Timezone, language and locale: the quiet fingerprinting trio

Three pieces of information that feel utterly mundane, your timezone, your preferred languages, and your locale formatting, combine into a surprisingly sharp identifier. Worse, the way these values relate to your network location can flag you as evasive even when each value on its own looks ordinary. This article shows exactly where these signals leak, how much they reveal, and what you can realistically do about them.

Where the trio leaks

None of these values requires a permission prompt. Any page you visit can read all of them silently, through a mix of HTTP headers and JavaScript APIs.

Timezone

The clearest leak is Intl.DateTimeFormat().resolvedOptions().timeZone, which returns an IANA timezone name such as Europe/Berlin or America/New_York. This is far more specific than the older approach of inferring the offset from new Date().getTimezoneOffset(), because a named zone distinguishes places that share an offset but differ in daylight-saving rules. America/New_York and America/Toronto may have the same offset yet remain distinguishable, and the offset itself still leaks separately, revealing whether DST is currently active.

Language

Language leaks twice. The Accept-Language HTTP header is sent on every request and lists your preferred languages with quality weights, for example en-US,en;q=0.9,hr;q=0.8. In JavaScript, navigator.language gives your primary preference and navigator.languages gives the full ordered array. The header and the JavaScript values usually agree, and a tracker can compare them; a disagreement is itself a signal that something is spoofing one but not the other.

Locale formatting

Beyond the explicit language tag, the Intl APIs expose how your system formats data. Intl.DateTimeFormat().resolvedOptions() reveals your locale, calendar (Gregorian, Buddhist, and so on), and numbering system. Intl.NumberFormat reveals whether you use a comma or a period as the decimal separator and how you group thousands. Intl.Collator reflects locale-specific sorting rules. These derive from your operating system's regional settings and can differ from your browser's language, adding yet another dimension.

How much do they actually reveal?

Fingerprinting strength is measured in bits of entropy: each bit roughly halves the population that shares your value. A perfectly even split of the world into two groups is one bit; distinguishing one person in eight is three bits.

  • Timezone is the heaviest hitter of the three. There are roughly 350 named IANA zones, but real browsers cluster into far fewer commonly seen values. Empirical fingerprinting studies have measured timezone at around 3 to 3.5 bits of entropy, distinguishing roughly one client in eight to ten on its own.
  • Accept-Language contributes meaningfully because the full ordered list, with quality weights and secondary languages, varies widely. Measurements commonly put it in the 1.5 to 2.5 bit range, and the long tail of multilingual users (someone whose list is hr-HR, en-US, de-DE in a specific order) can be far more identifying than that average suggests.
  • Locale formatting details add smaller increments individually but stack with the above and rarely overlap perfectly.

The headline number is what happens when you combine them. These signals are only loosely correlated, so their entropy is largely additive. Timezone plus full language list plus locale formatting can reach five to six bits together, narrowing you to roughly one client in fifty. That is not unique by itself, but combined with a hardware or browser-layer fingerprint it pushes a profile well toward uniqueness. This is why the privacyscore.dev report treats locale signals as a distinct category rather than folding them into a single line.

The mismatch problem: when consistency matters more than the value

Here is the part most privacy advice misses. The individual values matter less than whether they agree with each other and with your network location. A coherent profile, a German IP with Europe/Berlin timezone, de-DE language, and German number formatting, is unremarkable. The danger is contradiction.

Consider a common scenario: you connect through a VPN whose exit node is in Frankfurt, so the website sees a German IP address. But your browser still reports America/New_York as its timezone and en-US as its only language, with US number formatting. To any analytics or anti-fraud system this is a glaring inconsistency. Real German residential users do not browse from New York time in US English. The mismatch is not just neutral data; it is an active signal that you are using a VPN or proxy, and a tracker can use the combination to fingerprint VPN users as a class and even to guess your true region from the timezone the VPN failed to mask.

The reason is structural. A VPN reroutes your network traffic, changing your IP. It does not touch your browser's timezone, which comes from your operating system clock, or your language settings, which come from your OS and browser configuration. So the IP moves while the locale stays put, and the gap between them becomes the fingerprint. An inconsistent profile is often more identifying than the original honest one, because it places you in the small, suspicious population of people whose signals do not line up.

Defences that work, and pitfalls that don't

The goal is a coherent profile that blends into a large crowd, not a contradictory one that stands out.

Match your VPN locale

If you use a VPN to appear in a given country, your browser locale should match that country. Connecting to a German exit is far less revealing if your timezone is also Europe/Berlin and your language list is plausibly European. Some privacy-focused setups let you align timezone with VPN exit; at minimum, avoid the worst case of a US-locale browser behind a European exit node.

Tor's standardisation approach

Tor Browser takes the opposite strategy from spoofing: instead of randomising, it makes every user look identical. It reports UTC as the timezone for all users regardless of real location, and standardises Accept-Language to en-US,en by default. Because the entire Tor population shares these values, the locale trio contributes almost zero entropy among Tor users. This is the crowd-blending principle in its purest form, and it is far more robust than trying to invent a convincing fake.

Why ad-hoc spoofing backfires

Manually overriding one value while leaving the others untouched is a classic mistake. Common pitfalls:

  • Partial spoofing. A browser extension that changes navigator.language but not the Accept-Language header creates a detectable disagreement between the JavaScript value and the header, which no genuine browser produces.
  • Impossible combinations. Setting a timezone your reported locale never uses, or a language and number format that no real region pairs, produces a configuration that exists nowhere in the wild, making you uniquely strange.
  • Inconsistent across surfaces. Trackers cross-check new Date().getTimezoneOffset() against the Intl timezone, and the JavaScript language array against the HTTP header. A spoofer that misses any of these surfaces leaves a seam.

The lesson mirrors the network layer: a perfect, coherent disguise that matches a real population is hard to build by hand, and a sloppy disguise is worse than none.
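
The cross-checks listed above can be run as a self-audit before trusting a spoofing setup. The following is an added example, not part of the original article or of any tool it mentions; the profile object and its field names are assumptions made for illustration, and both sample profiles are constructed.

```javascript
// Added example: audit a captured locale profile for cross-surface seams.
// The profile field names are assumptions made for this example.

// Accept-Language header -> tags ordered by descending q-weight.
function parseAcceptLanguage(header) {
  return header.split(",")
    .map((part, index) => {
      const [tag, ...params] = part.trim().split(";");
      const q = params.map((s) => s.trim()).find((s) => s.startsWith("q="));
      return { tag: tag.trim(), q: q ? parseFloat(q.slice(2)) : 1, index };
    })
    .filter((e) => e.tag && e.tag !== "*")
    .sort((a, b) => b.q - a.q || a.index - b.index)
    .map((e) => e.tag);
}

// Offset the named IANA zone implies at `date`, in getTimezoneOffset()
// convention (minutes, UTC minus local time), so DST is taken into account.
function expectedOffsetMinutes(timeZone, date) {
  const parts = new Intl.DateTimeFormat("en-US", {
    timeZone, hourCycle: "h23", year: "numeric", month: "numeric",
    day: "numeric", hour: "numeric", minute: "numeric", second: "numeric",
  }).formatToParts(date);
  const v = {};
  for (const { type, value } of parts) v[type] = Number(value);
  const localAsUtc = Date.UTC(v.year, v.month - 1, v.day, v.hour, v.minute, v.second);
  return Math.round((date.getTime() - localAsUtc) / 60000);
}

// Returns one finding per seam; an empty array means the surfaces agree.
function auditLocaleSurfaces(p) {
  const norm = (tags) => tags.map((t) => t.toLowerCase()).join(",");
  const findings = [];
  if (p.language.toLowerCase() !== (p.languages[0] || "").toLowerCase())
    findings.push("navigator.language != navigator.languages[0]");
  if (norm(parseAcceptLanguage(p.acceptLanguage)) !== norm(p.languages))
    findings.push("Accept-Language != navigator.languages");
  if (expectedOffsetMinutes(p.timeZone, new Date(p.sampledAt)) !== p.timezoneOffset)
    findings.push("getTimezoneOffset() != offset of Intl timeZone");
  return findings;
}

// Constructed samples: a coherent German profile and a partially spoofed one
// (JavaScript values and zone name changed, header and offset left behind).
const coherent = { acceptLanguage: "de-DE,de;q=0.9,en;q=0.8", language: "de-DE",
  languages: ["de-DE", "de", "en"], timeZone: "Europe/Berlin",
  timezoneOffset: -120, sampledAt: "2024-07-01T12:00:00Z" };
const partial = { ...coherent, acceptLanguage: "en-US,en;q=0.9", timezoneOffset: 240 };

console.log(auditLocaleSurfaces(coherent));
console.log(auditLocaleSurfaces(partial));
```

In a browser the profile would be filled from navigator.language, navigator.languages, Intl.DateTimeFormat().resolvedOptions().timeZone and new Date().getTimezoneOffset(), with the Accept-Language header echoed back by a server you control.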

Practical guidance

  • If privacy is your priority and you accept the usability cost, use Tor Browser, which neutralises this trio by standardising everyone to UTC and en-US.
  • If you use a VPN, choose exit locations consistent with a plausible browser locale, and prefer privacy-oriented browsers that can align timezone with the exit rather than leaving it on your real one.
  • Avoid single-value spoofing extensions unless they cover every surface (header, navigator.language, navigator.languages, Intl timezone, and offset) consistently; a partial fix increases your entropy.
  • Be aware that your honest, default configuration is often less identifying than a clumsy fake. The most common mistake is creating a contradiction in pursuit of privacy.
  • Run a check on privacyscore.dev to see exactly which locale values your browser exposes and whether they form a consistent story with your apparent location.

Timezone, language, and locale feel too ordinary to matter, which is precisely why they are effective. They leak without a prompt, they stack into several bits of entropy, and their relationship to your IP can betray the very tools you use to hide. The fix is not to scrub them away but to make them agree, with each other and with where you appear to be.