Privacy update: Brave is the most private browser, Edge blabs like crazy

An interesting white paper from Prof Leith, Trinity College, Dublin (PDF):

We measure the connections to backend servers made by six browsers: Google Chrome, Mozilla Firefox, Apple Safari, Brave Browser, Microsoft Edge and Yandex Browser, during normal web browsing. Our aim is to assess the privacy risks associated with this back-end data exchange. We find that the browsers split into three distinct groups from this privacy perspective. In the first (most private) group lies Brave, in the second Chrome, Firefox and Safari and in the third (least private) group lie Edge and Yandex…

[When typing the text leith.ie/nothingtosee.html,] Edge sends text to www.bing.com as it is typed. A request is sent for almost every letter typed, resulting in a total of 25 requests. Each request contains contains a cvid value that is persistent across requests although it changes across browser restarts. Once the typed URL has been navigated to Edge then makes two additional requests: one to web.vortex.data. microsoft.com and one to nav.smartscreen.microsoft.com. The request to nav.smartscreen.microsoft.com includes the URL entered while the request to web.vortex.data.microsoft.com transmits two cookies…

For Brave with its default settings we did not find any use of identifiers allowing tracking of IP address over time, and no sharing of the details of web pages visited with backend servers. Chrome, Firefox and Safari all share details of web pages visited with backend servers. For all three this happens via the search autocomplete feature, which sends web addresses to backend servers in realtime as they are typed…

From a privacy perspective Microsoft Edge and Yandex are qualitatively different from the other browsers studied. Both send persistent identifiers than can be used to link requests (and associated IP address/location) to back end servers. Edge also sends the hardware UUID of the device to Microsoft [emphasis added] and Yandex similarly transmits a hashed hardware identifier to back end servers. As far as we can tell this behaviour cannot be disabled by users. In addition to the search autocomplete functionality that shares details of web pages visited, both transmit web page information to servers that appear unrelated to search autocomplete.

So it looks like the new Edge (Leith says the tested version is 80.0.361.48, which is definitely Chredge) not only tracks what you’re doing, it flags all of your actions with a hardware-unique identifier.

Somebody tell me again how Microsoft values your privacy?

Thx Catalin Cimpanu.