SAN FRANCISCO — Despite many claims to the contrary, privacy is hardly dead — at least not to web-browser makers. How browsers can better protect user privacy is shaping up to be a big factor in how they compete over the next decade, but it turns out they can't quite agree on how to do it.
What the debate on Tuesday morning (Jan. 28) between representatives from Google Chrome, Microsoft Edge, Mozilla Firefox, and Brave at the Enigma Conference here lacked in thrown vegetables or fisticuffs, it more than made up for in clear and different approaches to how each browser protects its users' privacy.
It's not just the vendors who take privacy seriously. Following allegations Monday that antivirus vendor Avast was collecting and selling user browsing data without permission (in fact, Avast did ask permission) Sen. Mark Warner (D-Virginia) tore into the Federal Trade Commission (FTC) for apparently not doing enough to protect consumers.
"No consumer would realistically have an inkling that their antivirus software could be selling their browsing data — and even more sensitive information such as mouse movement — to an array of third parties," Warner told Vice and PC Magazine. "It's increasingly clear that the FTC hasn't kept up with how these markets for data operate, and appears to be unwilling to use its authorities to do so. Congress can't afford to ignore these issues any longer."
The good news about browser privacy
It's nearly impossible for browser vendors to stop surveillance by an add-on or extension after the user has installed it, but there are other privacy options and innovations that browser vendors have already successfully implemented.
Forcing websites to use secure HTTPS encryption by default, and downgrading the sites in search results if they didn’t, was a muti-year Google project that encouraged better standardized privacy on the web.
Likewise, most modern browsers have taken steps to reduce or eliminate fingerprinting, which is the practice of combining telltale signs such as a browser's User Agent, tracking cookies, and HTML5 tracking to identify users across the Internet.
But how do you let ads do their job?
Yet solving other privacy problems, including protecting data in transit, blocking trackers, and permitting extensions that increase privacy has proven a thornier proposition.
That's not only because each vendor has a different approach to presenting privacy settings to the user, but also because one of the major influences on browser design and development is advertisers.
Display ads play a big part in keeping commercial websites in business, and ad networks often demand more user data to show (in part) better-targeted ads. Advertisers stand to gain the most from weak privacy protections — but they weren’t represented on yesterday's panel.
Instead, advertisers were the elephant in the room when Justin Schuh, Chrome’s director of trust and safety engineering, outlined the difference between what advertisers want and what advertisers need.
"Advertisers don’t really need your data," Schuh said. "They just want to monetize efficiently.”
He believes that advertisers can continue to effectively target browser users and measure ad effectiveness through a proposed set of new, privacy-protective web standards called the Chrome Privacy Sandbox, which Google last year announced will replace tracking cookies in 2022.
Although there weren't any advertising representatives on stage, there was at least one in the audience. Gabriel DeWitt, the vice-president of product and tech ops at the ad network Index Exchange, disputed the assertion that advertisers don’t care about privacy.
"How can the ad industry work with you guys to avoid the problems of GDPR and somewhat with CCPA?" he asked, referring to recently enacted European Union and California online-privacy regulations. "Change has happened quickly, and we feel a bit out of the loop. We also care about user privacy."
In-house privacy extensions
Firefox principal engineer Tanvi Vyas agreed with Schuh's concerns over advertising, but said Mozilla supported a different approach.
Firefox now blocks tracking cookies, but also has developed its own privacy-forward add-ons, such as Facebook Container, a walled garden that keeps Facebook from seeing your activity on other websites. (Facebook itself yesterday let all users worldwide start using the Off-Facebook Activity tool, which is meant to do the same thing.)
"Safari, Firefox, Brave, Edge have tracking protections by default," Vyas said. "We differ from Chrome by not wanting to maintain the existing model."
No popcorn trail
The newly rebuilt Microsoft Edge, which now shares the same Chromium open-source foundation as Chrome and Brave, has privacy goals that are complicated by a wide range of needs from its diverse user base, said Eric Lawrence, Edge's product manager.
To that end, he said Edge will soon support stripping out (or altering) website referers (sic) so that websites won't see where you were before you landed on their pages.
"Simplicity matters," Lawrence said. "Compatibility matters. If we provide great privacy, but we're not compatible with the web, people will either choose a different browser or turn off the privacy features."
When Apple sneezes, Brave catches a cold
Apple did not send a Safari representative to the panel, but its fingerprints were nevertheless present.
Yan Zhu, Brave's chief information security officer, said that in making privacy design decisions, Brave will often look to see what Safari has recently changed. If those changes don't break sites for Apple users, then Brave will consider implementing those changes too.
"Brave is smaller and has a more privacy-focused crowd, so that lets us be a lot more experimental and aggressive in what we offer to people," Zhu said.
"The most fundamental difference is [that] we have an alternative revenue model, an alternative to tracking-based advertising on the web," Zhu said, referring to Brave's own privacy-minded, micropayments-based ad network. "We can reject the entire notion that websites need to track you wherever you go."