• by Laurie Sullivan  @lauriesullivan, February 24, 2020

Findings from a study published Monday, which analyzed six browsers, show how they track user location and share browsing history.

Douglas Leith, professor and chair of computer systems at the School of Computer Science & Statistics, Trinity College Dublin, Ireland, spearheaded the research.

Leith measured the connections to backend-servers - -Google Chrome, Mozilla Firefox, Apple Safari, Brave Browser, Microsoft Edge, and Yandex Browser -- during normal web browsing to determine the privacy risks associated with this back-end data exchange.

The research -- Web Browser Privacy: What Do Browsers Say When They Phone Home? -- divides the browsers analyzed into three groups. The browser Brave was categorized as the most private. The research did not find any use of identifiers allowing tracking of IP address over time, and no sharing of the details of web pages visited with back-end servers.

Chrome, Firefox and Safari landed in the second group. All of the browsers tag data with identifiers linked to the browser, and all three share details of web pages visited with back-end servers. This happens via the search autocomplete feature, which sends web addresses to backend servers in real-time as they are typed. The function can be disabled.

Microsoft Edge, as well as Yandex, fell into the least private group. Both send identifiers linked to the device hardware and can be used to link different apps running on the same device. Edge sends the hardware UUID of the device to Microsoft, according to the research. Yandex transmits hardware serial number and MAC address to back end servers.

The analysis evaluates the data shared in different scenarios, such as when typing a URL into the top bar or when a browser sits idle.

Leith was presently surprised to learn Google Chrome engineers were easy to contact and open to discussion and proposals for changes.

“I was also pleasantly surprised by Brave,” he wrote in an email to Search Marketing Daily. “I expected all browsers too be pretty much the same, so I was surprised there was such a clear gap in the level of privacy with default ‘out of the box’ settings between Brave and the other browsers. I wouldn’t be surprised if this gap narrows though as some of the other browsers improve their default configuration.”

And while most of his surprises were positive, he also pointed to a surprise to learn Edge and Yandex share device hardware identifiers. 

“I don’t see why any browser needs to do that,” he wrote.

The study shows that when location and browsing history can be inferred from collected data then even if this inference is not made by the organisation that collects the data it may be made by third parties with whom data is shared, which points to commercial partners, state agencies and disclosure through data breaches.

The research also lists where the data goes. For example, Microsoft Edge sends text to bing.com. A request is sent for nearly every letter typed, resulting in 25 requests. Each request contains a value that is persistent across requests although it changes across the browser.

Once someone types an address into the URL, Edge makes two requests. The first request goes to web.vortex.data, and the second goes to microsoft.com.nav.smartscreen.microsoft.com. The request to nav.smartscreen.microsoft.com includes the URL entered, while the request to web.vortex.data.microsoft.com transmits two cookies.

The full study is posted to the Trinity College Dublin website.