Brave beats other browsers in privacy study – Naked Security

Users looking for a privacy-focused browser might want to consider Brave first, according to a study published this week.

Douglas Leith, professor of computer systems at Trinity University, examined six browsers for his report – Web Browser Privacy: What Do Browsers Say When They Phone Home? He found that Brave’s Chromium-based browser is the least likely to reveal unique identifying information about the computer using it.

The study examined six browsers: Chrome, Firefox, Safari, Brave, Edge, and Yandex. It used several tests to deduce whether the browser can track the user’s IP address over time, and whether it leaks details of web page visits. To do this, it looked at the data shared on startup after a fresh install, on a restart, and after both pasting and typing a URL into the address bar. It also explored what the browser did when it was idle.

Even though Mozilla makes a talking point of privacy in Firefox, it was Brave, developed by Mozilla’s founder (and creator of JavaScript) Brendan Eich, that won out. Brave, which has accused Google of privacy violations, is “by far the most private of the browsers studied” when used with its out-of-the-box settings, according to the paper.

The study placed browsers in one of three privacy classes, based on the time span over which they retain identifiers. Brave gets the top class all to itself because it uses what the study calls ‘ephemeral’ identifiers that link a handful of transmissions and then reset. This means it doesn’t remember your identifier across browser restarts.

The paper lumps Safari, Firefox, and Chrome together in the second band. These browsers share some privacy issues, the paper warns, including auto-tagging each browser instance with unique session and browser instance identifiers that can persist across restarts. These behaviours can be disabled but they’re turned on silently by default, the paper claims.

The research picks out four identifiers that Firefox uses. Two created by the browser persist across browser restarts, while the third changes between browser sessions but could be linked together because old and new values are sent together in a telemetry message, the paper said. The fourth identifier, created by the server, is associated with an open web socket used for Firefox’s push services. Firefox also sends user IP addresses with these identifiers.

Leith’s paper acknowledges that Mozilla deletes the IP addresses sent with these identifiers after 30 days, but frets that the company is “silent on the uses to which the IP data is put.” He worries that this could be used to track the user’s location, adding:

“That does not mean such linking actually takes place, only that the potential exists for it to be done.”

Leith had asked Mozilla whether it used IP addresses for location tracking, and also asked for the company’s IP address usage policy as part of its push service. He received no response. Mozilla spokesperson Justin O’Kelly didn’t address those issues specifically with us, but responded:

“Firefox does collect some technical data about how users interact with our product, but that does not include the user’s browsing history. This data is transmitted along with a unique randomly generated identifier. IP addresses are retained for a short period for security and fraud detection and then deleted. They are stripped from telemetry data and are not used to correlate user activity across browsing sessions.”

Leith’s paper also calls out Safari, which it said allows all the third-party sites listed on its start page to set cookies without user consent. It also phones home to icloud.com even from machines that aren’t registered with that Apple service, the paper warns, calling this connection “spurious”.
