New academic research published last month looked at the phone-home features of six of today's most popular browsers and found that the Brave browser sent the smallest amount of data about its users back to the browser maker's servers.
The research, conducted by Douglas J. Leith, a professor at Trinity College at the University of Dublin, looked at Google Chrome, Mozilla Firefox, Apple Safari, Brave, Microsoft Edge (the new Chromium-based version), and the Yandex Browser.
Prof. Leith used a series of automated tests to measure and collect the network communications that a browser initiates to its backend infrastructure. These network communications are also known as telemetry or phoning-home.
The tests involved collecting data during several stages of normal browser use, such as:
- On the first startup after a fresh install
- On browser close and restart
- When pasting a URL into the top bar
- After typing a URL into the top bar
- When the browser was sitting idle
The researcher then analyzed the collected network traffic for signs of the browser sending back information that could allow the tracking of a user per their IP address, per their platform identifiers, or if the browser maker was keeping track of the user's browsing history.
"In summary, based on our measurements we find that the browsers split into three distinct groups from this privacy perspective," Prof. Leith said.
"In the first (most private) group lies Brave, in the second Chrome, Firefox, and Safari, and in the third (least private) group lie Edge and Yandex."
Prof. Leith says that in their "out of the box" states, Brave is by far the most private browser, sending back the fewest amount of information.
"We did not find any use of identifiers allowing tracking of IP address overtime, and no sharing of the details of web pages visited with backend servers," he said.
Chrome, Firefox, and Safari
On the other hand, the professor found evidence that Chrome, Firefox, and Safari all tagged telemetry data with identifiers that were linked to each browser instance. These identifiers allowed Google, Mozilla, and Apple to track users across browser restarts, but also across browser reinstalls.
In addition, Prof. Leith also found that all three browsers also shared details with their respective backends about the web pages a user visited.
"This happens via the search autocomplete feature, which sends web addresses to backend servers in realtime as they are typed," the professor said. "This functionality can be disabled by users, but in all three browsers is silently enabled by default."
Furthermore, the researcher also found that Firefox also maintains an open websocket for push notifications that is linked to a unique identifier, and could be used for tracking purposes.
On the other hand, while Safari had some strong privacy defaults, it used a default browser homepage that included several third-party tracking services.
All in all, the professor found that while Chrome, Firefox, and Safari could be configured to be more private, the default browser configurations did not come with privacy-preserving settings.
Nonetheless, telemetry could be disabled in Firefox, and some settings could be made to Chrome and Safari to tamp down their tracking; however, the professor said this required user knowledge of the correct settings to change, putting the modifications out of the reach for most users.
Edge and Yandex
But the most intrusive phoning-home features were found in the new version of Microsoft Edge and the official Yandex Browser.
According to Prof. Leith, both used unique identifiers that were linked to the device's hardware, rather than the browser installation.
Tracking users by hardware allows Microsoft and Yandex to follow users across installations and potentially link browser installs with other apps and online identities.
The professor said that Edge collected the hardware UUID of the user's computer, an identifier that cannot be easily changed or deleted without altering a computer's hardware.
Similarly, Prof. Leith also found that Yandex transmitted a hash of the hardware serial number and MAC address to its backend servers.
"As far as we can tell this behaviour [in Edge and Yandex] cannot be disabled by users," the professor said.
Furthermore, just like the three browsers before, Edge and Yandex also collected and sent back information on a users' visited web pages via the search autocomplete functionality.
However, the professor also found that the two also sent back information about visited web pages that did not appear to be related to the search autocomplete feature, suggesting the browsers had other ways to track users' browsing habits.
More details on the research and the methodology can be found in a research paper titled "Web Browser Privacy: What Do Browsers Say When They Phone Home" [PDF here].