Browser fingerprinting has evolved beyond traditional techniques like canvas rendering and user agent analysis. One of the more subtle methods involves the Internationalization API (Intl API), which websites can exploit to gather unique information about your browser configuration through locale settings. This technique is particularly concerning because it uses legitimate web APIs that many users don’t even know exist.

What is the Internationalization API?

The Internationalization API, commonly referred to as the Intl API, is a built-in JavaScript API that provides language, cultural, and regional formatting capabilities. Web developers use it to format dates, numbers, currencies, and text according to user preferences. However, the same APIs that help websites display content appropriately can also serve as fingerprinting vectors.

The Intl API provides several objects that fingerprinting scripts can query:

• Intl.DateTimeFormat - Date and time formatting
• Intl.NumberFormat - Number and currency formatting
• Intl.Collator - String comparison and sorting
• Intl.Segmenter - Text segmentation
• Intl.ListFormat - List formatting

Each of these objects can reveal information about the browser’s supported locales, time zones, and formatting preferences.

How Locale Fingerprinting Works

When you visit a website, JavaScript code can instantiate Intl objects with various locale arguments and observe how the browser responds. The responses vary based on your operating system, browser version, installed language packs, and regional settings.

Detecting Supported Locales

One of the primary fingerprinting techniques involves querying which locales your browser supports:

// Check if specific locales are supported
function detectSupportedLocales() {
  const testLocales = [
    'en-US', 'en-GB', 'de-DE', 'fr-FR', 'es-ES',
    'ja-JP', 'zh-CN', 'zh-TW', 'ko-KR', 'ar-SA',
    'he-IL', 'th-TH', 'hi-IN', 'ru-RU', 'pt-BR'
  ];
  
  const supportedLocales = testLocales.filter(locale => {
    try {
      const formatter = new Intl.DateTimeFormat(locale);
      return formatter.resolvedOptions().locale === locale;
    } catch (e) {
      return false;
    }
  });
  
  return supportedLocales;
}

console.log(detectedLocales);

The array of supported locales forms a unique fingerprint. Users with uncommon language combinations will have more distinctive fingerprints.

Time Zone Detection

The Intl API can also reveal your time zone:

// Detect user timezone
function detectTimezone() {
  const timezone = Intl.DateTimeFormat().resolvedOptions().timeZone;
  const tzOffset = new Date().getTimezoneOffset();
  
  // Try multiple locales to see which timezones are recognized
  const possibleTimezones = Intl.supportedValuesOf('timeZone');
  
  return {
    timezone,
    tzOffset,
    recognizedTimezones: possibleTimezones.length
  };
}

This reveals not only your current time zone but also how many time zones your browser recognizes, which varies between operating systems and browser versions.

Number and Date Format Variations

Different locales format numbers and dates differently. Fingerprinters can detect these variations:

function detectFormatPreferences() {
  const testDate = new Date(2024, 11, 25, 14, 30, 0);
  const testNumber = 1234567.89;
  
  // Test various locales
  const locales = ['en-US', 'de-DE', 'ja-JP', 'ar-SA', 'fa-IR'];
  
  const results = locales.map(locale => {
    const dateFormat = new Intl.DateTimeFormat(locale).format(testDate);
    const numberFormat = new Intl.NumberFormat(locale).format(testNumber);
    
    return { locale, dateFormat, numberFormat };
  });
  
  return results;
}

The way your browser formats these values depends on your system locale settings and installed language packs.

What Information Can Be Extracted

Through Intl API fingerprinting, websites can determine:

Operating System Details

Different operating systems ship with different default locales and language support. By analyzing the supported locales, fingerprinters can often identify:

• Windows vs macOS vs Linux distribution
• Language packs installed
• Regional settings configuration

Language Preferences

The combination of preferred languages reveals:

• Primary language
• Secondary languages
• Language learning or usage patterns
• Geographic location indicators

Browser Configuration

Browser-specific behavior includes:

• Supported ECMAScript features for Intl
• Number formatting precision
• Date format variations
• Currency display preferences

Real-World Fingerprinting Examples

Modern fingerprinting libraries incorporate Intl API queries alongside traditional techniques. Libraries like FingerprintJS and others have added Intl-based signals to their fingerprinting algorithms.

Basic Fingerprint Collector

A comprehensive fingerprinting script might combine multiple signals:

function collectIntlFingerprint() {
  const fingerprint = {
    // Locale information
    defaultLocale: navigator.language,
    languages: navigator.languages,
    
    // Timezone data
    timezone: Intl.DateTimeFormat().resolvedOptions().timeZone,
    timezoneOffset: new Date().getTimezoneOffset(),
    
    // Supported locales detection
    availableLocales: Intl.supportedValuesOf('locale'),
    
    // Date format variations
    shortDatePattern: new Intl.DateTimeFormat(navigator.language).formatToParts(new Date(2024, 0, 1)),
    
    // Number format
    numberFormat: new Intl.NumberFormat(navigator.language).format(1000.1),
    
    // Currency formatting
    currencyPattern: new Intl.NumberFormat(navigator.language, { 
      style: 'currency', 
      currency: 'USD' 
    }).format(1000),
  };
  
  return fingerprint;
}

This information, combined with other fingerprinting vectors, creates a highly unique browser signature.

Privacy Implications

The use of the Intl API for fingerprinting raises significant privacy concerns:

Difficult to Detect

Unlike canvas fingerprinting which requires rendering hidden graphics, Intl API fingerprinting uses standard formatting operations that appear completely normal to users. There’s no visible indication that your browser is being queried for locale information.

Persistent Across Sessions

Unlike cookies which can be cleared, locale settings are inherent to your browser and system configuration. Your fingerprint remains consistent across sessions, allowing trackers to recognize you even when using incognito mode or clearing all cookies.

Difficult to Protect

Standard privacy tools like ad blockers and anti-tracking extensions often don’t block Intl API queries because they’re legitimate JavaScript APIs used for web functionality. This makes protection particularly challenging.

Protection Strategies

Browser Configuration

Some browsers have implemented protections against Intl fingerprinting:

• Firefox includes privacy.resistFingerprinting which normalizes some Intl responses
• Brave Browser randomizes certain Intl responses
• Tor Browser provides the most comprehensive protection by presenting uniform locale information

Extension-Based Protection

Some privacy extensions attempt to mitigate Intl fingerprinting:

• Extensions that override Intl objects to return normalized values
• Tools that block or randomize timezone information
• Language preference randomizers

Technical Mitigation

For developers concerned about their applications being used for fingerprinting:

// Example: Normalizing Intl responses in a privacy-focused application
const originalDateTimeFormat = Intl.DateTimeFormat;

Intl.DateTimeFormat = function(...args) {
  // Force consistent locale
  args[0] = args[0] || 'en-US';
  return new originalDateTimeFormat(...args);
};

Intl.DateTimeFormat.prototype = originalDateTimeFormat.prototype;

Detection and Monitoring

If you want to check whether your browser is being fingerprinted via the Intl API:

Check Available Information

You can see what information your browser reveals:

// View your browser's Intl fingerprint
console.log('Default locale:', navigator.language);
console.log('All languages:', navigator.languages);
console.log('Timezone:', Intl.DateTimeFormat().resolvedOptions().timeZone);
console.log('Available locales:', Intl.supportedValuesOf('locale').slice(0, 20));

Testing Tools

Several online tools can analyze your browser’s fingerprint including Intl-based signals:

• Cover Your Tracks (formerly Panopticlick)
• AmIUnique
• BrowserLeaks

These tools show you exactly what information websites can collect about your browser configuration.

The Future of Intl Fingerprinting

As traditional fingerprinting techniques become more widely known and blocked, fingerprinters are increasingly turning to less obvious vectors like the Intl API. The Webkit team has noted this trend, and browser vendors are gradually implementing protections.

Future developments may include:

• More sophisticated normalization of Intl responses
• Browser-level protections similar to those for canvas fingerprinting
• Web standards proposals to limit fingerprinting vectors
• Privacy-focused browser defaults that limit information exposure

Conclusion

The Internationalization API represents a subtle but powerful tool in the fingerprinting arsenal. While it serves legitimate purposes for web internationalization, it also exposes information that can uniquely identify users. Understanding this technique is the first step toward protecting yourself and your users from this form of tracking.

As with all fingerprinting vectors, the best protection comes from using privacy-focused browsers, keeping software updated, and being aware of the information your browser reveals. The fight against browser fingerprinting is ongoing, and awareness of techniques like Intl API fingerprinting is essential for maintaining online privacy.