What’s Brave Done For My Privacy Lately-Episode #1: Web Resource Replacements (replacing tracking code with privacy-preserving code that keeps sites working well)
Note: This is the first in what will be an ongoing, regular series of blog posts by Pete Snyder (Privacy Researcher), describing new privacy features in Brave. This post describes work done by Research Engineer Anton Lazarev, Performance Researcher Andrius Aucinas, and CTO Brian Bondy.
Problem: Blocking Trackers Sometimes Breaks Sites
One of many ways Brave protects your privacy on the Web is by blocking requests to trackers. By blocking these requests, Brave prevents you from being followed around the Web, and from ad companies, data brokers, and other privacy-harming parties from recording your online activity.
In some cases though, sites break if tracking-related code is blocked. This can be the result of an intentional choice on the part of the site’s developers, or an unintended side effect of other choices. Whatever the site’s intent, the effect is the same; users are forced to choose between either protecting their privacy, or accessing a website. These sites mix tracking-related code with the core user-serving code; blocking the former breaks assumptions made by the latter, breaking the site.
This can manifest itself in other, subtler ways too. Some trackers “punish” people using privacy tools by introducing pauses, slowdowns, or blank screens. In such cases, web sites don’t hard-break, but become less pleasant to use.
Because of this problem, privacy tools are forced into a lose-lose situation: either break the website (but protect users’ privacy), or allow the invasion of privacy (but keep the site working as expected). Neither of these options is acceptable to Brave’s mission of a privacy-preserving, pleasant-to-use, user-focused Web.
Example: Google Analytics and The 4-Second Blank Screen
A common, representative example of trackers punishing privacy-protecting users is Google Analytics. Google Analytics is an extremely popular library that allows sites to track and record information about you across the Web. This includes information about where you live, your gender, interests, and “lifestyle choices”, among other information. Given how sensitive such information is, many, many privacy-protecting tools (including Brave) identify Google Analytics as a tracker and block it.
Possibly as a result of this blocking, Google suggests that site owners make their sites less pleasant to use for people who block Google Analytics (ironically, Google refers to this as “optimizing” a site). Specifically, Google suggests sites use a particular way of including Google Analytics that makes the page blank for four seconds if Google Analytics is blocked. Not surprisingly, this has the effect of incentivising users to reduce their privacy, all so that Google can do a “better” job of tracking you.
Solution: Don’t Just Block, Replace
Because trackers sometimes punish (intentionally or otherwise) people who want to protect their privacy online, it is not enough to just block known trackers; sometimes tracking code needs to be replaced with new code that both preserves privacy and keeps sites from breaking or degrading.
This functionality is in Brave Beta today, you can test it now, and we expect it’ll be part of the next Brave stable release.
If you’re using Brave Beta (or Dev), try loading a site that includes Google Analytics, like The Verge. You should notice that the page loads quickly, and if you’re watching your network traffic (say, using a man-in-the-middle proxy), you’ll also see that no requests are made to google-analytics.com. However, if you look at the developer tools, you’ll see a successful request, but for a new, not-Google authored piece of code. This code is carefully written to prevent Google from tracking you, but without impacting page functionality.
Another example is Nature’s Scientific Reports site, shown in the above video. If you load the site using a standard blocking extension (like AdBlock Plus on Chrome or Firefox), the page has an unpleasant 4-second pause before displaying. Loading the same site in Brave show’s the page immediately, while still blocking the same trackers.
This is just one of many examples where Brave uses this replacement-functionality to better protect Web privacy. Currently we use replacement libraries authored by the excellent uBlock Origin project, and will be sharing replacements we author too. This functionality is implemented through Brave’s open-source adblock library, written in Rust for speed and security (also available as a node module).
Protecting privacy online requires vigilance and innovation from us at Brave, but taking advantage of these privacy protections is easy for Web users. Just by using Brave you automatically benefit from protections like the ones described in this blog post. Resource replacement is just one of many ways Brave protects Web users, and we have many new projects and plans underway. We’re excited and looking forward to sharing them with you soon.
Look for more updates here to learn about new ways Brave is fighting for a private, performant, and user-focused Web.
Continue reading for news on ad blocking, features, performance, privacy and Basic Attention Token related announcements.
Brave opposes FLoC, a recent Google proposal that would have your browser share your browsing behavior and interests by default with every site and advertiser with which you interact.
You can learn quite a bit about a browser from observing the requests it makes in its first moments with a new user profile. Often, a cursory examination will tell you a great deal about how the browser thinks about, and handles, user privacy and security.
This post presents “ephemeral site storage”, a new strategy for managing third-party storage in Brave, designed to improve Web compatibility, while maintaining the same level of privacy protection.