Microsoft Edge received the lowest privacy rating in a recent study comparing user information collected from major browsers. Yandex, the less popular browser of Russian web search provider Yandex, shared this dubious distinction. Brave, the start browser that makes data protection a priority, has the highest rank.
The ranking was published in a research report by computer scientist Doug Leith from Trinity College Dublin. He analyzed and rated the privacy of Google Chrome, Mozilla Firefox, Apple Safari, Brave, Edge and Yandex. In particular, the study examined how browsers send data – including unique identifiers and details about entered URLs – that users can use to track them over time. The results categorized the browsers into three categories, with Brave ranked highest, Chrome, Firefox and Safari ranked middle, and Edge and Yandex lagged behind the others.
Leith wrote in the newspaper:
From a data protection perspective, Microsoft Edge and Yandex differ qualitatively from the other browsers examined. Both send persistent identifiers that can be used to link requests (and the associated IP address / location) to back-end servers. Edge also sends the device's hardware UUID to Microsoft, and Yandex similarly transmits a hashed hardware ID to back-end servers. As far as we can tell, this behavior cannot be deactivated by users. In addition to the auto-complete search feature, which shares details about web pages visited, both transmit web page information to servers that do not appear to be related to the auto-complete search.
Strong, permanent identifiers
The study found that both Edge and Yandex send identifiers that are tied to the device hardware. These unique strings, which can also be used to link different apps that run on the same device, remain unchanged even after new browser installations. Edge sends a device's universally unique identifier to a Microsoft server at self.events.data.microsoft.com. This identifier cannot simply be changed or deleted. In addition, the Edge feature, which automatically completes website requirements and sends details of typed websites to a back-end server, cannot be deactivated. The researcher said he didn't know how users could disable data collection.
Yandex meanwhile collected a cryptographic hash of the hardware MAC address and details of the websites visited via the autocomplete function, although the latter could be deactivated. Because Edge and Yandex collect identifiers that are associated with the hardware on which the browsers are running, the data is retained when the browser is reinstalled and can also be used to link different apps that are running on the same device. These identifiers can then be used to track IP addresses over time.
“Transferring device identifiers to back-end servers is obviously the most worrying because it is a strong, permanent identifier of a user device that can be regenerated at will, even from other apps (thereby linking data between apps of the same) Manufacturer is enabled) and cannot simply be changed or reset by users, ”warned the paper.
A Microsoft representative provided an answer on the condition that it is not named and the answer is not quoted. There was no reason for this requirement. She said Edge is asking for permission to collect diagnostic data that will be used to improve products. She said that this collection can be turned off. The data may include information about websites visited, but is not stored in users' Microsoft accounts.
When users are signed in to Edge, they can sync their browsing history to make it available on other devices. Users can view and delete this history on the privacy dashboard at privacy.microsoft.com. Microsoft's Defender SmartScreen – a Windows 10 feature that protects against phishing and malware websites and downloading potentially harmful files – checks URLs that users want to visit. This standard functionality can be deactivated via the settings for Edge data protection and services.
With the unique identifier, Edge users can delete associated diagnostic data stored on Microsoft servers with a single click.
At the other end of the data protection spectrum was Brave. The study found that Brave's default settings offer the greatest data protection because no collection of identifiers allows IP addresses to be tracked over a long period of time, and the details of websites visited with back-end servers are not shared.
Chrome, Firefox and Safari fell into a medium category. The autocomplete feature in all three browsers transmitted details of the websites they visited in real time as the URLs were entered. However, these default settings can be deactivated. Other potentially harmful behaviors were:
- Chrome: sends a permanent identifier along with website addresses so that the two can be linked
- Fire fox: Contains identifiers in telemetry transmissions that can link these things over time (telemetry is enabled by default, but can be disabled). Firefox also opens a permanent web socket for push notifications. The web socket, according to the researcher, is linked to a unique identifier and may possibly be used for tracking, which is not easy to deactivate.
- Safari: The default value is a start page on which information can be passed on to "several third parties" who can load pages with identifiers in advance into the browser cache. In addition, associated iCloud processes have made connections that contain identifiers.
Representatives from Google, Mozilla and Apple did not immediately respond to the results. This post will be updated if the answers come later.
Chrome, Firefox, and Mozilla users can improve privacy protection by disabling the website's auto-complete feature, which I have never found so useful anyway. My inspection of Edge appeared to confirm the researcher's claim that there is no way to disable autocomplete in Edge. However, Microsoft's answer above provides ways to curb some of the other data transfers. While the browser has advanced security measures that are resistant to exploits, users who prioritize data protection should consider disabling the default behavior or using a different browser.