By John P. Mello Jr.
Jun 9, 2020 9:16 AM PT

A browser that has received plaudits for privacy protection has been exposed for redirecting Web searches to make money.

Brave, a browser with some 15 million monthly users, has been redirecting searches for cryptocurrency companies to links that produce revenue for the browser’s owners through advertising affiliate programs.

Twitter user Yannick Eckl, aka “cryptonator 1337,” on Saturday revealed that when he searched for Binance, a cryptocurrency exchange, he was redirected to an affiliate version of the URL that profited Brave.

The controversy grew when Larry Cermak, director of research at The Block, a research, analysis and news brand in the digital asset space, began digging into Brave’s code on GitHub. He uncovered more redirects to another cryptocurrency exchange, Coinbase, and two cryptocurrency wallet sites, Ledger and Trezor.

Brave’s autocompletion of a URL to include a referrer link may be a bit dodgy.

“This is ethically questionable because it’s altering the address that the user thought they were typing to one that advantages Brave — apparently in the hope that the user will just hit ‘enter’ and go to Brave’s version,” said David Gerard, UK-based author of Attack of the 50-Foot Blockchain: Bitcoin, Blockchain, Ethereum & Smart Contracts.

“This is what’s called a ‘dark pattern’ in interface design — one that tries to trick the user into doing things purely for the advantage of the vendor,” he told TechNewsWorld.

Brave’s failure to warn users that it was doing affiliate marketing appears to violate FTC rules in the United States and CAP rules in the United Kingdom, Gerard said.

“Not fully informing users is deceptive marketing, and so that part is clearly unethical too,” he observed.

Sorry for the Mistake

In a series of tweets, Brendan Eich, CEO of Brave, acknowledged that the company had made a mistake and would correct it.

Brave was trying to build a business that puts users first by aligning the company’s interests and those of its users with private ads that pay users, he explained.

“But we seek skin-in-game affiliate revenue, too. This includes bringing new users to Binance & other exchanges via opt-in trading widgets/other UX that preserves privacy prior to opt-in,” he wrote.

“It includes search revenue deals, as all major browsers do,” Eich continued. “When we do this well, it’s a win for all parties. Our users want Brave to live.”

The autocomplete default was inspired by search query clientid attribution that all browsers do, but unlike keyword queries, a typed-in URL should go to the domain named, without any additions, he explained.

“Sorry for this mistake — we are clearly not perfect, but we correct course quickly,” Eich wrote.

He denied that Brave was rewriting links clicked on Web pages as well as those typed into the address bar, tweeting “We have never & will not do any such thing.”

The autocomplete function could be turned off in the browser’s settings. Now that setting is turned on by default, but in the future, the default setting will be “off,” Eich said.

Tone Deaf Response

Reaction of Brave users to the mistake was a mixed bag.

“Damage done. I’ll stop using #brave,” tweeted a user with the handle “BitcornRick.”

“TBH having this as an option is weird by itself,” tweeted Sriram Karra. “Who among your target segment would you think will *want* to turn that ON?”

To which Matthew Wallace replied, “Well, users that still like the browser and want them to stay solvent so it doesn’t disappear?”

“Glad to see you are correcting the mistake. You should be more careful if you want to earn people’s trust,” admonished Aki Rodic.

Toth Zoltan tweeted some encouragement to Eich. “Brendan, you guys have made a rocking browser, I really like it,” he wrote. “Your honesty is a plus. No one should be against you making money. Till you stay transparent.”

Overall, though, Brave’s responses on Twitter were “tone deaf,” observed Gerard.

“I see Brendan Eich and [Senior Developer Relations Specialist] Jonathan Sampson have been responding to many, many upset users, but they don’t seem to understand what the issue is,” he said.

“And they really don’t understand that they’ve broken users’ trust,” Gerard continued. “Eich and Sampson seem to think that careful argumentation and using special definitions of words will explain everything and it’ll be fine, but they’re not showing any understanding of what they did to break users’ trust.”

No Free Lunch

While many Brave users won’t be too upset with the browser’s autocomplete-for-cash feature, there is a specific segment who will see the misstep as a betrayal, observed Liz Miller, principal analyst at Constellation Research, a technology research and advisory firm in Cupertino, California.

“There’s a group of technorati that purposefully and thoughtfully went to Brave, not because the technology was going to be different, but the mindset and the promise of the company were going to be different,” she told TechNewsWorld.

“That’s what’s really broken here,” Miller continued.

Brave’s leaders don’t understand how they’ve undermined their users’ trust in them, she said.

“They’re saying their problem was they used this different tag, when the real problem was they didn’t see what they were doing was going to be seen as advertising, which users should be compensated for and made aware of,” Miller explained.

“This is more about transparency than privacy,” she added.

“I think this came out of the blue and shocked Brave. It had been in a luxurious place of being one of the ‘good guys.’ You want ad blockers? We’ve got them. You want something that puts your privacy first? We’re going to give it to you,” Miller noted.

“After being in that rarified air, this is probably the first time they’ve been called to the mat for something,” she pointed out.

There can be substantial backlash toward a company that makes a product that says it’s providing privacy but is mining information, said Rob Enderle, principal analyst at the Enderle Group, an advisory services firm in Bend, Oregon.

“It’s disingenuous, and people can lose trust in the product and the brand,” he told TechNewsWorld.

“One of the big problems with the ad model is that to make money, you have to do things that the people using your product would rather you not do, but that’s what’s paying for the product,” Enderle said. “There’s no free lunch.”


John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.