Brave Browser’s Ad Replacement System: Vulture in Lion’s Clothing?
Editor’s note: At the request of the Brave team, Bitcoinist will be conducting an interview with the company’s CEO so he can make his case for Brave’s data collection practices. We will publish this interview in full on Bitcoinist.net.
Editor’s note (3/13/2016 3:39 PM EST): The Brave CEO did not agree to an interview with Bitcoinist. Instead, an interview between Bitcoinist and “someone from Brave” was discussed. We would like to apologize to our readers for this miscommunication. Brave has since declined any interview with us. Instead, they have opted to leave their input in the comments section of this article.
10 March 2016 – Brave has been available for over a month in a more or less fully functional state, and is promising bitcoin payment functionality in future versions. While their default ad-blocking functionality and forcing traffic encryption is certainly a step forward in browser security and privacy policies, no one seems to be talking about the other flagship feature of Brave: Ad Replacement. Security-minded users should know that the information collection policy that Brave Inc. Implements to make Ad Replacement effective might make the browser even worse for your privacy than existing solutions.
Brave Compiles a Wealth of User Info Locally
While they aren’t funneling your usage data into their servers for analysis and sale, they are leveraging their sole access to their Ad Replacement system to leverage it in much the same way. The Brave FAQ certainly doesn’t mince words about the browser’s data collection policies:
“…the browser knows almost everything you do. It knows what sites you visit, how much time you spend on them, what you look at, what is visible “above the fold” and not occluded by opaque layers, what searches you make, what groups of tabs you open while researching major purchases, etc.”
In effect, the browser is offloading the work that would normally be done by costly data analytics engines to provide incredibly granular usage data directly through the Brave browser. As Brave gains popularity, a nontrivial amount of targeted ad platforms will have to partner with Brave Inc. to remain competitive. There isn’t currently a standard for what Brave provides to advertisers and other through their “intent signaling” system, which raises questions about how future versions of the browser will handle user information.
While the wealth of data collected from the user only stored locally and “anonymized” via public key cryptography that only associates it to a UUID across the user’s devices, companies like Google devote a massive amount of resources on correlative analysis to enhance their ad targeting and analytics platforms. Their system’s implementation of the UUID system effectively makes the data pseudonymous, not truly anonymous. The anonymized data provided by Brave will be detailed and high quality, providing considerable incentive to analytics and online advertising companies to attempt traffic correlation and fingerprinting on said data once partnered with Brave Inc. Similar techniques have been used to de-anonymize Tor and other privacy-based networks, so assuming Brave will be immune isn’t exactly forward-thinking.
The Need For a Dialog About Ad Replacement
Let there be no mistake about how brave functions: the Brave browser does not stop data collection on its users. It just shifts the power over that data slightly towards the user, in addition to adding a massive single point of failure on the client side for information security. A bug or exploit in the brave browser could mean widespread hemorrhages of private information not available locally from regular browsers. This begs the question: why use Brave If I can use my browser of choice with a few plugins and have comparable if not better privacy? The answer isn’t entirely clear at the time of writing.
Brave Inc. does offer a better user experience for those that don’t like ads and a fast, effective web browser as a product. Their browser isn’t intrinsically more transparent or private in its current state than the major players in the browser market right now, though. Truly privacy-minded people should be aware of the technology and practices behind Brave’s Ad Replacement technology before attempting to switch from their current solution, and Brave’s current users should not lull themselves into a false sense of security if they are not taking care to implement other layers of privacy into their daily browsing habits. There should be a dialog about the implications of this new type of data collection among the early adopters and those concerned with anonymizing their browsing experience before Brave is accepted as a de-facto privacy standard on any level.
What do you think of Brave’s Info Collection Policies? Be sure to let us know in the comments!
Images courtesy of Brave