In early 2020, Professor Douglas Leith of the Trinity College Dublin published a study on privacy in major web browsers. Instead of the usual focus on online tracking by third parties, the study examined whether the web browser itself is a trustworthy platform. Many browsers contact a backend infrastructure during general web browsing, for example to protect from malware using safe browsing services or to check for software updates, but also for telemetry. To assess the privacy risks of this data exchange, the researchers ran a number of tests on each major web browser.
- Google Chrome,
- Mozilla Firefox, Apple Safari,
- Brave Browser,
- Microsoft Edge,
- Yandex Browser.
The data generated by actions like first startup, pasting a URL or closing the browser was analyzed and resulted in a, in my opinion, surprising winner. User data exchanged with backend servers is not a privacy risk by itself. Localization and device type are just two examples of useful data that can't be easily linked to specific users and carry little privacy risk. But it gets problematic when data can be tied to specific users and identify them across sessions. Logging IP addresses as well session and browser identifiers are common practice. In same cases, even user browsing history is shared with backend servers. The tested web browsers were sorted into three groups, from worst to best.
All browsers were tested in their default configuration, which means advanced users may me able to disable certain privacy violations but many casual users will stay on the default settings. Not only was the amount of data analyzed but also its contents using a man-in-the-middle proxy. Let's go over the results and figure out, which browsers proved itself to be a trustworthy platform and which didn't.
The two worst browsers from a privacy perspective were Microsoft Edge and Yandex Browser, a moderately popular Russian web browser if you're unfamiliar. During the initial test of analyzing transmitted data on first startup, Yandex sent a machine ID based on the device's MAC address and the serial number to its backend and Edge even sends a hardware ID to Microsoft on first startup. These strong identifiers in combination with generated cookies can hardly be changed and can be used to link a device across fresh browser installs and even apps from the same manufacturer. Both seem to make regular connections when sitting idle, which was the second test. This is presumably for updates and safe browsing services but while Edge transmits no persistent identifiers in these specific requests, Yandex even includes identifiers in some of these. The last test of the study concerned typing in the address bar: Edge and Yandex sent a request for almost every letter typed, which means dozens of requests per URL. Microsoft Edge's requests seem to contain identifiers that at least change upon browser restart, Yandex browser includes an identifying cookie with each request and even sends the text content of the current page presumably for translation.
On the next tier of browsers which could be described as average privacy were the popular Google Chrome, Apple Safari and Mozilla Firefox. All three made use of client identifiers, but not hardware identifiers. This means browser instances could potentially be persistently identified across restarts unless they are fully reinstalled. On startup, Safari displayed a pre-made favorites page which generates requests to the respective services but the researchers assumed the persistent identifier used in Safari might be a bug based on Apple's reaction to the findings. Firefox included identifiers in telemetry data and the study claims it was the only browser to transmit data on browser closure but I couldn't verify that. Chrome sends a persistent identifier along the website address which allows it to be linked to a specific client. All three do make occasional connections while idle but none seem to contain persistent identifiers. They all send requests for each typed letter into the address bar.
Firefox and Safari seem to be a little more private here, contrary to Chrome they don't send a persistent identifier to the search engine. If you paid close attention, you will have noticed that the only browser left is Brave which the study determined to be the most private web browser at default settings. Brave did not make any use of identifiers allowing tracking by backend servers on startup. The few requests the browser did make did not share any details about the client. At idle, occasional safe browsing and software update requests notably did not use any Google services and included no persistent identifiers. And Brave by default does not use autocomplete so it made no connections at all on that test. It honestly is surprising to me that Firefox which I always thought to be a good choice for privacy, shares so much information by default. I think the lesson of this study should be: Either switch to a more private browser or make sure to turn off as many intrusive settings as possible, like autocomplete. It's always a good idea to check the default settings when installing new software. If you wanna know more details, I have included the link to the research paper below. I'll see you in the next post.