What do browsers say when they phone home?

Professor Douglas Leith from Trinity College in Ireland, tested six web browsers to determine what data they were sharing.

According to research [1], tested browsers splits into three distinct groups from this privacy perspective.
In the first group, the most private, lies Brave:

Used “out of the box” with its default settings Brave [2] is by far the most private of the browsers studied. We did not find any use of identifiers allowing tracking of IP address over time, and no sharing of the details of web pages visited with backend servers.

The second group includes Firefox [3], Chrome [4] and Safari [5]:

Chrome, Firefox and Safari all tag requests with identifiers that are linked to the browser instance (i.e. which persist across browser restarts but are reset upon a fresh browser install). All three share details of web pages visited with backend servers. This happens via the search autocomplete feature, which sends web addresses to backend servers in realtime as they are typed.

In the third group, the least private, lie Yandex [6] and Edge [7]:

From a privacy perspective Microsoft Edge and Yandex are qualitatively different from the other browsers studied. Both send persistent identifiers than can be used to link requests (and associated IP address/location) to back end servers. Edge also sends the hardware UUID of the device to Microsoft and Yandex similarly transmits a hashed hardware identifier to back end servers. As far as we can tell this behaviour cannot be disabled by users. In addition to the search autocomplete functionality that shares details of web pages visited, both transmit web page information to servers that appear unrelated to search autocomplete.

The researcher has also questioned Chrome‘s and other browser’s behavior: for example, Chrome scans the entire computer and reports hashes of executable programs back to Google to build Chrome’s Safe Browsing platform.

Then Chrome, Firefox and Safari share details of every webpage you visit with their services. All these browsers use autocomplete feature to send web addresses to their services in realtime.

Finally, Firefox’s telemetry transmissions, which is silently enabled by default, can potentially be used to link these over time.
In Firefox, there is also an open WebSocket for push notifications and it is linked to a unique identifier, which could be used for tracking, according to the researcher.

For more technical information, please refer to research paper.


References

  1. Web Browser Privacy: What Do Browsers Say When They Phone Home?
  2. Secure, Fast & Private Web Browser with Adblocker | Brave Browser
  3. Firefox – Protect your life online with privacy-first products
  4. Google Chrome – The New Chrome & Most Secure Web Browser
  5. Safari – Apple
  6. Yandex Browser
  7. Microsoft Edge

Related posts

  1. Why Huawei USB stick setup on linux adds a strange “Huawei Autorun” script in system start?
  2. How secure and privacy-oriented is iOS?
  3. Sara Morrison: how SDKs, hidden trackers in your phone, work
  4. Weekly Cybersecurity Roundup #13
  5. Weekly Privacy Roundup #11