In the paper, Leith wrote:
From a privacy perspective Microsoft Edge and Yandex are qualitatively different from the other browsers studied. Both send persistent identifiers that can be used to link requests (and associated IP address/location) to backend servers. Edge also sends the hardware UUID of the device to Microsoft and Yandex similarly transmits a hashed hardware identifier to back end servers. As far as we can tell this behaviour cannot be disabled by users. In addition to the search autocomplete functionality that shares details of web pages visited, both transmit web page information to servers that appear unrelated to search autocomplete.
Strong, enduring identifiersBoth Edge and Yandex send identifiers that are tied to device hardware, the study found. These unique strings, which can also link various apps running on the same device, remain the same even after fresh installs of the browsers. Edge sends the universally unique identifier of a device to a Microsoft server located at self.events.data.microsoft.com. This identifier can’t easily be changed or deleted. The researcher said that the Edge autocomplete, which sends details of typed sites to a backend server, can’t be disabled. As Ars reader karinto pointed out in a comment, however, instructions for disabling the feature are here. Yandex, meanwhile, collected a cryptographic hash of the hardware MAC address and details of visited websites through the autocomplete function, although the latter could be disabled. Because Edge and Yandex collect identifiers that are linked to the hardware running the browsers, the data persists across fresh browser installs and can also be used to link various apps running on the same device. These identifiers can then be used to track IP addresses over time.
“Transmission of device identifiers to backend servers is obviously the most worrisome since it is a strong, enduring identifier of a user device that can be regenerated at will, including by other apps (so allowing linking of data across apps from the same manufacturer) and cannot be easily changed or reset by users,” the paper warned.
A Microsoft representative provided a response on condition she not be named and the response not be quoted. She gave no reason for this requirement. She said that Edge asks for permission to collect diagnostic data that’s used to improve products. She said this collection can be turned off. While the data “may” contain information about visited websites, it isn’t stored with users’ Microsoft accounts.
Browser syncingWhen users are signed into Edge, they can sync their browser history to make it available on other devices. Users can view and delete this history on the privacy dashboard located at privacy.microsoft.com. Microsoft’s Defender SmartScreen—a Windows 10 feature that protects against phishing and malware websites and the downloading of potentially malicious files—works by inspecting URLs that users intend to visit. This default functionality can be disabled through the Edge Privacy and Services settings.
The fractured future of browser privacy
The unique identifier allows Edge users to use a single click to delete associated diagnostic data stored on Microsoft servers.At the other end of the privacy spectrum was Brave. The study found the default Brave settings provided the most privacy, with no collection of identifiers allowing the tracking of IP addresses over time and no sharing of the details of webpages visited with backend servers.
In betweenChrome, Firefox, and Safari fell into a middle category. The autocomplete feature in all three browsers transmitted details of visited sites in real time as the URLs are being typed. These default settings, however, can be disabled. Other potentially privacy-harming behaviors included:
- Chrome: sends a persistent identifier along with website addresses, allowing the two to be linked
- Firefox: includes identifiers in telemetry transmissions that can link these things over time (telemetry is on by default but can be disabled). Firefox also opens a persistent websocket for push notifications. The websocket, the researcher said, is linked to a unique identifier and can potentially be used for tracking that’s not easily disabled.
- Safari: Defaults to a start page that can leak information to “multiple third parties” who can preload pages containing identifiers to the browser cache. What’s more, associated iCloud processes made connections containing identifiers.