Brave and UC San Diego announce SugarCoat, a new solution to strengthen the protection of Web users’ privacy while not breaking websites

By the Brave Privacy Team

This is the twelfth post in an ongoing, regular series describing new privacy features in Brave. This post presents the results of a research collaboration between Brave Software and the University of California at San Diego. The work was done by Michael Smith and Deian Stefan at UC San Diego, and Peter Snyder, Shivan Sahib, and Ben Livshits at Brave Software.

The TL;DR;

Brave is pleased to announce SugarCoat, the result of a year-long research collaboration with University of California San Diego to create a new system to improve Web privacy without sacrificing compatibility at Web scale. SugarCoat is a solution to a common and long-known problem in Web privacy work: how to protect users from privacy-harming Web trackers without breaking websites that include and integrate with tracking scripts. Brave is deploying SugarCoat-based protections in its browsers this year. Brave and UC San Diego researchers are also excited to share the source code and results of the SugarCoat project with the wider privacy community.

The research was presented at the 2021 ACM Conference on Computer and Communications Security (CCS) by UC San Diego doctoral student Michael Smith on November 15th. A preprint of the paper is available today.

Problem: Privacy Protections can Break Websites

SugarCoat is the solution to a common problem in Web privacy: how to protect Web users from websites that expect to be able to violate user privacy. Popular privacy tools like content blockers (sometimes called ad-blockers) often face a lose-lose choice when users visit a privacy-harming website: either block the privacy-harming page functionality and break the website, or make sure the page works correctly and expose the user to the privacy harm they wished to avoid in the first place.

Privacy tools like the terrific uBlock Origin project have attempted to solve this problem by creating alternate, privacy-protecting versions of tracking libraries: scripts that maintain the benign parts of tracking code while removing the privacy-harming parts. This approach has proven very effective, and Brave has incorporated and contributed to such projects.

However, though useful, this approach has a serious limitation: generating privacy-preserving versions of tracking libraries is a difficult and tedious task. Tracking libraries are large, complex and sometimes intentionally obfuscated. As a result, the privacy community is limited in the number of privacy-preserving alternative versions of tracking scripts it can maintain.

SugarCoat: Privacy or Compatibility, Pick Any Two

SugarCoat helps solve this privacy-vs.-compatibility trade-off by automating the creation of privacy-preserving implementations of tracking libraries. Brave will both deploy SugarCoat-generated scripts this year in the Brave browser, and publish them so they can be used by other popular content blocking tools (including the previously mentioned uBlock Origin project).

At a high level, SugarCoat works in two steps. First, it uses Brave’s PageGraph system to analyze how a page uses a tracking library, including which Web APIs the script uses and what additional scripts the tracking library pulls in. SugarCoat then uses this information to rewrite the tracking library, replacing calls to privacy-affecting Web APIs with alternative, “mock” implementations of the same APIs. These mock API implementations look the same to the tracking library, but prevent the underlying privacy harm from occurring. SugarCoat incorporates a range of techniques to ensure that the benign parts of tracking libraries continue to work as expected, and that only privacy-relevant behaviors are modified.
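The mock-API idea above, as an added JavaScript illustration (not SugarCoat's code and not taken from the paper): a constructed tracking script runs once against persistent cookie and localStorage state, and once against mocks with the same surface but throwaway backing. The names `makeApis`, `runScript` and `loadPage`, the `_vid` key, and the use of parameter shadowing in place of real source rewriting are assumptions of this example.

```javascript
// Added illustration, not SugarCoat's code: names and the sample script are constructed.
// Cookie- and localStorage-shaped APIs over the given backing maps.
function makeApis(jar, store) {
  return {
    document: {
      get cookie() { return [...jar].map(([k, v]) => `${k}=${v}`).join('; '); },
      set cookie(s) { const [k, v] = s.split(';')[0].split('='); jar.set(k.trim(), v.trim()); },
    },
    localStorage: {
      getItem: (k) => (store.has(k) ? store.get(k) : null),
      setItem: (k, v) => { store.set(k, String(v)); },
    },
  };
}

// Constructed tracking script. Benign part: the page waits for onReady().
// Privacy-harming part: a visitor id persisted across visits.
const TRACKER_SRC = `
  let id = localStorage.getItem('_vid') ||
           (document.cookie.match(/_vid=(\\w+)/) || [])[1] ||
           'v' + Math.random().toString(36).slice(2, 10);
  localStorage.setItem('_vid', id);
  document.cookie = '_vid=' + id + '; max-age=31536000';
  onReady(id);
`;

// Run the script with its free references to `document` and `localStorage` bound
// to the APIs passed in (assumption: a simplified stand-in for rewriting the library).
function runScript(src, apis, onReady) {
  new Function('document', 'localStorage', 'onReady', src)(apis.document, apis.localStorage, onReady);
}

// One page load against the browser's persistent state `real`.
function loadPage(real, sugarcoated) {
  // Mock: same API surface over throwaway maps that die with the page load.
  const apis = sugarcoated ? makeApis(new Map(), new Map()) : makeApis(real.jar, real.store);
  let seen = null;
  runScript(TRACKER_SRC, apis, (id) => { seen = id; });
  return { ready: seen !== null, id: seen };
}

function demo() {
  const plain = { jar: new Map(), store: new Map() };
  const guarded = { jar: new Map(), store: new Map() };
  const [a, b] = [loadPage(plain, false), loadPage(plain, false)];
  const [c, d] = [loadPage(guarded, true), loadPage(guarded, true)];
  return { sameIdAcrossVisits: a.id === b.id, pageStillWorks: c.ready && d.ready,
           realStateWritten: guarded.jar.size + guarded.store.size };
}
```

With the real APIs the script sees the same id on the second visit; with the mocks its callback still fires, but nothing it writes reaches the persistent cookie jar or storage.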

The SugarCoat process can be run in a fully automated manner, allowing SugarCoat to be deployed at Web scale, against tens of thousands of sites if needed. Being able to run fully automated is critical, so that SugarCoat can keep up to date with scripts that try to evade SugarCoat or sites that frequently change.

The full details of the SugarCoat pipeline can be found in the research paper.

Deploying SugarCoat in Brave Browsers

Brave will begin rolling out SugarCoat-generated scripts to Brave browser users in Q4 2021. Brave is also excited to work with the maintainers of popular content blocking tools so they can also enhance the privacy of their users’ browsing. The source code for SugarCoat, and the automation framework around it, are fully open source. Brave will also share, grow and keep up to date the privacy-preserving alternative libraries generated by SugarCoat, so that they can be incorporated by other privacy tools.
