Brave browser explains Facebook whitelist to concerned users

Privacy-conscious web browser company Brave was busy trying to correct the record this week after someone posted what looked like a whitelist in its code allowing its browser to communicate with Facebook from third-party websites.

Launched in 2016, Brave is a browser that stakes its business model on user privacy. Instead of just serving up user browsing data to advertisers, its developers designed it to put control in the users’ hands. Rather than allowing advertisers to track its users, the browser blocks ad trackers and instead leaves users’ browsing data encrypted on their machines. It then gives users the option to receive ads by signalling basic information about their intentions to advertisers, but only with user permission. It rewards users for this with an Ethereum blockchain-based token called the Basic Attention Token (BAT). Users can also credit publishers that they like with the tokens.

Brave’s FAQ explains:

Ads and trackers are blocked by default. You can allow ads and trackers in the preferences panel.

Yet a post on the YCombinator Hacker News site reveals that the browser has whitelisted at least two social media sites known to be aggressive about slurping user data: Facebook and Twitter. The post points to a code commit on Brave’s GitHub repository from April 2017 that includes the following code:

const whitelistHosts = ['connect.facebook.net', 'connect.facebook.com', 'staticxx.facebook.com', 'www.facebook.com', 'scontent.xx.fbcdn.net', 'pbs.twimg.com', 'scontent-sjc2-1.xx.fbcdn.net', 'platform.twitter.com', 'syndication.twitter.com', 'cdn.syndication.twimg.com']

The code was prefaced with this:

// Temporary whitelist until we find a better solution

The whitelist was in an archived version of the repository but also turns up in the current master branch.
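To see what a host exception list like this means in practice, the following added example (not Brave's code, and not from the commit beyond the host list itself) models a blocker that checks the whitelist before its blocklist and reports which third-party requests get through only because of the exception. The blocklist entries, the sample requests, the exact-host whitelist match and the naive two-label "site" comparison are all assumptions made for illustration.

```javascript
// Simplified model of a tracker blocker with a host exception list.
// Host list copied from the commit quoted in the article.
const whitelistHosts = ['connect.facebook.net', 'connect.facebook.com', 'staticxx.facebook.com', 'www.facebook.com', 'scontent.xx.fbcdn.net', 'pbs.twimg.com', 'scontent-sjc2-1.xx.fbcdn.net', 'platform.twitter.com', 'syndication.twitter.com', 'cdn.syndication.twimg.com']

// Constructed stand-in for a tracker blocklist (assumption: domain-suffix match).
const blockedDomains = ['facebook.net', 'facebook.com', 'twitter.com', 'tracker.example']

// Naive "site": last two labels. Real browsers use the Public Suffix List.
function site (host) {
  return host.split('.').slice(-2).join('.')
}

// Classify one request made while the user is on pageUrl.
function classify (pageUrl, requestUrl) {
  const pageHost = new URL(pageUrl).hostname
  const reqHost = new URL(requestUrl).hostname
  if (site(pageHost) === site(reqHost)) return 'first-party'
  const listed = blockedDomains.some(d => reqHost === d || reqHost.endsWith('.' + d))
  // Assumption: the whitelist is an exact-hostname match checked before blocking.
  if (whitelistHosts.includes(reqHost)) return listed ? 'exempted' : 'allowed'
  return listed ? 'blocked' : 'allowed'
}

// Hosts that would have been blocked but pass because of the whitelist.
function auditExemptions (requests) {
  return requests
    .filter(r => classify(r.page, r.url) === 'exempted')
    .map(r => new URL(r.url).hostname)
}

// Constructed sample of requests observed on two pages.
const sample = [
  { page: 'https://news.example/story', url: 'https://connect.facebook.net/sdk.js' },
  { page: 'https://news.example/story', url: 'https://other.facebook.com/t' },
  { page: 'https://news.example/story', url: 'https://platform.twitter.com/widgets.js' },
  { page: 'https://www.facebook.com/', url: 'https://staticxx.facebook.com/x.js' },
  { page: 'https://news.example/story', url: 'https://cdn.tracker.example/t.js' }
]

console.log(auditExemptions(sample))
```

In this model only hostnames that appear verbatim in the list are exempted, so a non-listed subdomain of the same company is still blocked.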

Brave staff have separately commented on the issue in different threads. CTO Brian Bondy commented directly in the YCombinator thread saying:

There’s a balance between breaking the web and being as strict as possible. Saying we fully allow Facebook tracking isn’t right, but we admittedly need more strict-mode like settings for privacy conscious users.

He added that Brave’s Facebook blocking is “at least as good” as uBlock Origin, which is a cross-platform ad blocker.