Brave and UC San Diego announce SugarCoat, a new solution to strengthen the protection of Web users’ privacy while not breaking websites
By the Brave Privacy Team
This is the twelfth post in an ongoing, regular series describing new privacy features in Brave. This post presents the results of a research collaboration between Brave Software and the University of California at San Diego. The work was done by Michael Smith and Deian Stefan at UC San Diego, and Peter Snyder, Shivan Sahib, and Ben Livshits at Brave Software.
Brave is pleased to announce SugarCoat, the result of a year-long research collaboration with the University of California San Diego to create a new system that improves Web privacy without sacrificing compatibility at Web scale. SugarCoat is a solution to a common and long-known problem in Web privacy work: “how to protect users from privacy-harming Web trackers, without breaking websites that include and integrate with tracking scripts”. Brave is deploying SugarCoat-based protections in its browsers this year. Brave and UC San Diego researchers are also excited to share the source code and results of the SugarCoat project with the wider privacy community.
The research was presented at the 2021 ACM Conference on Computer and Communications Security (CCS) by UC San Diego doctoral student Michael Smith on November 15th. A preprint of the paper is available today.
Problem: Privacy Protections can Break Websites
SugarCoat is the solution to a common problem in Web privacy: how to protect Web users from websites that expect to be able to violate user privacy. Popular privacy tools like content blockers (sometimes called ad-blockers) often face a lose-lose choice when users visit a privacy-harming website: either block the privacy-harming page functionality and break the website, or make sure the page works correctly and expose the user to the privacy harm they wished to avoid in the first place.
Privacy tools like the terrific uBlock Origin project have attempted to solve this problem by creating alternate, privacy-protecting versions of tracking libraries: scripts that maintain the benign parts of tracking code while removing the privacy-harming parts. This approach has proven very effective, and Brave has incorporated and contributed to such projects.
However, though useful, this approach has a serious limitation: generating privacy-preserving versions of tracking libraries is a difficult and tedious task. Tracking libraries are large, complex and sometimes intentionally obfuscated. As a result, the privacy community is limited in the number of privacy-preserving alternative versions of tracking scripts it can maintain.
SugarCoat: Privacy or Compatibility, Pick Any Two
SugarCoat helps solve this privacy-vs.-compatibility trade-off by automating the creation of privacy-preserving implementations of tracking libraries. Brave will both deploy SugarCoat-generated scripts this year in the Brave browser, and publish them so they can be used by other popular content blocking tools (including the previously mentioned uBlock Origin project).
At a high level, SugarCoat works in two steps. First, it uses Brave’s PageGraph system to analyze how a page uses a tracking library, including which Web APIs the script uses and what additional scripts the tracking library pulls in. Second, it uses this information to rewrite the tracking library, replacing calls to privacy-affecting Web APIs with alternative, “mock” implementations of the same APIs. These mock API implementations look the same to the tracking library, but prevent the underlying privacy harm from occurring. SugarCoat incorporates a range of techniques to ensure that the benign parts of tracking libraries continue to work as expected, and that only privacy-relevant behaviors are modified.
The SugarCoat process can be run in a fully automated manner, allowing SugarCoat to be deployed at Web scale, against tens of thousands of sites if needed. Full automation is critical: it lets SugarCoat keep up to date with sites that change frequently and with scripts that try to evade SugarCoat.
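The mock-API idea described above, as an added example that is not SugarCoat's generated output or code from Brave or UC San Diego. The tracker source is constructed, all function names are hypothetical, and binding the mocks through function parameters is a simplification chosen here; it shows the script's benign function still working while storage and cookie writes never reach the real page.

```javascript
// Constructed stand-in for a third-party tracking library (not a real script).
const TRACKER_SOURCE = `
  var id = localStorage.getItem('uid');
  if (!id) { id = 'u-' + Math.random().toString(36).slice(2); localStorage.setItem('uid', id); }
  document.cookie = 'uid=' + id + '; max-age=31536000';
  window.tracker = { id: id, track: function (evt) {
    return { evt: evt, id: localStorage.getItem('uid'), title: document.title };
  } };
`;

// In-memory Storage look-alike (hypothetical helper): same methods, nothing persists.
function makeMockStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(String(k)) ? data.get(String(k)) : null),
    setItem: (k, v) => { data.set(String(k), String(v)); },
    removeItem: (k) => { data.delete(String(k)); },
    clear: () => data.clear(),
    key: (i) => Array.from(data.keys())[i] ?? null,
    get length() { return data.size; },
  };
}

// Document look-alike: cookie reads are empty and cookie writes are dropped;
// every other property is forwarded so benign uses (title, DOM calls) keep working.
function makeMockDocument(realDocument) {
  return new Proxy(realDocument, {
    get(target, prop) {
      if (prop === 'cookie') return '';
      const value = Reflect.get(target, prop);
      return typeof value === 'function' ? value.bind(target) : value;
    },
    set: (target, prop, value) => (prop === 'cookie' ? true : Reflect.set(target, prop, value)),
  });
}

// Run the script with the privacy-relevant names bound to the mocks.
function runWithMocks(source, realWindow) {
  const run = new Function('window', 'document', 'localStorage', source);
  run(realWindow, makeMockDocument(realWindow.document), makeMockStorage());
  return realWindow;
}

// Constructed page environment so the example runs under Node without a browser.
function makeFakePage() {
  return { document: { title: 'Checkout', cookie: '' }, localStorage: makeMockStorage() };
}
```

Calling `runWithMocks(TRACKER_SOURCE, makeFakePage())` leaves the page's own `localStorage` and `document.cookie` empty, while `tracker.track('purchase')` still returns a well-formed event.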
The full details of the SugarCoat pipeline can be found in the research paper.