This post was originally published on 26 DEC 2020. It has since been revised and updated.
Privacy browsers mostly function the same as your “normal” browsers – but user (read: your) privacy and security are at the forefronts of their functions.
Ideally, these browsers are open-source so that their source code can be read, verified, tweaked, or compiled from source if wanted/needed by the public. Additionally, open source promotes transparency and can lead way to the validity of a browser’s claims to protect your privacy.
Should you use a privacy-oriented or a secure browser? The short answer is: Absolutely! You should’ve been using a browser focused on privacy yesteryear.
First, if you’re not already aware, then you should understand the very basics of what what your “regular” browser does.
At its most basic function, a browser is simply software that you use to easily access the internet.
The browser does this by pulling together a list of requests for different bits of content, which often include the likes of scripts, text, and images. It then compiles these requests, processing scripts and rendering content to spit out the webpage you typed into the address bar. That’s it.
NOTE: Of course, it’s worth noting that in today’s age, browsers have grown to be just as complicated (if not more complicated) as entire operating systems. As you probably know, many browsers have enhanced capabilities and features.
And here’s an example of a (static) request:
You want to visit avoidthehack! so you type
avoidthehack.cominto the address field of your web browser.
The home page for avoidthehack! isn’t stored in one convenient file, on a single server. Your web browser sends requests for the data and content that make up the webpage.
The servers that point to
avoidthehack.comserve up your browser’s requests.
Your browser then compiles everything according to instructions laid out in code and scripts.
The final product is how you see the home page as it is in your browser.
Keep in mind that this is a simplified example and a simplified explanation of how a web browser works. Numerous other variables commonly get thrown into this exchange between your browser and the web server(s), especially when interacting with a web app or a web service, but that’s outside the scope of this particular post!
Now, notice the use of the word exchange. The example of above might give you the illusion that information is only getting fed one way; from the web servers to your web browser.
However this is only half the case; data is being exchanged both ways as your web browser and the web servers “talk to each other.” Reference:
It’s important to understand that in connecting to and viewing a webpage, your browser isn’t just requesting information from any given server(s) of the websites you visit. Your browser also provides data to the web servers.
This of itself is not a cause for concern as it’s simple routine and all a normal part of accessing the internet. At the end of the day, machines must communicate both ways so that we can see the final product; the final product most commonly being the fully rendered webpage you want to access.
The real cause for concern is the amount of data “regular” browsers share.
“Regular” browsers most often share more than the “required” data; they have a tendency to engage in information overshare with the various websites, web apps, and web services you visit. You can think of this overshared information as similar to a data leak and these “leaks” prove beneficial in allowing different tracking methods and fingerprinting techniques to be effective.
For example, some data points browsers may commonly share as a “default” can include:
- Your precise location (particularly for GPS-enabled devices)
- The exact build and version of the software you’re running
- Full referrer headers, to include session and token data
- Scroll location, taps and click information, cursor location –
The unrequested data “offered” by your web browser can be data that you might not necessarily want transmitted to other servers for one reason or another. Add on that this data can and is sometimes transmitted/collected without expressed user knowledge.
Browser telemetry and phoning home
Unfortunately, the data leakage and information oversharing doesn’t stop at the “front-end” of the browser, where it talks to the servers of the webpage you requested. “Regular” browsers regularly engage in “back-end” transactions or talks with remote servers. In other words, they engage in what is commonly called “phoning home” behavior.
Now, it’s important to understand that very generally speaking some instances of phoning home are indeed benign. For example, your browser may “phone home” to update servers in order to ensure that the version running on your device is the latest.
However, when we talk of “phoning home,” we’re typically referencing the browser transmitting collected/stored data to remote servers – remote servers that are independent of the ones you may connect to when visiting a website. Typically, this goes beyond simple telemetry, such as anonymized crash data reporting that some developers might use. In essence, “phoning home,” is seen as privacy invasive as it can be used to collect highly specific and personalized data that can then be sold/shared/auctioned off to third-parties.
We can break down the data that a “regular” browser may phone home into two big categories here: 1) identifying data and 2) usage data. Frequently these two can and do overlap.
Your browser may phone home identifying data such as:
- Any unique IDs of your browser installation itself
- Universally Unique Identifier(s) (UUID) of hardware
- Connected network information
- Declared information such as age and gender
Your browser may phone home your “usage data” such as:
- Your browsing history
- Your search history (irrespective of the specific search engine you may use)
- Click/tap history
- Location data – to include past/archived/saved location data
Learn more about the data that regular browsers collect on the avoidthehack private browser page.
Privacy-oriented browsers do everything your mainstream browser does, except they do everything with the privacy of the user (read: you) in mind.
As a whole, privacy-oriented browsers aim to share as little data as possible, both on the “front-end” and on the “back-end.” Many also aim to mitigate the effectiveness of common tracking methods and fingerprinting techniques that some websites, web apps, and web services may use.
Some privacy-oriented browsers accomplish this in varying ways to differing degrees – you can think of it like some sort of spectrum. Some privacy-oriented browsers eliminate telemetry and any sort of phoning home totally while others may greatly reduce and anonymize the data shared with their respective servers.
Some privacy browsers come with a native adblocking solution while others may come with a trusted adblocker such as uBlock Origin installed. Others may go a step further and implement fingerprinting mitigation techniques, such as randomizing user-agent strings.
Others may implement/improve upon existing browser security flaws – a privacy-browser might always force HTTPS and refuse connections that are not upgradable.
All of this to say that privacy-oriented browsers aim to protect your privacy.
There are many private browsers to choose from.
View the Private Browser Comparison Tool to help you pick out a browser that best fits your needs.
In the end, all privacy-oriented browsers attempt to put some control of data in the hands of the users.
Standard “private browsing” vs. privacy focused browsers
All of the well-known and commonly used browsers have a mode that enables “private browsing,” with the exact name varying between the different browsers; for example, Google Chrome calls its private browsing feature “Incognito” whereas Microsoft Edge named the same feature “InPrivate.”
It’s reasonable to think that when you have your standard browser’s version of “private browsing” enabled that you’re doing just that – visiting websites and maintaining your privacy. So, you may think that you’re getting the same benefits from using the “private browsing” feature as you would using a true privacy-oriented browser.
This is not the case.
“Private Browsing” is not nearly as private as many people think it is. Long story short, the name is, for lack of better terms, deceiving.
At most, the “private browsing” feature on web browsers automatically erase the likes of browsing history, search history as it exists within the browser, and cookies after the “private browsing” session has closed.
It does not provide ad/tracker blocking capabilities, does not reduce telemetry/browser data collection, does not provide any level of encryption (you need HTTPS enabled for that), and does very little in mitigating tracking and fingerprinting techniques.
In fact, to drive home the telemetry and phoning home aspect: In 2020 Google was slapped with $5 billion lawsuit that claimed Google tracked users who used Incognito Mode.
It’s also worth mentioning that “private” browsing has extremely little to do with improving your security – for example, “private browsing” cannot defend you from exploits by malicious actors. Learn more about private browsing.
Now, unlike simple “private browsing,” privacy-oriented browsers do enable more private and secure browsing.
Many privacy-oriented browsers do include advanced ad/tracker blocking. Most privacy-oriented browsers greatly reduce or outright eliminate telemetry and other potential avenues of data collection; many simply don’t phone home outside of automatically checking for the latest versions. Most private browsers do force HTTPS as default.
Privacy browsers give you better control of what information you broadcast to the internet, improved security, and a smoother overall user experience.
Privacy-oriented browsers improve your ability to control the information you transmit knowingly and unknowingly with websites, web services, and web apps.
Remember, “regular” browsers have a tendency to share information that you might not necessarily want shared with third parties – and that this data sharing occurs on both the “front” and “back” ends of the browser.
Privacy-oriented browsers aim to stop the browser sharing excessive information with the websites you visit by resisting common fingerprinting techniques, blocking ads, and blocking various tracking methods.
Furthermore, most privacy-oriented browsers limit the amount of “phoning home” they perform; some outright don’t phone home at all, with the common exception being querying for updated versions of the browser.
In many cases, if the privacy-respecting browser does communicate on the back-end with its servers in excess of checking for updates, the data it transmits isn’t as sensitive as your browsing or search history. In most cases, these browsers may be collecting anonymized telemetry or providing specific services that you as the user have opted-in to.
It’s also worth noting that the defaults found on many privacy-oriented browsers beat defaults found on “regular” browsers. Again, this stems from privacy-oriented browsers putting the privacy of the user first.
A lot of privacy browsers block scripts and other bits of code that can execute with or without the user’s (your) consent. They also block ads, and the trackers that commonly exist within the ads themselves from loading.
In addition to helping to maintain your privacy and saving your eyes from annoying advertisements, this blocking also improves your security posture.
How? The simple answer is that the scripts/bits of code that load upon serving these advertisements can be malicious.
It’s a common misconception that you have to click/tap on an ad to get infected via malvertising. Loading the scripts associated with a malicious advertisement can easily be enough to get infected. A good real-life example is when major news networks such as the New York Times, the BBC, and AOL served infected adverts to users.
Another common security feature found across privacy-oriented browsers is Forced HTTPS; most will force HTTPS connections by default, upgrading insecure HTTP connections where possible.
Some browsers, such as Librewolf, will refuse to load webpages where the connection is non-upgradable, such as when the website’s certificate has expired.
Privacy-oriented browsers produce a better user experience in a couple of different ways:
Better loading times
The most notable of these improved user experiences is the speed of which webpages load.
This isn’t to say that privacy-oriented browsers have some super magic code to force webpages to load faster, but rather by blocking the loading of tracking scripts and ads, the webpages you visit thus load faster.
Excessive, and often nonessential, scripts ultimately slow down your browsing experience if they’re not blocked. Excessive scripts are often associated with the likes of ads, trackers, and invasive analytics software.
Other benefits that users see alongside faster loading times are less bandwidth usage and better battery life for more mobile devices.
Privacy-oriented browsers across all platforms tend to offer better customization and tweaking options. This enables users to fine-tune the browser to their specific needs.
Additionally, most privacy-oriented browsers are forks of browser engines, the two most common being Gecko (Firefox) and Chromium. Even as forks, many privacy-oriented browsers will also work with extensions/add-ons found within their respective stores.
While privacy-oriented browsers can prove an asset in improving your privacy, as with most things in life they do have limitations:
Privacy-oriented browsers are not proxy servers. They do not route traffic through another server for any level of anonymity. In order to achieve this level of anonymity from a browser, you’ll need to use the TOR browser.
Privacy-oriented browsers cannot hide your traffic from the likes of your internet service provider (ISP) or another third-party. If you are a user who is interested in hiding their web traffic from an entity such as your ISP, then you should look into using a trusted, verified no-logs VPN provider (or the TOR browser).
Privacy-oriented browsers cannot prevent the execution/downloading/installation of malware. While privacy-oriented browsers can certainly reduce the likelihood of certain avenues of attacks, they are no where near a silver-bullet. Best practice is to maintain good cybersecurity habits such as not clicking on suspicious links or downloading/opening suspicious files.
Privacy-oriented browsers do not make good password managers. You shouldn’t use your browser to store sensitive information such as account credentials. Use a trusted password manager instead.
Privacy-oriented browsers cannot make other software more private/secure. This goes for other software installed on your device. If you’re looking for more privacy (and security!) out of your device’s operating system, you may want to consider migrating to a new one.
Additionally, privacy-browsers cannot block ads/trackers or force encryption outside the browser. For network wide protection, look into using an encrypted, ad-blocking DNS provider and/or setting up a Pi-Hole.
Overall, avoidthehack! highly recommends using a browser that both respects and maintains your privacy.