"Unlinkable bouncing" for more protection against bounce tracking
By the Brave Privacy Team
This is the sixteenth post in an ongoing, regular series describing new and upcoming privacy features in Brave. This post describes work done by Software Engineer Aleksey Khoroshilov and Senior Software Engineer Ivan Efremov. This post was written by Senior Director of Privacy Peter Snyder.
Brave is shipping a new, powerful privacy-protecting feature called Unlinkable Bouncing. This feature protects your privacy by noticing when you’re about to visit a privacy-harming (or otherwise suspect) website, and instead routes that visit through a new, temporary browser storage area. This prevents the site from identifying you by tying your footprint to that of previous visits, but allows the site to otherwise function as normal. Essentially, each visit appears as a unique, first-time visit, thus anonymizing your digital fingerprint. This temporary storage is then deleted when you browse away from the suspect site, preventing the site from re-identifying you on future visits.
Brave currently uses Unlinkable Bouncing as an additional protection against bounce tracking, alongside Brave’s existing query parameter stripping, debouncing, and bounce-tracking interstitial features. The feature is enabled in Brave Nightly, and will be in Brave’s full release in version 1.37. Unlinkable Bouncing is the first use of a broader capability Brave is developing called “first-party ephemeral storage,” which we’ll share more about soon.
What is bounce tracking?
Bounce tracking is a way for trackers to track you even if browser-level privacy protections are in place. Privacy-respecting browsers try to prevent sites from learning about your behaviors and activities on other sites. Bounce tracking attempts to circumvent these protections by gaming how your browser behaves when you browse from one site to another.
Bounce tracking injects intermediate tracking sites in the middle of your browsing. For example, if you’re on rabbits.example, and click a link to visit turtles.example, a tracker might change the URL you click on at the last moment, so that you’re actually taken to tracker.example. The injected tracking site would then learn that you’re interested in rabbits and turtles, before forwarding you to your intended destination, turtles.example. If tracker.example is able to inject itself between enough of your navigations, over time it’ll build up a detailed (and privacy-violating) profile of your interests.
How Unlinkable Bouncing protects against bounce tracking
Unlinkable Bouncing is the fourth technique Brave uses to defeat bounce tracking. This section briefly summarizes those existing features, and how Unlinkable Bouncing complements them.
When you enable Aggressive blocking in Brave Shields, Brave will warn you before you visit a suspected bounce-tracking site. This feature allows users to reverse navigation if they want to completely avoid the intermediate bounce tracking site. However, this is only a warning—it provides no protection to users if they still need to get to the intended destination site.
Brave removes known tracking-related query parameters from URLs you visit. This technique is very effective in preventing popular tracking scripts (from companies like Google, Microsoft, and Facebook) from tracking you across the web. However, it doesn’t prevent intermediate bounce-tracking sites from learning about your browsing behaviors.
Brave includes a debouncing feature, where Brave will try to skip an intermediate site and navigate you directly to your intended destination, if the browser detects that you’re about to visit an injected bounce-tracking site. This is a very strong protection when applied, but sometimes Brave isn’t able to determine your intended destination, based only on the URL for the intermediate tracking domain.
Unlinkable Bouncing complements these features by preventing the intermediate bounce-tracking site from learning more information about you over time. The injected site tracker.example can still learn that someone is coming from rabbits.example and going to turtles.example, but Unlinkable Bouncing prevents tracker.example from knowing it was the same person who visited yesterday.
Combined, these four protections provide the strongest protections against bounce tracking of any popular browser.
How Unlinkable Bouncing works
Unlinkable Bouncing works in the following way:
If that URL appears in a filter list, the browser checks the Trackers & ads blocked shields setting for the destination site. If that setting is Aggressive, the user is presented with a warning asking whether they want to continue with the navigation, as described in a prior blog post.
If the user has Trackers & ads blocked in the default setting (or decides to continue with the navigation in the Aggressive setting), the browser then checks the first-party DOM storage values (cookies, localStorage, etc.) for the destination site. If the user has any existing stored values, the navigation continues using the existing stored values (in other words, Unlinkable Bouncing is not applied). If no DOM storage values exist for the destination site, the browser creates a new, temporary browser storage area for the destination site.
Soon after you leave the suspected bounce-tracking site (meaning no tabs are open for that site) the temporary storage is deleted, preventing the site from re-identifying you the next time you’re bounced through the site.
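The decision flow above, as an added JavaScript model (not Brave's implementation, which this post does not show). The class and method names, the host-keyed filter list, and the constructed `trackerVisit` stand-in for the tracker are assumptions made for illustration.

```javascript
// Simplified model, not Brave's code. Names and the host-keyed filter list are assumptions.
class BrowserModel {
  constructor(filterList, shields = "default") {
    this.filterList = new Set(filterList); // suspected bounce-tracking hosts
    this.shields = shields;                // "default" or "aggressive"
    this.persistent = new Map();           // host -> first-party storage (Map)
    this.ephemeral = new Map();            // host -> { store, openTabs }
  }
  storeFor(host) {
    if (!this.persistent.has(host)) this.persistent.set(host, new Map());
    return this.persistent.get(host);
  }
  // userContinues models the user's answer to the Aggressive-mode warning.
  navigate(url, userContinues = true) {
    const host = new URL(url).hostname;
    if (!this.filterList.has(host)) return { action: "normal", store: this.storeFor(host) };
    if (this.shields === "aggressive" && !userContinues) return { action: "cancelled", store: null };
    const existing = this.persistent.get(host);
    if (existing && existing.size > 0) return { action: "existing-storage", store: existing };
    if (!this.ephemeral.has(host)) this.ephemeral.set(host, { store: new Map(), openTabs: 0 });
    const eph = this.ephemeral.get(host);
    eph.openTabs += 1;
    return { action: "ephemeral-storage", store: eph.store };
  }
  // Temporary storage is dropped once no tab remains open on the host.
  closeTab(url) {
    const host = new URL(url).hostname;
    const eph = this.ephemeral.get(host);
    if (eph && --eph.openTabs <= 0) this.ephemeral.delete(host);
  }
}

// Constructed stand-in for the tracker: reuse a stored id, or mint one on first sight.
let nextId = 0;
function trackerVisit(store) {
  if (!store.has("uid")) store.set("uid", `visitor-${++nextId}`);
  return store.get("uid");
}

// Two separate bounces through tracker.example; returns the id the tracker saw each time.
function bounceTwice(browser) {
  const url = "https://tracker.example/r?to=turtles.example";
  return [0, 1].map(() => {
    const id = trackerVisit(browser.navigate(url).store);
    browser.closeTab(url);
    return id;
  });
}
```

With no prior storage for tracker.example, `bounceTwice` returns two different ids, so the tracker cannot link the visits; if the user already has stored values for the site, both bounces return the same id because Unlinkable Bouncing is not applied.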
First-party ephemeral storage: building on Unlinkable Bouncing
Unlinkable Bouncing is Brave’s first application of a new, powerful capability we’re developing, called “first-party ephemeral storage.” This is a set of techniques that allow sites to remember (or identify) you only for as long as you’re visiting the site. It’s similar to—though more powerful and user-friendly than—clearing your browser storage every time you leave a site.
First-party ephemeral storage builds on Brave’s existing protections against third-party tracking. Currently Brave uses a unique system for protecting against third-party tracking called ephemeral third-party storage, where all third-party storage on a site is cleared when you leave the first-party site embedding those third parties. Effectively, first parties could remember you across site visits (e.g., you would stay logged into the site you visited), but third parties wouldn’t be able to. This policy for managing third-party state is unique to Brave, and is the most restrictive—and privacy-protecting—of any browser.
First-party ephemeral storage takes things one step further, and prevents the first-party site from re-identifying you: sites will be able to remember you across visits only if you want them to. This brings about a total shift in the Web’s default behavior: to date, browsers have assumed users want every site to remember them unless the user takes some explicit step against that remembering. Instead, Brave is working toward forgetfulness (and thus privacy) by default.
Unlinkable Bouncing is just the first application of our first-party ephemeral storage plans, and we’re excited to share more features with Brave users soon.