What's Brave Done For My Privacy Lately #5: Grab Bag


Mar 29, 2018
Brave has shipped a steady stream of privacy-improving features over the last month, to keep one step ahead of trackers. In order to stay one step ahead of online trackers, Brave regularly releases new privacy features and improvements. This post discusses three recent changes in Brave that each help make the web a more privacy- and person-respecting platform. All of these are tweaks, subtle changes, or first steps of a new approach to a more private, more compatible Web.

1. Removing Known Tracking Parameters From URLs
First, Brave removes common tracking parameters from URLs[1] by default. These are parameters trackers use to collect your activity across the web. Common examples of these include the “Facebook Click Identifier” (fbclid), used by Facebook to record which sites you visit when you’re not on Facebook, the “Google Click Identifier” (gclid), used by Google to link the advertising and analytics data they have on you, and Microsoft’s equivalent (msclkid). These values are added to URLs you click, so that advertisers can learn more about you and your behavior on the web. Brave currently removes these tracking-related query parameters from URLs, allowing you to visit the sites you want to visit, without being tracked.

What is Query Parameter Tracking (and why is it tricky to stop)?
Query parameter tracking (sometimes called “link decoration”) refers to trackers adding uniquely identifying query parameters (typically, what appears after the ? in the URL) to links when you leave a site, and then reading them back out of the URL when you land on a different, possibly unrelated site. This allows the tracker to connect your behavior between two different, independent websites.

Query parameter tracking is a particularly difficult form of tracking to block. As a result, most browsers do not have effective countermeasures to query parameter tracking[2]. To understand why query parameter tracking is difficult to block, contrast it to how most tracking is done on the web. Most online tracking depends on your browser fetching URLs you’d rather your browser didn’t fetch, either because of third-party cookies carried on that request, or because of the JavaScript returned in that request. As a result, browsers can (in principle, though not always in practice) prevent such tracking by either not sending cookies on third-party requests, or by blocking requests for tracking-related JavaScript. And in fact most major browsers provide some combination of these defenses.

Brave provides the strongest protections, by blocking third-party cookies[3], blocking third-party storage, and blocking (or replacing) requests for tracking-related JavaScript. Safari blocks third-party cookies, and partitions third-party storage by default. Firefox and Edge also restrict third-party cookies and storage for known trackers[4] and block requests for social media trackers by default. Chrome is the only major browser that does not currently provide any of these protections. Query parameter tracking is difficult to block, though, because it happens through URLs you want to visit; query parameter identifiers sit alongside benign, user-serving values in the URL. Blocking requests every time these identifiers appeared in the URL would prevent you from visiting many sites you wish to visit.

How Does Brave Prevent Query Parameter Tracking?
Whenever you visit a page with a known tracking query parameter in the URL, such as Example Domain, Brave removes the value from the URL before your browser makes the request. Because these query parameters are used for tracking, but not necessary for the site to work correctly, removing the query parameter prevents the tracking, but otherwise doesn’t affect the site’s behavior. Brave currently determines which parameters are tracking related by building a list of known tracking parameters and building them into the browser. These parameters are determined by reading the documentation provided by the trackers themselves, drawing on existing crowdsourced lists, and through parameters Brave developers and users have encountered themselves. The current list of removed query parameters can be found in Brave’s source code, and the technique and its caveats are described further in our wiki.

2. Referrer Policy Changes

Last but not least, Brave has changed how it handles the referrer, or “referer” (sic),[5] policy. Our previous approach frequently broke websites, requiring users to turn off Shields to use a site, and so lose all privacy protections. Our new approach greatly reduces the number of broken sites, while still aggressively protecting your privacy. ...

... Continue reading about changes to referer policy and more
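As an illustration of the query parameter removal described in section 1 (an added example, not Brave's code and not part of the original post): a JavaScript sketch that strips known tracking parameters from a URL before it is requested. The list holds only the three names mentioned in the post, the function name `stripTrackingParams` is hypothetical, and exact, case-sensitive name matching is this example's own choice.

```javascript
// Added example. Only the three names from the post; Brave's real list is longer.
const TRACKING_PARAMS = new Set(["fbclid", "gclid", "msclkid"]);

// Returns the URL with known tracking parameters removed.
// Filters the raw query string instead of round-tripping through
// URLSearchParams, so benign parameters keep their order and their
// exact original encoding (e.g. "%20" is not rewritten to "+").
function stripTrackingParams(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return input; // not an absolute URL: leave untouched
  }
  // Only web navigations are rewritten; mailto:, data:, etc. pass through.
  if (url.protocol !== "http:" && url.protocol !== "https:") return input;
  if (url.search.length <= 1) return input; // no query string at all

  const pairs = url.search.slice(1).split("&");
  const kept = pairs.filter((pair) => {
    const rawName = pair.split("=", 1)[0];
    let name;
    try {
      // Decode the name so a percent-encoded "%66bclid" is still matched.
      name = decodeURIComponent(rawName.replace(/\+/g, " "));
    } catch {
      return true; // malformed escape sequence: keep the pair unchanged
    }
    return !TRACKING_PARAMS.has(name);
  });

  // Nothing matched: return the caller's string byte-for-byte.
  if (kept.length === pairs.length) return input;

  // An empty value drops the "?" entirely; the fragment is preserved.
  url.search = kept.join("&");
  return url.href;
}

// Constructed sample input, not a real tracking identifier.
console.log(stripTrackingParams(
  "https://example.com/article?id=42&fbclid=IwAR0constructed&lang=en#comments"
));
```

Similar-looking names such as `my_fbclid` are left alone, which reflects the trade-off the post describes: the identifiers sit next to values the site needs, so only exact known names are removed.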

