Brave browser simplifies its fingerprinting protections
With desktop and Android version 1.64 in a couple of months, Brave will sunset Strict fingerprinting protection mode.
Read this article →Web resource replacements
Replacing tracking code with privacy-preserving code that keeps sites working well
By the Brave Privacy Team
Problem: Blocking Trackers Sometimes Breaks Sites
One of many ways Brave protects your privacy on the Web is by blocking requests to trackers. By blocking these requests, Brave prevents you from being followed around the Web, and from ad companies, data brokers, and other privacy-harming parties from recording your online activity.
In most cases, just blocking these requests is enough. Tracker code is usually unrelated to the main things a site does, and so blocking tracking-related JavaScript doesn’t affect the rest of the site’s behavior. In these cases (the vast majority of cases) Brave can protect your privacy, transparently and without issue.
In some cases though, sites break if tracking-related code is blocked. This can be the result of an intentional choice on the part of the site’s developers, or an unintended side effect of other choices. Whatever the site’s intent, the effect is the same; users are forced to choose between either protecting their privacy, or accessing a website. These sites mix tracking-related code with the core user-serving code; blocking the former breaks assumptions made by the latter, breaking the site.
This can manifest itself in other, subtler ways too. Some trackers “punish” people using privacy tools by introducing pauses, slowdowns, or blank screens. In such cases, web sites don’t hard-break, but become less pleasant to use.
Because of this problem, privacy tools are forced into a lose-lose situation: either break the website (but protect users’ privacy), or allow the invasion of privacy (but keep the site working as expected). Neither of these options is acceptable to Brave’s mission of a privacy-preserving, pleasant-to-use, user-focused Web.
Example: Google Analytics and The 4-Second Blank Screen
A common, representative example of trackers punishing privacy-protecting users is Google Analytics. Google Analytics is an extremely popular library that allows sites to track and record information about you across the Web. This includes information about where you live, your gender, interests, and “lifestyle choices”, among other information. Given how sensitive such information is, many, many privacy-protecting tools (including Brave) identify Google Analytics as a tracker and block it.
Possibly as a result of this blocking, Google suggests that site owners make their sites less pleasant to use for people who block Google Analytics (ironically, Google refers to this as “optimizing” a site). Specifically, Google suggests sites use a particular way of including Google Analytics that makes the page blank for four seconds if Google Analytics is blocked. Not surprisingly, this has the effect of incentivising users to reduce their privacy, all so that Google can do a “better” job of tracking you.
Solution: Don’t Just Block, Replace
Because trackers sometimes punish (intentionally or otherwise) people who want to protect their privacy online, it is not enough to just block known trackers; sometimes tracking code needs to be replaced with new code that both preserves privacy and keeps sites from breaking or degrading.
This functionality is in Brave Beta today, you can test it now, and we expect it’ll be part of the next Brave stable release.
If you’re using Brave Beta (or Dev), try loading a site that includes Google Analytics, like The Verge. You should notice that the page loads quickly, and if you’re watching your network traffic (say, using a man-in-the-middle proxy), you’ll also see that no requests are made to google-analytics.com. However, if you look at the developer tools, you’ll see a successful request, but for a new, not-Google authored piece of code. This code is carefully written to prevent Google from tracking you, but without impacting page functionality.
Another example is Nature’s Scientific Reports site, shown in the above video. If you load the site using a standard blocking extension (like AdBlock Plus on Chrome or Firefox), the page has an unpleasant 4-second pause before displaying. Loading the same site in Brave show’s the page immediately, while still blocking the same trackers.
This is just one of many examples where Brave uses this replacement-functionality to better protect Web privacy. Currently we use replacement libraries authored by the excellent uBlock Origin project, and will be sharing replacements we author too. This functionality is implemented through Brave’s open-source adblock library, written in Rust for speed and security (also available as a node module).
Conclusion
Protecting privacy online requires vigilance and innovation from us at Brave, but taking advantage of these privacy protections is easy for Web users. Just by using Brave you automatically benefit from protections like the ones described in this blog post. Resource replacement is just one of many ways Brave protects Web users, and we have many new projects and plans underway. We’re excited and looking forward to sharing them with you soon.
Look for more updates here to learn about new ways Brave is fighting for a private, performant, and user-focused Web.
Related articles
Localhost Resource Permission
Starting in version 1.54, Brave for desktop and Android will include more powerful features for controlling which sites can access local network resources, and for how long.
Read this article →Request "Off the Record"
Request OTR is another in Brave's suite of features that support the privacy needs of individual users, protecting far beyond the "standard" threats browsers typically watch out for.
Read this article →
