Microsoft Edge and Yandex Browser Have Privacy Issues, Researcher Warns

By Ava McKinneyOnline Safety

Researcher Warns of Privacy Issues in Microsoft Edge and Yandex Browser

Professor Douglas J. Leith from Trinity College Dublin has analyzed the network activity of popular web browsers and concluded that Microsoft Edge and Yandex Browser show concerning privacy results compared to Brave, Chrome, Firefox, and Safari.

How the Study Was Conducted

Leith tested Chrome (80.0.3987.87), Firefox (73.0), Brave (1.3.115), Safari (13.0.3), Edge (80.0.361.48), and Yandex Browser (20.2.0.1145) using default settings and a proxy to capture traffic. He examined the data sent by browsers at first launch, as well as the data transmitted when visiting a web page, including when a URL was entered manually (which can trigger cloud-based autocomplete features). He also studied browser behavior when left running and idle for 24 hours. All tests were performed on a Mac, and Leith intentionally did not sign in to any Google, Microsoft, Apple, or Firefox services to focus on default, unconfigured installations.

Three Privacy Groups Identified

Leith’s report divides browsers into three groups based on privacy levels:

  • Group 1 (Highest Privacy): Brave
  • Group 2 (Moderate Privacy): Chrome, Firefox, Safari
  • Group 3 (Lowest Privacy): Edge, Yandex Browser

The main issue with Edge and Yandex Browser is that the identifiers they send to their developers can link different search queries and sessions together. Both browsers use so-called “hardware IDs,” which are tied to the physical device and cannot be easily changed.

How Other Browsers Handle Identifiers

In contrast, Chrome and Firefox use identifiers that are essentially random numbers generated at first launch. These IDs persist between sessions but can be easily removed by deleting all configuration data before reinstalling the browser.

What Happens When You Enter a URL

Leith further experimented by pasting (not typing) a URL into the address bar:

  • Chrome sends a request to www.google.com/complete/search with URL details and two identifiers (psi and sugkey).
  • Edge sends the URL to Bing’s autocomplete API along with a cookie identifier.
  • Yandex Browser sends the URL to its servers before navigation begins.
  • Firefox, Brave, and Safari do not collect any data about pasted URLs.

Typing a URL: Autocomplete and Search Features

When typing a URL manually, autocomplete or search features are triggered:

  • Safari is the most aggressive, generating 32 different requests to Google and Apple servers. Requests to Apple include an ID that persists after restarting the browser, potentially allowing browsing history to be reconstructed and queries to be linked.
  • Edge sends the typed text to www.bing.com as it is entered, with nearly every character generating a separate request (about 25 in total), each containing a cvid value that changes only when the browser restarts.
  • Yandex Browser sends text to yandes.ru/suggest-browser as it is typed, also generating about 26 requests, each with cookies and various IDs. After typing is complete, two more requests are sent to yandex.ru and translate.yandex.ru, transmitting the entered URL and the content of the target page.
  • Chrome behaves similarly, generating 19 requests to Google servers, each containing a persistent identifier.
  • Firefox is more private, not sending IDs with requests and stopping after the first word is typed, resulting in only 4 requests total.
  • Brave is the most private, disabling autocomplete by default and sending no requests when text is entered in the address bar.

What Happens When You Sign In?

The study leaves open the question of how companies use the collected data and how privacy changes if a user signs in to the browser to sync bookmarks and history across devices.

Mozilla’s Response

So far, only Mozilla has commented on Leith’s research. The organization stated that a user’s browsing history is only sent to Mozilla’s servers if the user enables the sync service. These sync data are fully encrypted and not accessible to staff.

“Firefox collects some technical data about how users interact with our product, but this does not include browsing history. The data is sent with a unique, randomly generated identifier. IP addresses are stored for a short period for security and abuse detection, then deleted. They are kept separate from telemetry data and are not used to link user activity across sessions,” Firefox developers assured.

Leave a Reply