Why I Uninstalled Brave Browser

Thursday 15 July 2021
Bob Leggitt
"The company knows those megatrackers shouldn't be there. It's already evolving from privacy by default to privacy for sale."
Photo by Tim Mossholder on Unsplash (image modified)

I've split up with my browser… No, it's okay, I'm fine… I'm picking up the pieces. I mean, obviously, you don't end a relationship without some personal impact, but… No honestly I'm fine… I really just don't wanna talk about it… Well, except to say…

Like some other brands in the “ethical tech” genre, Brave talks a good game. And I want to stress from the start that it's a good thing alt brands do have some potent spin. Whether we like them or not, the world needs companies like Brave. Companies who can make enough money and attract a big enough userbase to put pressure on mainstream tech. It's competition from the likes of Brave, DuckDuckGo et al, that will eventually drive the biggest forces in tech to do better, and be better.

For us, the consumers - or “the products”, as we might equally be considered - an environment in which there are only a few browser providers, and two search engines, is full of doom. We need a broad base of fully independent options, with different ideas and strategies. The more competition that exists, and the more of us who are aware of that competition, the more seriously each brand will need to take its user experience and policies.

But unfortunately, Brave Browser's user experience has worsened in the period of nearly a year since I reviewed it. In August 2020 I documented the pros and cons of Version 1.11, which I blocked from updating and so was able to continue using until spring 2021. At that point I chose to update to Version 1.23, which introduced three immediate annoyances.

  1. Multiple nags for default browser status - the last of which I refused to clear, because why tell Brave “Not Now”, when your actual sentiments are “Not effing EVER”? This supposed “consent” practice that certain companies have adopted, in which no available option actually says “No”, has no place in 21st century society, but it's rife among tech providers.
Brave's default browser nag. A valid consent prompt includes the word "No". "Not now" means "Yes at some point", and is an abuser's vision of a consent prompt.

We should all be aware that consent is a straight “Yes / No” issue. And it seems that in personal life, the vast majority of us get that. Certain businesses, however, still think it's okay to project consent as a “Yes / Keep Asking Me Until I Give In” issue, and it stinks. How is that NOT setting an example for abusers to follow? If you want valid consent, and you don't want to encourage abusers, it is imperative that you provide, and accept, a straight “NO” for an answer.

When I refused to dismiss the nag, the browser would not close by any means other than shutting down the computer. That's the kind of behaviour you find on ransomware sites.

  2. The introduction of Brave Today. So yet another tech company wants to be a news and content-delivery mechanism, strewn with affiliate links to some of the worst trackers on the Web. I know a business has to generate revenue, but Brave Browser is supposed to be a PRIVACY tool. Is thrusting Amazon, LinkedIn/Microsoft, the Daily Mail and other megatracking corporate thugs into the faces of users, really compatible with privacy?
Brave Today's header text appears to imply that the entire experience is privacy protected, and does not warn that clicking the items results in full tracking.

Brave Today has been a groanworthy sign that even Eth Tech companies can't resist trying to make portals. Brave even wants to directly monetise the Today feed, taking payments from readers in exchange for elimination of all the affiliate crap. So the company knows those megatrackers shouldn't be there. It's already evolving from privacy by default to privacy for sale.

And be in no doubt; if you're clicking through, Brave Today is definitely not private. It's packed with affiliate referral links that come with traditional affiliate tracking UTM tails. Post-click, there's no proxy, so the affiliate collects as much data as it can get. The list of affiliates is self-evidently based on the amount of money Brave can make - not the amount of privacy the user can expect. And importantly, because the Brave Today system uses your BROWSING HISTORY as a basis for PERSONALISING content, the target affiliate also gets an implied insight into the type of browsing history you're likely to have.

In conjunction with the affiliate linking, Brave Today's personalisation is not, in my view, vastly different from the concept of Google's much-maligned FLoC. I would suggest that Brave got peeved about Google's now delayed FLoC plans, not because Brave abhors privacy threats that masquerade as privacy enhancements, but because the system sails way too close to Brave's own monetisation plans. How can Brave market itself as different, if Google is basically doing the same thing?

Brave would no doubt assert that you can turn off Brave Today, and you can. The issue is that the public come to trust these supposed “privacy” brands, and believe they can use all the features without being tracked. At least Google tells you it's tracking your ass. There's a lot of smoke and mirrors with Eth Tech brands.

  3. The appearance of a new “crypto card”, which is an ad type Brave admits it will purposely show from time to time even when the cards have been disabled. A calculatedly placed ad, in a browser whose supposed mission is to block ads. I'll be up-front. I couldn't care less about cryptocurrency, and I can't even find the words to express how sick to the teeth I am of spammers trying to ram it down everyone's throat. If my browser's gonna start doing it, I'm out. If I never hear mention of crypto again, it will be way too soon.
Brave's Cards. "Turn 'em off if ya like, but ya might still see 'em".

So to put it mildly, the update has not gone well. But some deeper exploration of the product revealed that maybe I was a bit hasty in giving Brave a partial thumbs-up last year.

Mike Kuketz has provided an excellent roundup of the various browsers' surreptitious technical behaviour - importantly, including at the moment of startup, before the browser's own transmission reporting tools become active. His documentation of Brave (which non-German speakers will need to translate), reveals that the product is far from innocent when it comes to “phoning home”. We expect this from Big Tech products, but Ethical Tech claims it's different, and in Brave's case it's really not.

The browser is tagging users with an ID (which Vivaldi has also admitted to doing), and carrying out A/B experimentation on tagged individuals. Kuketz could not find a way to disable these processes. The browser also sends regular telemetry transmissions, which can be disabled. If you read the post, you'll see there are other surreptitious communications, one of which involves the apparent transfer of affiliate information and is described as “questionable” by Kuketz.

Separately, I found Brave is also duping users by stating in its browser connections comparison that all the connections Brave browser makes on first run go to "subdomains of brave.com". This is technically true, but what the article doesn't disclose is that two of the domain names are applied to Google servers. Other "Brave" domains in the list are on the servers of Fastly - a company so desperate for data that they even buy it.

The clear implication is that all of the connections are internal, and this is absolutely not the case. This determination to trick users is far worse than the data transfer itself. If Brave are covering up connections to third party servers by rebranding them with their own domain names, what else are they covering up? Quite a lot judging by my incidental findings in a Traceroute study.

I sought out this information when I fired up Brave after about a month out of use, and saw major network activity on startup. Since I believed I'd disabled all possible sources of activity bar the actual loading of DuckDuckGo (html-only version - which is a tiny load), I thought I'd have a look round for some insight. I'd disabled the telemetry, the updater, the spell-checker, the "security protection"… And yet there was still this big spike of traffic on the computer's main network meter.

In truth I was probably going to uninstall anyway, but the unprompted activity was a final indication that Brave does not understand the meaning of privacy, or consent. The browser really is just another advertising and data-mining machine that allocates numbers to people, uses them as lab rats, and sells them as products to Amazon, Microsoft and the usual gang. The company has shown poor ethics in quite a range of areas, and should not in any way be considered a saviour of integrity.

Analysis by Brave Shields showing scripts on Brave's own privacy settings support page - including a cosy friendship with Cloudflare - a brand with an extremely poor reputation among serious privacy advocates.

REPLACEMENT?

As an alternative to Brave I've used Ungoogled Chromium with the uBlock Origin add-on since the spring, and whilst it hasn't been as slick in performance as Brave, I've been more comfortable in the knowledge that it does what it's told, doesn't sneak, doesn't nag, doesn't wanna be another bloomin' news feed, updates only when you manually download the next version, and doesn't really have a home to phone.

I've missed some aspects of Brave, but not enough to tolerate its growing attitude problem. After some weeks with no use, I fully uninstalled it today, and there will permanently be one less "Brave Service Key" snitching back to base from now on.