The Brave web browser is hijacking links, and inserting affiliate codes

Authored by davidgerard.co.uk and submitted by zia1997

It’s as if Brave is performance art put on by Mozilla’s advertising department. — heavyset_go, Hacker News

The Brave web browser sells itself on privacy, security and ad-blocking. It also has its own cryptocurrency, the Basic Attention Token.

As such, it’s a favourite with crypto people — or ones who don’t know how to install uBlock Origin, anyway. [uBO Firefox; uBO Chrome]

Brave is very into affiliate marketing. Just in March this year, Brave was caught running eToro affiliate marketing without the legally-required disclaimers — and Brave staff were caught deleting all mention of this from the /r/brave_browser subforum on Reddit. [Github, archive]

If you’re using Brave and try to go to the Binance crypto exchange, Brave hijacks the Binance link you typed in, and autofills with its own affiliate code. This was spotted by @cryptonator1337 on Twitter earlier today.

The animation in @cryptonator1337’s tweet shows you what happens: [Twitter]

Sites that Brave attaches a referrer ID to include binance.com, binance.us, coinbase.com, ledger.com and trezor.io. Searches on “bitcoin”, “btc”, “ethereum”, “eth”, “litecoin”, “ltc” or “bnb” that lead to Binance also get a referrer attached. This is all in the file suggested_sites_provider_data.cc. [GitHub, version as of today]
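As an added illustration of the behaviour described above (not code from the post or from Brave), the check below compares what a user typed in the address bar with the URL the browser suggests, and flags any query parameters on the listed sites that the user never typed. The host list is taken from the post; the referral parameter name and value are placeholders, since the post does not quote them.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed from the sites the post names as getting a referrer ID attached.
AFFILIATED_HOSTS = {"binance.com", "binance.us", "coinbase.com", "ledger.com", "trezor.io"}


def _split(url: str):
    """urlsplit() with a scheme supplied when the user typed a bare host like 'binance.com'."""
    return urlsplit(url if "://" in url else "https://" + url)


def _apex(host: str) -> str:
    """Reduce www.binance.com to binance.com (assumption: a two-label apex is enough here)."""
    return ".".join(host.lower().split(".")[-2:])


def injected_params(typed: str, suggested: str) -> list[tuple[str, str]]:
    """Return query parameters in the omnibox suggestion that the user did not type.

    Only suggestions landing on one of the affiliated hosts are inspected; a parameter
    the user typed themselves (same name) is left alone.
    """
    sugg = _split(suggested)
    if _apex(sugg.hostname or "") not in AFFILIATED_HOSTS:
        return []
    typed_keys = {k.lower() for k, _ in parse_qsl(_split(typed).query, keep_blank_values=True)}
    return [(k, v) for k, v in parse_qsl(sugg.query, keep_blank_values=True)
            if k.lower() not in typed_keys]


def strip_injected(typed: str, suggested: str) -> str:
    """Rebuild the suggested URL with the injected parameters removed."""
    bad = {k for k, _ in injected_params(typed, suggested)}
    sugg = _split(suggested)
    kept = [(k, v) for k, v in parse_qsl(sugg.query, keep_blank_values=True) if k not in bad]
    return urlunsplit(sugg._replace(query=urlencode(kept)))


if __name__ == "__main__":
    # Constructed sample: the user types a bare host, the suggestion carries a
    # referral code (placeholder name and value, not the real parameter).
    typed, suggested = "binance.com", "https://www.binance.com/?ref=REF_PLACEHOLDER"
    print(injected_params(typed, suggested))   # [('ref', 'REF_PLACEHOLDER')]
    print(strip_injected(typed, suggested))    # https://www.binance.com/
```

The same check covers the keyword case from the post: typing “btc” has no query string at all, so any parameter on the Binance suggestion is flagged.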

The landing page for Coinbase even says “Brave Software International invited you to try Coinbase!” [Coinbase]

Brendan Eich, the founder and CEO of Brave, assures us that putting his referrer links into URLs that users typed in, to try to get people to click through accidentally, is all completely upright and above-board. [Twitter]

This ignores the legally required disclosures for affiliate links — the disclosures that Brave also ignored for the eToro links in March. In the US, the FTC has required full disclosure of affiliate marketing since 2009 — you have to put it right there on the page. Similar rules apply in the UK and the EU. (See my Amazon disclosure at the bottom-right of this post, for example.) [FTC; CAP]

However, Eich is very sorry that Brave got caught — again — and something will be changed in some manner to stop this behaviour, or at least obscure it. (Eich doesn’t say precisely what the totally fine thing Brave thought it was doing was, or what’s going to change here.) [Twitter]

Whatever the change is, it will at least apply for Binance — though Eich conspicuously didn’t mention the other sites, and there’s no update on GitHub as yet to the source code file I linked above. [GitHub, master branch] Update: Fix added, see below.

I have been told by multiple past subordinates of Eich’s how — in discussion of any matter whatsoever — he will not be swayed from any opinion that he feels he has reached through logic and reason, and will vehemently argue his correctness at length.

This doesn’t go so well when he’s trying to convince people on Twitter of his bona fides, when they think he’s just scammed them.

When Brave was caught in December 2018 asking for donations on behalf of other people without telling them, Eich started alluding in Twitter replies to Plato, Hume and Nietzsche. “In short run, without sounding Nietzschean, will matters. Patreon’s is weak or corrupt. Ours is not.” This didn’t convince anyone either. [Twitter archive; Twitter archive; Twitter archive]

I’d like to assume Eich is acting in good faith here — but this sort of nonsense keeps happening.

When you see you’ve done something wrong, you should fix it — then explain what you got wrong, that you understand why your users are upset, and precisely how this happened, step by step.

Then you don’t do it again. And you put systems into place so that you don’t do it again.

What you don’t do is to rack up a chain of other unmarked affiliate advertising, or pull what looks remarkably like donation fraud. Then apologise each time, say you’ve fixed it … and then do it again.

This is precisely what scammers do — they apologise, they swear they’ll fix it, and then they do it again.

What should I do, as a Brave user?

There is no good reason to use Brave. Use Chromium — the open-source core of Chrome — with the uBlock Origin ad blocker. [Chromium download, uBO Chrome]

Or use Firefox with uBlock Origin — ‘cos it blocks more ads than the Chromium framework will let anything block. [uBO Firefox]

Or, if you want a really cleaned-out Chrome — ungoogled-chromium, with uBlock Origin. [GitHub]

If you’re on Android, use Firefox with uBlock Origin, or the new Firefox Focus browser. [Mozilla]

Brave is a browser for suckers who want to keep getting played — so it’s a 100% crypto enterprise. As Eich’s pinned tweet still tells us: “Who gets paid? If not you, then you’re ‘product’.” [Twitter]

Update: Brendan Eich has responded to this post by claiming “David lies about us all the time.” I have pointed out that this is a prima facie defamatory statement, and asked him to detail these claimed lies. [Twitter, archive]

Update 2: The fix has been committed to the Brave repository on GitHub. The functionality will default to being switched off. [GitHub, GitHub]

yeah same here. that was a short @brave adventure. sad. — Cryptonator1337 (@cryptonator1337) June 6, 2020

Das_Ce_Ammer on June 7th, 2020 at 08:49 UTC »

When you try to sell the web browser as a champion of integrity, this type of action makes the whole company look like a bunch of greedy knob heads.

zia1997 on June 7th, 2020 at 08:04 UTC »

Found by Cryptonator1337 on Twitter: Brave Browser has been found hardcoding referral links to partnered crypto sites, even if you manually type the URL.

The CEO of Brave has also replied to the tweets in the same thread.
