Is Your Secure Browser Spying on You? (Which Online Security Tool and Secure Browser are Spying on You?)
As people start thinking more about online security, they realize that Google Chrome is not the only browser in town.
Chrome is still (and will likely be for a very long time) the dominant web browser, with 81% of Internet users using it as of December 2021, according to W3Schools. However, in recent years, secure browsers are getting more noticed as users are less keen on the company collecting their browsing data and seeing their entire web browsing history.
And while their numbers are nowhere near what Google Chrome has, Brave browser, for example, announced recently that they passed 50 million active users and 15.5 million active daily users.
But here’s the question: are private browsers really as private and secure as they claim to be or are they in fact spying on you?
Unfortunately, nothing in the world is perfect and the truth about secure browsers might not be to your liking.
(Also, read here why private browsing mode is not really private and what “incognito mode” really means).
Avast Online Security and Avast Secure Browser are Spying on You
Avast is a family of freeware and proprietary Internet security programs and solutions for Microsoft Windows, macOS, Android and iOS that is used by over 400 million people.
Its secure browser is probably one of the last places you’d think that you would get spied on, but, this was discovered to be the case in 2019.
According to this article, the culprit here was Avast Online Security, which is installed in the Avast Secure Browser by default (meaning users don’t get to choose for themselves whether they want it or not).
To make matters worse, the AOS is hidden from the list of browser extensions so it’s impossible to uninstall it without going through some hoops.
But okay, why is this such a big deal? After all, shouldn’t AOS help make your browsing more secure?
This may be the case, but it also doesn’t make it more private.
According to the article, if you use the browser’s dev tools to look at its network traffic, the AOS extension sends a request to https://uib/ff/avast/com/v5/urlinfo every time the browser loads a new page in a tab.
Basically, what this does is that AOS sends binary data to that address and gets returning info if the page you want to visit is malicious or not.
So far nothing out of the ordinary, until you dig a little deeper and look at what data is being sent about you.
Here are the data fields and their contents that the author could find after stopping the AOS browser extension in the debugger:
This means that Avast can reconstruct your online browsing behavior, including what websites you visit, how many tabs you have opened, when you switch between tabs, how much time you spend on a page, what you click on, etc.
Now, if you’re wondering, not all of this data is actually needed for the extension to work, at least not to this extent. Other browser extensions don’t seem to need it. For example, Google Safe Browsing will locally download lists to find malicious websites instead of asking the server each time you visit a website.
The bottom line is that, even if we consider the storage requirement for this to be too high to store locally, this amount of data collection is still not necessary and AOS can simply send the hostname and the full address if there is a potential match.
What About Other Secure Web Browsers?
So what of other secure browsers, like Brave, Tor browser, or Epic Privacy Browser?
Are they any better for your privacy and online security?
While they are much better at blocking tracking ads and third-party cookies, even the most secure browsers can be guilty of spying on you.
Brave Browser
For instance, Brave had something of a scandal in 2020 when it was discovered that it was redirecting users to its referral links when they were navigating Coinbase and similar crypto-exchange platforms.
What happened was that users would attempt to access an exchange platform like Binance.us and Brave would redirect them to its referral link.
Naturally, this caused an outcry in the community, so Brendan Eich, CEO of Brave apologized and responded:
We made a mistake, we’re correcting. Brave default autocompletes verbatim ‘http://binance.us’ in address bar to add affiliate code. We are a Binance affiliate, we refer users via the opt-in trading widget on the new tab badge, but autocomplete should not add any code.
It should be noted, however, that Brave quickly changed course and is no longer doing this, so that’s a big plus for them.
But let’s say this only affect you if you want to exchange cryptocurrencies. Is Brave otherwise a private browser?
According to the analysis by Neocities, not quite.
Here are their findings (it’s a short read, so we also recommend reading the whole article):
Brave uses Google as the default search engine, though you can change that to a more private search provider like DuckDuckGo for instance (keep in mind that DDG gets its results from all over the place, including Google web services among others)
It has built-in telemetry and stores collected data for several days. For those unfamiliar with the term, “telemetry”, means collecting data about your browsing.
There’s an opt-out RSS news feed that sends requests to Brave’s web servers
Brave also uses a feature called “SafeBrowsing” to protect visitors from potentially malicious websites and browser extensions. This is also powered by Google
Most of these features can be turned off, but for something that claims to be a privacy-focused browser, it is a bit worrying to see that it relies on Google to power so many of them.
That said, Brave offers built-in ad blocking and browser fingerprinting features (including randomized fingerprint Firefox also has) so it’s still a good option for privacy-oriented users.
Epic Privacy Browser
Another relatively popular private browser is Epic Privacy Browser. This Chromium-based browser was created in 2014 by a company called “Hidden Reflex” from India and claims to prevent web tracking and block tracking ads.
One thing that a user on Medium found, however, is that Epic connects to Google on startup, which doesn’t paint it in the best light as a private browser. However, it does clear DNS cache on exit.
Another issue with Epic is that the company claims for it to be open-source, when in fact it’s closed-source. This is something that they’ve been claiming since 2014:
Sorry again, there are a few issues preventing us from releasing all the source, but it’s certainly all visible/auditable. We hope to resolve those issues and release the code soon. Thanks for your support.
The Epic FAQ also states something similar to the question is Epic open source?
All of Epic’s code is visible and auditable by anyone. We are committed to complete transparency (as you know from reading this page) about how Epic works and doesn’t work. We love open-source and Epic is built on open-source Chromium. If you would like to audit any files, please let us know.
So, Epic lets you audit any code if you request it, but that’s not the same as open-source. They still don’t have their code released in full.
The third problem with Epic privacy is their claim to offer a free VPN service, with servers in 8 countries that can stop Google tracking.
Again, the company is stretching the truth here (gotta love marketing) and what this instead does is have the browser route your traffic through a US-based proxy.
Finally, Epic also doesn’t use a private search engine like DuckDuckGo, but instead Google, with the explanation that they are “unable to believe they offer any meaningful privacy benefit versus using Bing, Google or Yahoo directly”.
Tor Browser
“Just use the Tor browser.”
Well, while definitely a good option for private browsing, even Tor browser isn’t 100% anonymous and secure as we covered in a previous article.
You can read the whole article and find out for yourself is Tor browser safe and completely anonymous to use, but here are the cliff notes if you’re in a hurry:
1. It can leak your IP address
2. The connection between the exit node and the destination server on HTTP websites is unencrypted. This, however, isn’t the case on a secure HTTPS encrypted connection
3. Some nodes are malicious and not everyone runs nodes with good intentions
4. Tor is funded by the US government and developers are often working with government agencies
Again, we recommend reading the whole article to get the entire picture about Tor the browser.
Will No Browser Protect You Out There?
Now, we realize that we didn’t exactly paint different web browsers in the best of light and in some instances we might be nitpicking.
However, the whole point is that there are is no truly 100% private and secure browser that can protect you from web tracking or keep your browsing history hidden. Almost every browser out there is tracking users with invisible trackers one way or another and collecting their data, regardless of what those browsers claim.
That said, do we recommend using private browsers or is the partial protection google chrome offers with private browsing mode enough?
Yes. In fact, here are the most secure browsers that we recommend to protect your privacy and online security.
If you want privacy, remember that Google Chrome is not the only browser out there. If you’re looking for privacy, consider changing your default browser to something like Brave or Epic Privacy Browser
All the browsers we mentioned here offer much better privacy than the Chrome browser and will do a lot better job of protecting you from browser fingerprinting and blocking tracking ads.
Conclusion
Of course, this all depends on the level of privacy that you want in your web browsing. If you don’t mind web tracking all that much and believe that data collection is a good tradeoff for what you get from your browser, by all means, use Google Chrome.
However, if you want privacy and browser security, don’t want invisible trackers or web tracking, then use secure browsers. It’s also a good idea to use a private search engine with it and a password manager to protect your passwords, plus a good VPN to encrypt your connection better.
Comments
Post a Comment