Microsoft Edge is one of the least private web browsers — even more so than other popular browsers like Google Chrome and Mozilla Firefox — according to academic researchers.
According to the analysis, from Douglas Leith with the School of Computer Science and Statistics at Trinity College in Ireland, Edge sends privacy-invasive telemetry to Microsoft’s back-end servers — including “persistent” device identifiers and URLs typed into browsing pages.
Leith measured the connections made by six browsers to back-end services during web browsing sessions. From these measurements, he deduced Brave Browser to be the most private, with Google Chrome, Mozilla Firefox and Apple Safari coming in as part of a less-secure second group. In the third, least private group was Microsoft Edge and Russian web browser Yandex Browser. Internet Explorer wasn’t included in the research since it is largely confined to legacy devices.
“The results of this study have prompted discussions, which are ongoing, of browser changes including allowing users to opt-out of search auto-complete on first startup plus a number of browser specific changes,” said Leith, in research released last week. “From a privacy perspective Microsoft Edge and Yandex are qualitatively different from the other browsers studied. Both send persistent identifiers than can be used to link requests (and associated IP address/location) to back-end servers.”
Previous web browsing privacy research has measured web tracking and advertising ecosystems, or methods for detecting and blocking trackers — but Leith said that these observations have assumed the browser itself is a trustworthy program. Browsers contact back-end infrastructure to check for updates, facilitate running of field trials (or testing features before full rollout) or providing telemetry, which is the collection of data from the device. And, while the transmission of user data and telemetry data to back-end servers is intrinsically not considered a privacy problem, issues arise when data can be tied to a specific user, said Leith.
“When the same identifier is used across multiple transmissions it allows these transmissions to be tied together across time,” he explained. “While linking data to a browser instance does not explicitly reveal the user’s real-world identity, many studies have shown that location data linked over time can be used to de-anonymize [users].”
With this in mind, Leith’s research paper, “Web Browser Privacy: What Do Browsers Say When They Phone Home?” looked at whether data allows servers to track the IP address of a browser instance over time and whether the browser leaks details of web pages visited. Based on these factors, Leith found Microsoft Edge and Yandex to be the least private browsers tested.
Edge sends hashed identifiers that are linked to device hardware, called the hardware UUIDs (universally unique identifiers) to Microsoft, which are “strong and enduring identifier[s] than cannot be easily changed or deleted.” Worse, this behavior can’t be disabled by users.
In addition, Edge features a search autocomplete functionality that shares details of web pages visited (although this can be disabled by users). Part of this functionality transmits web page information to servers that appear unrelated to search autocomplete, Leith said.
Leith also found that when used with its default settings, Brave is “by far the most private of the browsers studied.” Brave did not use any identifiers allowing the tracking of IP addresses over time, and performs no sharing of the details of web pages visited with back-end servers, he said.
Chrome, Firefox and Safari were found to be in-between Brave and Microsoft Edge/Yandex in terms of privacy. These three browsers all tag requests with identifiers that are linked to the browser instance. While Microsoft Edge’s identifiers cannot be deleted, these browsers use tag requests, which only persist across browser restarts – but are reset with a fresh browser install. All three browsers also share details of web pages visited with back-end servers via the autocomplete functions, sending web addresses to the servers in real time, while they are being typed out.
“Chrome tags these web addresses with a persistent identifier that allows them to be linked together,” according to the analysis. “Safari uses an emphemeral identifier, while Firefox sends no identifiers alongside the web addresses. The search autocomplete functionality can be disabled by users, but in all three browsers is silently enabled by default.”
Threatpost has reached out to Microsoft for comment.
Interested in security for the Internet of Things and how 5G will change things? Join our free Threatpost webinar, “5G, the Olympics and Next-Gen Security Challenges,” as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. Register here.
