Web Browser Privacy: What Do Browsers Say When They Phone Home?

Abstract

We measure the data sent to their back-end servers by five browsers: Google Chrome, Mozilla Firefox, Apple Safari, Brave Browser and Microsoft Edge, during normal web browsing on both desktop and mobile devices. Our aim is to assess the privacy risks associated with this data exchange between a browser and its back-end servers. With regard to shared services, all of the browsers make use of a safe browsing service to mitigate phishing attacks and our measurements indicate that this raises few privacy concerns. Similarly, with regard to the Chrome extension update service accessed by Chromium-base browsers (Chrome, Brave, Edge). Overall, we find that both the desktop and mobile versions of Brave do not use any identifiers allowing tracking of IP address over time, and do not share details of web pages visited with backend servers. In contrast, Chrome, Firefox, Safari and Edge all share details of web pages visited with backend servers. Additionally, Chrome, Firefox and Edge all share long-lived identifiers that can be used to link connections together and so potentially allow tracking over time. In the case of Edge these are device and hardware identifiers that are hard/impossible for users to change. On mobile devices, but not desktop devices, Firefox also shares device identifiers.