I thought we're about Privacy here

I just finally downloaded Brave. Within a few hours, I was into the Extensions, looking to simulate the nice add-ons setup I had in Firefox. But I am really surprised that the only source for these is Google’s Chrome extensions store. Wha?

I went through about 50 of them, and (under Privacy practices), EVERY one either did not mention anything about maintaining privacy OR they stated “The publisher has disclosed that it will not collect or use your data.” Great (I thought), until I read the little section stating “This publisher declares that your data is” (first point of three): “Not being sold to third parties, outside of the approved use cases.” But there’s a link to what that means, and it’s incredibly vague. Essentially, Google (or whoever) can do whatever they want with your data if they deem it is “If necessary to providing or improving your single purpose.”

I don’t know about anyone else, but in this world we’re now living in —yes, the one that has us moving to (supposedly) better, more secure browsers— we’re given Google as the trusted place to keep our data safe?

I’m going back to Firefox. If anybody can give me a good reason not to, I’m all ears. Thanks.

@marcos55 Well, extensions are something you’re installing after and they each have their own policies on what they can see or how they interact with a browser. It is up to the User whether they want to use these extensions and want to allow the extension to interact in such ways. Otherwise, you go without it. It’s also important to note that if you’re worried about privacy, using extensions makes your device easier to fingerprint and is generally not suggested.

In terms of getting extensions, the primary way is through the Chrome store until they do away with it after Manifest V3 is launched. And no, Brave doesn’t have any immediate plans for an extension store at this time.

You can avoid the Chrome extension store by manually installing extensions by downloading the CRX file and applying it to the browser yourself. Yet you’ll still have whatever data they need to interact with as part of the agreement and it will still make your browser a bit easier to fingerprint.

The purpose for using Brave?

  • Brave is faster

  • Brave blocks ads by default and will continue doing so, even after Manifest V3, which is something other browsers won’t be able to do.

  • Brave and Firefox both isolate cookies and prevent third parties from tracking. One big win for Brave though will be that it also is implementing a feature to do away with all cookie notices, especially since many of them were found to be fake and still try to put cookies on your device even if you declined.

  • There are a lot of included features on various versions, such as Playlist that either are already available or will be soon.

  • Though it may not matter to you, Brave also has Brave Wallet innate so you can use it to send/swap/receive crypto.

  • Rewards is there. Regional Support is being revamped, so there’s more restricted access for the time being in terms of removing it to your bank or outside of Brave, but it can be “free money” up to $5 or so a month depending on where you live.

I’m probably missing a few things, but food had just finished as I was typing this and I don’t want to let it get cold. I will end with one thing though, and that’s a link to a Q&A we recently had with Luke Mulks and Jimmy Secretan from Brave. You might find some of it interesting. Link is “Some of your questions answered. Recap of Community Call from 09/20/2022”

One thing I’ll point out in particular though is about extensions:

Question #25 Will Brave ever have its own extension store rather than relying on Google’s extension store?

Answer: The overhead involved in bringing out something like an extension store is blocking it for now. There are a lot of questions about whether that would be best or doing something more like a DApp experience/DApp store. But there are no immediate plans for an extension store at this time.

First of all, if you are into super-duper privacy, you should not have installed even one extension.
Tor browser themselves recommend not to install even a single extension (other than no-script). No idea why you are trying to go through 50 extensions.

Most powerful extensions are those that inject scriptlets, change webpage elements, hijack and modify URLs, which are ad-blockers. Brave already has a state of the art adblocker by default called Brave Shields. So, the harmful extensions from security/privacy point of view like adblockers are not needed on Brave in the first place.
(Note that adblockers like uBlock Origin are open source and not harmful at all)

Google has all the money in the world, meaning that they have enough resources to stop malicious extensions on their store (it is subjective if they do a good or bad job).

Also, it is recommended to use Open-Source extensions in the first place, so that the user knows what data is taken, where it goes, and what happens to it.

2 Likes

Thank you both for your comments. The reason for using extensions of course —seems like a duh to me— is to provide functionality that the browser itself doesn’t. I didn’t install 50 extensions, I just clicked on a lot of tabs to check them out. It wasn’t until I went through a whole lot of them that I realized there was a conflict between adding good (for me, necessary) features and negating some of the reason I switched to Brave in the first place.

As to Saoiray’s advice, I imagine that the “threat” is not in adding the extension from Google’s store (though I wouldn’t doubt it) but from actually using it. I bristle when I read that my data will be used for features that really don’t require anything “personal” from me. In this world, as it currently is, I just find myself more suspicious than I’d like to be. — I will follow up on reading the recap of Community Call from 09/20/2022.

Lastly, a question for whoever (and sorry for the possible excessive post): In the Developers Policies under “Limited Uses of User Data,” it states:

“Upon accessing personal and sensitive user data for a single purpose, your use of the user data obtained must comply with the below requirements. The requirements apply to both the raw data obtained and the data aggregated, anonymized, de-identified, or derived from the raw data. They also apply to scraped content or otherwise automatically gathered user data.”

Those conditions (well, the ones I’m concerned about) are:

  1. Limit your use of user data to providing or improving your single purpose
  2. Only transfer user data to third parties
    a. If necessary to providing or improving your single purpose.

I honestly don’t know what the heck this means, but how it sounds is that, under the auspices of “improving [my] single purpose,” my data can be taken and maybe used. If this is not true, I’d love someone to tell me, because it’s the basis of my concern.

Again, sorry for the long post. Maybe others have had the same thoughts/worries, and that this dialog (and potentially good answers) will be helpful to others.

Thanks again for your replies.
Mark

@marcos55 Have you ever gone through Firefox’s privacy listings?

Add-ons must limit data collection to what is necessary for functionality and use the data only for the purpose for which it was originally collected. Data includes all information the add-on collects, regardless of the manner.

The bit you quoted kind of sounds familiar to a point. At least to:

I think the second part, which is:

Maybe extensions like iBotta which would have to pass on info from your purchases to retailers so they can get you the rebates. Basically, extensions that have to interact with websites, extensions, or some other entity as part of their default usage.

Oh, and while on Privacy, I want to also help point out Brave’s. They actually just advertised some changes coming up you may want to read on. Not sure how “deep down the rabbit hole” you want to go or how much you know, but it can be intriguing to learn.

And prior to that, you had:

What’s neat is kind of checking out the information as well. Like Brave straight up shows you EXACTLY what information they collect at https://github.com/brave/brave-browser/wiki/P3A

And they do go pretty far in constantly researching and updating. If you ever have the time and want to go through research papers, they share them at https://brave.com/research/

We can make it very simple. If anyone is accessing or taking your data, then they wanna use it. Otherwise they would not bother taking it.
So, yes, you should be concerned about ANY software that collects data.

You also need to balance the pros and cons of using each piece of software. 100% privacy does not exist. It is all about a balance between what you provide and what you get.
Once a wise professor said “The most secure computer is a computer in a bunker, without network, without keyboard or mouse and without monitor. But then it is a useless computer”

Guys, I really appreciate your contributions here. FWIW, I actually trust Brave to not abuse the data on me that they collect. (That is not really a founded trust, but I feel it nonetheless.) From what I’ve read, that commitment to privacy seems sincere.

I do not necessarily feel that when it comes to extensions, particularly those on the Google/Chrome store. Regarding what Rodrige wrote, the essence of the issue is that I don’t actually know (or even have a way of knowing) “what I’m providing” for what I get. That would clarify and simplify things greatly. But, of course, for those entities interested in data use for more than just “single purpose” improvement, it’s not as if they’re just going to tell me what they’re up to! — This is really the essence of the problem… that I am (we are) operating in the dark. Yes, there is the “bunker” solution, but…

@marcos55 Yeah, which now you’re alluding to a question I sent in to the Privacy team but they haven’t responded to yet. It’s also something I wanted to discuss in our last Community Call which was privacy focused, but we didn’t have time for it. Not sure if @fmarier or anyone else might be able to answer. The way I phrased it was:

  • Does Brave have any protection from data that can be collected by extensions? (Basically, do we toss out privacy and extensions can track everything or how does the browser help prevent that?)

Yes, good. Thank you. At least, relatively new to this as I am, that I’m not alone in barking up this tree. — I’d be surprised, though, if the Brave team has the resources (or even ability) to monitor/affect what extensions do with our data.

Extensions are a really tricky topic. The root of the problem is that they are meant to enable users to do things that the browser does not allow sites to do and sometimes to change the behavior of the browser from what the browser vendor intended. Adblockers are a good example: they change what every website is allowed/not allowed to load for example, or change the page content outright. Normal websites can’t do this to other websites, of course.

So essentially what that means is that extensions are implicitly trusted to do what the user wants (the assumption here is that users know what they’re doing when they install an extension) and they can therefore be granted higher privileges. Sadly, many extensions are not worthy of that trust in practice.

There are several ways to deal with that problem:

  1. don’t allow any extensions in the browser (most secure, but denies users the ability to do anything that’s not officially blessed by the browser developer)
  2. only allow a small set of extensions trusted by the browser developers (presumably these are reviewed by the team)
  3. allow anyone to publish an extension but have mandatory manual reviews (what Firefox used to do, requires a lot of people to do this work, developers complain about slow updates)
  4. allow anyone to publish an extension and mostly rely on automatic reviews to find malicious ones to ban (what Google does)
  5. allow anyone to publish an extension and don’t check anything (“use at your own risks”)

Brave started at #1, and then changed to #2. It was very unsatisfying to users though and so we eventually settled on letting users install extensions from the Chrome store (so #4). Firefox is the same except that it’s their own store, and I’m not sure whether or not they do automated security reviews like Google.

Personally, I like #3 the best, but it would require a lot of resources to manually review extensions and probably would mean that we would have a lot fewer extensions available. Since that’s not really an option right now, I would say that the best approach for users would be to install as few extensions as they can. That’s why Brave has so much built-in (e.g. adblocker, tracking protection, HTTPS everywhere). We want to reduce the need for extensions and provide as good a default experience as possible.

If you do install extensions, looking for Open Source ones, as others have pointed out, is often a good way to avoid the worst offenders.

1 Like
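An added example, not part of any post in this thread and not Brave's or Google's code: the elevated privileges discussed above are declared in each extension's `manifest.json`, so a user can audit what an extension is able to touch before installing it. The risk notes, levels and sample manifest below are constructed for illustration; declared permissions show what an extension can access, not what it does with the data.

```javascript
// Added example: flag broad privileges declared in an extension's manifest.json.
// Risk notes and levels are this example's own judgement, not an official rating.
const RISKY_API = new Map([
  ["tabs", "can read the URL and title of every open tab"],
  ["history", "can read browsing history"],
  ["cookies", "can read and change cookies on hosts it has access to"],
  ["webRequest", "can observe network requests on hosts it has access to"],
  ["scripting", "can inject scripts into pages it has access to"],
  ["debugger", "can attach the debugger protocol to tabs"],
  ["nativeMessaging", "can talk to a program installed outside the browser"],
  ["clipboardRead", "can read the clipboard"],
]);

const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");
// Match patterns that cover every site rather than a named host.
const isBroadHost = (p) => p === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(p);

function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 mixes host patterns into "permissions"; V3 moves them to "host_permissions".
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const optional = [...(manifest.optional_permissions || []),
                    ...(manifest.optional_host_permissions || [])];
  const injected = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  for (const p of declared) {
    if (isHostPattern(p)) {
      if (isBroadHost(p)) findings.push({ level: "high", item: p, why: "access to every site" });
    } else if (RISKY_API.has(p)) {
      findings.push({ level: "medium", item: p, why: RISKY_API.get(p) });
    }
  }
  for (const m of injected) {
    if (isBroadHost(m)) findings.push({ level: "high", item: `content_scripts:${m}`, why: "script runs in every page" });
  }
  for (const p of optional) {
    if (isBroadHost(p) || RISKY_API.has(p)) findings.push({ level: "info", item: p, why: "may be requested later at runtime" });
  }
  return findings;
}

// Constructed sample manifest (not a real extension).
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Constructed Coupon Helper",
  permissions: ["storage", "tabs", "cookies"],
  host_permissions: ["https://*/*", "https://shop.example/*"],
  optional_permissions: ["history"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};
for (const r of auditManifest(SAMPLE_MANIFEST)) console.log(`${r.level}\t${r.item}\t${r.why}`);
```
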

That is great feedback; thank you. I don’t remember seeing that many open source extensions in the Chrome store, but it might be that I have to look more carefully for that. The best would be if there’s a cache or site for open source add-ons to search through (ideally listing how many users have them installed).

I don’t necessarily need a lot of them, but I do have my favorites (from Firefox) that I’m definitely missing here. The Chrome store has a lot, but I don’t know about open sources…

Also (fmarier), since it appears you’re part of the Brave team, one idea you might consider is to spend a day looking through the most popular and highly rated Chrome-source extensions… and then pick your favorites —mine are generally functionality-oriented— and try to incorporate them directly into the browser.

If you guys wanted to do that, I might be inspired to help in the selection/search…

Thank you, Francois. I replied to you on the community page before seeing this.
I’m assuming that there are different kinds of extensions… ones that Brave can
and cannot run with. How would I search these out… the open source ones?

Also note that I left online a suggestion for the team to consider.

Best,
Mark

That’s a good idea and something that we do from time to time when it makes sense and fits with our privacy guarantees. For example, we recently added a feature to the iOS browser to redirect people to old.reddit.com instead of www.reddit.com since there’s a popular extension that does that (given how many people dislike the new Reddit interface).

That’s sometimes pretty tricky to do because they are not labeled in this way like on the Firefox Add-ons directory:
Screenshot from 2022-10-13 19-07-50

What I look for on the Chrome Web store are links to GitHub and/or explicit mentions of the license in the extension description, like for example on the uBlock Origin page:
Screenshot from 2022-10-13 19-10-06

1 Like

Thank you, fmarier. This will take some work, but at least it’s doable. I will start going through both the GitHub pages AND the Chrome listings with this in mind. — Thank you (and all) for your help. I am sure this dialogue will be of benefit to others as well.
