A study published (PDF) this week by the School of Computer Science and Statistics at Trinity College Dublin found that the six major web browsers can be separated into three tiers with regard to out-of-the-box privacy. The study looked at six browsers: Google Chrome, Mozilla Firefox, Apple Safari, Brave Browser, Microsoft Edge, and Yandex Browser. A family of easily reproducible tests was performed uniformly on all six browsers. The tests evaluated the data shared in the following scenarios:
- on first startup of a fresh browser install
- on browser close and restart
- on pasting a URL into the top bar
- on typing a URL into the top bar
- when a browser is sitting idle.
The study split the tested browsers into three categories based on its findings, with Brave in its own category:
Used “out of the box” with its default settings Brave is by far the most private of the browsers studied. We did not find any use of identifiers allowing tracking of IP address over time, and no sharing of the details of web pages visited with backend servers.
Chrome, Firefox, and Safari were placed in the second category, as less private than Brave, but more so than Edge and Yandex. The three in this second category were found to share information regarding webpages visited with backend servers by way of the search autocomplete feature. Web addresses are sent back to these servers in real time as they are typed into the search bar. This data is tagged with an identifier tied to the browser instance, including the user’s IP address. The identifier persists across browser restarts, linking a user’s web activity and IP address over time.
The three browsers can be configured to preserve more of a user’s privacy, but most users are not aware of these issues and will not address them. Additionally, Firefox was found to have an open WebSocket for push notifications that is linked to a unique identifier. This WebSocket could potentially be used for tracking, but cannot be easily disabled.
From a privacy perspective Microsoft Edge and Yandex are qualitatively different from the other browsers studied.
The identifiers sent by Edge and Yandex are tied to device hardware, which means user web activity can be tracked across fresh browser installs. According to the study, this behavior cannot be disabled. Both browsers were also found to transmit additional webpage information seemingly unrelated to the search autocomplete feature.
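The distinction drawn above, between identifiers that persist across browser restarts and identifiers that survive a fresh install, can be checked mechanically in captured traffic. The following is an added example, not code from the study: the endpoint, the parameter names `cid`, `hw` and `sid`, and all values are constructed, and it assumes identifiers travel as URL query parameters.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

BASE = "https://suggest.example/complete?"  # hypothetical autocomplete endpoint

# Constructed capture: (browser install, browser run, request URL).
CAPTURE = [
    ("install-1", "run-1", BASE + "q=exam&cid=a1b2c3d4e5f60718&hw=9f8e7d6c5b4a3921&sid=11112222"),
    ("install-1", "run-1", BASE + "q=examp&cid=a1b2c3d4e5f60718&hw=9f8e7d6c5b4a3921&sid=11112222"),
    ("install-1", "run-2", BASE + "q=news&cid=a1b2c3d4e5f60718&hw=9f8e7d6c5b4a3921&sid=33334444"),
    ("install-2", "run-1", BASE + "q=news&cid=0f1e2d3c4b5a6978&hw=9f8e7d6c5b4a3921&sid=55556666"),
]


def classify(capture, min_len=8):
    """Label each candidate identifier by how long its value persists."""
    # values[param][install][run] -> set of values seen in that run
    values = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for install, run, url in capture:
        for name, value in parse_qsl(urlsplit(url).query):
            values[name][install][run].add(value)

    scopes = {}
    for name, installs in values.items():
        per_run = [v for runs in installs.values() for v in runs.values()]
        # Typed text changes within a run; an identifier does not.
        if any(len(v) != 1 for v in per_run):
            continue
        # Short constants (locale, version) cannot single out a user.
        if any(len(next(iter(v))) < min_len for v in per_run):
            continue
        per_install = [set().union(*runs.values()) for runs in installs.values()]
        if len(installs) > 1 and len(set().union(*per_install)) == 1:
            scopes[name] = "device"    # same value after a fresh install
        elif any(len(runs) > 1 and len(vals) == 1
                 for runs, vals in zip(installs.values(), per_install)):
            scopes[name] = "install"   # same value after a restart
        else:
            scopes[name] = "session"   # new value on every run
    return scopes


if __name__ == "__main__":
    for name, scope in sorted(classify(CAPTURE).items()):
        print(f"{name}: {scope}")
```

A parameter labelled `install` links activity across restarts, as described for the autocomplete identifier; one labelled `device` matches the hardware-tied behaviour described for Edge and Yandex.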