In the 1990s, web browsers like Netscape Navigator and Microsoft Internet Explorer competed bitterly to offer the snazziest new features and attract users. Today, the browser landscape looks totally different. For one thing, Chrome now dominates, controlling around two-thirds of the market on both desktop and mobile. Even more radical, though, is the recent competitive focus on privacy, a welcome change for anyone who’s gotten sick of creepy ad tracking and data mismanagement. But as browsers increasingly diverge in their approaches, it’s clear that not all privacy protections are created equal.
At the USENIX Enigma security conference in San Francisco this week, developers, security researchers, and privacy advocates presented differing views of how browsers should protect their users against data abuses. In a panel discussion that included representatives from Mozilla Firefox, Google Chrome, Microsoft Edge, and Brave, all participants agreed that collaboration across the industry has driven innovation and helped make privacy a priority. But some browsers are taking a hardline approach, while others prefer to increase protections within the status quo.
“I think competition pushes everyone toward being more private by default,” Yan Zhu, chief information security officer of the Brave browser, said during the panel. “For instance, when Brave sees Safari rolling out a new protection we think ‘oh, we should at least try to match that,’ because as a privacy-first, privacy-focused browser that is one of our main selling points.”
“When we choose between the existing model and privacy we’ll always choose privacy.”
Tanvi Vyas, Mozilla
Browsers can take a number of steps to thwart the tracking efforts of websites and ad networks. They can add anti-fingerprinting measures, which make it harder for sites and services to connect your browsing to you based on unique characteristics—a “fingerprint”—of your browser and device. They can block trackers embedded in sites. They can take extra steps to encrypt information about what websites you visit. And they can support third-party extensions that allow users to further adapt and customize their privacy protections.
Another longstanding topic of debate is how to handle third-party website “cookies” that browsers store to customize your web experience, but that sites often also use for tracking. Safari, Firefox, and Brave have all decided to block third-party cookies by default—much to advertisers’ chagrin. Google announced earlier this month that it will eventually take this step as well, though not for two years. As a major ad distributor itself, Google also stands to benefit from blocking third-party trackers that other browsers don’t.
Almost all mainstream browsers take these privacy-friendly steps in some form, but under different conceptual approaches. A lot of the debate hinges on the question of how far to push screening and blocking, given that these protections can sometimes create collateral damage. Privacy defenses can sometimes break legitimate website functionality; comments that load from a third-party hosting service, for example, could be mistaken for a sketchy targeted ad module. So each browser has to weigh how it prioritizes privacy versus ease of use.
“Firefox, Edge, Brave, and Safari all have anti-tracking protections by default and they all vary a little bit, they all have different tradeoffs,” Tanvi Vyas, Mozilla’s principal engineer, said during the panel. “But in the end we’re all trying to improve those protections and we’re learning from each other on how to do that. I think we [Firefox] differ from Chrome in that we’re not trying to preserve the existing model. For us our highest priority is privacy, so when we choose between the existing model and privacy we’ll always choose privacy.”
That existing model allows companies and advertisers at least some access to marketing data; one argument for preserving it is that if browsers become too restrictive, those parties will pull content from the open web and move it to mobile apps instead.
“The web doesn’t exist in a vacuum. People who are building sites and services have choices about the platforms they target,” says Eric Lawrence, an Edge program manager. “They can build a mobile application, they can take their content off the open web to put it into a walled garden. And so if we do things in privacy that hurt the open web we could end up pushing people to less privacy-preserving ecosystems.”