Professor Douglas J Leith of Trinity College Dublin studied the network activity of popular browsers and concluded that Microsoft Edge and Yandex.Browser show alarming results compared to Brave, Chrome, Firefox and Safari.
The expert tested Chrome (80.0.3987.87), Firefox (73.0), Brave (1.3.115), Safari (13.0.3), Edge (80.0.361.48) and Yandex.Browser (126.96.36.1995), leaving them at their default settings and using proxies to capture traffic. He checked the data sent by the browsers on first launch, as well as the data they transmit when navigating to a web page, including when the URL was typed manually (the case in which the cloud-based autocomplete function can come into play). In addition, he studied how the browsers behave when left running and idle for a day. Leith conducted all tests on a Mac and intentionally did not log in to the services of Google, Microsoft, Apple and Firefox, since he was interested in the unconfigured default settings.
In his report, Leith writes that the browsers fell into three groups according to their level of privacy. The first group, with the highest level of privacy, included only the Brave browser. The second group, with average results, included Chrome, Firefox and Safari. Edge and Yandex.Browser were placed in the third group, the browsers with the least satisfactory privacy.
The researcher explains that the problem with the last two browsers is that the identifiers they pass to their developers allow different search queries and sessions to be linked together. Specifically, Edge and Yandex.Browser use so-called "hardware IDs", that is, identifiers that are tied to the physical equipment and cannot be easily changed.
By contrast, Chrome and Firefox use identifiers that are, in essence, random numbers generated when the browser is first launched. Such IDs persist between sessions, but they are easily discarded with a new installation: before each new installation of the browsers, Leith deleted all configuration data remaining in the user profile.
The analyst continued his experiments by pasting (not typing) the URL into the address bar of each browser. Chrome makes a request to www.google.com/complete/search with the details of the URL (for example, http://leith.ie/nothingtosee.html) passed as a parameter, as well as two identifiers (psi and sugkey). Edge also sends the URL to the Bing autocomplete API along with a cookie. Yandex.Browser sends the URL to its servers before starting navigation. Firefox, Brave and Safari do not collect any data about the address pasted into the address bar.
If the URL is typed manually, the URL autocomplete or search suggestion functions come into play. Leith says that in this test Safari shows the most aggressive behavior: the browser generates 32 different requests to Google and Apple servers. Moreover, the requests to Apple servers include IDs that persist after the browser is restarted, which means that they can be used to reconstruct browsing history and link requests to each other.
In turn, the Edge browser sends typed text to www.bing.com as you type. A separate request is sent for almost every character typed, resulting in about 25 requests, each of which contains a cvid value, the same for all requests, but changing when the browser restarts.
Yandex.Browser also sends text to yandex.ru/suggest-browser as it is typed. Like Edge, it creates a query for each letter, and ultimately generates about 26 queries. The requests are accompanied by cookies and a number of different IDs. When typing is completed, two more requests are sent, to yandex.ru and translate.yandex.ru. The first passes the typed URL, and the second sends the text content of the landing page.
Chrome behaves almost as aggressively: it generates 19 requests to Google servers, and these requests also contain an identifier that is saved when the browser restarts.
Firefox is more private: it does not transmit the ID along with the requests and stops the requests after the first typed word, therefore, in total it generates only 4 requests.
The Brave browser performed best of all: it disables autocompletion by default and does not send any requests at all when the user enters text in the address bar.
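The distinction drawn above, between values that change on every request, values that stay fixed within one browser run, and values that survive a restart, can be checked mechanically on proxy captures. The following is an added example, not code from Leith's report: the host `suggest.example`, the `devid` parameter and all values are constructed, and `cvid` is used only to mirror the behaviour described for Edge.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed capture: one list of request URLs per browser run (before and
# after a restart). Host, path and values are made up; "devid" is a
# hypothetical identifier that survives restarts.
def typed(text, cvid, devid):
    return [f"https://suggest.example/ac?q={text[:i]}&cvid={cvid}&devid={devid}"
            for i in range(1, len(text) + 1)]

RUN_1 = typed("leith.ie", "A1B2C3", "f00d-cafe")
RUN_2 = typed("leith.ie", "D4E5F6", "f00d-cafe")

def values_per_run(runs):
    """Map (host, param) -> list of sets, one set of observed values per run."""
    seen = defaultdict(lambda: [set() for _ in runs])
    for idx, urls in enumerate(runs):
        for url in urls:
            parts = urlsplit(url)
            for name, value in parse_qsl(parts.query, keep_blank_values=True):
                seen[(parts.hostname, name)][idx].add(value)
    return seen

def classify(runs):
    """Label each parameter by how its value behaves within and across runs."""
    result = {}
    for key, per_run in values_per_run(runs).items():
        if any(len(v) != 1 for v in per_run):
            label = "varies"        # changes per request, e.g. the typed text
        elif len(set.union(*per_run)) == 1:
            label = "persistent"    # same value after restart: links sessions
        else:
            label = "per-session"   # constant within a run, new after restart
        result[key] = label
    return result

def keystroke_leak(urls, param="q"):
    """Return the typed prefixes in the order they were sent."""
    return [dict(parse_qsl(urlsplit(u).query)).get(param, "") for u in urls]

if __name__ == "__main__":
    for (host, name), label in sorted(classify([RUN_1, RUN_2]).items()):
        print(f"{host:18} {name:6} {label}")
    print(keystroke_leak(RUN_1))
```

A parameter labelled `persistent` is the kind that lets requests from separate runs be tied together; real captures would be fed in as one URL list per browser run.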
Of course, the question remains how exactly the companies use the data obtained in this way, and how the situation changes if the user logs in to the browser to use the synchronization of bookmarks and history on different devices.
So far, only representatives of Mozilla have commented on Leith’s study. The organisation reported that user browsing history is only transmitted to Mozilla servers if the user has enabled the synchronization service. Moreover, the synchronization data is fully encrypted and employees do not have access to it.
“Firefox collects some technical data about how users interact with our product, but that doesn’t apply to your browsing history. Data is transmitted along with a unique, randomly generated identifier. IP addresses are stored for a short period of time for security and abuse detection, and are then deleted. They are separated from telemetry data and are not used to compare user activity during different sessions,” say Firefox developers.