Root Causes 255: What Is a Privacy Browser?

Episode Transcript

Lightly edited for flow and brevity.

• 

  Tim Callan

  We want to talk about privacy browsers. Jason, what is a privacy browser?

• 

  Jason Soroko

  So, for those of you, obviously, who browse the internet which I think is just about everybody.

  Let’s talk about the big ones. Way, way back in the day, Tim, I remember using Links as a browser, which didn’t even have graphics. It was just something that most of you who would look at would have thought it was back in ancient times. But then, of course, we had Netscape, which then evolved into other major software vendors who created things like Google came up with Chrome. We had Microsoft coming out with Internet Explorer, which is now Edge, which is based off of Chromium and then we have, of course, Apple’s Safari which is used on their iOS devices and their Mac OS, etc., etc. Then, all of the sudden, in more recent times, Tim, you’ve probably heard of some other browsers and I’m thinking about people who were concerned with the usage of cookies, people who were concerned with the amount of tracking going on and advertisements that were targeted at you based on your browser information, etc., etc. There’s so many reasons; there’s a lot more than just one why people might use a privacy browser. Let’s name a few of them. DuckDuckGo has a privacy browser, works on mobile devices and I think there was an announcement right around middle of October about DuckDuckGo being created on desktops for Mac OS.

  And there are other desktop browsers which will also obviously work on mobile devices. Brave Browser is another privacy browser and there are, of course, the traditional browsers, FireFox, Chrome, Edge, etc., which all have things like incognito modes and privacy modes. So, each one of them will claim to do some kind of enhanced privacy but some of these privacy browsers are very, very specific in what they do and what I find interesting, Tim, and I’ll end the thought here for a moment, I find it so fascinating that the underlying code base for some of these privacy browsers are directly sourced from open-source projects that we know and love from the traditional big browsers. So, for example, this latest DuckDuckGo that was announced for Mac OS is using WebKit. In other words, it is built off of the same bones as Safari and something like I’m thinking of Brave which I believe, if I’m not mistaken is based off of Chromium, the bones of Chrome.
  

• 

  Tim Callan

  That way you don’t have to be great at that. You can focus on something specific that you want to be great at. So, like let me just make up an example. Let’s suppose that I wanted to make a browser that was entirely focused – and now I’m probably gonna show my ignorance because there probably is such a thing – but let’s suppose I was trying to make a browser that was entirely focused on people are visually impaired. I would want to be really expert at that part of it. How do I take the web and make it easily accessible to people who are visually impaired so that they can get the benefit of the web just the way that people who can read off the screen can and that would be what I would want to be really expert on. What I don’t want to be expert on is all of that other stuff. So, I use something like Chromium and all that other stuff is kind of handed to me and I have a whole community that is making that as great as they possibly can and I can focus on the thing that I need to do really well. And that’s pretty similar to this situation. Correct?

• 

  Jason Soroko

  Correct, Tim. In fact, let me make your point for you even to the highest level point may be possible. Microsoft – who I don’t know too many companies who have more developers than Microsoft, they gave up making their own browser technology.

• 

  Tim Callan

  They sure did. They moved to Chromium.

• 

  Jason Soroko

  And specifically for the exact reason you just said. They just wanted to put in Microsoft features onto a fast, good rendering engine and they chose Chromium. They didn’t even build their own. So, that is very common in the industry and it does make a lot of sense.

  So, Tim, if this podcast is really about privacy browsers, what would you like to see in a privacy browser? Like if you go into a privacy mode the funny thing is, it’s more than one thing isn’t it? We are thinking about ad blocking. We are thinking about header tracking.

  So, I think that there’s a lot of interesting feature sets in some of these alternative browsers even to the point of alright, cookie management. So, if you take any of the major browsers, they’ve always kind of allowed you to clear cookies and handle have a lot of customization in terms of how you want to handle these kinds of tracking mechanisms but some of these privacy browsers actually have full-blown cookie management systems that really do a good job and are focused on doing that specifically. And that’s part of what a privacy browser is giving you.

  I think, Tim, for those of you who haven’t seen how web traffic actually works, it used to be very common back in the day. In fact, still is. In order to be able to very specifically target you as a person browsing the web, the more bits of information about you that are unique will basically enable a marketer to basically track you and all of your traffic across the internet.

• 

  Tim Callan

  You and I talked about this, too, in a previous episode. Like maybe, I don’t know, maybe like 30 episodes ago, I think we had a series of three in a row and one of the things we talked about is if you have enough identifiers, if you have enough unique identifiers that the Venn diagram overlap of all of those could be one individual. So, you might say, well, if I have this many people and if we just use us as individuals. If I say I have this many people and they are this height and they are left-handed and they live in this neighborhood and their last name starts with a C and they work as an IT professional and they’re in a certain age range, you could get to a point where there’s only one and I’m that one. And so you could do a similar thing with identifiers on a browser or a user and you could get to the point where even though supposedly it’s genericized, it becomes an uncomfortably small set of potential individuals even down to one individual.

• 

  Jason Soroko

  Exactly, Tim. So, presumably, some of these – not all – but some of these privacy browsers also concentrate on helping to solve that issue for you as well, which is to make the header information. In other words, when you are accessing a web server you are giving away information about what browser you are using and there’s gonna be some uniqueness tied to the header information that you provide to the web server and some of these privacy browsers are making it increasingly difficult to make you trackable because of the fact that your header information is going to - - the attempt is to try to make it look as much like everybody else using that browser as possible, making it very difficult to distinguish you from other people using that privacy browser.

  There’s some other features as well, Tim, and some of these are kind of random. It’s almost like quasi VPN tools. There’s like another layer of encryption sometimes going on. Quite often, there are some very specific tracking mechanisms that are used by people who are obviously trying to market to you, trying to do – as you say – trying to identify uniquely. There are unique browser features that sometimes the bad guys are bad guys and sometimes you need just marketers that are trying to uniquely identify you. In other words, some of these privacy browsers have these features more uniformly set and there’s a lot more education to the user about, hey, if you set this feature in the configuration on or off, you will make yourself more trackable and therefore, we are defaulting to be a less trackable browser. We could get into huge amounts of data points here, Tim, in terms of configuration changes where the person tracking you is simply looking to see whether or not those features are turned on or off and those on or off binary pieces of information help to uniquely track you.

• 

  Tim Callan

  Now at the same time you may be giving something up. So, for instance, some of the markers that you can use to track somebody are actually - - they have a valid reason to be there in terms of enhancing your experience. So, if the browser is querying things like your screen resolution and your sound card and your processor speed, they may actually be presenting a different experience to you that’s supposed to be optimized for things like your screen resolution and your sound card and your processor speed and if you then obfuscate that information from the provider of that content, that optimization is no longer possible. So, one of the things that occurs to me is that there may be let’s say a less rich or less enhanced experience. We should still be able to get to the sites we want and read the fundamental words and read the book review but we may not get the level of richness or detail or quality of experience that somebody with a lower privacy threshold would be getting.

• 

  Jason Soroko

  I think in practice, Tim, the way that this works because the way that most websites are set up. So, think of yourself as a web developer for that exact site. You want your site to render cleanly to as many people as possible including those who are using privacy browsers.

  I think that there is a push by the developer community because they are fully aware of all of this and they are probably not anxious to utilize rich feature sets that will stop people from being able to render cleanly within some of these privacy browsers. So, at the moment, I’m not hearing a lot of backlash from users saying, hey, I’m not getting full rich experience here. I think the risk is there to do that. I think that when early web technology rich browsing technology, those feature sets were out there and people were experimenting by using a lot of different things and finding that not every browser was handling it the same or cleanly. I think that there then became a push to simplify and offer richness in a way that was handled by more generic rendering. And so, therefore, I think that’s less of a risk now.

  I think in practice what the privacy browsers are doing in your rendering differently than each other is going to be how they handle advertisements because a lot of websites offer advertisements on their website. Some of the privacy browsers, depending on how you have them set, are going to render those out and then how they fill white space is part of the uniqueness of the privacy browser and that’s where some of the differences come in and sometimes the competitive advantage of some of these browsers is just how cleanly they handle dealing with how do you fill in the white space left by taking away entire chunks of a website property that have to do with ads. I think in 2022, Tim, late 2022, I think that’s the world we are living in right now.

• 

  Tim Callan

  And it’s interesting, you said earlier on in this episode you said there were bad guys and then you backed away from that and said marketers and I didn’t jump on the obvious joke about marketers being bad guys, but it is important to understand, when you and I talk about protecting secrets, which we talk about a lot on this, we are usually talking about it in the context of something really authentically malicious. A genuine attacker. Somebody who is trying to get access or steal your information and steal your money or steal your identity or something along those lines. This is getting into a little bit of an interesting space, which is it’s possible that, I suppose, that there are real attacks like that that are part of the mix here but most of what people seem to be focused on is things like targeted advertising which whether you like it or you don’t I think it’s not quite the same thing as somebody gets access to my bank account and takes my money.

• 

  Jason Soroko

  There’s a big difference. I think for those people who are out there who are really big privacy advocates – and I think we should all be privacy advocates to some degree – there are some people who really, really feel I do not want you, Google, or anybody else who is tracking my basically - - I’m trying to think of a few different ways that you could profile me very easily, Tim, which is, hey, what are the YouTube videos that I watch? What is my common search engine entries? What are my typical websites that I go to? It doesn’t take very long before you can start profiling a person and quite often that profile is for targeted ads. Sometimes it could be for something else as well, unfortunately.

  Being able to tell whether somebody is a child or not can be used for really malicious purposes and so, I certainly am not sitting here with all of the reasonings for why enhanced privacy is important; however, I do know that marketers who are legitimate absolutely have their side of the story, which is, hey, we are trying to just give you a better targeted ad experience. This doesn’t really hurt you. And then on the other hand, there are people who are really experts in privacy who can give you the hundred different ways that privacy absolutely has to be enforced in our lives because there are vulnerable people and vulnerable groups and ways that you’ve never even imagined that bad things could happen to you. So, there’s both sides of the story. I don’t claim to be an expert in that area.

• 

  Tim Callan

  Fair enough. Alright. So, it’s interesting. The other thing, of course, is these “privacy browsers” and you are right, there are a certain number of privacy settings that are available and the mainstream very popular browsers obviously, but these more private, if you will, privacy browsers, are very, very nichey. Like how many people does any of us know personally who uses the browser from Brave or DuckDuckGo or someone else. It’s just a very short list. And so, I wonder if that is telling us anything important about this particular trend?

• 

  Jason Soroko

  I think, Tim, this is probably a more advanced user. Certainly an aware user of how internet technology works. Why would you use a privacy browser unless you knew why you want to use it. That’s certainly the case. I definitely think that for some people who just say, hey look, I’m doing a web search here, I don’t really want this web search to be seen by everybody so I’m gonna go into incognito mode but, hey, what happens if I use this DuckDuckGo browser which I don’t have to change any settings and it’s automatically using a search engine that is tied to privacy. Yes, you could use DuckDuckGo inside of Chrome, but it requires you to make a configuration. And if you are just one of those people who say I don’t want to mess with that. I’m just gonna use this browser because I know it automatically gives me that safe searching experience, I think you might be surprised for how many people switch into a privacy browser for a portion of their web searching. I think that’s more common than not. I definitely don’t think it’s the majority of people but I think even people who are not fully aware of how all the machinations work will sometimes use an alternative browser just for that.

  I will you though, Tim, I’m gonna add just one more thought before we come to the conclusion but some of you who are listening to this might also say, hey, if you are talking about privacy browsers why in the world wouldn’t you talk about the Tor browser and all the technologies underneath Tor and, of course, that is a whole entire different level of privacy for other purposes.

• 

  Tim Callan

  And we actually did a whole podcast on that. I don’t know the number off the top of my head, but it was in our first hundred episodes. So go back a ways and you’ll find that there is an episode on the Tor browser where we get into detail on all that and if you are interested in this topic, that’s definitely worth listening to and also that series that ran I’m gonna say, I’m gonna guess somewhere in the early 200s where we had three of them in a row that were about these sort of privacy approaches. Find the episode called What the Flock and look for the ones around there and those are also on this topic and that’s some good background as well.

• 

  Jason Soroko

  Tim, as a conclusion, I want to propose a podcast to be upcoming because now that we’ve covered Tor, we’ve covered privacy browsers, we’ve covered VPN. We’ve covered those three topics. I’d like to have a podcast where we very succinctly go through why would you choose to use any of these technologies because, obviously, as you say, it’s gonna be a niche for everyone but I do think that’s it’s worth just going through.

• 

  Tim Callan

  And there are pros and cons. There are tradeoffs and that was part of the point I’m gonna make. I think as you choose one of these solutions, there may be ways that it’s less convenient or less powerful or less rich than what you would have had otherwise and that’s a tradeoff you are gonna have to be willing to make.

• 

  Jason Soroko

  That’s right. And this is probably the main point, Tim. Every single thing is a tradeoff. VPN is a tradeoff. You have to ask the question, who do I trust and who do I distrust. That will help you to determine whether you should use VPN or not and in conjunction with because you don’t use just VPN alone typically. You are using a browser. You are choosing specifically how you are accessing specific networks. How do you choose the correct browser through the correct tunnel encryption technology such as VPN or Tailscale or any of those things and then, of course, when do you go to a level such as Tor which then is all about obfuscating your technology. Why would you do it? What are you avoiding? What are you putting yourself actually at risk of? Every single one of these things is kind of a binary decision of tradeoffs and I just want to work through the whole list, Tim. It’ll probably be one of those 15-minute podcasts. We could probably work through it pretty quickly. I think it might be worth a conversation.

• 

  Tim Callan

  So, I think that’s a good one to keep your eyes peeled for in the future. This is probably a good overview of the concept of a privacy browser and what is a privacy browser and I’m sure we’ll be returning to this topic.