Brave's Default Analytics and Opaque Settings Challenge Its Privacy-First Narrative
A developer's attempt to use Microsoft Teams on Debian 11 with Brave Browser—positioned as a privacy-focused Chrome alternative—uncovered unexpected default behaviors that challenge its core branding. Central to the concern is Brave’s "Privacy-Preserving Product Analytics" (P3A), enabled by default without explicit user consent during setup.
Brave’s P3A setting, enabled by default in the browser’s configuration.
The feature, described as collecting "completely anonymised info" like generalized bookmark counts, open tabs, and installed extensions, immediately raised regulatory red flags. Under the UK’s Privacy and Electronic Communications Regulations (PECR) 2003, such data transmission requires being "strictly necessary" for service delivery or explicit user consent—neither of which appeared satisfied. Brave staff swiftly responded on social media, clarifying P3A’s purpose and acknowledging the need for better in-browser documentation links to its technical overview and specific metrics.
Example of generalized data collected by P3A, including bookmark and tab counts (Source: Brave GitHub).
Beyond analytics, the browser exhibited inconsistent UX patterns. Settings like "Show Brave suggested sites" and "Show Brave Rewards button" used opposing toggle logic (on=show vs. on=hide), creating user confusion. No explanations were provided for what constitutes a "Brave suggested site" or how recommendations are generated.
Inconsistent toggle logic in Brave’s settings interface.
A buried "Additional Settings" option also revealed "Continue running background apps when Brave is closed" enabled by default. This sparked concern over undisclosed background processes. Brave clarified this is a Chromium inheritance primarily for extensions but admitted the lack of an explainer was a shortcoming.
The default-enabled background apps setting, with no explanatory documentation.
The investigation extended to Brave Rewards’ Terms of Service, revealing further issues:
- Mandatory Arbitration: A bolded clause enforced arbitration for US users, deterring class actions.
- Poor Contract Drafting: Ambiguous definitions of "you" created legal uncertainty, particularly for organizational use.
- Age Requirement Inconsistencies: Terms stated users "must be at least 18" but later permitted 16-17-year-olds with parental oversight without reconciling the conflict.
- Obligation Ambiguity: Interchanging "must" and "will" blurred contractual duties around compliance, indemnification, and reward claims.
For developers and privacy advocates, these findings underscore a critical tension: even tools marketed as privacy-respecting may prioritize product analytics over opt-in transparency. Default-enabled data collection—however anonymized—demands rigorous justification under regulations like GDPR and PECR. Brave’s rapid acknowledgment of UX flaws is commendable, but the initial experience risks eroding trust in a browser ecosystem where user agency is paramount. As privacy regulations tighten globally, configurability by default becomes as vital as the underlying technology.
Source: Neil Zone