New research shows that Microsoft Edge is one of the least private web browsers in the world, as it sends identifiers linked to the device hardware and details of web pages visited by users to back-end servers, unlike other popular browsers. Over time, this information can be used to de-anonymise individuals and erase their privacy, and laying bare their browsing history for anyone to see. The study done by researchers at Trinity College, Dublin, compared Google Chrome, Mozilla Firefox, Apple Safari, Brave Browser, Microsoft Edge, and Yandex Browser, and found that Microsoft Edge and Yandex Browser are the least private among the group. As intrusive tracking raises concerns about data privacy and digital security, this lax approach by Microsoft brings up serious questions about how Edge functions.
The research conducted by Douglas J. Leith from the School of Computer Science & Statistics notes that out of all browsers tested, Microsoft Edge and Yandex Browser were the least private, while Brave browser was the most private, and the others like Chrome, and Firefox were somewhere in the middle. The study states, “Edge sends the hardware UUID (universally unique identifier) of the device to Microsoft, a strong and enduring identifier that cannot be easily changed or deleted.” To make matters worse, Edge has a search autocomplete functionality which shares details of web pages visited, transfers web page information to servers that are not related to search autocomplete. Fortunately, this feature can be turned off by users.
The search autocomplete is not unique to Edge, but is also the case with Chrome and Firefox. However, it's only Edge and Yandex that track user hardware in a manner that can't be disabled, as far as the researchers were able to find.
A similar issue with Microsoft Edge was pointed out last year as well when a security researcher by the name of Matt Weeks who has previously worked for the National Security Agency and United States Air Force Institute of Technology, tweeted about this flaw in the browser. He dug into the script and noted that Edge “sends the full URL of pages you visit (minus a few popular sites) to Microsoft,” in a non-anonymous way. He also shared a screenshot of the script which had his website and username. It appears that despite issue this being raised in the past, Microsoft has still not plugged the gaps in Edge's security.
The study further noted that Microsoft Edge sends persistent identifiers than can be used to link requests (and associated IP address/location) to back-end servers. It goes on to state, “The results of this study have prompted discussions, which are ongoing, of browser changes including allowing users to opt-out of search auto-complete on first startup plus a number of browser specific changes.”
The researchers also noted that "we consistently found it much easier to engage with open source browser developers (Chrome, Firefox, Brave),” when compared to Apple and Microsoft, which would help the former platforms to develop and add new security features with interventions from the larger community.