Nebula: Brave's differentially private system for privacy-preserving analytics
Introducing Nebula, a novel and best-in-class system developed by Brave Research for product usage analytics with differential privacy guarantees.
Read this article →Brave has worked towards a more private Web for several years. The current third-party-based advertising ecosystem is built on the continual surveillance of users, so we’ve spent a lot of time thinking about the economy of the Web and how it can work while still maximizing user privacy, which is why we offer Brave Ads.
We’re happy to see other browsers paying more attention to these issues as well. Mozilla, for example, recently announced their Privacy-Preserving Attribution (PPA) feature to track ad interactions in the browser while preserving user privacy. Mozilla’s PPA, co-designed with Meta and default-enabled in the Firefox browser, was met with a lot of criticism on launch, however. While we agree with the overall goal of the Mozilla/Meta system (i.e., privacy-preserving advertising), we disagree with the design of the system itself.
We believe that ad measurement should be transparent, simple, and limited to parties the user trusts—not random third-party advertisers.
Mozilla’s ad measurement scheme is default-enabled and — unless you’re hunting around in Settings — undiscoverable by users. This means that if you go to a page which happens to have ads on it, the browser will record that ad impression and eventually send it to the advertising measurement server. This lack of transparency is a problem, as users deserve to be in control of what information is being shared and with whom.
Mozilla’s argument is that no personal data is actually being shared in PPA (given their protections), and that a consent dialog prior to enabling PPA would have been user-hostile. We agree that consent dialogs are often bad for user privacy (which is one reason we block cookie consent banners by default), but PPA is a complicated, unproven, and experimental prototype operating over extremely sensitive user browsing data.
Users should not be guinea pigs, especially not for a system that is built for third-party advertisers and does not directly benefit users.
Ad measurement in the browser is inherently privacy-sensitive because users’ website browsing activity is being tracked and sent. To preserve privacy, Mozilla’s PPA combines novel differential privacy (DP) and multi-party computation (MPC) techniques to provide arbitrary websites with ostensibly only aggregated data. Websites (unbeknownst to the user) ask the browser to generate encrypted reports that are then sent by the browser to an “aggregation service” backend, which is run by another third-party.
As mentioned above, this is all experimental, complex, and carries a fair amount of privacy risk. The more complex the system, the higher the risk of bugs and vulnerabilities. Complex systems are not only harder to audit but also increase the chances of mistakes that can compromise user privacy. The more moving parts, the higher the risk of something going wrong — this is software engineering 101.
Complexity is especially dangerous for a system that will be used for online advertising, where there is a lot of economic motivation for bad actors to try to break privacy protections.
One of the most glaring flaws with Mozilla’s approach is that it is built to attempt to incrementally improve the traditional third-party advertising economy. In doing so, it allows third parties, who have no known relationship with the user, to measure ad performance while increasing privacy risk for the user.
We at Brave believe third-party advertising is fundamentally broken. It doesn’t need patching or tweaking — it needs to be completely overhauled. No user wants to be tracked by third-party advertisers, and the vast majority of users find third-party ads to be, at best, annoying, and at worst a dangerous vector for malware and spam. This is why ad and tracker blockers such as Brave have become a necessity for so many, and are widely considered security best practice.
Mozilla’s response to the controversy is especially worrying. In their Reddit post, they correctly note that Firefox has shipped several useful anti-tracking features over the years, and that there is an arms race happening between privacy-enhancing tools and malicious actors on the Web. But the post then doubles down on the third-party bet, and concludes that the only way to increase privacy on the Web at this point is to collude with third-party advertisers and ad-tech providers, and design systems for their use.
We strongly disagree. Brave offers an alternative to the traditional third-party-based advertising model of the Web. Brave Ads center the user, not the advertiser and definitely not ad-tech third parties, while operating on principles of transparency and simple, proven privacy techniques. The Brave browser offers best-in-class privacy and anti-tracking features for all users. We focus on protecting our users by blocking third-party ads and intrusive trackers entirely, and shipping privacy- and Web compatibility-enhancing features in the browser.
This isn’t easy. It requires constant work to ensure websites don’t break while also protecting user privacy by default. But it’s the right thing to do by our users, versus prioritizing third-party advertising and “ad-tech” over user privacy and security.
Introducing Nebula, a novel and best-in-class system developed by Brave Research for product usage analytics with differential privacy guarantees.
Read this article →Related Website Sets is a user-hostile weakening of the Web's privacy model, plainly designed to benefit websites and advertisers, to the detriment of user privacy.
Read this article →Introducing BLaDE: Brave's open-source testbed for automated mobile performance evaluation. This system accurately measures device metrics while simulating user actions, enhancing mobile app assessment.
Read this article →