Thoughts on Brave

10/3/22: this post is being updated and may contain outdated information.

Brave is in the news after being caught adding referral codes for their partner Binance, a platform for buying and selling cryptocurrency. Coinbase, Trezor, and Ledger are also seen in Brave's code next to Binance for the addition of affiliate codes.

This was done by autocompleting the URL with a referral code attached, without the consent or knowledge of the user. There weren't disclosures of any kind, which may be illegal in the US and UK. This isn't even the first time Brave has done this specific thing either.

Brendan Eich, CEO of Brave Software, initially responded that he believes this is entirely ethical. After the backlash, he shortly followed it up with a lengthy set of tweets claiming "they made a mistake" by implementing this, attempting to quell the masses by explaining the logic behind it.

UPDATE: Brave says they have "fixed" the issue by disabling the URL autocomplete option by default. But they didn't remove the hard-coded affiliate/referral codes being injected into the URLs; they just turned the autocomplete feature off for new users. What Brave is saying with this type of fix is that they believe automatically adding undisclosed affiliate and referral codes is perfectly fine.

Here are my thoughts on Brave.

Brave is a for-profit ad company

Brave created their browser to help push their contextual advertising model and BAT cryptocurrency.  They entice users to download and use Brave with the potential to earn this cryptocurrency by simply viewing ads.

The core goal of Brave is to get as many people as possible to use their browser so that more people look at their ads, which in turn allows Brave to gather more ad partners (which must pay a minimum $2500 per campaign). This is, naturally, at the expense of Google and Facebook, which Brave often attacks as unethical due to their data collection and unbreakable monopoly on the ad market.

Brave has trialed advertising with data collection

The very concept Brave rallies against with Google and Facebook has been tested in their own platform. In 2018, Brave had an opt-in trial of advertising that involved collecting data from its users.

In June, we’ll be doing opt-in tests with a select group of users to collect insight about the user experience. This test will serve to analyze user interactions with a new way to deliver ads. Around 250 pre-packaged ads will be rotated during this trial and users will be given a special version of the Brave browser loaded with those ads. This special Brave version is part of the test program only. It sends a detailed log of the browsing activity to Brave, which is used as algorithmic test data to check our on-device machine learning. Brave will not share this information, and users can leave this test at any time by switching off this feature or using a regular version of Brave (which never logs user browsing data to any server).

The mere fact that this has been trialed should be telling. If they're willing to trial this, and if the feedback was positive, why would they not institute this in some capacity at a later date? If contextual ads are so effective, why test data-driven advertisements? The answer is because it's more lucrative.

Brave was caught collecting BAT from users for content creators who didn't have any association with Brave's advertising platform

In an attempt to encourage users to donate to their favorite content creators back in 2018, Brave was placing banners that used the creator's name and photo with an attached message stating "support this site". Here's a small excerpt of the full story:

This caused some slight problems just before Christmas — when the browser was caught presenting “support this site” banners for creators who weren’t signed up for BAT at all. Amy Castor wrote up the story for The Block.

British YouTuber Tom Scott was asked if he was getting his BAT donations — and Tom was not pleased in the slightest — “it’s about ‘passing off’, claiming you represent someone when you don’t.”

Not only is this dishonest to its users, but impersonating someone who has no relation to you and collecting the donated cryptocurrency "to hold in case they register" is fraud.

In March, Brave approved, and promoted, a sponsored image (ad) from eToro that contained an undisclosed affiliate link.  For the uninitiated, eToro is an investments and trading platform where 76% of their users lose money.

Reading through Brave's sponsored images announcements and information, nowhere does it say links may contain referral or affiliate codes. However, it's not hard to see why Brave would want an affiliate link planted there. People who sign up through their link allow them to pocket up to $200 plus a 25% revenue share for each registered user. Not only are they collecting the minimum $2500/mo required by advertisers to run an ad campaign, but they are attempting to double dip by tacking on their referral link, undisclosed.

Brave enforces mandatory auto updates to their browser

Brave only allows its browser to be automatically updated, in the name of security.

Disabling this has been a requested feature for the last four years but Brave has been steadfast in their stance to not allow this to be turned off.  Last August they said they would create a flag that would disable it but it was placed as a low priority feature and, in essence, a mere platitude to calm those who have been relentlessly asking.  As of today, this feature is still unable to be disabled.

Why is this a problem? From the lens of privacy, having software that automatically updates with no easy way to stop it allows for companies to include new "features" that may be undesirable.  No other browser forces automatic updates, allowing you to use older versions that either work better or don't include the new, undesired features.  

If we were to look at the actions Brave has taken over the last few years and the mentality of their CEO, is it really unreasonable to be concerned that unwanted or privacy unfriendly features could be added?

Brave has proudly run its campaign on the pillars of privacy, transparency, and ethical advertisement. These are excellent anchors to strap yourself to, but it seems that Brave either doesn't understand what these pillars mean (unlikely) or they are more focused on what they can do to ensure they make the most money possible (likely).

2018 had Brave impersonating content creators and collecting BAT from users who tipped said creators.

Early 2020 saw Brave sneaking referral links in their ads, completely undisclosed.  In conjunction with inserting their affiliate code, the ad, which they have to approve, was for an investment and trading service where 3 out of every 4 users lost money. By approving this ad, Brave is supporting and promoting services that are statistically bad for its users.

Take us to mid-2020 and we see Brave, once again, attaching affiliate codes automatically to certain URLs, also undisclosed. The CEO of Brave stated he believes this is ethical behavior but almost immediately issued an apology after user backlash.

There was no transparency during any of this, and the back-pedalling started as soon as each of these issues was brought into the spotlight.

There's a reason why the best browsers for privacy aren't made by for-profit companies. Microsoft Edge? Nope. Google Chrome? Not a chance. Apple's Safari? Better, but still not good enough. Opera? Oh no.

Firefox is widely considered the best browser for privacy because it lets you fine-tune the details, is led by a nonprofit organization, and is actively maintained with new features that push privacy forward. Waterfox, Iridium, and Ungoogled Chromium are well known and recommended for actively removing invasive features, not collecting data, and being independently managed.

Brave is undoubtedly a fantastic browser. But for privacy, I believe their actions speak for themselves. You are certainly better off using Brave than Chrome, but we shouldn't have to spend time wondering if our browser is going to hijack a link to insert their own affiliate codes to make a few extra dollars at the expense of our trust.
