Microsoft Edge has more privacy-invading telemetry than other browsers

Microsoft may be making great claims about the speed and security of Edge, but a recent study found that the browser is one of the least private. Douglas J Leith from the School of Computer Science & Statistics at Trinity College Dublin, Ireland, tested six web browsers to determine how often they phoned home, and what data they were sharing.

He pitted Google Chrome, Mozilla Firefox, Apple Safari, Brave Browser, Microsoft Edge and Yandex Browser against each other, and the results were rather damning of Edge. Among the findings was the disturbing fact that all URLs typed into Edge are shared with multiple Microsoft sites, as are unique hardware identifiers, opening up the possibility of history tracking.

See also:

The aim of Leith’s study was to « assess the privacy risks associated with […] back-end data exchange » – in other words, determining the invasiveness of telemetry. A series of tests were used to see what data was shared in five scenarios: when first starting the browser after a fresh installation, when closing and restarting the browser, when pasting a URL into the navigation bar, when typing a URL into the address bar, and when a browser is sitting unused.

While Brave is praised for offering good levels of privacy out of the box, there is bad news for Edge. In a paper about the study, Leith says:

From a privacy perspective Microsoft Edge and Yandex are much more worrisome than the other browsers studied. Both send identifiers that are linked to the device hardware and so persist across fresh browser installs and can also be used to link different apps running on the same device. Edge sends the hardware UUID of the device to Microsoft, a strong and enduring identifier than cannot be easily changed or deleted.

Right from the first time it is launched, Edge was found to be phoning home, and the browser was recorded sharing every URL typed into the address bar with not only Microsoft’s SmartScreen website (nav.smartscreen.microsoft.com), but also Bing.

Concluding the paper, Leith writes:

From a privacy perspective Microsoft Edge and Yandex are qualitatively different from the other browsers studied. Both send persistent identifiers than can be used to link requests (and associated IP address/location) to back end servers. Edge also sends the hardware UUID of the device to Microsoft and Yandex similarly transmits a hashed hardware identifier to back end servers. As far as we can tell this behaviour cannot be disabled by users. In addition to the search autocomplete functionality that shares details of web pages visited, both transmit web page information to servers that appear unrelated to search autocomplete.