by pmurt7 1829 days ago
> If earning half a penny in a month is okay for you, in exchange of your privacy, because of course, they’re tracking you with Rewards, then enjoy your money.

Lie. Brave doesn't track you. Your ad data never leave your machine (a bit like your bookmarks). The ad engine works privately on your computer and not on Brave's server.

If it's fetching ads, it has to 100% be sending some data to someone, who is likely able to correlate it and track you. It doesn't take much.

A regional catalog is downloaded routinely. The only "data" going out is your region (e.g. the United States). This returns a protobuf catalog of ads for your region. Your device privately studies this catalog for relevant entries. When an ad is shown, it's presented as a native notification on the OS. This means the user sees a title (text), and a body (text). Screenshots of these notifications are on https://brave.com/rewards. I also covered this model in brief detail recently https://youtu.be/LsrrT502luI (skip to about 3:22 if you like).

> The only "data" going out is your region (e.g. the United States).

Every request Brave makes "home" will transfer private data like IP address of the user and browser fingerprint, regardless of the payload. Can you clarify what is done with this data?

Also, if it is true what it says in the article, that some requests "home" cannot be disabled, why is that the case?

What browser fingerprint are you seeing in your research? I don't believe Leith et al found any such issue in their review at https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf, nor did I in https://brave.com/popular-browsers-first-run/.

I'm happy to discuss any requests you like; we also document all of this to the best of our ability on GitHub as well (https://github.com/brave/brave-browser/wiki).

As for disabling requests, this is a valid petition. Our goal is to have no extra requests when and where possible. We've worked hard to keep them to a minimal. There are some requests (e.g. product update requests) that we've been hesitant to make more easily blockable, since this could potentially leave large swaths of Brave users disconnected, and increasingly vulnerable.

Thanks for the attempt to clarify. My question was, what do you do with the IP address of the user that you get through these “phone-home” requests and I think it is left unanswered?

> We've worked hard to keep them to a minimal.

How is 80 requests minimal? (source: your own above-mentioned article). It seems to me that 0 requests would be minimal.

What is preventing Brave from being a zero-telemetry browser by default?

We drop the IP address. When needed, we'll convert it to a regional identifier (e.g. United States) so that we can have a count of how many users are in the US, UK, etc.

I'm not sure where you saw 80 requests; my network analysis post (https://brave.com/popular-browsers-first-run/) shows Brave issuing 70 requests over a 10-minute period. Compare with Chrome (91 requests), Firefox (2,799 requests), Edge (367 requests), and Opera (106 requests).

0 requests is not realistic, IMHO. When you launch a browser you want to make sure the user has a fresh local DB of known-malicious URLs (so you don't have to pipe each request through a look-up service, like Opera does) for client-side checking. You also want to make sure the client has an updated list of blocking rules for other types of content. There's quite a bit of setup needed when you launch a web browser.

Zero telemetry is unwise, assuming you want to build a product that works for a diverse set of users, devices, and environments. The main issue here is not whether you collect telemetry, but [how] you do so, and what that looks like. Brave is careful to preclude abuse from the design phase; see https://www.brave.com/p3a for more on how we handle Privacy-Preserving Product Analytics.

> private data like IP address of the user and browser fingerprint

Presumably it would send the same data whenever it checks for software updates too.

I can't think of a threat model where downloading updates and downloading ads are different in terms of user privacy (except, of course, that a malicious update can do far more harm).

How does it report the ad was viewed?

When the notification pops on screen, you are granted the rewards. If your OS is not able to show the notification (due to Focus Assist, DND, or some other reason) then you are not rewarded (a future update to Brave will let users control visibility from within the browser entirely).

I believe the question was about the mechanism by which you viewing the ad is reported to Brave, not how the ad display was implemented. (A weird interpretation of "reported".)

Our Rewards server distributes virtual tokens to the instance of Brave (which has an associated Payment ID). These tokens can be exchanged when ad notifications have been viewed, and when other ad-related events occur. The tokens aren't tied to any user information.

And how do they prevent users from faking ad views to accumulate BAT?

The entire ad catalog is sent to your machine and some ad engine running inside the browser decides which ads to show you. It's funny seeing all these folks nitpicking at Brave but who are fine using Google or Microsoft every day.

Do you have to download the chosen ad or is it already on your system? If you selectively downloaded ads, your IP address could give you away and you get a FLoC-like situation.

The ad catalog for your region is downloaded; it comes with click-through URLs, titles, body text, and some other information. There is no connection made beyond this to retrieve any other ad-related data. You can see what your own regional catalog contains by visiting https://sampson.codes/brave/ads/my_region/.

Thanks for clarifying!

I don't really care about Brave either way, it's just dubious that the ads are somehow untrackable when you apparently get credit for seeing them somehow?

We use zero-knowledge proofs and blinded tokens to track when an ad has been viewed by a user. But there is no user data involved here. The magic of cryptography is that you can prove you viewed the ad without telling us anything about you.

Do you have any reading material about how you achieved this?

I can't really see how zero-knowledge proofs could solve this. There is no cryptographic way to prove that software executing on a client's machine triggered a notification. Especially on Linux where an open source notification manager could be modified to reject it.

Assuming you have gone through this [0] and it did(n't) click for you.

I'm equally not so convinced on this anonymous ad system they claim to have built. The browser claims to generate an adID based on your history but encrypt this info to the advertiser. Maybe someone who has actually interacted with the ad platform can provide more insight on what information is exposed.

Zero-knowledge advertising sounds practically like an oxymoron to me, but hey they claim to have made it work.

[0] https://brave.com/themis/

Certainly! Check out the resource detailing our Ad Confirmation process at https://github.com/brave/brave-browser/wiki/Security-and-pri... (it's a little old, but should be helpful). We leverage the Privacy Pass approach too, so reading https://www.petsymposium.org/2018/files/papers/issue3/popets... will also help understand our process. I hope this helps!
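
An added illustration (not part of the original thread, and not Brave's code) of the blinded-token idea behind the Privacy Pass approach mentioned above: the server signs a token it never sees, so a later redemption cannot be linked to the issuance request. It is simplified: a toy modular group stands in for the elliptic curve, the DLEQ proof and redemption MAC of Privacy Pass are omitted, and all function names are hypothetical.

```python
import hashlib
import math
import secrets

# Toy group: integers modulo the prime 2**255 - 19 (illustration only).
P = 2**255 - 19
ORDER = P - 1  # exponents work modulo the group order


def hash_to_group(token: bytes) -> int:
    """Map a token to an element of 1..P-1."""
    return int.from_bytes(hashlib.sha512(token).digest(), "big") % (P - 1) + 1


def client_blind(token: bytes):
    """Client: pick r invertible mod ORDER and send H(token)^r to the server."""
    while True:
        r = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(r, ORDER) == 1:
            return r, pow(hash_to_group(token), r, P)


def server_sign(key: int, blinded: int) -> int:
    """Server, at issuance: sign the blinded element without seeing the token."""
    return pow(blinded, key, P)


def client_unblind(r: int, signed: int) -> int:
    """Client: strip r, since (H(t)^(r*k))^(1/r) = H(t)^k."""
    return pow(signed, pow(r, -1, ORDER), P)


def server_redeem(key: int, token: bytes, sig: int, spent: set) -> bool:
    """Server, at redemption: recompute H(token)^k; reject forgeries and reuse."""
    if token in spent or pow(hash_to_group(token), key, P) != sig:
        return False
    spent.add(token)
    return True


def demo():
    key = secrets.randbelow(ORDER - 2) + 2      # server's secret key
    token = secrets.token_bytes(32)             # constructed sample token
    r, blinded = client_blind(token)
    sig = client_unblind(r, server_sign(key, blinded))
    spent = set()
    first = server_redeem(key, token, sig, spent)
    replay = server_redeem(key, token, sig, spent)
    return blinded == hash_to_group(token), first, replay  # (False, True, False)
```

The server only ever sees `blinded` at issuance and `(token, sig)` at redemption; without `r` it cannot match one to the other.
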

Ah, I hadn't noticed you declaring your financial interest before and was wondering if you were a Brave employee.

You misunderstand. The sensitive data here is your browsing history (and all that it infers). Brave never sees that.

But yes, when you view an ad, that gets recorded somewhere (so that you can get rewards, and the advertiser can be billed).

You decide if you’re comfortable with this or not. The feature is easily turned on or off.