Mobile Browsers That Stick Their Noses Into Your Business

The folks behind Surfshark VPN have looked to see which mobile browsers are most likely to compromise your privacy, and offers some ways that you can protect yourself.

Some figures hit my desk this morning about mobile browsers and the data they collect that I found interesting enough to want to pass on. Some of this won’t surprise anybody, such as the fact that Chrome is the most data-hungry mobile browser app. What might come as a surprise to many, is that Chrome is the only browser that collects financial information, such as payment methods, card numbers, and bank account details. It also collects contacts from a phone’s address book.

The figures came from Surfshark, the cybersecurity folks with an eponymous VPN, which took a look at the 10 browsers it identified as the most popular.

Topping the list was Chrome, which presents a somewhat mind-boggling list of privacy intrusions that includes everything from contacts and financial information to data on location, browsing and search history, content — such as photos, videos, audio recordings, uploaded files, and other stuff — usage data, identifiers — device ID, user ID, or IP address — as well as even more data that’s not identified by the study.

Making Chrome’s data collection more concerning is the fact that much of the data it gathers is for Google services, such as Google Search, Gmail, and Google Maps. These services are not only deeply integrated with Chrome, they also collect user data.

“It is often explained that browsers collect data to personalize and improve a user’s experience,” Tomas Stamulis, Surfshark’s chief security officer said in a statement. “If we rely on this explanation, it appears that the more data you provide, the smoother and seamless your browsing should be. In any case, the newest Surfshark study is a reminder to look through your browser app permissions”

Google’s browser is by far the most used browser on the planet worldwide, with a global use rate of close to 70%. Its usage numbers are quite a bit lower in the US and other richer countries however, where iPhone — and therefore Safari — use is higher. In the US, for example, 50% of mobile users are using Safari, which drops Chrome use to 43%. Numbers are similar in the UK and South Korea, where iPhone usage is also high.

Those last tidbits brings a bit of good news, since Safari ranks fourth when it comes to how much data it collects.

A Browser-by-Browser Breakdown

Among the 10 browsers included in the study, Chrome is the most data-hungry, and collects from 20 different data types. By comparison, the other nine browsers collect on average from only six data types, and the Bing app, which shows up second on the list, collects from 12 data types.

Brave, which sells itself as being privacy-focused and includes features to minimize data collection, collects from only two data types: identifiers and usage data. Not surprisingly, Tor is by far the most privacy-centric, since it’s designed to safely take users anywhere on the web — including the so-called “dark web” — without being detected.

DuckDuckGo and Firefox take middle ground and avoid the most sensitive data collection practices. While they do gather some contact information — identifiers such as user IDs, which are necessary for things like session management, as well as usage data and diagnostics, but basically offer a balance between functionality and privacy.

Why Browsers Collect Data

Although without some data collection, surfing the web would be nigh impossible, or not nearly as seamless as we’re used to experiencing, most data is collected for private interests who are sticking their big noses into users’ business.

Opera, the search engine Bing, and Pi Browser, the study says, collect data for third-party advertising, either for the ads that display within mobile apps or to share with entities that display third-party ads. The good news is that Surfshark says that only 30% of browser apps collect data for this purpose. Pi Browser, Edge, and Bing collect data that’s used to track users. Pi Browser collects five data types: browsing history, search history, device ID, product interaction, and advertisement data. Microsoft’s Edge goes so far as to collect data generated during a customer support request.

Some browsers analyze users’ physical location. Safari, Chrome, and Opera collect “coarse” location data, which means they reference users’ or devices’ location with something less precise than exact latitude and longitude. Bing collects precise location data. The study’s creators wonder — considering that 60% of mobile apps don’t collect location information at all — why some browsers collect this data and how it’s used.

User Mitigations

Thankfully, Surfshark’s Stamulis offered some steps that can be used to help protect privacy on mobile devices:

• Allow: Storage (to save downloads), a camera and microphone if you use video calls.
• Deny or restrict: Location, contacts, SMS, and phone access unless absolutely required.
• On Android: Use “Only While Using App” or “Ask Every Time” when granting permissions like location or microphone.
• Choose privacy-focused browsers that collect data strictly necessary for browsing.
• Turn off the personalization settings on your browser app:
• Syncing with your Google/Microsoft account
• Ad personalization
• Activity tracking (location history, web & app activity)
• On Android:
• Go to Settings > Privacy > Ads > Opt out of ad personalization
• Revisit app permissions monthly — many apps request more than they need over time.

And while you’re taking these steps, you might consider quitting the practice of bringing your phone to the dinner table. That’s not going to help you protect your privacy, but it is going to help you realize that it’s OK if you miss receiving someone’s text by a half hour or so.

Christine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

FOSSForce.com