The Brave browser has provoked unhappiness among some of its users after being caught redirecting searches to affiliate links that earned it commission.
The first user to notice the issue was Cryptonator 1337, who tweeted the following observation on 6 June:
So when you are using the @brave browser and type in ‘binance.us’ you end up getting redirected to ‘binance.us/en?ref=35089877’ – I see what you did there mates.
What this means is that Brave users searching for Binance, a cryptocurrency exchange, would have had their query autocompleted so that they ended up on a special version of the Binance homepage that lets the company know that Brave’s address bar was the origin of that visit.
Autocomplete, of course, is a feature all web browsers offer and is intended as a time-saving and normally uncontroversial convenience (in Brave, ‘Autocomplete searches and URLs’ can be turned on or off by typing ‘brave://settings/autofill’ into the address bar).
But not long after, a second user discovered a GitHub page containing code used to embed rival cryptocurrency exchanges, Coinbase, Trezor, and Ledger in the same way.
At that point, Brave found itself fielding unhappy comments from users asking whether this behaviour was consistent with the company’s idealistic motto ‘Brave for a better internet’ and general championing of privacy (the latter being a virtue it recently lived up to in an independent University study).
Perhaps surprisingly, Brave founder and CEO Brendan Eich (famous for creating JavaScript and helping co-found Mozilla) quickly admitted a “serious error of judgement”, tweeting:
The autocomplete default was inspired by search query clientid attribution that all browsers do, but unlike keyword queries, a typed-in URL should go to the domain named, without any additions. Sorry for this mistake — we are clearly not perfect, but we correct course quickly.
Default autocomplete should not have added redirect code, he agreed, but the mistake had been made as the company attempted to “build a viable business.”
A mistake, then, but was it really a bad one?
The market for browsers is a strange one that eats money in development costs, which raises the question as to why anyone would get into this as a business.
For the ‘big’ browsers – Google’s Chrome, Apple’s Safari and Microsoft’s Edge – the answer is mainly to support Android, macOS/iOS and Windows.
But they are also commercial entities that earn money in one way or another from directing users to the big bucks of search engines. This is true even for Mozilla’s Firefox, which supports its own idealistic values through an identical business model.
And then there is newcomer Brave, which has styled itself as being an outsider and an innovator, right down to launching an entire Brave platform that hands out ‘attention tokens’ to users in return for consuming advertising.
It’s a balancing act, which established browsers with higher market share have the luxury of ignoring – the need to earn money from the act of browsing itself.
Sending autocompleted search traffic to affiliates would have earned Brave fractions of a cent for each user who made that journey but without revealing anything about the user.
What caused trouble here was that users wouldn’t have realised this was happening unless they looked closely at the URL. To some, this looked like a small but unnecessary deception.
However, it remains true that smaller, independent browsers face a struggle to survive. Some of the surprisingly large number kicking about below measurable statistics sell out and become ad machines whose ironic selling point is that they are not Google.
Because of its ‘we are different’ marketing, Brave has always been judged by higher standards. That comes with the downside of greater scrutiny and disappointment when mistakes are made.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.