Is Brave Browser Really a Good Privacy Option?

Sunday 23 August 2020
Bob Leggitt
Brave Browser using Tor
Brave Browser has its own Tor window, which facilitates true private browsing in "incognito" mode.

Data is, so they say, the new oil, and the desperation for it across the web has turned once optional data-harvesting processes into regimes of force.

Internet browsers are now firmly on that bandwagon. Omniboxes or Omnibars routinely send data to search providers. Telemetry and user-profiling are engaged even on the privacy-advocate's one-time fave Firefox… And as for Chrome's trick of sneakily signing the actual browser into your Google account… Don't even get me started…

There are precious few stories of all-round browsers heading back in the other direction to restore good privacy. The story of Brave is one of the few, but it's a browser I found very hard to take seriously, prior to trying it.

This year, however, I did finally try out Brave, and I'm going to document what I found. How does Brave compare with its contemporaries, privacy-wise? Is it the saviour of online privacy, or is it just some same old, same old hack-up hiding behind a pile of empty spin?

[UPDATE - July 2021: My opinion on Brave has evolved after updates to the browser since this post was written. Please read the rest of this post in conjunction with Why I Uninstalled Brave Browser, which presents some more recent information.]

THE BASIC DESIGN

At the most basic level, there's little difference between Brave and its original code source, Chromium. Chromium is the open source template for Google Chrome.

Brave does, however, go further than other Chromium-based browsers to distance itself from the Google relationship. By default, Brave is absolutely NOT free from Google data-harvesting tricks. But it's not going to try to sign your browsing history into a Google account, and that's an immediate head start over Chrome.

Brave then augments this slightly Google-distanced version of Chrome with a Shield system, designed to block ads, and the trackers who serve them. Roughly speaking it's like adding an ad blocker and something like Ghostery to Chromium. Imagine Chrome with those extensions, and without the Google sync, and you have a basic idea of what Brave is, out of the box.

Before I go any further I want to be clear in saying that I like the Brave browser per se and I think it has a lot to offer. I'll go into that in due course, but things get a bit negative for a while here, and I don't want anyone to think I'm dismissing the product…

NO THANKS...

Bundled in with Brave you have a Rewards programme, the basic concept of which is that you earn tokens for looking at ads, and then use the tokens to pay the people whose sites you saw the ads on. Which is more or less what you'd be doing if you hadn't bothered using Brave in the first place. Brave does claim to achieve this anonymously, but to me that just comes across as patronising.

In order for the Rewards system to function free from fraud, you have to be assigned an identifier, which is stored on Amazon servers. You must also agree to the Terms and Privacy Policy of a payment processor called Uphold, which is itself a tracker. Yawning yet?… Your IP address is collected by Brave in connection with your claim to tokens, and the data is kept for as long as you have the Rewards account, plus another four years after that. Brave asserts that your browsing history is not associated with this accounting process.

Brave Rewards was described as "illegal" by the Newspaper Association of America, because blocking the original ads and then serving new ads through Brave, amounts to Brave monetising content it doesn't own, without consent. Brave has protested that it doesn't serve unauthorised ads within the web pages themselves, but it obviously does serve them as part of the browsing experience, which would not be possible without the content. Much as I really don't have any concern for the welfare of news sites, I think they were right to object to a concept that removes publishers' ads and then serves its own - however that premise is achieved.

But since this post sets out to explore the privacy aspects of Brave, let's forget about signing up for Brave Rewards and focus on the browser purely as a browser.

Whilst Brave and Rewards are packaged as one entity, you don't have to get involved with Rewards. If you don't sign up for Rewards, Brave is just a straightforward browser with extra privacy features. And you can hide any references to Rewards. After a few days you forget it ever existed.

In all honesty I think Brave's userbase would increase much more rapidly without all the Rewards baggage. Brave might be better off detaching that as an add-on under separate branding. I think it's tainting the name of a very good browser at the moment. But that's their decision, obviously.

Another off-putting factor for me was the installation process. I nearly didn't install Brave at all, due to its lack of a transparent download and setup option.

With Brave, you don't download an executable file or a portable folder. You download an installer, and if your firewall blocks outgoing connections, you then have to disable a path on your firewall for Brave's installation to do whatever it likes. If you have a strict firewall regime, that's a hassle in itself.

And you obviously can't install with the Internet disconnected. For security, some people like to install things offline, and not clear them through the firewall until a first run has been assessed. It would make sense for a browser trading on privacy to recognise this.

I also didn't like the auto-updater running in the background as a Windows service, without consent. I know you can go into Services and zap it, and delete the updater program, but Brave really needs to decide whether it cares about privacy or not. Good privacy means you ASK IF IT'S OKAY to run routines on people's computers. It means you ASK IF IT'S OKAY to let Google sit in the browser's address bar collecting data…

Brave Shields
The Shields section in Brave's settings offers protections that don't typically come natively in a browser.

BRAVE BROWSER PRIVACY

Maintaining good privacy is difficult for any browser in 2020. We're now in a world where online businesses deliberately engineer their sites not to work if their users won't accept privacy invasion. So if a browser provider simply says: "Right, we'll block this, this and this…", the product is basically going to be unusable for the majority.

Problem number two is that browser providers need to make money, and the easiest way for them to do that is through data-harvesting and/or advertising. By default, Brave comes with Google search live in the Omnibar (address bar). Omnibar search can be switched to any of a selection of "private search engines", or Bing. Or it can be disabled altogether using the Chromium NULL trick…

To nullify Omnibox search, add a new search engine to the selection using the Add button. Then fill in the fields as follows…

Search engine: No
Keyword: null
URL: http://%s

This will create a fake search engine that doesn't do anything. You then just make this fake search engine the default, and Omnibox search is disabled. Works in most Chromium-derived browsers. See below…

Brave - search engines

But the point is that Brave is making a song and dance about privacy, and then taking a backhander from Google for Omnibar occupancy. That gives Google access to terms entered into the Omnibar, some of which may be inadvertent, and/or contain personal information.

So there's always a conflict between the idealism of browser providers wanting to appear privacy-focused to users, but simultaneously needing the money that trackers can give them.

By default, Google Safe Browsing is also set active in Brave. Useful for many surfers, but another way for Google to fish its hands into your data. I prefer to switch Safe Browsing off and take my chances. I don't really see it as taking a chance anyway. I haven't used an antivirus for nearly eight years, and all I've seen is a performance improvement.

So much of the Internet's safety and security rhetoric is scaremongering. It's an easy way to change public behaviour in line with big tech's desire for more data.

Want phone access? Hey, security! Two-factor auth!... Want to scan someone's drive? Hey, security! Bound to be some malware there, right?... Want fingerprints and a photo? Hey, security! Never know who might try to log into your device! Keep them out by giving us stuff you wouldn't even let the Police have without an arrest warrant...

But returning to the plot, if you really do care about privacy, you'll need to change a lot of Brave's default settings. Most of this is not actually Brave's fault. As I say, if a browser just blocks every privacy violation, countless sites won't work and most users will perceive the browser as useless. So Brave allows cookies and JavaScript by default. I prefer to block both, and then set exceptions for individual sites. Like Chromium, Brave makes that relatively easy.

Brave also incorporates a blocker specifically for social media tracking on third party domains. But again, if you want maximum blocking you're going to have to change settings. Blocking social widgets and functions results in sites not working the way most people expect them to - hence the browser allowing most social media loads by default.

Let's be clear, though. It's a bonus that you can block this stuff.

BRAVE SHIELDS

Brave Shields is a built-in system that lets you tailor the basic browser privacy further to your requirements, and reports to you on what's being blocked, once you load a page. It's non-intrusive and is easily the nicest implementation of blocked content reporting that I've seen.

One of my favourite things about Brave Shields is that it sidesteps the need to use third party tools. Having to use third party tools means more people get their hands on your data. When you keep everything under one roof, you minimise the data spread.

By default, Shields blocks most ads and trackers, and a range of fingerprinting attempts. You can increase the intensity of the blocking in relation to both, at the potential cost of certain sites not working.

I've tested Brave with my own privacy settings and I was impressed with the Network Request readings when loading voracious data-harvesting pages. Without the need to load any additional blocking routines, pesky little sneaks like Google Tag Manager are banished.

Tag Manager is a really important block, since it loads a lot of aggressive third party scripts, and can appear on Government sites where your business really should not be anywhere near an online tracker's tools. Most regular ad-blockers won't zap Tag Manager, but Brave can do it natively. Thumbs up for that.

MORE PRIVACY

There is no doubt that Brave offers deeper privacy settings and more privacy safeguards than other Chromium-based browsers. For example, you can open a private Brave browser window to run through Tor, and that really does hit the trackers where it hurts. With Tor, none of the sites you visit can see your IP address, and your Internet Service Provider can't see your surfing history.

OTHER FEATURES

Another feature of Brave I imagine would go down really well with most users is its Wayback Machine referral prompt. If you arrive at a page that's inaccessible due to a "404 not found" error, Brave will ask if you want to try to find a copy of the page on the Internet Archive. If you say yes, Brave will attempt to find the page for you and display it. If Wayback has the page, the process is effortless and almost instant.

I'm not sure about it from the privacy viewpoint of the page owner (who may not want it to be accessible). It's not very respectful of copyright, but for the average web-surfer it's undeniably most useful.

And you get a Brave Stats page. This lets you gloat over how many trackers and ads you've blocked, how much download bandwidth you've saved through not streaming all the page bloat, and how much of your precious life you've saved not having to wait for junk-heavy pages to load. It soon mounts up.

VERDICT

It is such a shame that Brave can't be assessed without reference to the (in my opinion) rather nuts Reward scheme. It's true that conventional online advertising is in decline, but I don't think Brave Rewards is the solution. It's really just changing the centre of gravity in the same system.

It makes a lot of sense to Brave, because they're the ones creaming off the money. But the reality is we can all block ads and trackers if we care enough. Why would we then choose to start looking at ads again? Realistically, even if we're cut in on the proceeds, it's not gonna make us more than a few peanuts - at the expense of our privacy.

I do get the ethics of it, and I get that Brave has a different outlook on privacy from the likes of Doubleclick and Facebook. But generally, we either want to block ads, or we don't care. And neither of those attitudes seems very compatible with Brave Rewards.

Setting aside Rewards (which, gladly, you can easily do), Brave is an excellent browser that facilitates a good standard of online privacy. Don't expect it to do that out of the box, because no conventional browser will. If you want good privacy, you need to take the time to set up cookie and JavaScript exceptions, and go through all the settings deciding what you do and don't want selected.

The good news is that all the tools are there, and Brave broadly remained slick in use, even when I was blocking a large number of undesirables. You can make Brave just about as private as it's possible for a browser to get, but "make" is the operative word.

In truth, nearly all browsers come littered with insidious privacy invasions, regardless of how friendly they claim to be. Firefox included. I'd rank Brave higher than Firefox in terms of privacy provision. For a start it comes with almost infinitely better native control of JavaScript. And setting up the equivalent of Brave Shields in Firefox is not as simple as a lot of people imagine.

I'd go as far as to say that if you take time with the settings, Brave is natively the best all-round browser currently available for privacy advocates. Obviously, Tor is more private, but there's a vast number of websites and applications that reject Tor, or spam it with irremovable captchas, or use other means to render it useless. Brave has a Tor window if you want it, but it also lets you log into all your favourite sites.

The parting message? Don't be put off by the shady-looking installation process or the Rewards tie-in. If you care about privacy, install Brave, use it in place of Chrome or Firefox, and I will bet you feel more positive about your browser.