseudonymous repo with a consistent+0800on 400 commits has told you where the author sleeps. - Photos (EXIF). Camera timestamp, offset, and often GPS. Strip it before anything leaves your machine.
- Office & PDF docs. Creation/modification time and author-timezone are embedded in the file metadata.
- Email
Date:headers. Your mail client writes your offset into every message. - File modification times in any archive (
.zip,.tar) you share. - Screenshots — the clock in your status bar, the date format in the corner.
You compartmentalized your identity, your email, and your browser — and then leaked the timezone in a commit trailer.
The mismatch is the tell
The mental model to fix: your goal is not to hide your timezone, it’s to make it match your cover. A Tor user whose browser reports UTC looks like every other Tor user. A “private” setup that routes through Sweden but reports Asia/Shanghai and zh-CN has manufactured a contradiction that exists for exactly one reason. Consistency beats concealment.
This is not hypothetical: timezone as a targeting key
If you want proof that platforms actively key on this, it’s shipping right now. The current Claude Code CLI (claude.exe, v2.1.159) contains — verifiable in the installed binary — a small routine that runs when a session connects through a third-party endpoint (ANTHROPIC_BASE_URL set). It reads your system timezone, sets an internal cnTZ flag if it is Asia/Shanghai or Asia/Urumqi, classifies your proxy hostname against an obfuscated (XOR + base64) list of Chinese corporate domains and known Claude-reseller mirrors, and then encodes those bits steganographically into the apostrophe character of the Today's date is … line injected into the system prompt — choosing between four visually identical glyphs (', ', ʼ, ʹ). For Chinese-timezone sessions it also rewrites the date from 2026-07-01 to 2026/07/01.
Read the motive charitably — the reseller domains suggest it’s abuse detection aimed at unauthorized Claude proxies, not surveillance of ordinary users. It doesn’t matter for our purposes. The mechanism is the lesson: your timezone was the trigger. A single, unremarkable setting most people never obfuscate was enough to segment you, invisibly, with no disclosure. That’s the whole thesis of this week, demonstrated by a shipping product.
The fix
- Set your OS clock to UTC on machines used for anonymous work, and let the browser inherit it. Tor Browser already reports
UTC; don’t undo that. - Use a standardized-locale browser. Tor Browser and Mullvad Browser normalize
navigator.languagetoen-USand spoof the timezone so thousands of users look identical. Don’t “fix” this by setting your real locale. - Make network and locale agree. If your cover is a Sweden exit, your timezone and language should not scream Shanghai. Match the cover or go fully neutral (
UTC/en-US). - Fix git before you commit.
git config user.emailyou already know; also neutralize time: commit withTZ=UTC git commit, or setgit config --globalhooks to normalize author/committer dates. Check existing repos withgit log --format='%ai'. - Strip metadata before sharing.
exiftool -all= file.jpg,mat2for documents, and re-zip archives created under a UTC clock. - Watch the
Accept-Languageheader, not just JS. It’s sent on every request; the standardized browsers handle it, a “hardened” Chrome does not.
This week’s drills
- Set the OS clock to UTC on your anonymous-tier machine (or verify Tor/Mullvad Browser reports
UTCat a fingerprinting test page). - Audit
navigator.language/Accept-Languageon your anonymous profile — it should readen-US, not your regional locale. - Run
git log --format='%ai'on any pseudonymous repo and check the timezone offset you’ve been broadcasting; switch toTZ=UTCfor future commits. - Add metadata stripping (
exiftool,mat2) to your routine for any file — image, doc, archive — that leaves your machine. - Sanity-check for mismatch: does your VPN/Tor exit region contradict your clock, language, and date format? Make them agree or make them neutral.
Next week we move into the account & password layer, where a password manager turns all this compartmentalization into something you can live with. Until then: set the clock to UTC, and stop letting your locale narrate your location.
Curated by Cyber Satoshi