A new study by Professor Douglas J. Leith of Trinity College Dublin tested various browsers for privacy leaks associated with sending data back to their makers’ servers. Brave emerged as the most private browser, while the new Chromium-based Microsoft Edge and Yandex emerged as the most privacy-intrusive. Edge and Yandex ranked lowest because of their privacy-intrusive telemetry. Their phoning-home activities and other secret tracking methods allow them to track users across browser installs.
Organization of the study
To test the various browsers for privacy-leaking telemetry, the researcher organized the study into five scenarios.
- When the browsers start for the first time after fresh installs
- On closing and restarting a browser
- When a user pastes a URL into the address bar
- When a user types a URL into the address bar
- When the browser is sitting idle
According to Prof. Leith, “In the first (most private) group lies Brave, in the second Chrome, Firefox, and Safari, and in the third (least private) group lie Edge and Yandex.”
The most private browser
Using its default settings, Brave emerged as the most private browser from all the tests. According to Prof. Leith, Brave sent the least amount of data using its out-of-the-box settings. The web browser does not tag telemetry data with identifiers that could allow the browser maker to track users. Brave also does not track the user’s IP address or the websites visited.
Less private browsers
The browsers in this second group also shared the pages that users visited with their makers. The search autocomplete functionality on these browsers sends data to the backend servers in real time as the user types. Although this feature is silently enabled by default, users can turn it off. Firefox goes a step further and maintains an open WebSocket linked to a unique identifier. This socket can receive push notifications and can also be used to track users.
Although Safari came with non-invasive default settings, its start page includes several third-party tracking services such as social networks. Safari allows third-party services such as Facebook and Twitter to set cookies without obtaining user consent.
The professor noted that although users could turn off the telemetry features in Firefox and make changes to privacy settings in Chrome and Safari, doing so required specialized knowledge. This requirement made the browsers fare much worse compared with Brave, the most private browser.
Browser makers should give users control over the phoning-home process. Having non-invasive default settings that prevent the browser from sending data is the preferred option. This would allow the many users who lack the knowledge to customize their browser's privacy settings to remain protected by default.
Most invasive browsers using privacy-invading telemetry
The professor discovered that the most privacy-intrusive telemetry features were in the new Microsoft Edge browser and Yandex. Telemetry on these browsers not only used unique identifiers, but also linked them to the device hardware instead of to the browser installation. This form of tracking allows the browser makers to track users across browser restarts as well as new installations. It also allowed Microsoft and Yandex to link browser tracking with various apps as well as online identities. Yandex tracked a hash of the hardware serial number and MAC address. Similarly, the new Microsoft Edge collected the user's hardware UUID, which cannot be changed without altering the hardware.
“As far as we can tell, this behavior cannot be disabled by users,” Prof. Leith said.
Additionally, the browsers collected and sent back information entered into the search autocomplete feature.
Worse still, the professor found that the browsers sent back pages not related to search autocomplete functionality. This was proof that Microsoft and Yandex had other secret methods of tracking users.
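The distinction drawn above, between identifiers tied to a browser installation and identifiers tied to the device hardware, can be checked from captured traffic by comparing parameter values across devices, fresh installs and restarts. The following is an added example, not code from the study or from any browser vendor; the host `telemetry.example`, the parameter names `hw`, `cid`, `sid` and `v`, and all values are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

def build_capture():
    """Constructed sample: 2 devices x 2 fresh installs x 2 sessions.
    Host and parameter names (hw, cid, sid, v) are hypothetical."""
    rows = []
    for dev, hw in (("A", "9c2e77d1"), ("B", "41d0aa5f")):
        for inst in (1, 2):
            for sess in (1, 2):
                url = (f"https://telemetry.example/ping?v=80&hw={hw}"
                       f"&cid={dev}{inst}-c0de&sid={dev}{inst}{sess}-5e55")
                rows.append((dev, inst, sess, url))
    return rows

def classify(rows):
    """Label each (host, parameter) by the widest scope over which
    its value stays fixed in the capture."""
    # key -> scope tuple -> set of values observed within that scope
    seen = defaultdict(lambda: defaultdict(set))
    for dev, inst, sess, url in rows:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query):
            key = (parts.hostname, name)
            for scope in ((), (dev,), (dev, inst), (dev, inst, sess)):
                seen[key][scope].add(value)
    # Ordered from widest scope (whole capture) to narrowest (one session).
    labels = ("constant", "device-linked", "install-linked", "session-scoped")
    result = {}
    for key, scopes in seen.items():
        result[key] = "varies"  # changes even within a single session
        for depth, label in enumerate(labels):
            groups = [v for s, v in scopes.items() if len(s) == depth]
            if all(len(v) == 1 for v in groups):
                result[key] = label
                break
    return result

if __name__ == "__main__":
    for (host, name), label in sorted(classify(build_capture()).items()):
        print(f"{host:20} {name:4} {label}")
```

A parameter labelled `device-linked` keeps its value after a fresh install on the same machine, which is the behaviour reported for Edge and Yandex; `install-linked` values change on reinstall.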