Microsoft’s new Edge browser is fast, pretty, and compatible, but researchers from Trinity College Dublin say it’s falling behind in privacy. An analysis of the connections of six major browsers to their back-end servers revealed three distinctive groups, with Microsoft’s Edge grouped in the lowest, alongside Russian browser Yandex.
“From a privacy perspective Microsoft Edge and Yandex are qualitatively different from the other browsers studied. Both send persistent identifiers than can be used to link requests
(and associated IP address/location) to back end servers. Edge also sends the hardware UUID of the device to Microsoft and Yandex similarly transmits a hashed hardware identifier to back end servers.“
These persistent identifiers could be used to discover a user’s real identity. Previous research has shown that by tracking a user’s IP address/location over time, it’s possible to find users, particularly when combined with other data.
Notably, the study did not look at the web services provided by each of the companies, which also included Google, Apple, Brave, Mozilla. The focus was on the browsers themselves, rather than the ecosystem as a whole, which shows only one important part of the puzzle.
What’s the Best Browser for Privacy?
That said, the researchers found Brave to be the best for privacy, living up to its main selling point. This was followed by Chrome, Firefox, and Safari, which made up the second aforementioned group. It did not feature any identifiers that would allow for IP address tracking over time.
Chrome, Safari, and Firefox, meanwhile, tag requests with identifiers, but that information is reset when the browser is re-installed. All send details of the webpages visited to the backend via auto-complete, but with verifying identifiers.
Chrome is, in this case, are persistent, while Safari’s are ephemeral and Mozilla doesn’t have identifiers at all. Edge has the same hardware persistence as Yandex.
All of this paints a concerning picture for privacy enthusiasts who were looking get away from Google. Edge uses the same underlying engine as Chrome, but a selling point has been its removal of 53 Google services.
Some assume this would make Edge for privacy-friendly, but out of the box, the information it sends to the back-end isn’t friendly at all.
More worrisome, though, is the report that it’s impossible to disable this functionality. Edge lets you toggle off additional data collection for advertising, but it seems this doesn’t touch the telemetry the study discusses.
Researcher Douglas J. Leith raises a consideration for GDPR in this context, asking if users have really given informed consent, if opting out is easy enough, and whether the justification for data collection is specific enough.