"I think competition pushes everyone toward being more private by default," Yan Zhu, chief information security officer of the Brave browser , said during the panel. "For instance, when Brave sees Safari rolling out a new protection we think 'oh, we should at least try to match that,' because as a privacy-first, privacy-focused browser that is one of our main selling points."
Browsers can take a number of steps to thwart the tracking efforts of websites and ad networks. They can add anti-fingerprinting measures, which make it harder for sites and services to connect your browsing to you based on unique characteristics—a "fingerprint"—of your browser and device. They can block trackers embedded in sites. They can take extra steps to encrypt information about what websites you visit. And they can support third-party extensions that allow users to further adapt and customize their privacy protections.
Another longstanding topic of debate is how to handle third-party website "cookies" that browsers store to customize your web experience, but that sites often also use for tracking. Safari, Firefox, and Brave have all decided to block third-party cookies by default—much to advertisers' chagrin. Google announced earlier this month that it will eventually take this step as well, though not for two years. As a major ad distributor itself, Google also stands to benefit from blocking third-party trackers that other browsers don't.
Almost all mainstream browsers take these privacy-friendly steps in some form, but under different conceptual approaches. A lot of the debate hinges on the question of how far to push screening and blocking, given that these protections can sometimes create collateral damage. Privacy defenses can sometimes break legitimate website functionality; comments that load from a third-party hosting service, for example, could be mistaken for a sketchy targeted ad module. So each browser has to weigh how it prioritizes privacy versus ease of use.
"Firefox, Edge, Brave, and Safari all have anti-tracking protections by default and they all vary a little bit, they all have different tradeoffs," Tanvi Vyas, Mozilla's principal engineer, said during the panel. "But in the end we’re all trying to improve those protections and we’re learning from each other on how to do that. I think we [Firefox] differ from Chrome in that we’re not trying to preserve the existing model. For us our highest priority is privacy, so when we choose between the existing model and privacy we’ll always choose privacy."
And while the Data Loss Prevention API can be customized based on specific types of data an administrator wants to catch—like patient information in a medical setting, or credit card numbers in a business—DLP also needs to be comprehensive enough to catch things organizations don’t know they’re looking for.
That existing model allows companies and advertisers at least some access to marketing data; one argument for preserving it is that if browsers become too restrictive, those parties will pull content from the open web and move it to mobile apps instead."The web doesn’t exist in a vacuum. People who are building sites and services have choices about the platforms they target," says Eric Lawrence, an Edge program manager. "They can build a mobile application, they can take their content off the open web to put it into a walled garden. And so if we do things in privacy that hurt the open web we could end up pushing people to less privacy-preserving ecosystems."