Brave Web Browser Caught In Affiliate Link Controversy Prompting Fork
The Brave web browser is free software even though the distributed version has many commercial elements. Attentive users of that web browser recently noticed that the corporation behind it, Brave Software Inc, was making money off affiliate links that magically appeared in the address bar as unwelcome additions when a user typed in certain domains. A small group of upset users decided to fork Brave into Bold Browser. Brendan Eich quickly sued the one person in the group that forked Brave who used his real name. He also removed the code adding affiliate links, claiming it was a "mistake".
Controversial code found in the brave-core git repository used to build the Brave Web Browser.
Most people do not expect a web browser to automatically add an affiliate code when binance.us is typed into the URL bar. That is exactly what the Chromium-based Brave Web Browser did until commit 3ccacaac997280d4: "Remove URLs from Brave Suggested Sites" was merged into the "brave-core" git repository. Several other domains including trezor.io were modified in the same fashion.
Brave Software CEO Brendan Eich had this to say about this "feature":
"We made a mistake, we're correcting: Brave default autocompletes verbatim "http://binance.us" in address bar to add an affiliate code. We are a Binance affiliate, we refer users via the opt-in trading widget on the new tab page, but autocomplete should not add any code."
Someone was quick to point out that this was clearly not a "mistake". Brendan Eich dishonored himself and his company by trying to defend his blatant lie:
"I think you used "mistake" where you meant "accident". I never said it was accidental. We were treating it like a search query (which all big browsers do tag with an affiliate id to get paid from by the search provider). But a valid domain name is not a search query. Fixing."
A close-up inspection of brave-core commit e8fdde70a3ac2c25: "Add Brave suggested sites" clearly shows that it was no accident or mistake or anything of the sort. The code in question did not spontaneously materialize from thin air and it did not write itself.
It is also interesting to note that Brave Software co-founder and CTO Brian R. Bondy had this to say in the GitHub comments:
"This is a URL bar suggestion entry. It is not much different from every browser which puts a ref code in search results. But in the case of searches, there's nothing in the UI that tells you the search query you will enter will have a ref code. In this case there is UI that shows you."
We can respect that CTO Brian R. Bondy came out and said it in not so many words: Brave is a for-profit corporation, not a charity. This is simply one of the means they decided to use to make money. CEO Brendan Eich could and should have come out and honestly said "Yes, we rewrite domains typed into the URL bar in order to maximize our corporation's profits".
Brave Software Inc removed the code that modified domains typed into the URL bar with commit 3ccacaac997280d4: "Remove URLs from Brave Suggested Sites".
The story does not end there. Several very upset users decided to fork the Brave Web Browser into a new web browser called BraverBrowser.
Brave CEO Brendan Eich did not take the naming of that fork lightly.
As the people who made the fork previously known as BraverBrowser said in a Twitter post:
"Due to legal threats sent to one of our community members by a certain party, specifically looking to harm them financially because of what this browser is forked from, we are immediately changing the name and removing all association to "the browser that shall not be named"."
BraverBrowser, which is a name that seems to be very similar to Brave Browser, is now known as the Bold Browser.
It is very hard to see anything wrong with Brave Software taking legal action against a group who were clearly violating their trademark. Brave Software did not take action against everyone involved; their action was directed at the one person who used his real name. It is hard to fault them for taking legal action against the only person involved they could take action against.
The shiny new Bold Browser has a very empty GitHub repository at github.com/BoldBrowser. The only actual evidence that there even is a "Bold" browser is a Twitter account claiming that it does exist and is, in fact, a "Privacy-respecting browser without a token or adware. Work in progress!". It is possible that they do not want to make code available to the public until all traces of the Brave trademark have been eradicated from the code-base.
A Lesson For The Free Software Community
The controversial code in question was merged into the brave-core repository on March 25th, 2020. It did take some time before people got actual releases with this code, but still: that was four months ago. "Open source" does not mean perfect, safe or secure code. And it does not automatically translate into trustworthy malware-free code. Brave Software Inc knew exactly what they were doing when they merged the auto-completion code into the brave-core repository and they knew people could and probably would go look at the code. That raises the obvious question: How much malware and spyware is there within the gigantic Chromium code-base, the browser core that Brave Web Browser, Google Chrome and Microsoft Edge are based on? We do not know.
What we do know is that free software has a distinct advantage over proprietary software in this regard: We do have the ability to look at the code. Users of proprietary software do not have that luxury. It took seven years before security-conscious developers noticed that Debian had "accidentally" made OpenSSL on that distribution totally insecure, affecting up-stream distributions like Ubuntu and Linux Mint for years and years. The original mistake, supposedly done to get rid of debugger warnings, was eventually noticed and fixed. It may take seven years before a security disaster is noticed, but at least it can and likely eventually will be noticed if the source code is available. That is one of the many things that make free software superior to proprietary software. Another is that, like in the case of the new Bold Browser, people do have the option of forking when a corporation in control of free software does something morally questionable.
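Looking at the code can be partly automated. The following is an added example, not code from brave-core or from this article's sources: a small audit script that flags hardcoded URL literals whose query string carries a referral-style parameter. The parameter-name heuristic, the `SuggestedSite` table and the `.example` domains are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed heuristic: query-parameter names that commonly carry referral IDs.
REFERRAL_PARAM = re.compile(
    r"^(ref|referr?al|referrer|aff|affiliate|partner|utm_\w+)(_?(id|code))?$",
    re.IGNORECASE,
)
# Double-quoted http(s) URL literals as they appear in most source languages.
URL_LITERAL = re.compile(r'"(https?://[^"\s]+)"')


def find_referral_urls(source):
    """Return (line_no, host, param, value) for every hardcoded URL literal
    whose query string contains a referral-style parameter."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for url in URL_LITERAL.findall(line):
            parts = urlsplit(url)
            for name, value in parse_qsl(parts.query, keep_blank_values=True):
                if REFERRAL_PARAM.match(name):
                    findings.append((line_no, parts.hostname, name, value))
    return findings


# Constructed sample: a C++-style table mapping a typed domain to a destination.
SAMPLE = '''\
static const SuggestedSite kSites[] = {
  {"exchange.example", "https://exchange.example/?ref=PLACEHOLDER1"},
  {"wallet.example",   "https://wallet.example/"},
  {"shop.example",     "https://shop.example/start?lang=en&affiliate_id=PLACEHOLDER2"},
};
'''

if __name__ == "__main__":
    for line_no, host, name, value in find_referral_urls(SAMPLE):
        print(f"line {line_no}: {host} carries {name}={value}")
```

Run over the added lines of each merge, a check like this turns a silent change into a review question at commit time.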