The most recent incident has seen the browser auto-completing URLs to certain cryptocurrency sites with an affiliate link, without notifying the user as to what is going on.
Profiting from a privacy browser
For those not familiar with affiliate programs, the most important note is that this issue does not compromise user privacy or involve any sort of hacking.
Affiliate programs are a means of monetizing a website. In this case, a special URL is provided to an affiliate to promote a partner’s services. When someone signs up via that distinct URL, the affiliate gets some sort of payment for it.
Many countries have laws mandating that affiliates disclose their relationship with the advertiser if links of this nature are posted. In the United States, the FTC requires that sites detail their relationship with affiliate partners in a clear and easily visible way. The EU’s GDPR has similar terms that require affiliate disclosure when user tracking is taking place.
In addition to this being an unethical practice, Brave likely violated some of these regulations with their referral scheme. When a user entered the name or URL of certain cryptocurrency sites into the privacy browser, it would automatically redirect them to that site with Brave’s referral code appended to the URL. Binance, Coinbase, Ledger and Trezor were among these sites.
Eich apologized for the scheme once it was discovered by users, stated that it had been fixed, and vowed that the company would not do it again. However, he also defended the practice by stating that the affiliate referral scheme had been visible in the browser’s open-source code for months. Eich stated in a series of Twitter posts that “We made a mistake, we’re correcting: Brave default autocompletes verbatim ‘http://binance.us’ in address bar to add an affiliate code. We are a Binance affiliate, we refer users via the opt-in trading widget on the new tab page, but autocomplete should not add any code … Sorry for this mistake — we are clearly not perfect, but we correct course quickly.”
Eich implied that the revenue was necessary for Brave to support itself. The privacy browser’s central revenue scheme is an opt-in advertising system that entices users with a little cryptocurrency if they allow select ads to be shown. The ads are supposed to be display-only and not furnished with any user personal information. Users get portions of Brave’s “Basic Attention Token” (BAT) for each ad they view. BAT is an Ethereum-based token and can be exchanged at a number of the sites that the privacy browser was auto-completing referral links to.
Forks going their own way
At least one group, which goes by the handle “BraverBrowser” on social media, is proposing a fork of the open-source project that strips out all advertising and the BAT entirely. However, this new fork is being led by the developer of nOS, a similar privacy browser that has its own BAT-equivalent attention token called the NOS.
Another fork called Dissenter, announced about a year ago, proposed replacing the BAT with Bitcoin. The project is tied to Gab, a social media platform that has built a reputation for extreme free speech policies and as a haven for controversial ideological views that tend to be deplatformed elsewhere.
It remains to be seen if this controversy will result in more attempts to fork the popular browser, which recently benefited from an endorsement by star podcaster Joe Rogan. It is not the first time that the privacy browser has been criticized, however.
When it was first announced in 2016, a number of commentators at popular tech magazines took issue with the fact that Brave blocks the ads that websites serve (and often rely on for revenue) in favor of its own system.
Brave also has a system called Brave Rewards, which allows users of the privacy browser to opt in to delivering their cryptocurrency micropayments to the sites they visit. This requires publishers to sign up with Brave in order to be able to receive these payments. However, some publishers have noted that users of their site report that Brave offers a donation option even if the publisher has not signed up or been in contact with Brave; these “donations” appear to go to Brave instead if the publisher does not sign up and collect them.
While these issues will probably represent some loss of business for Brave, the company is still at the top of the mountain in terms of privacy browser brands. A recent study by Trinity College found that Brave is by far the most private of the popular browsers, doing the smallest amount of “phoning home” to the developers and to advertising partners. Other browsers such as Chrome and Firefox can be made comparably private, but require a lot of changing of default settings.