Brave pushes the boundaries of privacy by design


It’s one thing to rely upon a swathe of browser extensions or add-ons to help protect your privacy, block ads and add functionality to your browser of choice, all the while wishing the plain vanilla version did more. It’s quite another to jump ship from the big three of Chrome, Edge (which uses Chromium under the hood, of course) or Safari to a browser that remains niche but provides much of that extension functionality out of the box.

Historically, or maybe histrionically would be more appropriate among some fans, the alternative choices have been Firefox, Opera and any number of very niche products. However, for many that choice has become easier, with one of the once-niche options starting to build quite the following. I’m talking about the Brave browser, which doubled its monthly active user count across 2021 to a none-too-shabby 50.2 million. And for very good reason, with the emphasis on the “very good” bit, for it really is.

Let’s be clear though, it’s still a tiny fish in a very big pond. Firefox, for example, has four times as many active monthly users (216 million), Edge boasts 600 million and Chrome, as far as I can make out, has a stonking 2.5 billion. I’ve not been using one of them for some time now, having found Edge to not only be quicker but easier to use without throwing as much of my private data into the Google realm. Then again, I’m not overly keen on Microsoft having my data either, which is why I eventually thought I’d give Brave another try.

Brave: The people's browser

I first used Brave back in 2017 when it was a relative newcomer and “only” commanded around one million active users. Back then I found it – how can I put this politely – a little clunky. That’s no longer the case: I’m using Brave as my daily driver these days. Yes, under the skin it’s still the Chromium engine that powers both Chrome and Edge, but it’s the nature of the skin wrapped around Chromium that makes the difference. And it’s a big difference when you’re talking in terms of privacy.

From built-in fingerprinting rejection (through ad, tracking and script blockers) to the use of Tor for private sessions, Brave pushes the boundaries of how user privacy can be baked in rather than having to be added by the user. But that’s not the only reason I’m all-in on Brave. Privacy feature development is seemingly continuous, as it needs to be if Brave is to keep pace with the dynamic and evolving world of those who would know every last thing about you and your online habits.

Take, for example, bounce tracking. As I write, I’m using Brave v1.36, but by the time you read this v1.37 may well have arrived along with a new unlinkable bouncing feature. What the actual wotsit is that, I hear you ask? Simply put, bounce tracking is a sneaky way to implement third-party tracking cookies when they have been explicitly blocked by the user. So, when you arrive at a site where such cookies are already blocked, instead of just admitting defeat to the privacy rights of the user, a redirect is made to a different domain where the cookie is set before redirecting back to the original destination. It effectively bounces the tracking function so that it uses a first-party cookie instead, by carrying out what is basically a “tracker-in-the-middle” operation.

Other browsers do their best to defend against this, but it’s not easy to get right every time. Unlinkable bouncing fights back by routing visits to potentially infringing sites (using a list of known or suspected domains) through temporary browser storage, which gives the impression of a first-time, and unique, visit. This prevents the tracker from re-identifying you on subsequent visits, effectively anonymising the digital fingerprint. The temporary storage is just that and gets deleted once the user navigates away from the privacy-infringing site in question.

This is in addition to existing Brave functions such as tracking query parameter-stripping from URLs and debouncing known sites by jumping straight to the intended destination where known tracking domains are being inserted. It’s all rather simple, ingenious and yet another reason to admire Brave.
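To make the debouncing and query parameter-stripping described above concrete, here is an added JavaScript sketch; it is not Brave's code. The bounce domains, the `dest`/`u` parameter names and the short tracking-parameter list are constructed for illustration and are not Brave's real rule sets.

```javascript
// Added illustration; the lists below are constructed, not Brave's real rule sets.
const TRACKING_PARAMS = new Set(["fbclid", "gclid", "msclkid"]);
// Hypothetical bounce domains mapped to the query parameter that carries
// the real destination URL.
const BOUNCE_RULES = new Map([
  ["bounce.tracker.example", "dest"],
  ["r.adnet.example", "u"],
]);
const MAX_HOPS = 5; // stop on nested or looping bounce URLs

// Return a copy of the URL with known tracking parameters removed.
function stripTrackingParams(url) {
  const out = new URL(url.href);
  for (const name of [...out.searchParams.keys()]) {
    if (TRACKING_PARAMS.has(name.toLowerCase())) out.searchParams.delete(name);
  }
  return out;
}

// If the URL points at a listed bounce domain, jump straight to the
// destination it carries, so the intermediate domain is never visited.
function debounce(url) {
  let current = url;
  for (let hop = 0; hop < MAX_HOPS; hop++) {
    const param = BOUNCE_RULES.get(current.hostname);
    if (!param) break;
    const target = current.searchParams.get(param);
    if (!target) break; // no destination to extract: navigate normally
    let next;
    try { next = new URL(target); } catch { break; }
    // Only follow web destinations; anything else is left alone.
    if (next.protocol !== "https:" && next.protocol !== "http:") break;
    current = next;
  }
  return current;
}

// Debounce first, then strip tracking parameters from the final URL.
function cleanNavigation(rawUrl) {
  const url = new URL(rawUrl);
  const direct = debounce(url);
  return {
    url: stripTrackingParams(direct).href,
    skippedBounce: direct.hostname !== url.hostname,
  };
}
```

A bounce URL with no extractable destination falls through unchanged, which is the case the article says unlinkable bouncing and its temporary storage are meant to handle.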

We should all strive for privacy by design

That Brave uses the Chromium codebase is great for the kind of ease of use that the average user demands, especially when it comes to the choice of browser extensions. However, I must flag the fact that the more browser extensions you install, the greater the chance that you are inviting data collection and user/system fingerprinting in. That applies even when using a privacy-focussed browser such as Brave. Which means you should ensure you do a little due diligence before adding anything.

What does “a little due diligence” mean? Simple: check the privacy policy, the permissions that are required, the data that the extension sucks up and what it is used for. Spending ten minutes checking those things, and reading user reviews, is time well spent in my book. Brave is better than most, despite my warnings, because it comes with ad and tracking blocking, HTTPS everywhere and the like built in, so there’s no need to go completely mad adding loads of third-party stuff anyway. Mea culpa, I have Ghostery Plus, EFF Privacy Badger and uBlock Origin installed.

I’m not a “crypto bro” and have no use for the ability to earn BATs, basic attention tokens, in return for allowing certain adverts to be shown. Nor do I need the built-in crypto wallet, thanks very much. If you do enable this functionality then a percentage of the BATs you “earn” for having adverts displayed goes to the advertisers you interact with. None of which is problematic, given what we understand about the murky world of AdTech, as enough users enable this to allow the Brave owners and advertisers to make money. More importantly, it doesn’t impact upon a distraction-free experience for those who came for exactly that.

There’s a really good, although now four years old, technical explanation from the developers on Reddit on how Brave does away with external ad servers and instead, if you opt in, has Brave ads “matched and delivered by the browser, client-side”. An opt-in, client-side advertising model is preferable to the alternatives if you don’t want to just block everything, I guess.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.