xmr.club
EN 中文 ES RU
← all #OPSEC52
#OPSEC52 · week 06 / 52 · Digital identity compartmentalization

Your clock is your face — locale and timezone fingerprinting

You can route through a pristine Tor exit and still get pinned to a region by your clock. Timezone, language, date order, and number format are a quiet regional fingerprint most people never think to obfuscate — and the worst case isn't leaking it, it's leaking one that contradicts your IP. A clean exit with a Shanghai clock is louder than no VPN at all.

Digital identity compartmentalization intermediate $0 2026-07-01

OPSEC52 / Week 6 — Locale and timezone fingerprinting

You can route through a pristine Tor exit and still get pinned to a region by your clock. Timezone, language, date order, and number format are a quiet regional fingerprint most people never think to obfuscate — and the worst case isn’t leaking it, it’s leaking one that contradicts your IP. A clean exit with a Shanghai clock is louder than no VPN at all.

Threat model: browser and OS locale signals (timezone, language, date/number format, currency) that geolocate you regardless of IP; metadata timestamps in files, commits, and emails that carry your real UTC offset; a mismatch between your network location and your machine’s locale that flags you as evasive; and platforms that silently key on your timezone to fingerprint or segment you without disclosure.

Last week we treated your browser as a correlation engine and split it into profiles. One of the four collapse mechanisms was fingerprinting — and the quietest inputs to it aren’t canvas or fonts. They’re your clock and your language settings. You spend money on a VPN, you spin up Tor, you get a clean exit in another country — and then your machine cheerfully announces Asia/Shanghai, zh-CN, and a 2026/07/01 date format to every page you load. The network says one thing; the locale says another. That contradiction is the signal.

Why your clock and language are a regional fingerprint

Four locale signals leak your region without a single cookie:

  1. Timezone. Intl.DateTimeFormat().resolvedOptions().timeZone returns your exact IANA zone (Asia/Shanghai, Europe/Moscow), and new Date().getTimezoneOffset() gives the raw offset. No permission prompt, no IP needed.
  2. Language. navigator.language, the full navigator.languages list, and the Accept-Language header sent on every request rank your preferred locales — often down to the regional variant.
  3. Date and number format. 2026-07-01 vs 01/07/2026 vs 2026/07/01, a decimal comma vs point, 24h vs 12h clock, first-day-of-week — each narrows the field.
  4. Currency and units. Default currency, metric vs imperial, and paper size (A4 vs Letter) quietly encode where you were configured.

Individually these are weak. Combined with a network location that disagrees with them, they’re strong — because now you’re not just “someone in region X,” you’re “someone actively hiding region Y,” which is a much smaller, much more interesting set.

The metadata timestamps everyone forgets

The browser is the obvious surface. The sneaky one is everything you produce offline, which stamps your real UTC offset into files you then hand to strangers:

You compartmentalized your identity, your email, and your browser — and then leaked the timezone in a commit trailer.

The mismatch is the tell

The mental model to fix: your goal is not to hide your timezone, it’s to make it match your cover. A Tor user whose browser reports UTC looks like every other Tor user. A “private” setup that routes through Sweden but reports Asia/Shanghai and zh-CN has manufactured a contradiction that exists for exactly one reason. Consistency beats concealment.

This is not hypothetical: timezone as a targeting key

If you want proof that platforms actively key on this, it’s shipping right now. The current Claude Code CLI (claude.exe, v2.1.159) contains — verifiable in the installed binary — a small routine that runs when a session connects through a third-party endpoint (ANTHROPIC_BASE_URL set). It reads your system timezone, sets an internal cnTZ flag if it is Asia/Shanghai or Asia/Urumqi, classifies your proxy hostname against an obfuscated (XOR + base64) list of Chinese corporate domains and known Claude-reseller mirrors, and then encodes those bits steganographically into the apostrophe character of the Today's date is … line injected into the system prompt — choosing between four visually identical glyphs (', ', ʼ, ʹ). For Chinese-timezone sessions it also rewrites the date from 2026-07-01 to 2026/07/01.

Read the motive charitably — the reseller domains suggest it’s abuse detection aimed at unauthorized Claude proxies, not surveillance of ordinary users. It doesn’t matter for our purposes. The mechanism is the lesson: your timezone was the trigger. A single, unremarkable setting most people never obfuscate was enough to segment you, invisibly, with no disclosure. That’s the whole thesis of this week, demonstrated by a shipping product.

The fix

This week’s drills

Next week we move into the account & password layer, where a password manager turns all this compartmentalization into something you can live with. Until then: set the clock to UTC, and stop letting your locale narrate your location.

Curated by Cyber Satoshi

Share on X: twitter.com/intent/tweet