By Peter Snyder, Senior Privacy Researcher at Brave, and Implementation by Anton Lazarev, Research Engineer at Brave
GPC launches today from a consortium of privacy-respecting organizations, to protect consumer privacy and provide consumers with greater control of their data
One of Brave’s core goals is to improve privacy on the Web. The main way Brave improves Web privacy is by building strong, on-by-default privacy protections in the Brave browser. However, Brave also works to improve privacy on the Web in general, particularly by advocating for privacy in the W3C 1.
As part of our privacy-in-Web-Standards work, we’re proud to have been involved in the design for the “Global Privacy Control” (GPC) proposal. The GPC proposal allows Web users to signal that they do not want to be tracked online, and where relevant, assert legal privacy rights, as described in legislation like the EU’s GDPR and California’s CCPA. GPC is meant as an additional privacy tool for browser vendors and Web users; it does not take the place of any existing privacy protections Brave provides.
Why Brave supports the “Global Privacy Control” proposal
First, anything that makes it clearer to the surveillance-economy that users don’t want, don’t approve of, and don’t consent to being followed and tracked on the Web is a good step (and something that Brave has been promoting since we started).
Second, similar consent mechanisms being pushed by the AdTech industry are incompatible with the kinds of privacy protections which Brave includes. For example, the Orwellian-named “consent management platforms” often require your browser to execute code from tracking companies, just to ask them to not track you. Brave blocks these network requests to tracking companies, which the tracking companies often interpret as “no preference expressed yet”.
Good solutions to improving Web privacy cannot require browsers to interact with companies that have already lost users’ trust; the “Global Privacy Control” proposal is a strong framework to begin building better privacy protections on.
Third, Brave is interested in working with responsible, ethical, privacy-respecting publishers who want to respect user privacy without requiring users to click through intentionally confusing dialogs and “consent forms”. We’re especially interested in working with publishers who want to respect user privacy both where the law requires it (e.g., GDPR, CCAP), as well as in areas where the law hasn’t yet caught up to recognize privacy as a right (and pervasive, non-consensual tracking as wrong). We’re excited by the publishers we’ve worked alongside during the “Global Privacy Control” proposal, and we hope others will follow their lead.
Brave’s Implementation of the “Global Privacy Control”
Brave is currently testing an implementation of the GPC proposal in our Nightly desktop and Android beta channels, and expect to implement it in our iOS browser as the proposal goes through the standardization process.
Importantly, Brave does not require users to change anything to start using the GPC to assert your privacy rights. For versions of Brave that have GPC implemented, the feature is on by default and unconfigurable. We’ve decided to implement GPC in this way for several reasons.
First, we believe that anyone choosing to use Brave has already made an unambiguous expression that they do not want their data to be sold or shared online. Legislation like the CCPA recognizes that the decision to use privacy-focused tools like Brave is itself an expression of user preference for privacy. Requiring users in Brave to take an additional step to enable GPC therefore seems both unnecessary and disrespectful to our users (who have already made their preference clear!).
Second, the more configuration options available in the browser, the easier it is to “fingerprint” 2 users. We build strong, unique, and innovative defenses against “fingerprinting” into the Brave Browser, and are cautious about adding configuration options that could reduce your privacy. Unless we expect configurability to be useful to a significant number of users, we err on the side of reducing configuration options. We expect few, if any, Brave users would want to disable GPC, and so have not included any configuration option.
Brave, GPC, and The Inevitability of a Private-by-Default Web
Since we started, Brave has argued that a healthy, sustainable, vibrant Web requires a privacy-preserving, privacy-by-default Web; business models that depend on tracking will soon look as antiquated as Flash, Java Applets or “made for IE” badges.
Privacy-preserving tools like Brave are just one part of what’s needed to keep improving the Web. Legislation (like the CCPA and GDPR) that enshrines and protects privacy is a second necessary part, and proposals like GPC that allow users to conveniently and privately assert their rights is a third. We’re excited for browsers to implement GPC, more publishers to interpret and respect GPC as discussed in the proposal, and more ways of protecting privacy on the Web.