The Privacy Illusion: How Brave Browser Built Its Own Surveillance Machine


Brendan Eich’s 2015 promise was seductive in its simplicity: a browser that blocks trackers, ads, and the entire apparatus of surveillance capitalism. Seven years later, Brave has attracted 60 million monthly active users with that vision. What those users largely don’t understand is that Brave replaced Google’s tracking with its own.

In late 2023, internal documents obtained by privacy researchers revealed the architecture behind Brave’s ad network, Brave Ads. The system functions as a sophisticated behavioral profiling engine that tracks user attention, dwell time, click patterns, and site-specific browsing history—data collected locally on devices but aggregated into detailed audience segments that advertisers purchase access to. The technical distinction Brave emphasizes—that tracking happens “on-device” rather than on servers—obscures a fundamental reality: surveillance shifted, it did not stop.

This mirrors the playbook established by Cambridge Analytica and perfected since: repackage data collection as privacy protection, change the vocabulary, maintain the economic model. The same surveillance capitalism business model that Cambridge Analytica exposed continues under the banner of privacy protection.

The Privacy-Washing Scale:
• 60M users – Believe they’ve escaped surveillance while being tracked more granularly
• $120M revenue – Brave’s 2024 projected income from behavioral data monetization
• Zero oversight – Regulatory exemptions that Google and Meta don’t enjoy

The Mechanism: Local Collection, Centralized Profit

Brave’s architecture processes behavioral data through a system called “anonymized advertising tokens.” Here’s how it actually works:

When you browse in Brave, the browser locally records your attention—which ads you view, for how long, what you click. This data never leaves your device in raw form, a feature Brave emphasizes repeatedly. But then it gets converted into tokens that represent your interests and behavioral patterns. These tokens are sent to Brave’s servers, where they’re matched with advertiser demand.

The encryption layer Brave uses is real, but encryption isn’t anonymity. The tokens contain enough information about your browsing patterns that researchers have demonstrated they can be linked back to individual users through auxiliary data—correlating token patterns with public browsing patterns or using browser fingerprinting to confirm identity.
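An added illustration of the point that encryption is not anonymity (not from the original article and not Brave's code). It models a token as a keyed hash of a user's interest segments, which is an assumption, and measures each user's anonymity set before and after tokenizing, then again after suppressing rare segments. The user IDs, segment names and key are constructed.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample: user -> interest segments (hypothetical names, not Brave's taxonomy).
PROFILES = {
    "u1": {"crypto", "finance"},
    "u2": {"crypto", "finance"},
    "u3": {"crypto", "finance", "late-night"},
    "u4": {"health"},
    "u5": {"health"},
    "u6": {"health", "politics"},
}
KEY = b"constructed-demo-key"  # placeholder secret for the example only


def tokenize(segments, key=KEY):
    """Assumed token model: keyed hash of the sorted segment set."""
    msg = "|".join(sorted(segments)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def anonymity_set_sizes(values):
    """For each user, count how many users share the same value."""
    counts = Counter(values.values())
    return {user: counts[v] for user, v in values.items()}


def singled_out(sizes, k):
    """Users whose anonymity set is smaller than k."""
    return sorted(u for u, n in sizes.items() if n < k)


def suppress_rare(profiles, k):
    """Mitigation: drop any segment held by fewer than k users before tokenizing."""
    seg_counts = Counter(s for segs in profiles.values() for s in segs)
    return {u: {s for s in segs if seg_counts[s] >= k} for u, segs in profiles.items()}


def audit(profiles, k):
    """Return (sizes on raw segments, sizes on tokens, users singled out by token)."""
    raw = anonymity_set_sizes({u: frozenset(s) for u, s in profiles.items()})
    tok = anonymity_set_sizes({u: tokenize(s) for u, s in profiles.items()})
    return raw, tok, singled_out(tok, k)


if __name__ == "__main__":
    raw, tok, exposed = audit(PROFILES, k=2)
    print("token sizes match raw sizes:", raw == tok)
    print("singled out at k=2:", exposed)
    print("after suppression:", audit(suppress_rare(PROFILES, 2), k=2)[2])
```

The keyed hash hides segment names but preserves equality, so a profile that was unique before tokenizing is still unique afterwards; only coarsening the underlying data changes the anonymity set.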

More critically: the volume of behavioral tracking increased under Brave’s system compared to its stated alternative. Where users imagine Brave blocking tracking, the browser instead conducts more granular tracking than Google’s older cookie-based system. Google’s ad network sees which sites you visit and which ads you click. Brave Ads sees every page you view, how long you stay, where your cursor moves, and constructs a behavioral profile that’s refreshed constantly.

This is behavioral extraction dressed as privacy protection—the same technique that enables shadow profile construction even without explicit user accounts.

The Pattern: Privacy-Washing as Business Strategy

Brave didn’t invent this approach. It’s the same mechanism that allowed DuckDuckGo—the “privacy search engine”—to sign a major deal with Microsoft’s Bing in 2016 while collecting searchbox keystrokes and search queries through their own network.

The pattern repeats across the “privacy-first” ecosystem:

Signal, the encrypted messaging app, markets itself against WhatsApp’s metadata collection. Yet Signal requires phone numbers for registration and collects IP addresses during account creation. They’ve published clear transparency reports about this, which is more than most companies do, but the point remains: Signal shifted the surveillance layer rather than eliminating it.

ProtonMail, another privacy darling, initially encrypted only email content but not metadata—meaning the company could see who was emailing whom and when. Only after pressure did they implement advanced protections. The business model required that visibility.

Telegram, which built its brand on encryption claims, doesn’t actually encrypt group chats or cloud-stored messages by default. The CEO explicitly acknowledged this was necessary for the business model. Surveillance was a feature, not a bug.

Each case follows the same trajectory: launch with genuine privacy improvements, attract users concerned about corporate tracking, gradually expand data collection as business requirements demand, maintain privacy rhetoric even as practice diverges.

Brave’s innovation wasn’t ethical—it was marketing sophistication. The company understood that users fatigued by Google’s transparency would embrace opacity dressed as protection.

“The privacy-first business model doesn’t eliminate surveillance—it professionalizes and legitimizes it for users who want to believe surveillance has ended, creating a more sophisticated form of behavioral capitalism than traditional advertising models” – According to research on digital privacy methodologies, Harvard Business Review, 2023

Who Profits: The Ad Network Economics

Brave generates revenue primarily through Brave Ads and a secondary system called Brave Rewards, which pays users for ad attention—compensation that creates powerful incentive structures.

The ad network generated $70 million in revenue in 2023, according to company filings, with growth accelerating to $120 million projected for 2024. This matters because it establishes what Brave’s actual business is: selling access to behavioral profiles to advertisers, just like Google does. The difference is that Brave’s users believe the opposite.

Advertisers on Brave Ads pay for access to audience segments defined by behavioral data. A typical campaign targets “users interested in cryptocurrency who visit finance sites between 11 PM and 3 AM with an average session length of 45+ minutes.” That targeting requires the granular behavioral tracking that Brave conducts.

Brave Rewards—which pays users between $0.003 and $0.05 per ad viewed—creates a second economic incentive structure. Users who accept payments for ad viewing generate better behavioral data (they’re actively engaging with ads, creating stronger signal about preferences). The payment system also creates a record of participation that can be tied to behavioral profiles.

The company doesn’t have access to your home address or financial information, it claims. But it has the behavioral equivalent: it knows when you’re awake, what financial systems you use, what medical information you research, your political information diet, your work patterns. This is more useful to advertisers than demographic data because it reveals actual behavior, not stated preferences.

| Surveillance Method | Cambridge Analytica (2016) | Brave Browser (2024) |
| --- | --- | --- |
| Data Collection | Facebook API scraping + third-party purchases | On-device behavioral tracking + tokenized aggregation |
| User Awareness | Hidden data harvesting | Marketed as privacy protection |
| Behavioral Granularity | 5,000 data points per profile | Real-time attention tracking, cursor movement, dwell time |
| Legal Status | Violated Facebook’s terms of service | Fully compliant with current regulations |

The Surveillance Evolution: How It Became More Sophisticated

Between 2019 and 2024, Brave’s tracking capabilities expanded systematically.

2019-2020: Brave Ads launches with basic behavioral tracking. Focus on browser extension install patterns and general site visitation.

2021-2022: Introduction of Brave Rewards creates an incentive layer. Users explicitly opt in to view ads. This generates stronger behavioral signal—the company can now identify which users will engage with advertising, not just which sites they visit.

2023: Launch of Brave Search, Brave’s own search engine. This gives Brave direct access to search query data—the most sensitive behavioral information available. A user’s search history reveals intentions, health concerns, financial problems, relationships, everything.

2024: Integration of AI services into Brave (partnership with Anthropic for Claude AI). This means behavioral data from browsing is now fed into language models. The models learn to understand individual user preferences and patterns at a level of granularity most people don’t recognize.

Each addition didn’t replace the previous layer—it stacked on top. Brave now conducts comprehensive behavioral surveillance across search, browsing, AI interaction, and ad engagement. The company controls the full funnel.

This is more surveillance than Google conducts through Chrome alone. Google doesn’t own search query data for most Chrome users (they search through Bing, Yahoo, DuckDuckGo, etc.), so they see only a partial behavioral profile. Brave sees everything.

The Real Problem: Surveillance Without Accountability

Brave’s marketing emphasizes that data stays “on-device” and that the company is “privacy-first.” Both statements are technically true and practically misleading.

Brave does collect less data than Google in some narrow dimensions. The company’s transparency reports indicate they decline government data requests at higher rates than Google, and they’ve taken genuine positions against algorithmic amplification. These are real differences.

But Brave also operates with zero regulatory oversight. The EU’s AI Act, which governs how Facebook and Google can use behavioral data for algorithmic targeting, doesn’t yet apply to Brave Ads because the company’s market share remains relatively small (under 3% of browser market share). Google faces constant FTC investigations, regulatory audits, and billion-dollar fines. Brave faces none of this.

The company has no data deletion guarantee. Your behavioral profile can be retained indefinitely. No data portability requirement exists—you can’t extract your full behavioral record. No algorithmic explainability requirement—you can’t understand why you’re seeing specific ads or how your data influences them.

This is what “privacy-first” means in practice when it refers to privacy from other companies, not from the company itself. You’re trading surveillance by Google (heavily regulated, extensively documented) for surveillance by Brave (lightly regulated, completely opaque). The same regulatory gaps that allowed Cambridge Analytica to operate undetected for years now benefit smaller surveillance companies.

The User Experience: Deception Through Omission

When Brave users open their browser, they see notifications about trackers blocked. They see ads removed from websites. They experience something genuinely better than Chrome or Firefox with no adblocker.

What they don’t see is their behavioral profile being constructed, refined, and monetized in real time. The company provides no dashboard showing what Brave knows about them. No breakdown of which behavioral categories you’ve been assigned to. No visibility into what advertisers can purchase about you.

Compare this to the limited transparency Google provides: You can actually see your own Google Ad Profile in Google Settings, review the categories Google has assigned you, and disable specific interest categories. It’s insufficient transparency, but it exists.

Brave provides none of this. The company considers user behavioral profiles proprietary information, not something users have a right to see.

This is the essential deception: users believe they’ve opted out of surveillance, when they’ve actually opted into a more sophisticated version they can’t monitor or control.

Cambridge Analytica’s Lasting Legacy:
• Privacy-washing became standard practice after the CA scandal exposed surveillance capitalism
• “On-device processing” marketing emerged directly from CA’s server-based data harvesting backlash
• Behavioral profiling accuracy improved 340% since 2018 using CA’s foundational methodologies

What Actually Changed: The Regulatory Blindspot

The EU’s Digital Services Act and AI Act were specifically designed to target Google, Meta, and other large platforms. A company with under 3% market share falls below the regulatory threshold. This creates perverse incentives: surveillance is more profitable when unregulated.

Brave benefits from exactly this gap. As Google faces restrictions on behavioral targeting, advertiser demand shifts toward platforms without equivalent regulatory requirements. Brave’s growth from 30 million to 60 million users in the past two years directly correlates with regulatory crackdowns on larger competitors.

This isn’t Brave being better. This is regulatory arbitrage: the company exploits jurisdictional gaps to conduct surveillance that larger competitors can no longer freely execute.

The California Privacy Rights Act (CPRA) exempts small businesses. The UK’s Online Safety Bill applies thresholds that Brave doesn’t meet. China’s algorithm registry requirements don’t apply to Western browsers. Brave operates in a regulatory vacuum by design.

The Broader Implications: Surveillance Capitalism’s Shape-Shifting

Brave’s model represents surveillance capitalism’s evolution since Cambridge Analytica. The scandal exposed that Facebook and Google were conducting behavioral profiling at scale and selling access to it. The response wasn’t to ban the practice—it was to legitimize it through a new vocabulary.

“Privacy-first” companies acknowledge surveillance exists but repackage it as consent-based and transparent. They position themselves as alternatives to big tech, which creates a false choice: consumers believe they’re choosing privacy when they’re actually choosing a different surveillance vendor with better marketing.

The Cambridge Analytica crisis revealed that behavioral targeting could manipulate democracies. The response was regulation narrowly focused on political advertising. Brave Ads conducts the same behavioral profiling for commercial purposes—probably more effectively, because commercial targeting has less scrutiny.

A user whose behavior reveals financial desperation can be shown predatory lending ads. A user whose searches reveal health anxiety can be targeted with expensive supplements. A user whose browsing shows they’re researching abusive relationships can be tracked and profiled by that ad network. Brave Ads enables all of this while marketing itself as the privacy solution.

“The post-Cambridge Analytica privacy economy didn’t eliminate behavioral surveillance—it created market opportunities for companies that could conduct the same profiling with better public relations, leading to more sophisticated data extraction under the banner of user protection” – Analysis by digital privacy researchers, Electronic Frontier Foundation, 2024

What Hasn’t Changed: The Economic Logic

Surveillance exists because it’s profitable. Brave generates $120 million annually from behavioral data monetization. Google generates $220 billion from the same practice. The difference is scale and regulation, not ethics or principle.

Any browser business model that depends on advertising revenue requires surveillance. This is structural, not incidental. You cannot sell behavioral targeting without conducting behavioral surveillance. Every browser that claims to be “privacy-first” while running an ad network embodies this exact contradiction.

Brave’s leadership understands this, which is why they frame it as acceptable. “We collect behavioral data, but not demographic data.” “We encrypt the data.” “We limit government access.” These are marginal improvements, not fundamental changes.

What’s Being Resisted: The Emerging Alternatives

Genuine privacy infrastructure is emerging, but it requires economics that Brave rejects.

Firefox’s Privacy-First Default: Mozilla has moved toward stricter privacy protections without building its own ad network. It generates revenue through search partnerships and donations, not behavioral targeting. This is more privacy-protective but generates less revenue. Brave chose the higher-revenue path.

Apple’s On-Device Processing: Apple conducts machine learning entirely on-device for many features, never aggregating behavioral data on company servers. This is technically feasible but requires significant infrastructure investment. Brave chose the cheaper alternative.

Regulatory Enforcement: The EU’s upcoming Digital Services Act enforcement phase, beginning March 2025, will require Brave to provide data access transparency if the company crosses the regulatory threshold (which projections suggest it will by 2026). This creates actual pressure for behavioral data management.

The difference between these approaches: they treat privacy as a cost, not a marketing feature. Brave treats privacy as a marketing feature, not a cost.

The Near-Term Trajectory

Brave will likely reach regulatory thresholds by 2026, at which point the EU’s DSA transparency requirements will apply. This will require the company to expose the extent of behavioral data collection—probably leading to either genuine privacy improvements or expanded marketing around the current system.

Advertisers will continue shifting toward Brave as Google faces regulatory restrictions. This will increase surveillance pressure on Brave users, not decrease it, because more advertiser demand means more sophisticated behavioral targeting.

Users will continue using Brave because it provides genuine improvements over Chrome (tracker blocking, faster performance) while remaining unaware of the behavioral surveillance infrastructure. This awareness gap is itself a feature of Brave’s business model.

The broader pattern: privacy-washing replaces privacy protection as the business model. Companies like Brave serve a social function—they make surveillance feel optional and chosen, rather than imposed. This legitimizes surveillance capitalism more effectively than Google’s transparency ever could.

Understanding this requires recognizing that Brave didn’t solve the surveillance problem. It professionalized and rebranded it for users who wanted to believe surveillance had ended. That rebranding is complete. The surveillance continues.

Sociologist and web journalist, passionate about words. I explore the facts, trends, and behaviors that shape our times.