Privacy Protection & Security Features | Brave Browser (2024)

A long list of Brave’s behind-the-scenes protections and commitments.

Privacy by default

By default, Brave has the strongest privacy protections of any popular web browser. And it comes in three different layers.


Brave Shields

The first layer—Brave Shields—blocks trackers, cross-site cookie tracking, fingerprinting, and more. And you can see some of what got blocked. Just click the Brave Shields icon in the address bar of any page you visit.

Advanced protections

The second layer, our advanced privacy protections, includes many features and Chromium customizations built right into the browser. These include reduced network server calls, partitioning, blocked bounce tracking, and more.


Brave’s advanced protections. Built right into the browser.

  • Brave is built on the open-source Chromium project, the same engine that powers Google Chrome, Microsoft Edge, and Vivaldi (among others). While Chromium provides the foundation for a very secure browser, it’s unfortunately not good for user privacy—at least, not the version in Chrome and Edge. Brave, on the other hand, makes numerous changes (and subtractions) with every Chromium release, including:

    • Proxying communication with Google services through Brave servers.
    • Reimplementing sync to be encrypted client-side and never touch Google’s servers.
    • Removal of privacy-harming features like Google’s Reporting, Topics, and Network Status APIs, as well as removal of FLoC and Fledge.
  • With Brave, you can sync browser profiles between your desktop and mobile devices. This means you can see the same browsing history, bookmarks, and other data, regardless of which device you’re browsing on. Unlike other browsers or tech tools, Brave encrypts this data at the client (device) level. With encryption between each client in the sync chain, your data is hidden from Brave, and much more secure.

  • Accelerated Mobile Pages (AMP) is a non-standard publishing format, designed and enforced by Google. In theory, AMP allows your browser to access a mobile-optimized version of a webpage for faster page load. But in practice, AMP just strengthens Google’s monopoly: it gives Google an even broader view of which pages people view on the Web, and how people interact with them.

    Brave works to circumvent AMP (or “de-AMP”) pages, and load the real (or “canonical”) version of the page instead.

  • When you first start your browser, it checks with its update server for updates or other new information. Brave goes to great lengths to limit how often our browser communicates with Brave servers, and independent research backs this up: Brave was found to have the least network communication with its backend servers of any popular web browser.

  • Many trackers use query parameters to try and circumvent browser privacy protections. By default, Brave removes known tracking-related query parameters from URLs while you browse. While other browsers include no or limited protections against this kind of tracking, Brave protects against an ever-growing list.

    • Brave improves upon the limited network-state partitioning that’s already in Chromium. Brave’s DOM state partitioning will partition each site you visit (knowingly or unknowingly), to prevent cross-site tracking.
    • Brave also expands that partitioning to other storage mechanisms in the browser, a protection known as network-state partitioning.
    • Likewise, Brave protects against some sophisticated forms of pooled-resource attacks.
    • Referrer policy is the system that browsers and websites use to inform a destination site (the site you’re going to) about the source website (the site you’re coming from). This poses a clear privacy harm to users. It tells sites you might not trust about your browsing behavior, and what site led you to the site you’re viewing now.
    • Brave reduces the amount of information present in the referrer header, and in some cases removes the header altogether.
  • Some sites and web apps (like Zoom, Google Meet, or Brave Talk) request access to device hardware like a microphone or webcam. In other Chromium browsers, the access-request options are limited: you allow access always, or never. But Brave has more fine-grained access permissions like “until I close this site” or “for 24 hours.”

  • Many sites will let you use Google or Facebook to log in, allow embedded posts from Facebook or LinkedIn, or allow embedded tweets from Twitter. If you’d prefer to not see those options, Brave will try to block them. Just visit brave://settings/socialBlocking in the Brave Browser to customize this option.

    • As more browsers offer default protection against tracking, the ad tech industry has developed a clever way to get around this protection: bounce tracking. Bounce tracking involves hiding a tracker directly in the link you click, making it harder to block without breaking websites. These tracking links might look like “www.sitename.com/article?123abc” where everything after the “?” is a tracker.
    • Brave blocks multiple variants of this scheme, and has the most robust protection against bounce tracking of any popular browser. It removes tracking parameters from URLs, blocks bounce tracking via filter lists, and pioneered both debouncing and unlinkable bouncing protections.
    • With debouncing, Brave adds an extra layer of protection against bounce tracking by recognizing when you’re about to visit a known tracking domain, skipping that visit altogether, and instead directly navigating you to the intended destination.
    • With unlinkable bouncing, Brave can notice when you’re about to visit a privacy harming (or otherwise suspect) website, and instead route that visit through a new, temporary browser storage.
  • Brave caps the life of JavaScript-set cookies to 7 days. This often means they’re deleted after 7 days as well, unless you’ve otherwise changed this at brave://settings/cookies. Brave also gives you multiple options to clear cookies at any time.

  • Tor allows you to browse the web while proxying your IP address through multiple, intermediate addresses. This masks your IP address, keeping you effectively anonymous online. Brave has a built-in integration with Tor for even better privacy. (Note that private windows with Tor can lead to slow-downs in browsing speed.) Learn more about Private Windows with Tor.
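
The tracking-parameter removal and debouncing described in the list above can be sketched as follows. This is an added example, not Brave's code: the parameter list, the debounce rules, the function names and the .example hosts are constructed for illustration and are not Brave's actual lists.

```javascript
// Added illustration, not Brave's implementation. Both lists are constructed samples.
const TRACKING_PARAMS = new Set(["fbclid", "gclid", "msclkid"]);
// Hypothetical debounce rules: bounce host -> query parameter holding the destination.
const DEBOUNCE_RULES = new Map([
  ["tracker.example", "url"],
  ["bounce.example", "dest"],
]);

// Remove known tracking parameters; every other parameter is left in place.
function stripTrackingParams(urlString) {
  const url = new URL(urlString);
  for (const name of [...url.searchParams.keys()]) {
    if (TRACKING_PARAMS.has(name)) url.searchParams.delete(name);
  }
  return url.toString();
}

// Only http(s) destinations are accepted as debounce targets.
function isHttpUrl(value) {
  try {
    const { protocol } = new URL(value);
    return protocol === "http:" || protocol === "https:";
  } catch {
    return false; // missing or unparseable destination
  }
}

// Resolve the embedded destination without ever contacting the bounce host.
// maxHops bounds chains (and loops) of bouncers that point at each other.
function debounce(urlString, maxHops = 5) {
  let current = urlString;
  for (let hop = 0; hop < maxHops; hop++) {
    const url = new URL(current);
    const param = DEBOUNCE_RULES.get(url.hostname);
    if (!param) break;
    const target = url.searchParams.get(param);
    if (!isHttpUrl(target)) break; // fall back to the original navigation
    current = target;
  }
  return current;
}

// Debounce first, then clean the final destination.
function cleanNavigation(urlString) {
  return stripTrackingParams(debounce(urlString));
}
```

Stripping runs after debouncing because the tracking parameters of interest sit on the final destination URL, which is only known once the bounce chain has been resolved.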

Brave’s policy, compliance, and research commitments.

    • While we’d love it if every user could share product feedback, most simply don’t have the time. Still, we need some indicator of whether people are using (and liking) Brave. So, rather than outsource analytics about usage to some third party (and thus expose user data), we introduced our own methodology: Privacy-Preserving Product Analytics (P3A).
    • P3A tells us basic things like how often the browser or its features are being used, but nothing about who’s using them. P3A also prevents Brave from linking large groups of measurements together—with P3A, Brave further protects your privacy by rendering itself incapable of building profiles of pseudonymous responses. This methodology is open-source, and can be easily opted out of.
    • The European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two of the strongest pieces of legislation to protect user data online. Brave strives to comply with these regulations, and go a step further: to safeguard your data by not collecting it in the first place.
    • We also join open letters to regulatory bodies to strengthen data protections, and call out Big Tech when they try to skirt the law. See an example letter Brave wrote to the California state legislature, and another post detailing work we did to uncover a Google scheme to circumvent GDPR.
    • Learn more about Global Privacy Control (GPC).
  • Brave applies filter lists from the EasyList and EasyPrivacy projects, the uBlock Origin project, and lists Brave has generated directly. We also fund and support the maintenance of tracking-protection lists, to help support the privacy community. By pulling from many different tracking protection lists, Brave blocks more unwanted tracker resources than any other browser.

  • Brave has partnered with—and supported—multiple academic institutions on research into web privacy standards and improvements, producing multiple research papers that have moved the browser industry toward privacy-by-default, and resulted in tangible code improvements in Brave.

    See some of Brave’s academic research contributions.

Ready to Brave the new internet?

Brave is built by a team of privacy-focused, performance-oriented pioneers of the web. Help us fix browsing together.


Author: Horacio Brakus JD