Microsoft Edge received the lowest privacy rating in a recently published study, which compared the user information collected by major browsers. Yandex, the less-popular browser developed by the Russian Web search provider Yandex, shared that dubious distinction; Brave, the upstart browser that makes privacy a priority, ranked the highest.

The rankings were revealed in a research paper published by Trinity College Dublin computer scientist Doug Leith. He analyzed and rated the privacy provided by Google Chrome, Mozilla Firefox, and Apple Safari, as well as Brave, Edge, and Yandex. Specifically, the study examined the browsers’ sending of data—including unique identifiers and details related to typed URLs—that could be used to track users over time. The findings put the browsers into three categories with Brave getting the highest ranking, Chrome, Firefox, and Safari receiving a medium ranking, and Edge and Yandex lagging behind the rest.

In the paper, Leith wrote:

From a privacy perspective Microsoft Edge and Yandex are qualitatively different from the other browsers studied. Both send persistent identifiers that can be used to link requests (and associated IP address/location) to backend servers. Edge also sends the unique hardware identifier of the device to Microsoft, and Yandex similarly transmits a hashed hardware identifier to backend servers. As far as we can tell, this behavior cannot be disabled by users. In addition to the search autocomplete functionality that shares details of web pages visited, both transmit web page information to servers that appear unrelated to search autocomplete.

Strong, Enduring Identifiers

Both Edge and Yandex send identifiers that are tied to device hardware, the study found. These unique strings, which can also link various apps running on the same device, remain the same even after fresh installs of the browsers. Edge sends the universally unique identifier of a device to a Microsoft server located at self.events.data.microsoft.com. This identifier can’t easily be changed or deleted. The researcher said that the Edge autocomplete, which sends details of typed sites to a backend server, can’t be disabled. As Ars reader karinto pointed out in a comment, however, instructions for disabling the feature are here.

ARS TECHNICA This story originally appeared on Ars Technica, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED's parent company, Condé Nast.

Yandex, meanwhile, collected a cryptographic hash of the hardware MAC address and details of visited websites through the autocomplete function, although the latter could be disabled. Because Edge and Yandex collect identifiers that are linked to the hardware running the browsers, the data persists across fresh browser installs and can also be used to link various apps running on the same device. These identifiers can then be used to track IP addresses over time.

“Transmission of device identifiers to backend servers is obviously the most worrisome since it is a strong, enduring identifier of a user device that can be regenerated at will, including by other apps (so allowing linking of data across apps from the same manufacturer) and cannot be easily changed or reset by users,” the paper warned.