
If you care about personal privacy, you may have come across Brave Browser. Brave is a Chromium-based browser that promises privacy through built-in ad and tracker blocking, and it bundles several quality-of-life features and services, such as a VPN and Tor access. It is even listed on the well-known PrivacyTools website. Why, then, am I telling you to steer clear of it?

PrivacyTools even recommends Brave Browser… somewhat, at least.

Let us take a step back.

Where did Brave Browser come from?

Brave Software was founded in 2015 by its current CEO, Brendan Eich. If the name rings a bell, there may be several reasons. Eich is best known as the creator of the JavaScript programming language, the language your browser interprets and runs, which he designed during his days at Netscape Communications Corporation, the company behind the historic Netscape Navigator browser.

He also wrote the original version of SpiderMonkey, the JavaScript engine that Firefox uses to this day, and continued to oversee its development at Mozilla from 1998 onwards, after Mozilla inherited the Netscape code base.

Mozilla itself was founded by Eich and others in that same period as a free and open-source project, meant to coordinate the open-source development of the Netscape browser code.

Eich's career grew inside Mozilla: he was appointed CTO in August 2005 and kept leading SpiderMonkey development until 2011, when he handed it over to Dave Mandelin.

His time at Mozilla came to an abrupt end in 2014. He was appointed CEO of Mozilla Corporation on March 24, 2014, and within days several Mozilla employees publicly called on him to resign.

Image courtesy of Ars Technica

Brendan Eich's anti-LGBTQ+ political involvement

The reason was that Eich had been donating money to anti-LGBTQ political causes, which understandably made Mozilla employees who belong to the LGBTQ community feel uneasy and unsafe under the new leadership.

Over the years, Eich had donated to deeply problematic political initiatives and candidates, such as California's Proposition 8, the 2008 ballot measure that sought to ban same-sex marriage in the state, along with even larger donations to Tom McClintock, a Republican politician who supported Proposition 8.

The scandal set off a chain reaction, and in the same week three of Mozilla's six board members stepped down.

Ultimately, the backlash forced the new CEO to "express sorrow for causing pain" and to promise he would "work with LGBT communities and allies", statements that were in all likelihood motivated more by the need to save face and avoid stepping down than by genuine regret.

Predictably, these empty excuses were not enough to soften the blow: activists launched an online campaign to pressure Eich into stepping down. One of the hardest blows came from the dating website OkCupid, which started showing visitors using Firefox a message explaining Eich's donations and encouraging them not to access the site with Firefox or other Mozilla products, as a form of boycott.


Shortly after, on April 3, 2014, Eich agreed to step down as Mozilla CEO and to leave Mozilla altogether.


Eich resurfaced the following year with a new company, Brave Software, founded in 2015. The browser's first developer version was released in January 2016, after the company raised $2.5 million in late 2015, followed by another $4.5 million round in 2016. As we are about to see, however, the story is far from over: this new venture would quickly prove to be, at the very least, ethically questionable.

With this out of the way, let's keep going.

2016 — Brave Browser promises to replace webpage ads

Although the browser had only just been released, the first controversy did not take long to surface. In 2016, Brave announced a plan for a feature called Brave Ad Replacement. It would do what it says on the tin: block the existing ads on web pages and replace them with "privacy-friendly" ads that Brave itself would inject.

fullscreen
“Brave Ad Replacement” campaign

According to Brave's marketing, the new "Brave Ads" would also pay publishers, which was meant to make the scheme sustainable. However, publishers would be paid in a volatile cryptocurrency instead of their reliable fiat income stream, they would receive roughly half of what they earned before, and, of course, Brave would take a 15% cut for itself.

Brave Ads promised to pay users for looking at them

The idea was exactly as bad as it looks to any reasonable person, and it never really came to life. Soon enough, the Newspaper Association of America reacted with a cease-and-desist letter that called what Brave was doing "blatantly illegal".

Wired article about the C&D

If you think this is bad enough, brace yourself for what comes next. 2016 is nine years ago already (yes, time flies), which means we still have just short of an entire decade of screwups to cover.

2018 — Brave runs a questionable donation campaign

In 2018, Tom Scott, a content creator known for his incredibly entertaining videos about unusual places and things, tweeted a warning to his followers not to send donations to anyone asking for them in his name, as he was not accepting donations. He said that Brave was using "his name and photo without his consent".

Tom Scott's tweet, fished out from the Wayback Machine, since he (rightfully) nuked his Twitter account after the platform got taken over by a fascist

What was happening? Brave was collecting donations in its own cryptocurrency, BAT, from its users on behalf of creators and website owners, offering to pay them out once the collected amount reached a minimum value of $100. The program covered any website or channel, whether or not its owner had signed up for a Brave Rewards account. So Tom Scott noticed one day that Brave was accepting donations "on his behalf", thought "I never set that up", and believed he was being impersonated. He wasn't, but I can see why he would think so.

Brave's BAT cryptocurrency

Naturally, Tom reached out to Brave asking to be opted out. According to him, the company responded that "we'll see what we can do" and that "refunds are impossible". The latter is true, since these crypto donations were anonymous and therefore could not be refunded, but it only reinforced the impression of Brave as a scummy impersonator.

For what it's worth, Brave quickly rolled out an improved infographic that made it clearer that it was not affiliated with the creators you could donate to, and Tom has since deleted the tweets.


2020 - Brave injects referral codes into crypto exchange URLs

In 2020, it came out that Brave Browser was injecting its own referral codes into the URLs of cryptocurrency wallet and exchange websites such as Coinbase.

Article from The Verge

Referral links are a common marketing tool that services use to encourage the onboarding of new users. A user of a service advertises it to others and invites them to join through a referral link, which identifies the person or entity who sent the invitation. The more new users someone brings in through their referral links, the more the service rewards them, typically with a small commission on the new user's purchases, a discount on paid features, or other benefits with a monetary value.

Amazon's affiliate program, for instance, relies on sending out product links augmented with a referral code to earn a small commission on the eventual purchase.

The person who first sounded the alarm was Twitter user @cryptonator1337 who, being closely involved with the cryptocurrency and blockchain community, noticed something fishy. When he went to Binance, his crypto exchange of choice, from Brave's address bar, the browser silently appended a query string carrying Brave's affiliate code (a "ref" parameter) to the URL.

Tweet by Twitter user CR1337

Yes. Without informing the user, let alone asking for permission, Brave appended its referral code to URLs whose domain belonged to a crypto exchange or wallet, just to make a quick buck. Users signed up for those services through Brave's referral without knowing it, involuntarily earning Brave money.

Yes, the CEO apologized, said that they "are not perfect" but "course correct quickly", and the feature was disabled entirely. It is nonetheless extremely worrying that anyone thought this was acceptable in the first place: it is the same behavior that recently got the Honey extension branded a scam.
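To make the mechanism concrete, here is an added example (my own code, not Brave's and not from any of the sources above): given the URL a user typed and the URL the browser actually navigated to, it lists the query parameters that were added along the way and flags the ones that look like affiliate codes. The list of parameter names and the sample URLs, including the referral value, are assumptions constructed for the example.

```javascript
// Added example, not code from Brave or from the original post.
// Compares the URL the user typed with the URL the browser actually loaded
// and reports query parameters that appeared in between. Uses only the
// WHATWG URL API, so it runs in Node.js and in browsers.

// Parameter names commonly used by referral/affiliate programmes.
// Assumed list for this example; extend it for the services you audit.
const AFFILIATE_PARAM_NAMES = new Set([
  "ref", "ref_", "referral", "referrer", "affiliate", "aff", "aff_id",
  "tag", "partner", "clickid",
]);

// List parameters present in finalUrl that the user never typed.
function injectedParams(typedUrl, finalUrl) {
  const typedKeys = new Set(new URL(typedUrl).searchParams.keys());
  const added = [];
  for (const [name, value] of new URL(finalUrl).searchParams) {
    if (!typedKeys.has(name)) {
      added.push({
        name,
        value,
        affiliate: AFFILIATE_PARAM_NAMES.has(name.toLowerCase()),
      });
    }
  }
  return added;
}

// True when an affiliate-looking parameter was added. A changed host or path
// is not treated as suspicious here, because http->https or www redirects
// are legitimate; check those separately if you care about them.
function isSuspiciousRewrite(typedUrl, finalUrl) {
  return injectedParams(typedUrl, finalUrl).some((p) => p.affiliate);
}

// Rebuild the URL the user meant by dropping the injected affiliate parameters.
function stripInjected(typedUrl, finalUrl) {
  const cleaned = new URL(finalUrl);
  for (const p of injectedParams(typedUrl, finalUrl)) {
    if (p.affiliate) cleaned.searchParams.delete(p.name);
  }
  // Avoid a dangling "?" when nothing is left of the query string.
  if ([...cleaned.searchParams.keys()].length === 0) cleaned.search = "";
  return cleaned.toString();
}

// Constructed sample: the user types the bare exchange domain and the browser
// lands on a URL with a referral code appended. The code value is invented.
const TYPED_URL = "https://www.binance.us/";
const LANDED_URL = "https://www.binance.us/?ref=EXAMPLE123";

function auditSample() {
  return {
    injected: injectedParams(TYPED_URL, LANDED_URL),
    suspicious: isSuspiciousRewrite(TYPED_URL, LANDED_URL),
    cleaned: stripInjected(TYPED_URL, LANDED_URL),
  };
}

console.log(auditSample());
```

In a real audit you would record the typed URL from the address bar and the final URL from the navigation (for example with a browser extension's webNavigation events, or by reading the history database), then run the diff over every pair; a browser that never rewrites what you type produces an empty list.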

2020 — Brave puts ads in user's home screens

What is the funniest thing a browser whose main selling point is a strong built-in ad blocker could do? If "serving ads right in its own UI" was near the top of your list, you guessed right.

In January 2020, Brave officially introduced the Sponsored Images program, pitching it to partner businesses and advertisers. By default, Brave would now display sponsored images as the background of its home and new tab pages.

Brave introducing sponsored images

It all started with an innocent feature. Brave already rotated a set of pictures on its new tab page, which users liked. Things took a turn for the worse when a Twitter user suggested that Brave add pictures from a SpaceX rocket launch to the rotation, since SpaceX had released those pictures under a Creative Commons license.

The first domino to fall

The addition prompted users to ask whether SpaceX was paying to have its pictures in the rotation. It was not, but the conversation gave Brave yet another bright idea: what if advertisers were charged to push their own images onto users' new tab pages? And so it was.

Naturally, people did not like it. A browser whose main selling point is built-in ad blocking serving ads by default inside its own UI made for a bad first impression, and the nature of the ads, many of them related to cryptocurrencies, looked suspicious.

User pushback on GitHub

Not only was the decision never reversed, but two years later one of Brave's contributors floated the idea of adding friction to the opt-out process. Thankfully that suggestion was not implemented, but it speaks volumes about what Brave is going for: the point was never to put users in control, it was to lure privacy-conscious users onto a product designed as a cash cow, extracting every cent of profit it can by any means, ethical or not.


2021 - Brave's Tor windows leak .onion addresses over DNS

In February 2021, it came out that Brave's "Private Window with Tor" feature had been leaking the .onion addresses users visited through ordinary DNS queries, a serious security problem for anyone relying on Tor for anonymity.

Tor, short for The Onion Router, is a protocol and an overlay network that lets people use the web anonymously by routing their traffic through a circuit of volunteer-run relays. Each relay only learns the previous and the next hop, so no single node sees both who the user is and what they are visiting, and a malicious relay can do only limited damage. Users connected to Tor can also reach .onion addresses, onion services that exist only inside the Tor network and are unreachable from the regular web. The .onion suffix is a reserved, non-DNS name (RFC 7686): a .onion address is resolved inside Tor and should never be sent to a regular DNS resolver.

Tor's main use case is providing complete anonymity where it is crucial. It is widely used by investigative journalists, political dissidents, activists and other people who are likely to be targeted or watched by someone who wants to harm them, which means any privacy leak can have serious personal consequences. Above all, the one thing that must not happen is leaking browsing data to the user's ISP, which knows their real identity and can be compelled by law to hand over its records.

The Onion Router project's homepage

That is exactly what happened. For a while, Brave had been sending the .onion domains people visited in Tor windows to the system's regular DNS resolver, breaking one of the main reasons to use Tor in the first place: keeping your onion-service activity from your ISP. Brave traced the bug to its CNAME-uncloaking ad blocking, which performed its own DNS lookups outside the Tor circuit. The damage was somewhat smaller if the user had manually changed the system's DNS resolver from the default to something like Quad9, a provider with a good privacy track record, but that is both far from ideal (the resolver still receives the name, it merely promises not to keep it) and the unlikely scenario, since by default the resolver is the ISP's. In other words, users who relied on Brave's Tor feature for tasks requiring complete anonymity may have been telling their service provider which onion services they visited the entire time, potentially putting them in great danger.

ZDNet article about this incident
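A practical way to check for this class of leak yourself is to watch port 53 while browsing in a Tor window and look for any query name ending in .onion, which should never appear there. The following added example (my own code, not Brave's or the Tor Project's) parses raw DNS messages and reports such names. The packets it scans are constructed in memory, including an invented onion address; in real use you would feed it the UDP payloads captured with tcpdump or similar.

```javascript
// Added example, not code from Brave or the Tor Project: flag DNS queries for
// .onion names. A .onion name is reserved for Tor (RFC 7686) and must never be
// sent to a DNS resolver, so any such query on port 53 is a leak. The packets
// below are constructed in memory; in practice feed this UDP payloads from a
// capture of port 53 taken while browsing in a Tor window.

const ONION_SUFFIX = ".onion";

// Encode a DNS query (no EDNS, recursion desired) for `name`, record type A.
// Used only to build sample input; a real capture replaces this.
function buildQuery(id, name) {
  const labels = name.replace(/\.$/, "").split(".");
  const nameLen = labels.reduce((n, l) => n + 1 + l.length, 0) + 1;
  const buf = new Uint8Array(12 + nameLen + 4);
  buf[0] = id >> 8; buf[1] = id & 0xff;    // transaction ID
  buf[2] = 0x01; buf[3] = 0x00;            // flags: standard query, RD=1
  buf[5] = 1;                              // QDCOUNT = 1
  let off = 12;
  for (const label of labels) {
    buf[off++] = label.length;
    for (let i = 0; i < label.length; i++) buf[off++] = label.charCodeAt(i);
  }
  buf[off++] = 0;                          // root label terminates the name
  buf[off++] = 0; buf[off++] = 1;          // QTYPE A
  buf[off++] = 0; buf[off++] = 1;          // QCLASS IN
  return buf;
}

// Decode a domain name at `off`, following compression pointers (RFC 1035 4.1.4).
// Returns the name and the offset just past it in the original byte stream.
function readName(buf, off) {
  const parts = [];
  let jumped = false, next = off, hops = 0;
  for (;;) {
    if (off >= buf.length) throw new Error("truncated name");
    const len = buf[off];
    if (len === 0) { off += 1; break; }
    if ((len & 0xc0) === 0xc0) {           // pointer to an earlier name
      if (++hops > 16) throw new Error("pointer loop");
      const ptr = ((len & 0x3f) << 8) | buf[off + 1];
      if (!jumped) next = off + 2;
      jumped = true;
      off = ptr;
      continue;
    }
    parts.push(String.fromCharCode(...buf.subarray(off + 1, off + 1 + len)));
    off += 1 + len;
  }
  return { name: parts.join("."), next: jumped ? next : off };
}

// Return the lower-cased question names in one DNS message (query or response).
function questionNames(buf) {
  if (buf.length < 12) throw new Error("short header");
  const qdcount = (buf[4] << 8) | buf[5];
  const names = [];
  let off = 12;
  for (let i = 0; i < qdcount; i++) {
    const { name, next } = readName(buf, off);
    names.push(name.toLowerCase());
    off = next + 4;                        // skip QTYPE and QCLASS
  }
  return names;
}

// Scan a list of DNS payloads and return every .onion name that leaked.
function findOnionLeaks(packets) {
  const leaks = [];
  for (const pkt of packets) {
    for (const name of questionNames(pkt)) {
      if (name.endsWith(ONION_SUFFIX)) leaks.push(name);
    }
  }
  return leaks;
}

// Constructed sample traffic: one ordinary lookup and one leaked onion name.
// The onion address is an invented placeholder, not a real service.
const SAMPLE_PACKETS = [
  buildQuery(0x1234, "www.example.com"),
  buildQuery(0x1235, "abcdefghijklmnop.onion"),
];

console.log(findOnionLeaks(SAMPLE_PACKETS));
```

The parser follows compression pointers because responses (and some resolvers' queries) use them; a detector that only handles uncompressed names will silently miss traffic. Any non-empty result while a Tor window is in use means the browser, or some component inside it, resolved the name outside the Tor circuit.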

2023 - Brave hides its crawler from websites

In 2023, Brave announced that it would sell its search data to AI companies for inference. (According to stackdiary.com, it also included AI training, though I was not able to confirm this.) This caused some pushback, especially since Brave Search's snippets are particularly long and reproduce a good slice of the web page.


As a result, some websites wanted to opt out of this, which means blocking the Brave crawler. However, Brave Search's crawler carries nothing identifiable that would allow blocking it specifically, unlike other crawlers, which usually put the company name in the user agent.

Bing, for example, openly discloses its user agent, which includes "bingbot".


So why is Brave hiding? According to its own, rather angry, email to the author of the blog post shown above, it simply does not have the resources to "contact all domain owners who, rightfully or not, discriminate against anyone but Google".


In other words: a lot of websites deliberately ask not to be scraped by search engines other than Google, or by Brave specifically, and Brave does not have the resources to argue with them; so it scrapes them secretly, in a way you cannot block without also blocking Google.

2024 - So-called "privacy browser" deprecates advanced fingerprinting protection

What is another of the funniest things a so-called privacy-oriented browser could do? If you guessed "removing privacy features it had already implemented", you are right again.

In 2024, Brave deprecated its Strict fingerprinting protection option. Fingerprinting protection tries to stop websites from following users around the web and identifying them uniquely through a "fingerprint" assembled from many small details, such as whether they use dark mode, which operating system they run, their screen size or their installed fonts.

Picture from BleepingComputer

The stated reason for removing the feature was that the Strict setting broke several sites. That may well be true, but it is no reason to take the choice away from users, something one would take for granted in a browser that is supposed to be all about privacy and putting the user first.

And More!

There are a few other minor things that still bug me. For instance, Brave paid for an ad shown whenever users searched for "Firefox" on the Play Store, with "Forget the Fox" in the app's title. Many users found it unprofessional (I agree, to some extent), but sure, it is not a big deal.


That said, Brave's VP went on Twitter and claimed the screenshot was photoshopped, even though multiple independent people confirmed it and posted their own screenshots. Did he not know about his own ad campaign? Was he lying? I'm deeply confused.


And just scrolling through his Twitter feed (again, this is Brave's VP) gives me negative confidence in his product. He is all in on everything crypto, from NFTs to FTX (while it existed), uses AI-generated images to promote them, retweets right-wing activists... none of this is necessarily bad per se, but it certainly does not inspire confidence in his product. You do you, though.


Similarly, Brendan Eich's feed also contains content I find worrying, ranging from, again, retweets of right-wing activists to odd Republican propaganda. He claims to be an independent rather than a Republican, but that does not make me any less worried about the ideas he follows.


But yes: if you are a big fan of AI and crypto, are fine with ads in the user interface out of the box, can live with past attempts to take money from websites and to collect donations for people who would not necessarily receive them, and can put up with the occasional privacy mistake, then by all means, use Brave!

Credits

This has been a long article to write. Neither this article nor the video would have been possible without the many excellent resources I referenced while writing it:

  • /u/xusflas's list of Brave fuckups, and several articles referenced by it. Thank you, this post is an absolute gold mine, and it must have taken hours and hours of research.
  • "Stop Using Brave Browser" on spacebar.news. Corbin's articles never disappoint and this one is no exception. While it does not cover all of Brave's screwups, it still makes an extremely compelling case for steering clear of this browser.
  • Any news article explicitly linked throughout this article.
