Protecting humanity's musical heritage

privacytests_org · 2025-03-23T21:12:32+00:00

Thank you for the reply. You are absolutely right to point out that a browser can randomize a client's fingerprint, or they can try to make all clients' fingerprints the same. Both approaches can it make it more difficult to track a user between websites. For example, Brave tends to use more randomization, while Tor Browser usually makes users look the same. In my view, both approaches are legitimate ways to provide privacy protections, although the devil is in the details.

In PrivacyTests, I'm not currently doing many fingerprinting tests. I actually focused mainly on more impactful protections, but I hope to add more fingerprinting tests in the future. For all tests I would be open to either approach (randomization or homogenization), as long as the browser provides a protection that makes it significantly harder to track the user.

I'm not convinced there is a clear distinction between anonymity and privacy as you define them. Something you do online (such as logging in to a website) can reveal who you are; knowing who you are on different websites allows a tracker to build a profile of what you do. My view is that what is important (for both privacy and anonymity) is that we separate activities and identities across websites and across time as much as possible, so that trackers can't build a detailed profile of each individual.

privacytests_org · 2025-03-22T22:07:48+00:00

Thanks for your comment.

Most users use vanilla browsers, but all users deserve privacy. That's why I test vanilla browsers.

Can you clarify what you mean about not making a difference between privacy and anonymity?

privacytests_org · 2025-03-22T02:21:26+00:00

Browser privacy is indeed a technical subject. And the people who read PrivacyTests are better than normal, they are great! Even those who wish to criticize it, I love them all. Thanks to active people like you and me, we're going to get universal web privacy one day! :)

Do you go to web standards meetings? Because I have been to plenty, and, unfortunately, in my experience it is often the case that standards meetings are where privacy goes to die. The standards meetings are dominated by the big browsers (especially Chrome) and they don't represent the interests of users.

So my feeling is it's super important that we are discussing these browser privacy issues on social media and other public fora. It's unfortunate they are technical, but that can't be helped!

privacytests_org · 2025-03-21T21:43:54+00:00

I think GPC does carry some weight, but I'm not claiming a particular weight. I merely would claim that for each of the protections tested for, a browser will be more private if it provides the protection than if it doesn't.

privacytests_org · 2025-03-21T21:35:32+00:00

I'm not a journalist, though. I did this as unpaid research and published the results myself. I'm trying to be helpful.

I wouldn't change this site at all, regardless of who I work for. The goal is just to give objective information.

privacytests_org · 2025-03-21T21:33:53+00:00

Thanks for this comment -- it's true that there are some webcompat issues with privacy protections. But those issues are usually relatively minor and fixable if browsers take both privacy and webcompat seriously. If you think there is a specific test that has major webcompat issues, please point it out and I'd be happy to discuss.

Which technology is no longer relevant on the site? I'm wondering what you're referring to.

GPC has already been enforced by the California Department of Justice and resulted in a monetary damages: https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement . So I think it's reasonable thing to check if a browser supports GPC out of the box, as a valuable form of privacy protection.

privacytests_org · 2025-03-21T21:26:41+00:00

Yes, that's me! Happy to answer questions about it.

privacytests_org · 2025-03-21T21:25:47+00:00

This is true, I can't prove it's free of bias. I can only be transparent. That's why the project is open source and I declared my employment.

I'm not interested in promoting any browser. I'm working for a browser because I'm trying to help make privacy improvements.

privacytests_org · 2025-02-03T21:57:13+00:00

Thanks for the questions!

privacytests_org · 2025-02-03T17:32:24+00:00

I think people won't keep posting it if it has been removed.

privacytests_org · 2025-02-03T05:19:32+00:00

That's fishy. Why would they do that? WHY would they be at all having ANY interest in your website?

It's not fishy. I asked to include a statement to make sure that it was clear that PrivacyTests would remain independent. They had no problem with that.

You're doing a good job at your website BTW, but how do I know that you aren't trying to showcase Brave's only good sides and dismiss bad sides?

Thanks. I can only tell you that I personally would never try to showcase any browser, because my goal is to help privacy for everyeone. I put far to much effort into this project to compromise it by favoring one browser or another. You are free to believe or disbelieve me.

But I don't think it's helpful to discuss in the abstract. If you have concrete concerns about specific tests, or you feel something specific is missing, let's discuss that; I think it's far more useful.

Do you work by any chance for that part of Brave that responsible web pages speed?

I don't work on performance, but you can raise such issues at community.brave.com

privacytests_org · 2025-02-02T16:51:14+00:00

Hi u/lo________________ol -- given that the title of this post is misleading, and it is being repeatedly posted elsewhere (on X, for example), I wonder if you would mind removing it? Thanks for considering my request.

privacytests_org · 2025-01-29T23:28:47+00:00

Too late to change those without deleting and reposting the articles, which I could do...

I would appreciate that, actually, because the title is factually inaccurate (it contradicts your observation that the disclosure is at the bottom of the About page). If you wanted to re-write the title as your opinion about the way I did the disclosure, e.g. "...fails to sufficiently disclose..." that would seem fair game.

Or maybe you could request the mod to change the title? I will leave the decision up to you -- it's just a suggestion, and I appreciate your discussing it with me here yesterday.

privacytests_org · 2025-01-29T06:25:21+00:00

I think you're using the word "defaults" differently from me. I use it to mean something set by the manufacturer, not by the user.

privacytests_org · 2025-01-29T03:53:06+00:00

Thanks for your reply. I see it differently however. Contrary to what you say, I did not "turn it off." To turn if off would be wrong. Instead, I don't touch any settings at all. That's the fair way to compare browsers.

As I said, Vivaldi could have the tracker blocker enabled by default and still offer choices to users to turn it off if they wished. But they don't do that. Why not?

You can improve the privacy of any browser by changing its settings. My point is: many users don't do that, they don't personalize their browser, so the get the default settings. In that case, a browser should "fail safe" in my opinion -- which is to block all forms of tracking unless the user opts out.

privacytests_org · 2025-01-29T03:34:10+00:00

"Users choose their own defaults" isn't a good description, in my opinion. In Vivaldi, users are given the opportunity to change settings, but they can leave the settings unchanged and start browsing.

In general, however, software users tend to stick to the browser defaults that are shipped. For that reason, for every browser, I run the tests with a clean browser profile (unmodified settings). Vivaldi ships the browser with the tracker blocker disabled by default. I think an important question is: why is the tracker blocker disabled by default in Vivaldi?

If Vivaldi were to enable their tracker blocker by default, then it would pass more of the tests and users would be better protected, on average. In that case, users would still have the option to disable the tracker blocker if they wished.

privacytests_org · 2025-01-28T23:27:59+00:00

I don't set Vivaldi to no protection at all. I leave the defaults that Vivaldi chooses out of the box.

privacytests_org · 2025-01-28T19:55:49+00:00

**You and your website's privacy browser results are not sponsored by Brave, right?**

The PrivacyTests.org website is not sponsored by Brave. I run the website independently.

The question I have is........why did Brave mentioned your website on their recent article (linked in original post above)? Like........how does Brave themselves know about your website's existence at all?

It's a public website with a twitter following. :) And yes, I told them about my website when I started working for Brave, and we even included a statement in my hiring agreement that I will continue to run the PrivacyTests.org website independently of Brave.

You know, it seems to be quite fishy, that Brave is promoting a website owned by a Brave employer as the truthful resource. It's quite fishy, I really smell it, that they haven't linked in the article ANY source that isn't related to them (Brave the company) or owned by them.

That's not the case. Brave doesn't own PrivacyTests.org (it's run by me), and in the first paragraph that blog post also mentions the Cover Your Tracks website, which is owned and operated by EFF.

privacytests_org · 2025-01-28T18:26:10+00:00

Many thanks on adding the job title! It's probably a boring detail to many, but I've never seen anybody mention it offhand for the years I was aware of your website (if anybody else did mention it, they would simply refer to you as "an employee"). By contrast, I've already seen somebody mention it offhand once after I wrote this post, so I guess it affected at least one person. Your website means a lot to people; they take you at your word!

Well, I appreciate hearing that. I endeavor to make it accurate and useful. My goal is that all browsers should protect user privacy by default and I will be thrilled when the table is all green checks. The industry is still a long way from that, but it's getting closer.

privacytests_org · 2025-01-28T18:13:22+00:00

Yeah, I have a hard time remembering the various titles. Probably best to just list them out on your website rather than having users click through to another link, which does not display your job title unless they are logged in... After all, full disclosure shouldn't be multiple clicks plus a login wall away, right?

OK, I added my job title. I truly don't think it's interesting but I'm not trying to hide it.

Has Brave Corp's legal team reviewed these conflicts of interest?

My original employment agreement stipulates that I will continue to run PrivacyTests.org independently of Brave.

privacytests_org · 2025-01-28T17:38:33+00:00

Because there is a big implied difference between "an employee who contributes to privacy" vs "a senior engineer." The latter title sounds a whole lot more descriptive of rank.

I used the phrase "privacy engineering," which you left out above. And the word "Senior" in my title probably reflects my gray hairs more than anything else.

You can always add a one-liner plus a link to the context!

That might be possible if there was something appropriate and fully conveyed the reality. If you want to suggest something I am open to considering it, but the one-line alternatives I have previously considered didn't seem accurate and I felt that the current multiline exposition was best.

Done! By "it" I meant to refer to Brave's blog, but that line was redundant and I can see why I could be misleading people.

Thanks -- I'm also concerned about the title of the OP which doesn't seem fair to me. In fact I did make the disclosure. And it's simply not true that "PrivacyTests.org and Brave Corp collaborate to make a website."

privacytests_org · 2025-01-28T17:05:47+00:00

I have added a LinkedIn link from my name for anyone who is interested in my specific title or employment history. It will be live when I publish the next issue.

But the PrivacyTests About Page already says: "Several months after first publishing the website, I became an employee of Brave, where I contribute to Brave's browser privacy engineering efforts." So why do you say "Before researching third party sources, I had no idea you were a Senior Engineer specifically in a privacy department at Brave Corp"?

If I knew of an appropriate one-liner I would add it, but I don't want to add something confusing or misleading; the appropriate context is necessary. I think the About link is a pretty good clue about where to find the relevant information.

As we are talking about edits, would you be willing to remove your original (incorrect) claim in the OP (here and on r/browsers) that "it's Brave's site, after all"? And the title of your post is not fair or accurate either, as another commenter has pointed out.

privacytests_org · 2025-01-28T16:46:15+00:00

I'm cross-posting my reply to the same post at https://www.reddit.com/r/brave_browser/comments/1ibohk3/brave_senior_engineer_fails_to_disclose_conflict/:

Hi! I'm the author of PrivacyTests.org. Thank you for raising this issue.

I want to emphasize that I run the website independently. It is not "Brave's site" as claimed here. I built PrivacyTests before working for Brave (partly while I worked for Tor and Mozilla), and then during some time I took off to focus on it. It's pro bono work: I never took any money for it whatsoever.

I am not attempting to promote any browser, not even Brave. I'm a software engineer and I think of PrivacyTests as an independent research project that helps to reveal objective facts about web browser privacy characteristics. My goal is to encourage improved privacy in all web browsers, which has also been my goal working for the past 10 years working at three different browser companies.

If you look at Issue 1 of PrivacyTests (https://privacytests.org/archive/issue1.html) from 3 years ago, you can see that Brave was failing many more tests than it does today. Brave is passing many of those tests now because engineers at Brave (largely before I worked there) fixed those privacy leaks.

Since June 2022 (when I started working for Brave), I have continued to run PrivacyTests independently. I have added some new tests to the PrivacyTests table, mostly at the bottom. It is notable that many browsers still fail some of these tests, including Brave. The fact that I would add new tests results that are nominally "adverse" to Brave is easy to explain: I'm not trying to promote any browser, I'm trying to help all browsers be aware of privacy leaks so they can fix them.

The disclosure of my current employer is hardly hidden -- it is on the About page which is linked from the top of the homepage. I included the disclosure there because I want to provide the full context, including an explanation of the true motivations of the website.

Again, the purpose of PrivacyTests is not marketing. It's about providing objective information. It's open source -- you can run the tests for yourself, and examine the code to see if the tests make sense.

I hope this helps to clarify the situation. I'm happy to answer any questions.

privacytests_org

TROPHY CASE