Brave sends mysterious data to clients4.brave.com

[alexpirine]

Description

While using Gmail, I noticed some connections to clients4.brave.com.

What is this about?

That's the request I saw in DevTools -> Network:

https://clients4.brave.com/invalidation/lcs/client?xpc=%7B%22cn%22%3A%22Gv-redacted-%22%2C%22tp%22%3Anull%2C%22osh%22%3Anull%2C%22ppu%22%3A%22https%3A%2F%2Fhangouts.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2Fclients4.google.com%2Frobots.txt%22%7D

(the -redacted- part represents the redacted by me)

I am sorry, but I can not share any more info.

clients4.brave.com is a valid domain, and there is nothing I can find about it.

I think that I, and many other people, would appreciate an explanation about this.

[jumde]

Hi @alexpirine, to prevent direct connections to google endpoints we proxy some URLs through *.brave.com which remove some user identifiable information like X-Forwarded-* headers. clients4.brave.com is a proxy for clients4.google.com. You can find more info about these endpoints here: https://github.com/brave/brave-browser/wiki/Proxy-redirected-URLs.

[alexpirine]

@jumde thank you for the explanation! Before we close this, can this feature be disabled? (if one is a bit concerned about Brave proxying such requests)

P.S. A Google search for "clients4.google.com" unfortunately doesn't lead to any meaningful result…

[bsclifton]

@alexpirine you're wanting the proxying of the call to be disable-able? (ex: so browser reaches directly out to Google services? able to get your IP, etc)

[alexpirine]

@alexpirine you're wanting the proxying of the call to be disable-able? (ex: so browser reaches directly out to Google services? able to get your IP, etc)

Yes… this is not an option?

[alexpirine]

What does Brave do with the proxied data?

Is it documented on the privacy policy page? (I quickly went through and can't find anything about this proxy service)

[tomlowenthal]

There's nothing about this in the privacy policy because these proxies don't record any personal info.

[alexpirine]

So, the proxies don't record IP addresses? (which - although it was subject to debate - are now, by European laws, considered as personal info (since identification is quite easy in most cases) thanks to RGPD)

It's a bit strange: if there is no personal info in these requests, why hide them from Google in the first place? If there is some personal info, there should be a policy stating how this info is handled...

[bsclifton]

@alexpirine there is no personal information recorded by US, with regards to our proxy servers. If you don't use the proxy, Google can use the information provided in any way (ex: doing a geolocate based on your IP, etc)

All Brave users will hit Google through the same proxy, so they should be undistinguishable

[chickahoona]

I assume that we cannot get rid of these calls completely?

[bsclifton]

@chickahoona not without disabling the feature completely... I am not 100% sure, but I believe the URL called out (https://clients4.brave.com/invalidation/lcs/client... which is proxied to https://clients4.google.com/invalidation/lcs/client) is used for Safe Browsing

If you'd like to turn off Safe Browsing, you can. I wouldn't recommend it (as it's a nice feature), but if you want to, you can in settings under brave://settings/privacy:

cc: @alexpirine

[rebron]

Closing. Looks like this question has been answered.