by mherrmann 1388 days ago
Disclaimer: I do consulting work for Brave. Opinions my own.

Maintaining a browser is a huge amount of work. The web evolves constantly and security fixes are extremely important. Being competitive in the space requires a very large amount of engineering resources.

A commercial entity has a sustainable path to providing those resources. While nobody likes ads, I think they're opt-in in Brave and at the end of the day they're a potential source of funding for the necessary development efforts. Brave also has a unique way of serving ads in a privacy-friendly way.

Most of Brave is developed in the open. Where it isn't, there are good reasons why, such as, for example, security. But I'm also privy to some of the internal discussions. It is amazing how much thought and effort the people at Brave put into privacy, even when it is not visible to the outside world. Again, serious engineering resources are devoted to changing Google's Chromium implementation to make it better for privacy. One discussion I vaguely remember was how browser caching can be used to fingerprint users in a very subtle way, and Brave engineers thought very long and hard about how to close this particular loophole of the web.

In short, I don't think "commercial" is bad and having seen some of the internal discussions, I trust Brave a lot when it comes to privacy.

3 comments

> Most of Brave is developed in the open. Where it isn't, there are good reasons why, such as, for example, security.

I don't think you can muster a good security reason for not developing something in the open.

It's normal in any open source project to keep security mailing lists and things of that nature private. And for good reasons.

One of the reasons is they are dealing with security related bug reports. Public disclosure before having a fix in place puts users at risk.

Besides that, 'security' is a process that all groups are responsible for. So it can't help being _developed_ in the open if the project is open. Which Brave is.

I agree with the above. I guess I interpreted the comment as saying some code parts of Brave are not open for security reasons. I don't actually know whether this is true or not.

Code-wise, sure, but if you're discussing a 0-day in the wild, you may want to keep it private while you work out the details and the solution, otherwise you're inviting more abuse.
> A commercial entity has a sustainable path to providing those resources....

[...]

> ...having seen some of the internal discussions, I trust Brave a lot when it comes to privacy.

I felt similarly about Google while I worked there. There were and still are a great many very skilled people focusing on security and privacy within Google, with good intentions. I personally had my own work vetted multiple times for security related stuff, and I was quite impressed.

Yet, Google has grown a bit of a PR problem with respect to privacy issues.

The (potential) problem is structural. Commercial entities exist to make money for investors. Protecting user privacy is a different goal. We also live in a world of grey areas, so judgement calls need to be made.

What structurally prevents the Brave corporation from changing once those people leave, leadership changes, acquisitions happen or Brave is acquired?

I see no particular structural reason to trust Brave more than Google. They're both companies that go to great lengths to respect and preserve user privacy. They're both corporations that exist to make money for investors.

What would I trust even more than Brave or Google? Something run under some form of governance that is legally accountable at a primary and structural level to what it is actually aiming to provide (e.g. privacy) rather than to making money (most every corporation in the world).

One difference between Google and Brave is that Brave has privacy as its selling point to users. If they compromise on that, then they will become less attractive to users. As such, they are much better aligned with users when it comes to privacy. I would say that actually is a structural reason.

The difficulty is, as always, incentives.

Brave is an ad company, in the sense that their only revenue is from ads.

Brave has every motivation to make external tracking as useless as possible, because it increases the relative competitiveness of their own ad platform. Since they own the browser, they can track as much as they want. I'm not saying that they do this today, their implementation might be very privacy focused right now.

I also appreciate that you need money to maintain a browser, even if it's just a layer on top of Chromium.

But we've seen again and again that maximizing revenue always wins out in the long term.

As long as primary revenue for Brave is ads I don't see why I should trust them any more than Google. Less so in fact, because Google doesn't depend on Chrome to generate revenue. For them it's just a helpful sidekick.

> Brave is an ad company, in the sense that their only revenue is from ads.

This is like saying non-profits are donation companies. It's stretching the definition to make a point and ultimately circular logic.

> This is like saying non-profits are donation companies

Not sure how true that is. Non-profits definitely rely on donations as their sole income, and are incentivized to take actions to maximize donations, but the difference is that (ideally) they can't really line their own pockets with the income that comes in. So the only reason they would maximize their income is to put more money into the things that they do.

This is not the case with Brave. The browser is a front, or a channel, for their token and ad network. They only need to keep the browser part of it functional enough to keep traffic. They have no real incentive to improve the browser beyond that point, especially if other competitors stagnate and the money keeps coming in.