On Partner Referral Codes in Brave Suggested Sites
Over the weekend, one of our users noticed that typing “binance.us” into Brave’s address bar added an affiliate code to the end of the address (commonly called a URL) that was typed in.
The bad news is that we made a mistake when adding affiliate codes, and the logic that uses them, to suggest alternative completions shown in the drop-down under the address bar. The error was adding the affiliate code to the default completion (where you go if you hit the <enter> or <return> key) for a small set of URLs, instead of only to the suggested alternative completions that users must pick manually.
We apologize to our users for this error.
What we intended is shown by this example with a keyword prefix, “ledger,” typed into Brave:
The default completion, selected immediately if you hit the <enter> or <return> key, is the first item in the dropdown, a clearly-labeled Google search. (Note that we are not a paid search partner of Google.) The alternative completion is an affiliate-coded URL for a specific Ledger product, which the user is free to select or ignore.
What we did not intend was the wrong default shown here:
The default suggestion should have been the third item, “binance.us”.
Again, we apologize to our users for this error, and we wanted to share more about how we will ensure that this does not happen again.
The good news is that this does not compromise user privacy, nor does it reveal any personal information. The affiliate code identifies Brave to the partner; it does not identify the user or anyone else.
In no case would affiliate codes ever be added to or overwritten in any link in a web page, as some have misreported. The bug affected only URLs typed into the address bar.
We have already fixed the issue in Brave’s open source on GitHub and in the Brave Nightly, Beta, and Developer release channels, as well as in the Stable (1.9.80) release of our desktop browser that just went live, by changing the “Show Brave suggested sites in autocomplete suggestions” setting’s default to “off”:
Unfortunately, our review process failed to check carefully all combinations of default versus alternative completions for URLs as well as built-in keywords. The default completion for a URL should never add any such code or alter the URL, other than to upgrade from http: to https: if possible (this is the HTTPS Everywhere function built into Brave) and to normalize URL syntax per web standards.
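The rule above can be written as a regression check. The following is an added example, not Brave's code: the function names and the sample URLs (including the `ref=EXAMPLE` parameter) are constructed for illustration, and it assumes the input has already been classified as a URL rather than a keyword.

```javascript
// Parts that must be identical between the typed URL and the default completion.
// URL parsing (WHATWG URL) already applies standard normalization: lower-case
// host, default port dropped, dot-segments resolved.
const FIXED_PARTS = ['username', 'password', 'host', 'pathname', 'search', 'hash'];

// Parse address-bar text; a bare host is assumed to mean http: before any upgrade.
function parseAddress(text) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(text);
  return new URL(hasScheme ? text : 'http://' + text);
}

// Return the list of URL parts in which `completion` departs from `typed`.
// An empty list means the completion only normalized and/or upgraded to https:.
function completionViolations(typed, completion) {
  let a, b;
  try {
    a = parseAddress(typed);
    b = parseAddress(completion);
  } catch (e) {
    return ['unparseable'];
  }
  const violations = [];
  const upgraded = a.protocol === 'http:' && b.protocol === 'https:';
  if (a.protocol !== b.protocol && !upgraded) violations.push('protocol');
  for (const part of FIXED_PARTS) {
    if (a[part] !== b[part]) violations.push(part);
  }
  return violations;
}

// Constructed samples: [typed text, proposed default completion].
const SAMPLES = [
  ['binance.us', 'https://binance.us/'],                  // upgrade only
  ['HTTP://Binance.US:80/a/../b', 'https://binance.us/b'], // normalization only
  ['binance.us', 'https://binance.us/?ref=EXAMPLE'],       // query string added
  ['binance.us', 'https://www.binance.us/'],               // host changed
];
for (const [typed, completion] of SAMPLES) {
  const v = completionViolations(typed, completion);
  console.log(`${typed} -> ${completion}: ${v.length ? 'REJECT ' + v.join(',') : 'ok'}`);
}
```

Running such a check over every default-completion entry, separately from the alternative suggestions, covers the combination the review process missed.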
We promise never to add anything to the default completion for URLs typed into the address bar. We also will check for all ways that affiliate codes can appear in Brave’s user interface, and clearly delineate to our users the differences between affiliate-coded suggestions; completions based on history, bookmarks, and open tabs; and search queries.
Finally, we have checked with Binance to confirm that we will make no revenue from the unintended default URL auto-completions that added affiliate codes to the address typed in.
We should note that all browsers with major search engine partnerships add affiliate codes to search queries (this is industry-standard since Safari’s Google deal in 2003). We believe the browser can provide suggestions (without default completions) as a “pre-search engine” for keywords typed into the address bar, reducing the amount of information people currently send to search engines. But for URL completions, we will never modify URLs, and we will present affiliate-based suggestions clearly labeled as such.
Delivering a better Web means protecting people’s privacy while building new, sustainable revenue models for creators and for Brave itself. We are trying new economic models that do not depend on user tracking or privacy violations, such as sharing opt-in private ad revenue with users. We will explore more ways to make revenue that rewards creators and users alike. We won’t get everything right at all times. But we listen to our users, who come first with us and upon whom we depend entirely for ongoing success. And we fix issues as quickly as we can.
 In most browsers, the browser identity is already automatically available to the partner via the user-agent header. However, for privacy reasons, Brave does not normally identify itself in the user-agent. Also, affiliate-code-free links in pages clicked on by Brave users should not be taken as our referrals just because Brave is the user agent requesting the linked resource at Binance. Only specific URLs containing explicit affiliate codes should get credit.