silversurfer

Level 58
Verified
Trusted
Content Creator
Malware Hunter

Are you concerned about your web browser sending data back to the company that created it? A new study, Web Browser Privacy: What Do Browsers Say When They Phone Home?, looked at the six popular desktop web browsers Google Chrome, Mozilla Firefox, Microsoft Edge (Chromium-based), Apple Safari, Brave, and Yandex, to uncover what these browsers send back to the mothership.

If you just want the result, the study found that used out of the box, Brave "is by far the most private of the browsers studied" followed by Chrome, Firefox and Safari. Brave is the only web browser that did not use identifiers that allowed tracking of the IP address over time and did not share details of web pages visited to backend servers.

Chrome, Firefox and Safari used identifiers that are linked to the browser instance that persist over sessions and all three share web page details with backend servers via the browser's search autocomplete functionality.

The study found the Chromium-based Microsoft Edge web browser and Yandex to do worse than the other browsers of the test. Both send identifiers linked to the device hardware which means that the identifier persists even across installations. Edge sends the hardware UUID to Microsoft, and Yandex transmits a "hash of the hardware serial number and Mac address". Both also appear to send web page information to servers that "appear unrelated to search autocomplete".

The researcher logged all network connectivity on the devices the browsers ran on. Chrome connections using QUIC/UDP had to be blocked so that the browser would fall back to TCP. To inspect encrypted data, mitmdump was used and since leftovers can be an issue, extra care was used to delete all traces of previous installations from the systems.

The test design was repeated multiple times for each browser.
  1. Start the browser from a fresh install/new user profile.
  2. Paste a URL into the address bar, press Enter, and record the user activity.
  3. Close the browser and restart, record network activity.
  4. Start the browser from a fresh install/new user profile and monitor network activity for 24 hours.
  5. Start the browser from a fresh install/new user profile, type a URL and monitor traffic.
The conclusion
For Brave with its default settings we did not find any use of identifiers allowing tracking of IP address over time, and no sharing of the details of web pages visited with backend servers. Chrome, Firefox and Safari all share details of web pages visited with backend servers. For all three this happens via the search autocomplete feature, which sends web addresses to backend servers in realtime as they are typed. In addition, Firefox includes identifiers in its telemetry transmissions that can potentially be used to link these over time. Telemetry can be disabled, but again is silently enabled by default. Firefox also maintains an open websocket for push notifications that is linked to a unique identifier and so potentially can also be used for tracking and which cannot be easily disabled. Safari defaults to a poor choice of start page that leaks information to multiple third parties and allows them to set cookies without any user consent. Safari otherwise made no extraneous network connections and transmitted no persistent identifiers, but allied iCloud processes did make connections containing identifiers.
From a privacy perspective Microsoft Edge and Yandex are qualitatively different from the other browsers studied. Both send persistent identifiers than can be used to link requests (and associated IP address/location) to back end servers. Edge also sends the hardware UUID of the device to Microsoft and Yandex similarly transmits a hashed hardware identifier to back end servers. As far as we can tell this behaviour cannot be disabled by users. In addition to the search autocomplete functionality that shares details of web pages visited, both transmit web page information to servers that appear unrelated to search autocomplete.
Closing Words
The researcher analyzed the default state of the browsers and found that Brave had the most privacy friendly settings. At least some of the browsers may be configured to improve privacy by changing the default configuration, e.g. disabling autocomplete functionality.
 

plat1098

Level 17
Verified
Well, maybe Edge was virtually too good to be true, then. Surprising but not shocking--for me, I have several blocks for MS Edge written in the firewall. But, at best, incomplete.

Is anyone contemplating to switch main browsers because of these findings?

PS: big ups, oldschool, for your good Brave info. (y)
 

silversurfer

Level 58
Verified
Trusted
Content Creator
Malware Hunter
Well, maybe Edge was virtually too good to be true, then. Surprising but not shocking--for me, I have several blocks for MS Edge written in the firewall. But, at best, incomplete.

Is anyone contemplating to switch main browsers because of these findings?
Probably there is no need to worry, it's just one report about privacy related to browsers, another upcoming report may seems to be contrary ;)

Everyone can trying to tweak settings inside favorites browsers or just using browser extensions...
 

HarborFront

Level 51
Verified
Content Creator
Quote

For Brave with its default settings we did not find any use of identifiers allowing tracking of IP address over time, and no sharing of the details of web pages visited with backend servers.

Unquote

But many users here will not use its default settings. So if we tweak the settings and add extensions etc does that mean it longer is the most private browser?
 
F

ForgottenSeer 823865

Quote

For Brave with its default settings we did not find any use of identifiers allowing tracking of IP address over time, and no sharing of the details of web pages visited with backend servers.

Unquote

But many users here will not use its default settings. So if we tweak the settings and add extensions etc does that mean it longer is the most private browser?
Then it is not Brave problem anymore but users responsibility.

Btw, so much for FF, now shadow of its former past, fallen king of privacy...
 

Tiamati

Level 7
Verified
Chrome, Firefox and Safari used identifiers that are linked to the browser instance that persist over sessions and all three share web page details with backend servers via the browser's search autocomplete functionality.
So if i activate autocomplete functionality in Brave, i guess it would have the same results as Chrome?

Brave might become my new default browser on all devices.
Unfortunately, despite Brave is an excellent Browser in terms of loading speed, security (very fast updates for the last chromium versions) and privacy, it still has some big problems. I'll list some as I've been using it in windows and android for the last 4 months:

1) The major problem for me is: Sync is still very bug. Recently it seems to be removed from Brave and it will be rewritten from zero
2) It lacks automatic translation of webpages (for that, Brave use Google Translate extension, that requires you to click on it every time you want to translate a page)
3) I could not get answers for most questions i've made in Brave forum
4) Android's version lacks extension. BUT it has some great built-in features
 
Last edited:

oldschool

Level 49
Verified
So if i activate autocomplete functionality in Brave, i guess it would have the same results as Chrome?
It would make it more like Chrome or Edge but that doesn't mean "same results". You can disable this feature in Edge and Chrome ( probably, but I haven't used Chrome in ages)). It's simply one more connection, so Brave would still hold an advantage over those two.
 

Stopspying

Level 6
Opera not tested :(
I am using Brave and Firefox

No Chrome and No Edge Chromium
I lost faith in Opera before it was bought by a Chinese (if my memory still works) company a few years back, the built in VPN seemed to have too many links to servers in that country. I've not been anywhere near it since those days, previously I'd had it as a backup browser for times when FF with my prefered settings couldn't access some sites. Has it been improved since then?
 

Stopspying

Level 6
Do regular users here feel that this report is a fair summation of Brave? I used to use it for some time when it first appeared? I'm wondering if I should give it a fair trial again, it slipped down my list of browsers to use, am thinking it may be good to trial it thoroughly again.

Does anyone know of a good online setup guide for Brave, from security and privacy standpoints, that is similar to some of the ones for FF through changing about:config settings, please?
 

oldschool

Level 49
Verified
Do regular users here feel that this report is a fair summation of Brave?
Yes, it is a fair summation.

Does anyone know of a good online setup guide for Brave, from security and privacy standpoints, that is similar to some of the ones for FF through changing about:config settings, please?
Not an online guide specifically. You can achieve a decent level of privacy in Brave Settings. Most brave://flags are for security rather than privacy. There are not the same vast number of flags that are available in Firefox.

I'm using Brave more than Edge. Perhaps I will post a Brave setup thread.

Edit: I recently did a Brave feature review which you may check out.
 
Last edited:

Azure

Level 25
Verified
Content Creator
Do regular users here feel that this report is a fair summation of Brave? I used to use it for some time when it first appeared? I'm wondering if I should give it a fair trial again, it slipped down my list of browsers to use, am thinking it may be good to trial it thoroughly again.

Does anyone know of a good online setup guide for Brave, from security and privacy standpoints, that is similar to some of the ones for FF through changing about:config settings, please?
It's simple change but you can consider changing the shield setting from "Cross-site device recognition attempts blocked" to "Device recognition attempts blocked"
 
Top