The Comprehensive Guide to Brave Browser Privacy & Security Features and Settings

December 7, 2023

In the past decade, several browsers have jumped at the opportunity to offer a privacy-focused browsing experience. Brave is one of them.

Brave was founded by Brendan Eich, the former CTO of the Mozilla Foundation and creator of the popular programming language JavaScript. Available for both desktop and mobile, Brave is not only focused on prioritizing privacy; it also comes with a built-in crypto wallet, a VPN, and rewards for interacting with its ad network provided in a cryptocurrency known as BAT. It's also one of the few browsers to support IPFS.

In this article, you'll learn about Brave's many privacy and security features—and where it falls short.

Brave's Privacy Features

Privacy is Brave's core foundation, so it comes as no surprise that it comes packed with a ton of privacy features. Many anti-tracking features are part of Brave Shields, but the browser also comes with deAMPing, private windows, and a built-in VPN available with a subscription.

Tracking Protection with Brave Shields

Brave groups most of its privacy features under the Shields banner. Shields is a set of techniques that prevents websites from tracking you, and it acts as a visual identifier to show users that they are browsing safely.

Brave Shields blocking nine trackers on a website

Storage-Based Tracking

Traditionally, Brave blocked all third-party cookies and other types of storage. It prevented unique identifiers from being saved and transmitted to domains other than that of the website the user visited.

However, completely blocking third parties from accessing storage often resulted in broken websites. For this reason, Brave pioneered ephemeral site storage, which partitions data from a third-party context in various situations. Because a third party gets a different storage area for each top-level website, ephemeral site storage prevents cross-site tracking.

For example, when news.com loads scripts, cookies, and other data from tracker.com, it will be saved separately from when gossip.com loads scripts from tracker.com. The result: when a user visits news.com and gossip.com, tracker.com will not be able to combine a user's behavior on those websites into a single profile.

These partitions are also automatically cleared when you close the website or restart the browser.

No other browser matches Brave's partitioning scope, which not only includes cookies and the storage APIs but also various caches and local databases.

Many tech giants use tracking query string parameters to identify users across websites.

For instance, Google, Facebook, and Microsoft respectively add the gclid, fbclid, and msclkid parameters to (paid) links that leave their ecosystem. When a user lands on their destination, third-party scripts from these same tech companies process the parameters and successfully identify the user.

Brave counters this practice by blocking a list of known tracking parameters and removing them from a URL before the HTTP request is sent.

A similar approach is known as bounce tracking, often used for affiliate schemes. An organization would insert a third-party redirect before a user lands on their destination website so that the redirect provider knows which websites a user visits. For example, when a user clicks on a link to smartphone.com, they are first redirected to tracker.com before landing on the destination page on smartphone.com. This way, tracker.com can prove that a user actually clicked on the link.

Brave debounces these redirects by immediately sending the user to its final destination page.
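As an added illustration (not Brave's own code), the following JavaScript cleans a navigation URL the way the two mechanisms above describe: it unwraps a known bounce redirect and then drops known tracking parameters. The tracker.example redirector, its url parameter and the parameter list are constructed for this demo.

```javascript
// Added example, not Brave's code: clean a navigation URL by unwrapping a
// bounce redirect and dropping known tracking query parameters.
const TRACKING_PARAMS = new Set(["gclid", "fbclid", "msclkid"]);

// Constructed: redirector hostname -> query parameter that carries the real
// destination (a real list would be maintained and versioned like a blocklist).
const BOUNCE_REDIRECTORS = new Map([["tracker.example", "url"]]);

function stripTrackingParams(urlString) {
  const url = new URL(urlString);
  for (const name of [...url.searchParams.keys()]) {
    if (TRACKING_PARAMS.has(name.toLowerCase())) url.searchParams.delete(name);
  }
  // Drop a dangling "?" when nothing is left.
  if (url.searchParams.toString() === "") url.search = "";
  return url.toString();
}

function unwrapBounce(urlString) {
  const url = new URL(urlString);
  const param = BOUNCE_REDIRECTORS.get(url.hostname);
  if (!param) return urlString; // not a known redirector: leave untouched
  const target = url.searchParams.get(param);
  if (!target) return urlString;
  let dest;
  try {
    dest = new URL(target);
  } catch {
    return urlString; // malformed destination: do not guess
  }
  // Only debounce to http(s); never hop into data:, file: or other schemes.
  if (dest.protocol !== "https:" && dest.protocol !== "http:") return urlString;
  return dest.toString();
}

function cleanNavigation(urlString) {
  // Unwrap first: the tracking parameters usually ride on the destination.
  return stripTrackingParams(unwrapBounce(urlString));
}
```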

Referrer Removal

At first, Brave completely removed the referrer information that comes with HTTP requests. However, web crawlers and other types of bots often also remove this information. The result was that some websites blocked Brave users.

Since 2021, Brave has been using the strict-origin-when-cross-origin referrer policy, which is used by most modern browsers. It's less secure than the initial approach—in some rare situations, some private data in the URL can be shared with third parties. However, the new approach doesn't cause blocking.
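An added example, not from the original article, of what strict-origin-when-cross-origin produces for a given navigation; the hostnames are constructed. The same-origin case still sends the full path and query, which is where the data-in-URL caveat above comes from.

```javascript
// Added example, not Brave's code: compute the Referer header a browser sends
// under the strict-origin-when-cross-origin policy. Returns null when no
// Referer should be sent at all.
function refererFor(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Never leak a referrer from a non-HTTP(S) page (about:, file:, ...).
  if (from.protocol !== "https:" && from.protocol !== "http:") return null;
  // Protocol downgrade (https -> http): send nothing.
  if (from.protocol === "https:" && to.protocol === "http:") return null;
  if (from.origin === to.origin) {
    // Same origin: full URL, but credentials and fragment are always stripped.
    from.username = "";
    from.password = "";
    from.hash = "";
    return from.toString();
  }
  // Cross origin (different scheme, host or port): origin only.
  return from.origin + "/";
}
```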

DeAMPing

The Accelerated Mobile Pages (AMP) framework compresses images and scripts to load websites faster. However, to make AMP work, website owners are forced to integrate with the Google ecosystem, giving the tech giant more opportunities to track users around the web.

For this reason, Brave blocks AMP versions of websites and instead redirects users to the canonical version of a web page.

Private Mode and Private Windows

Private Windows with Tor

Like most browsers these days, Brave comes with an incognito mode, which does not store any search history or share any stored data with the websites you visit.

However, Brave comes with a next-level version of incognito mode known as Private Windows with Tor.

If you browse this way, your connection passes through three relays in the Tor network, which is run by privacy-minded volunteers. The first relay knows where the connection is coming from, the third knows where it's going, and the middle relay sits between them so that neither of the other two sees both the source and the destination.

However, using Tor has two downsides. Websites load a lot slower because the connection is rerouted several times. Furthermore, many bot-prevention mechanisms on websites will constantly ask you to prove you're human or block your access completely.

Brave VPN and Firewall

Brave VPN is a built-in subscription-based tool that encrypts all traffic so that internet service providers can't see your traffic or identify the websites you visit. Brave VPN also hides your real IP address from the websites you visit so that they can't identify you through your internet connection.

Furthermore, Brave's VPN comes with a firewall that blocks known tracker domains to prevent your device from interfacing with them. If ephemeral site storage is not private enough for you, the firewall adds a network-level layer: requests to those tracker domains are stopped before they leave the device, so the servers behind them cannot set or read any storage at all.

Brave's Default Search Engine

Unlike most browsers, Brave does not have Google as its default search engine. Instead, it uses Brave Search.

Unlike a search engine like Ecosia that uses third-party search indexes from Google or Yahoo, Brave Search was built from scratch. Although it has its own ad network, your browsing behavior is not stored for profiling and marketing segmentation.

Brave's Security Features

Besides ensuring privacy, Brave comes with a set of techniques that prevent you from getting phished or installing malicious software.

Strict HTTPS Upgrade Mode

By default, Brave upgrades all connections to HTTPS and only falls back to HTTP if HTTPS is not available for a website.

This behavior can be made stricter through Strict HTTPS Upgrade Mode. If this setting is enabled and a site cannot be reached over HTTPS, Brave shows a warning instead of silently falling back, and the plain-HTTP request is only made if you approve it.

Strict behavior is enabled by default if you browse through Private Windows with Tor.

Phishing and Malware Protection

Brave uses Google Safe Browsing to identify websites that are known for phishing users or hosting malicious software. It also blocks you from downloading potentially dangerous software and prevents you from installing browser extensions known for violating policies.

Brave augments Google Safe Browsing by keeping a record of malicious websites in the browser, which drastically limits the number of verification requests and doesn't require sending requests to Google-hosted servers. Finally, to ensure privacy, safe browsing requests go through a proxy server, which prevents the server that hosts the list of malicious websites from seeing your IP address.

Browser Fingerprinting and Brave

Since browsers, operating systems, and extensions started preventing websites from tracking their users via cookies and other storage-based techniques, websites have been in need of other techniques to prevent phishing and other fraud, enforce paywalls, and prevent account sharing.

One such technique, called browser fingerprinting, collects various data points to identify a user's device. While each of these data points isn't unique when taken individually, combining them can give you a unique identifier. Even privacy-friendly tracking software like Piwik PRO uses some kind of device fingerprint.

In turn, browsers have attempted to prevent browser fingerprinting. While many other browsers do so using privacy budgets, Brave prevents fingerprinting by doing three things:

  • Brave disables several data points (like WebGL, Canvas, and Web Audio) by default so that websites cannot read them from a visitor's browser.
  • Brave prevents websites from loading known fingerprinting scripts as part of its set of mechanisms known as Shields.
  • Brave uses a technique known as farbling to inject session-level random noise in several data points, such as browser language and user agent string. This means that every time a user visits a website, they will have a slightly different fingerprint for that website.
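An added toy model (not Brave's implementation) of the third mechanism: noise keyed on a per-session seed and the top-level site, so the resulting fingerprint is stable within one site for the session but differs across sites and across sessions. The data points and the FNV-1a hash are constructed stand-ins for what a fingerprinting script would gather and compute.

```javascript
// Added example, not Brave's code: a toy model of farbling.

// Constructed sample of data points a fingerprinting script might read.
const DATA_POINTS = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0 Safari/537.36",
  language: "en-US",
  canvasHash: "9f2c1a", // stand-in for a hash of a rendered canvas
};

function fnv1a(str) {
  // 32-bit FNV-1a; enough for a demo of combining data points into one id.
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function fingerprint(points) {
  // Combine data points the way a fingerprinting script would.
  const parts = Object.keys(points).sort().map((k) => `${k}=${points[k]}`);
  return fnv1a(parts.join(";"));
}

function farbledPoints(points, sessionSeed, topLevelSite) {
  // Key the noise on session seed + top-level site: stable within one site and
  // session, unlinkable across sites or after a restart when the seed changes.
  const siteKey = fnv1a(`${sessionSeed}|${topLevelSite}`);
  const out = {};
  for (const k of Object.keys(points)) {
    // Toy perturbation: append a key- and field-dependent slice of noise.
    out[k] = `${points[k]}${fnv1a(`${siteKey}|${k}`).slice(0, 4)}`;
  }
  return out;
}

function siteFingerprint(points, sessionSeed, topLevelSite) {
  // What a script on topLevelSite would compute for this session.
  return fingerprint(farbledPoints(points, sessionSeed, topLevelSite));
}
```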

Conclusion

Brave incorporates many of the industry's best practices for privacy and security features and adds a lot more on top of that: navigation-based tracking, farbling, and a built-in VPN. Despite its notorious missteps, Brave has a loyal user base in the privacy niche.

If you want to identify Brave users on your website, consider Fingerprint. Fingerprint accurately identifies up to 99.5 percent of traffic from supported browsers, which includes popular options like Chrome, Safari, Edge, Firefox, and Brave.