What is P3A in Brave?
Introduction
At Brave, we want our browser not only to provide the best protection against the surveillance economy, but to be the very best way to experience the web. We rely extensively on community feedback to make sure that the product provides the most vital features and is as reliable as it can possibly be. Sometimes, however, this simply is not enough to make sure we are providing the best experience to as many users as possible. Many people simply don’t have time to provide feedback, and there are many questions left unanswered. Do people make it through onboarding, or do we need to make it shorter? Are people using Brave Rewards? Are people using sync and if so, on how many devices? How many people still need to download important browser updates?
In an ordinary software company, these questions would be answered by using one of dozens of third-party analytics services. But the way such services operate would mean that Brave users could be individually identified and tracked, by a third party, and in some cases that behavior would be aggregated with other tracked behavior from the ad/tracker ecosystem for the benefit of the third party alone. None of this would be remotely acceptable to Brave given our commitment to user privacy.
We believe that completely private product analytics are the most effective way for us to make Brave the best it can be — by providing us with insights into how the various features of the product are actually being used, so we can shape the product to better match the needs of our users. As always, our code is open source and available for third-party audits and verification.
How P3A Works
Privacy is our first value. We really, genuinely don’t want to know anything about you individually, or to know anything that could be used to track you. That means that we need to approach product analytics very differently from most other companies. We’ve built a completely private system which we’re calling Privacy-Preserving Product Analytics, or P3A for short. This project goes well beyond industry norms and GDPR requirements when it comes to privacy preservation. Here are the mechanics:
- P3A doesn’t collect any personal information. Nothing that could identify you, and nothing sensitive like your browser history, search queries, etc.
- Every so often, in the background, the browser sends reports containing simple, non-identifying information on product feature usage. These are essentially automatically-delivered answers to specific questions defined by Brave.
- All answers are safeguarded by STAR, an award-winning (CCS ’22) cryptographic telemetry system. STAR guarantees that Brave only accesses an answer if several users reported the same one, thus providing “anonymity through a crowd” and preventing linkability between individual reports.
- We send some attributes (such as the browser version) with each P3A answer. These attributes are also cryptographically protected by STAR and we are only able to access attribute information on an answer if several users reported the same attribute for that answer. This is to ensure that we don't learn anything about individual users even via metadata.
- We limit overlapping questions as well as questions that span collection periods as a further protection against report linkage.
- All the “questions” we ask of the browser (the measurements collected) will be posted publicly in human-readable form. You can find the current list here.
- You can turn P3A off at any time in the “Privacy and Security” section of the browser preferences.
- All the P3A code will be open source (as is all our code except anti-fraud server-side code) — you can always check that your browser is only sharing the specific things we promise.
This system is designed so that we, Brave, are unable to associate any particular response with any other, so we do not have sufficient information to link together any particular user’s “answers”. Instead, each response is an independent data point.
You can see the full list of questions and attributes on our GitHub here: https://github.com/brave/brave-browser/wiki/P3A
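A simplified sketch of the "several users reported the same answer" threshold described in the STAR bullets above, added here as an illustration; it is not Brave's or the STAR project's code. The threshold `K`, the hash-derived polynomial, the toy XOR cipher and the sample answers are assumptions made for the example; the real protocol derives the client's randomness through an oblivious PRF service so that low-entropy answers cannot be guessed offline.

```python
import hashlib, secrets
from collections import defaultdict

P = 2**127 - 1   # prime field for the Shamir shares (a Mersenne prime)
K = 3            # constructed threshold: matching reports needed to unlock an answer

def h(label, data):
    return hashlib.sha256(label + b"|" + data).digest()

def coeffs(answer):
    # Every client holding the same answer derives the same degree-(K-1) polynomial.
    # Assumption: a bare hash stands in for STAR's OPRF-derived randomness.
    return [int.from_bytes(h(b"c%d" % i, answer), "big") % P for i in range(K)]

def xor(key, data):
    return bytes(a ^ b for a, b in zip(data, key))  # toy cipher, answers <= 32 bytes

def client_report(answer):
    c = coeffs(answer)
    x = secrets.randbelow(P - 1) + 1                       # random evaluation point
    y = sum(ci * pow(x, i, P) for i, ci in enumerate(c)) % P
    key = h(b"key", c[0].to_bytes(16, "big"))              # key comes from f(0)
    return {"tag": h(b"tag", answer), "share": (x, y), "ct": xor(key, answer)}

def recover_secret(shares):
    # Lagrange interpolation at x = 0; only correct with K distinct shares.
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total

def aggregate(reports):
    groups = defaultdict(list)
    for r in reports:
        groups[r["tag"]].append(r)                         # same answer, same tag
    out = {}
    for grp in groups.values():
        shares = list({r["share"][0]: r["share"] for r in grp}.values())
        if len(shares) < K:
            continue                                       # below threshold: stays sealed
        key = h(b"key", recover_secret(shares[:K]).to_bytes(16, "big"))
        out[xor(key, grp[0]["ct"])] = len(grp)
    return out
```

The server in this sketch never sees a plaintext answer directly; it can only decrypt once `K` independent shares for the same answer let it rebuild the key.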
Data Retention
Log-level records are automatically deleted from our servers within 30 days. Note that these log-level records will not contain IP addresses or exact timing information. Our anonymized summaries of the data are intended to be kept indefinitely.
Privacy Policy
Brave’s privacy policy can be found here: https://brave.com/privacy/
Conclusion
Most of the software you use includes some sort of product analytics, or usage data collection, as does every major browser. And for good reason — knowing which features are resonating and which need work is an important part of making software that’s a pleasure to use. We’ve been cautious about building analytics because we knew we had to get it exactly right. Some other browsers collect thousands of measurements along with a substantial amount of information about what you’ve searched for and which sites you visited. None of the commercial analytics products we’ve seen come anywhere close to our privacy standards. Building this ourselves took a lot longer than using an existing system, but we think that’s time well spent. We hope you agree.