A team of computer scientists at the University of California San Diego and Brave Software have developed a tool that will increase protections for users’ private data while they browse the web.
The tool, named SugarCoat, targets scripts that harm users’ privacy—for example, by tracking their browsing history around the Web—yet are essential for the websites that embed them to function. SugarCoat replaces these scripts with scripts that have the same properties, minus the privacy-harming features. SugarCoat is designed to be integrated into existing privacy-focused browsers like Brave, Firefox, and Tor, and browser extensions like uBlock Origin. SugarCoat is open source and is currently being integrated into the Brave browser.
“SugarCoat is a practical system designed to address the lose-lose dilemma that privacy-focused tools face today: Block privacy-harming scripts, but break websites that rely on them; or keep sites working, but give up on privacy,” said Deian Stefan, an assistant professor in the UC San Diego Department of Computer Science and Engineering. “SugarCoat eliminates this trade-off by allowing the scripts to run, thus preserving compatibility, while preventing the scripts from accessing user-private data.”
I emailed the author of that article and was told SugarCoat was enabled in the latest version of Brave. If so, how do you see it or know it’s working?
Thanks for your interest @pogue. Both @Mattches and the author of that article are correct. We initially rolled out SugarCoat resources to all users over summer. However, we hit some memory limits on Android and hardware-constrained devices, so they had to be pulled back out.
Since then, we’ve done a significant amount of optimization and retooling around how we deploy resource-replacements (both from SugarCoat, and elsewhere) to save memory in a lot of places (including with the SugarCoat resources). So, we’re now re-deploying them in Desktop and Android browsers before the end of the year.
Hope that clarifies things and thanks for your interest!
So, will this be something you can turn on or off or is it baked into the browser by default? Will it make extensions like Ghostery, Disconnect, and uBlock obsolete?
Thanks for the reply. I did read the paper, I just wasn’t sure how it effected the other extensions & will we use and a view other “GUI” questions I had about how it will work with user’s being able to configure it and what not.
As far as I have understood it, it firewalls privacy harming scripts. Then replces them with similar scripts without privacy harming tech.
If we use normal ad-blockers or tracker-blockers like brave shields (easylist) and u-block origin (u-block filters) in aggressive mode, it may break a website. So to prevent websites from breaking, it “sugarcoats” some scripts and replaces them.
Will there be a notification in Brave, or additional settings added, upon Sugarcoat’s rollout? Anything that indicates it is now present in the browser?
We’ve rolled out a small number of SugarCoat resources already to all clients: https://github.com/brave/adblock-resources/tree/master/resources, with several more planned once some performance improvements are in-place followed by testing: https://github.com/brave/brave-core/pull/10994.
We’re trying to be very careful with the rollout, because our clients are very diverse in their memory, CPU etc capabilities and this is the first time we (or anyone else) is shipping this number of resources in the browser.
1.) Should users have the right to opt-out of these sugarcoat features??
2.) Can these data be included in new version release notes, what percentage from overall malicious scripts new sandboxed scripts are changed?? (I might be wrong on 2 due to limited knowledge about sugarcoat feature)