AMA with Peter Snyder

Sep 15, 2021 | AMA, Community, Security & Privacy

Welcome back to our series of BAT Community-run AMAs.

The ongoing AMA series on Reddit features guests from the Brave/BAT team. The goal of the series is twofold: to give fans of the project an opportunity to interact directly with team members, and to give team members, especially those who operate largely behind the scenes, a chance to share their insights and offer the community a window into their work.

The most recent AMA took place on August 18th with Peter Snyder, Senior Privacy Researcher and Director of Privacy at Brave. During the live AMA event, Peter fielded questions from Redditors on a variety of topics, including his role in developing some of Brave’s top privacy-enhancing features and tools—and how they stack up to comparable offerings from other popular web browsers—as well as privacy upgrades on Brave’s horizon. Peter also discussed other projects in the privacy space whose innovation he admires, such as Tor (a longtime collaborator with Brave), EFF, and CDT. As a fun bonus, he revealed tidbits of personal history, such as his stints as a power-pop and chiptunes bandmate, and how his time spent as a Domino’s delivery driver one bygone summer was the most fun job he’s ever had. 

Highlights can be found below, with a link to the full AMA at the bottom of this post.

The next AMA will take place on Thursday, September 9th, and will feature Brendan Eich (Co-founder & CEO) & Christopher N. (Brave Rewards PM) from Brave, and Noah Perlman (COO), Marshall Beard (Strategy), & Matthew Werner (Product) from Gemini.

Didstr: What are the best settings to turn on/off to maximize privacy without interfering too much with functionality?

Peter: Not to give a slight answer, but Brave's default settings are designed to be the best balance of privacy without breaking too much. But if you flip things to maximum in Shields [accessed via the Brave lion in the URL bar], you'll wind up with more protections and shouldn't break too much.

I'm all by default all the time. 🙂

Idontlastlng: How secure is my password in the Brave browser? Does security decrease if I sync passwords across multiple devices?

Peter: I couldn't give a full comparison to all password managers (since there are so many), but last I checked Brave's Sync service (including passwords) is the most privacy preserving of any popular browser. It is the only sync service that is a truly, no-way-for-the-browser-operator-to-recover-your-material, end-to-end encrypted sync service.

Bigkitty9000: When I look up stores around my area with Brave vs Chrome, Chrome gives me the store hours, address, etc., upfront, whereas using Brave does not. Will this be improved in the future, or is it currently being worked on?

By the way, I love and support Brave. I want Brave to win. Thank you and have a wonderful day.

Peter: I can't say specifically what accounts for the difference here, since Google Maps is a huge, complex and constantly updating application. But, there are many kinds of data Chrome sends to sites (and, particularly, Google-owned sites, see Google sync data) that allow for things like this.

I expect if you're logged into a Google account in Brave and Chrome you should see similar things, but if you're seeing differences that might account for why.

Will just add that in Brave Search, we also try to provide contextual/location-specific suggestions and notes, though with strict privacy protections 🙂

Tough-Pixels: What privacy-focused company or organization (other than Brave!) is working on exciting or interesting things, in your opinion?

Peter: The Tor folks deserve 10x the credit they receive, EFF, CDT, and other folks working the space between policy and tech, and a million other projects everyone has heard of and (rightfully) loves.

But the one angle of web privacy I think doesn't get enough love is folks working in policy. I love the GPC project, but the folks pushing for and working on CCPA (California Consumer Privacy Act) and similar are doing hero work.

bloodguard: Any plans on the board to bring something like Firefox's containers to Brave? It's about the only missing piece that's keeping me from switching.

Peter: We don't have any plans for this. Brave's Ephemeral Third-Party Storage provides the privacy benefits containers mostly are intended to provide (see https://brave.com/privacy-updates-7/), and, speaking for myself, my goals are to continue increasing the privacy we can provide using default, no-changes-or-configuration-needed settings.

That said, it's a neat feature, and kudos to Firefox for building it. It would be neat to have in Brave! I only mean to emphasize that other Brave protections remove the privacy-reasons for needing something like containers.

fgooglenbigbro: In what ways can Brave guard against government overreach and/or a company sentiment change towards censorship? Thank you. Be Brave, Be Free!

Peter: Up top, Brave's goals are not directly preventing government action. If your concern is state-level adversaries, you should go straight to Tor Browser Bundle, who focus on those use cases, and do yeoman, hero work in that area.

That said, the less mysterious, unnamed, uneditable (to you) databases your behavior winds up in, the better protected you are privacy-wise against snoops of all kinds, corporate, government or otherwise. And, the main guards Brave can offer against some possible future company-goal-change (speaking only in my own opinion here) are transparency (in our code and in our goals), working with and contributing to other trusted projects, and working with academic and research partners who peer-review or evaluate our products and findings.

JuliaKyoko: Are there any Brave-made privacy functions, tools, or developments that are automated or given to data analysis by neural networks, like when sites bypass ad filters for privacy departments to find possible coding concerns? Or is it mainly manual labor?

Peter: This is a timely question, since web compatibility concerns are the major concern for any new privacy feature we deploy. We worked about a year with researchers at UCSD on trying to build an ML / NN based webcompat detector using our PageGraph instrumentation, and couldn't get beyond ~85% accuracy.

More significantly though, privacy protection on the web is an adversarial classification problem, where the thing being classified wants to control the label the classifier gives, which makes me skeptical that an on-device, real time classification approach would be useful (though it could be useful offline for identifying broken sites, etc).

See: https://github.com/brave/brave-browser/wiki/PageGraph

Tough-Pixels: I think you were associated with this awesome privacy tool: https://github.com/SugarCoatWeb. Can you talk about how it keeps up to date as other services change their setups? Have you seen anyone explicitly change their setup to break it?

Peter: Yes! That was a great project that came out of a collaboration between Brave and University of California at San Diego, and I led the Brave side of the project.

See: https://www.peteresnyder.com/static/papers/sugarcoat-ccs-2021.pdf

We haven't seen anyone change their code intentionally to work around SugarCoat, but also we haven't rolled out SugarCoat resources wide scale yet (because the catalogue of scripts is too large to ship to everyone). But, we will have something to announce here soon!

Watch_Dominion_Now: Firefox still has significantly more "street cred" in the privacy community. To my own understanding, Brave has superior privacy in the default settings, whereas Firefox can be hardened to have stronger privacy settings than Brave. Can you compare the browsers in this respect? If I'm worried about my privacy, why should I be running Brave over Firefox?

Peter: I wrote up a response to this question a bit ago here you might find interesting.

But high level points are:

  • Brave has some features that are not easily implementable in Firefox, even a hardened one. One example that comes to mind is robust farbling / fingerprint randomization, because of timing issues in Firefox's (and Chrome's) extension API and JS injection.
  • The defaults are the most important thing (anytime you have to change defaults, you're in some ways harming your privacy, since your browser will behave differently from others, making you more unique on the web).
  • The most important thing you can do for your privacy on the Web is your storage policy. Right now Brave's is the most privacy preserving (ephemeral third party storage), Safari's is a close second (browser length 3p storage). Firefox’s current default is not great (list based protections with Storage Access API) but they are working on rolling out something better (persistent partitioned 3p storage, way better than their current system, but less protective than Brave's and Safari's).
  • One thing Firefox does better than Brave is in partitioning network state, which is fantastic and which the Firefox team deserves huge credit for. Chromium browsers will get similar protections soon (see the NetworkIsolationKey work happening upstream) and network-caches aren't how online tracking is usually done, but nevertheless, it's an important thing, especially as other vulnerabilities are fixed, and huge credit to the Tor and Mozilla teams for getting there first.

builtfromthetop: Why did y'all request to be removed from Privacy[tools].io's browser list? Have you worked at other companies? How does Brave's work culture feel in comparison?

Peter: I discussed [Privacytools] a bit more over here, but the short of it is that it resulted in us being flooded by mistaken questions and accusations (a mix of ones that seemed sincere but mistaken, and some that seemed like trolling).

I worked as a delivery driver for Domino's Pizza for a summer in the Chicago South Suburbs, and it was probably the most fun job I've ever had. I got to give pizza to extremely happy birthday parties, extremely grateful drunk folks, and I learned (from my boss!) how to attack someone with a flashlight if needed.

Other than that, I've either been self employed (most of my life, doing web and iOS work), or a grad student.

Compared to Domino's, I gotta say Brave has a better PTO policy, but Domino's has better food (I worked at Domino's post their "artisanal revolution" 😛 )

Read the full AMA here.

Read our AMA with the Brave Search team from June 30th, 2021, here

Follow the BAT Community’s Updates here: https://www.reddit.com/r/BATProject/

Upcoming BAT Community AMAs:

September 9th, 2021

Brendan Eich (Co-founder & CEO) & Christopher N. (Brave Rewards PM) from Brave, and Noah Perlman (COO), Marshall Beard (Strategy), & Matthew Werner (Product) from Gemini
