This is the sixteenth post in an ongoing, regular series describing new and upcoming privacy features in Brave. This post describes work done by Software Engineer Aleksey Khoroshilov and Senior Software Engineer Ivan Efremov. This post was written by Senior Director of Privacy Peter Snyder.
Brave is shipping a new, powerful privacy-protecting feature called Unlinkable Bouncing. This feature protects your privacy by noticing when you’re about to visit a privacy-harming (or otherwise suspect) website, and instead routing that visit through a new, temporary browser storage. This prevents the site from identifying you by tying your footprint to that of previous visits, but allows the site to otherwise function as normal. Essentially, each visit appears as a unique, first-time visit, thus anonymizing your digital fingerprint. This temporary storage is then deleted when you browse away from the suspect site, preventing the site from re-identifying you on future visits.
Brave currently uses Unlinkable Bouncing as an additional protection against bounce tracking, alongside Brave’s existing query parameter stripping, debouncing, and bounce-tracking interstitial features. The feature is enabled in Brave Nightly, and will be in Brave’s full release on version 1.37. Unlinkable Bouncing is the first use of a broader capability Brave is developing called “first-party ephemeral storage,” which we’ll share more about soon.
What is bounce tracking?
Bounce tracking is a way for trackers to track you even if browser-level privacy protections are in place. Privacy-respecting browsers try to prevent sites from learning about your behaviors and activities on other sites. Bounce tracking attempts to circumvent these protections by gaming how your browser behaves when you browse from one site to another.
Bounce tracking injects intermediate tracking sites in the middle of your browsing. For example, if you’re on rabbits.example, and click a link to visit turtles.example, a tracker might change the URL you click on at the last moment, so that you’re actually taken to tracker.example. The injected tracking site would then learn that you’re interested in rabbits and turtles, before forwarding you to your intended destination, turtles.example. If tracker.example is able to inject itself into enough of your navigations, over time it’ll build up a detailed (and privacy-violating) profile of your interests.
How Unlinkable Bouncing protects against bounce tracking
Unlinkable Bouncing is the fourth technique Brave uses to defeat bounce tracking. This section briefly summarizes those existing features, and how Unlinkable Bouncing complements them.
When you enable Aggressive blocking in Brave Shields, Brave will warn you before you visit a suspected bounce-tracking site. This feature allows users to reverse navigation if they want to completely avoid the intermediate bounce tracking site. However, this is only a warning—it provides no protection to users if they still need to get to the intended destination site.
Brave removes known tracking-related query parameters from URLs you visit. This technique is very effective in preventing popular tracking scripts (from companies like Google, Microsoft, and Facebook) from tracking you across the web. However, it doesn’t prevent intermediate bounce-tracking sites from learning about your browsing behaviors.
Brave includes a debouncing feature, where Brave will try to skip an intermediate site and navigate you directly to your intended destination, if the browser detects that you’re about to visit an injected bounce-tracking site. This is a very strong protection when applied, but sometimes Brave isn’t able to determine your intended destination, based only on the URL for the intermediate tracking domain.
Unlinkable Bouncing complements these features by preventing the intermediate bounce-tracking site from learning more information about you over time. The injected site tracker.example can still learn that someone is coming from rabbits.example and going to turtles.example, but Unlinkable Bouncing prevents tracker.example from knowing it was the same person who visited yesterday.
Combined, these four protections provide the strongest protections against bounce tracking of any popular browser.
How Unlinkable Bouncing works
Unlinkable Bouncing works in the following way:
If the URL you are about to visit appears in a filter list, the browser checks the Trackers & ads blocked shields setting for the destination site. If that setting is Aggressive, the user is presented with a warning asking whether they want to continue with the navigation, as described in a prior blog post.
If the user has Trackers & ads blocked in the default setting (or decides to continue with the navigation in the Aggressive setting), the browser then checks the first-party DOM storage values (cookies, localStorage, etc.) for the destination site. If the user has any existing stored values, the navigation continues using the existing stored values (in other words, Unlinkable Bouncing is not applied). If no DOM storage values exist for the destination site, the browser creates a new, temporary browser storage area for the destination site.
Soon after you leave the suspected bounce-tracking site (meaning no tabs are open for that site) the temporary storage is deleted, preventing the site from re-identifying you the next time you’re bounced through the site.
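The decision steps above, modeled as a small JavaScript simulation. This is an added example, not Brave's code: the BrowserModel class, its methods and the trackerVisit helper are hypothetical, and the model deletes temporary storage immediately when the last tab closes rather than "soon after."

```javascript
// Toy model of the Unlinkable Bouncing decision steps (hypothetical names throughout).
class BrowserModel {
  constructor(filterList, aggressiveShields = false) {
    this.filterList = new Set(filterList); // suspected bounce-tracking hosts
    this.aggressive = aggressiveShields;   // "Trackers & ads blocked" set to Aggressive
    this.persistent = new Map();           // host -> Map of first-party stored values
    this.ephemeral = new Map();            // host -> { store, tabs }
  }

  // Returns { mode, store }; store is what the site can read and write on this visit.
  navigate(host, userContinues = true) {
    const open = this.ephemeral.get(host);
    if (open) { open.tabs += 1; return { mode: "ephemeral", store: open.store }; }
    if (!this.filterList.has(host)) return { mode: "persistent", store: this.storeFor(host) };
    if (this.aggressive && !userContinues) return { mode: "cancelled", store: null };
    const existing = this.persistent.get(host);
    // Existing first-party values: Unlinkable Bouncing is not applied.
    if (existing && existing.size > 0) return { mode: "persistent", store: existing };
    const session = { store: new Map(), tabs: 1 };
    this.ephemeral.set(host, session);
    return { mode: "ephemeral", store: session.store };
  }

  storeFor(host) {
    if (!this.persistent.has(host)) this.persistent.set(host, new Map());
    return this.persistent.get(host);
  }

  // Last tab for the host closed: the temporary storage is discarded.
  closeTab(host) {
    const open = this.ephemeral.get(host);
    if (open && --open.tabs === 0) this.ephemeral.delete(host);
  }
}

// What a bounce tracker does on each visit: reuse a stored ID or mint a new one.
let counter = 0;
function trackerVisit(browser, host) {
  const { mode, store } = browser.navigate(host);
  if (!store.has("uid")) store.set("uid", `id-${++counter}`);
  const uid = store.get("uid");
  browser.closeTab(host); // user is forwarded on; no tab remains on the tracker
  return { mode, uid };
}
```

A site that already holds first-party storage takes the `persistent` branch, so an identifier stored before the feature applied is still readable on later bounces.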
First-party ephemeral storage: building on Unlinkable Bouncing
Unlinkable Bouncing is Brave’s first application of a new, powerful capability we’re developing, called “first-party ephemeral storage.” This is a set of techniques that allow sites to remember (or identify) you only for as long as you’re visiting the site. It’s similar to—though more powerful and user-friendly than—clearing your browser storage every time you leave a site.
First-party ephemeral storage builds on Brave’s existing protections against third-party tracking. Currently Brave uses a unique system for protecting against third-party tracking called ephemeral third-party storage, where all third-party storage on a site is cleared when you leave the first-party site embedding those third parties. Effectively, first parties can remember you across site visits (e.g., you stay logged into the site you visited), but third parties can’t. This policy for managing third-party state is unique to Brave, and is the most restrictive—and privacy-protecting—of any browser.
First-party ephemeral storage takes things one step further, and prevents the first-party site from re-identifying you: sites will be able to remember you across visits only if you want them to. This brings about a total shift in the Web’s default behavior: to date, browsers have assumed users want every site to remember them unless the user takes some explicit step against that remembering. Instead, Brave is working toward forgetfulness (and thus privacy) by default.
Unlinkable Bouncing is just the first application of our first-party ephemeral storage plans, and we’re excited to share more features with Brave users soon.