Brave browser: less privacy-respectful than I was expecting

In my ongoing attempt to use Microsoft Teams on Debian 11, I thought I'd give Brave a go, as a replacement for Chrome.

Teams works in Chrome on Linux; I've not yet got to test it in Brave.

Frankly, I'll probably forgive everything below if Teams works, as I'd still prefer Brave over Chrome.

Analytics are on by default?

Brave's "privacy-preserving product analytics" setting (described below)

Brave was, I thought, all about privacy. So I was a bit surprised to find that it has an analytics feature on by default. (And I only spotted this because I was looking through the settings pane.)

It says:

Allow privacy-preserving product analytics (P3A). This completely anonymised info helps Brave estimate the overall usage of certain features and make them better for you.

There is no link to learn more, such as an explanation of what it is sending, or how it gathers it.

If this is indeed collecting and sharing information from my computer, I'm sceptical that it complies with the Privacy and Electronic Communications Regulations 2003, since it is not "strictly necessary" for, well, anything, and I have not given my consent to it.

I get that companies want analytics information, but, given Brave's positioning, I'm very surprised that this was not an "active choice" setting, offered to me when I first ran the browser.

Update about 10 minutes after posting:

That was fast! Sampson, who works for Brave, tweeted:

P3A is a privacy-preserving means of enabling Brave Software to understand how Brave is being used for purposes of fixing problems, delivering features, and more. Details at http://brave.com/p3a.

Good point about needing a link in the description of the Settings page. Thanks!

The overall functionality is described here and the specific list of information it collects is here.

Screenshot from https://github.com/brave/brave-browser/wiki/P3A, showing information collected on tabs on number of bookmarks open

Looking down that list - things like a generalised number (e.g. "21-100", rather than "24") of bookmarks a user has stored, number of open tabs, how many extensions are installed - I'm pretty confident it is transmitting information stored on my computer to Brave, thus triggering Regulation 6 PECR. This means Brave must show that getting this is "strictly necessary" (I doubt it is), or else get my consent (which it did not). Tsk.

Inconsistent settings

I found the UI/UX confusing in places.

Here, for example, it requires a user to toggle on a control so that Brave shows suggested sites, but to toggle on a control to not show the Brave Rewards button:

Brave's settings for toggling aspects of the interface, described in this section

Wouldn't it be clearer if the toggle always meant the same? (i.e. that "on" meant "show" and "off" meant "hide").

There's also no information: what is a "Brave suggested site"? What is the basis for Brave's suggestions?

Brave runs unspecified things in the background

Hidden away under "Additional Settings", there is an option, toggled on by default:

Continue running background apps when Brave is closed

What are these "background apps"? Why are they running in the background? There's no information, nor a link to find out more.

Surely the default expectation is that, if I've closed an application, it is not running in the background?

Update

Sampson also commented on this:

With regards to Background Apps, these are things like long-living extensions that you might have installed. This is an inherited feature from Chromium, but definitely could benefit from some type of explainer.

Brave Rewards

Apparently these are what you get for "viewing privacy-respecting ads".

I'd rather not sell my attention, or view any ads, and I've no intention of using them, but I thought I'd read the "Terms of Service" anyway.

Mandatory arbitration

My eye was first drawn to:

including the mandatory arbitration provision and class action waiver

It's good that my eye was drawn to it - the bold type achieved its purpose - but I'm not a fan of forced arbitration, so that was the first red flag for me.

(When - if - you get down to clause 16, it says that "it contains additional provisions applicable only to individuals located, resident, or domiciled in the United States", so perhaps that big warning at the top does not apply to me anyway.)

Poor definitions

Second, I noted that they've picked an odd approach to defining who they are:

Brave Software International SEZC, a Cayman Islands company (“Company” or “we”)

Pick one or the other, else it gets confusing.

Worse definitions

But not as confusing as the bit which says:

If you are accessing or using our Services on behalf of another person or entity: references to “you” in these Terms collectively refer to you and that person or entity, and you represent that you are authorized to accept these Terms on that person or entity’s behalf and that the person or entity agrees to be responsible to us if you or the other person or entity violates these Terms.

This is rather circular.

If references to "you" mean "you and someone else", who is the "you" in the "you represent that you are authorized to accept these Terms on that person or entity’s behalf"? Is that you as in me, or you as in me and someone else?

Same with the "you" in "if you or the other person or entity violates these Terms". If "you" means "you and someone else", but then you immediately use it in a way which means "but not someone else", you create a mess.

Surely there's a clearer way of handling that.

What is the outcome of that clause anyway? Is the other person contractually bound? I doubt it. But since I "represent ... that the person or entity agrees to be responsible to us", perhaps Company can sue me for breach of representation.

Basically, this bit is a mess.

How old do you have to be?

In order to access and use our Services, you must ... be at least 18 years old and have the capacity to enter into a legally binding agreement

So 18 or older.

But it goes on to say:

If you are the parent or legal guardian of individual(s) between 16 and the legal age of majority in the jurisdiction where you reside, you may allow those individual(s) to use the Services

The two sentences are inconsistent; the second needs to be a caveat to the first, since one cannot be both between 16 and 18 and "at least 18 years old".

The terms conflate / misuse "must" and "will"

The terms sometimes use "must" and "will" interchangeably, and then sometimes they do not.

For example, they say:

"In order to access and use our Services, you must ... comply with all the terms and conditions set forth in these Terms"

I presume they are using "must" here in the sense of an obligation: that I have a duty to comply with the terms, breach of which means Company has rights to do something.

But they also say:

you will not ... violate any applicable law, contract, intellectual property or other third-party right or commit a tort

And

To the fullest extent permitted by applicable law, you will indemnify...

Presumably those too are obligations, breach of which is sanctionable. (Why not just "you indemnify" anyway...?)

But it says:

In order to earn [BAT through private ads] ... you must claim your BAT once a month

Here, "must" is not an obligation: there is no sanction for non-compliance. It's not a breach of the agreement. Not doing this means you have not followed the process, and so renders you ineligible for earning or collecting (that too is unclear) BAT.

I gave up at this point. Even my academic and professional interest in other people's terms only stretches so far, for a feature I've no plans on using.


Author: neil

I'm Neil. By day, I run a law firm, decoded.legal, giving advice on Internet, telecoms, and tech law. This is my personal blog, so will be mostly about tech stuff, cycling, and other hobbies.