Skip to content
DevMeme
5108 of 7435
Brave Browser Under Fire in Tech Community for Unconsented VPN Installation
Security Post #5592, on Oct 19, 2023 in TG

Brave Browser Under Fire in Tech Community for Unconsented VPN Installation

Why is this Security meme funny?

Level 1: Trust Betrayed, in Plain Terms

Imagine you have a trusted friend who always talks about keeping secrets safe. You give them your diary because they promise, “I’ll guard it and never peek.” But one day you find out they secretly made a copy of your key and opened your diary without asking. You’d feel pretty upset and tricked, right?

That’s what happened here with Brave browser and its users. Brave was like the friend who promised to protect your privacy (your secrets). People chose Brave because it said, “I won’t do sneaky things with your data.” But then Brave went and added a new secret tool (a VPN) on people’s computers without telling them first – kind of like that friend sneaking a look at your diary.

For the people using Brave, this was both upsetting and a bit ironically funny in a “seriously? you too?” way. It’s like the safety-first toy company that suddenly includes a surprise gadget in the box that nobody asked for. Even if that gadget is meant to be helpful, doing it behind everyone’s back makes it feel wrong.

So the heart of the joke is: a browser that was supposed to be super honest about privacy did something privately, without permission. It’s a mix of disappointment and “I can’t believe they did that,” which is why folks are talking about it and sharing this meme. Everyone’s basically shaking their heads and saying, “Even the ‘good guy’ browser pulled a sneaky move!”

Level 2: But Did You Ask?

For those newer to this arena, let’s break down the scenario. Brave is a web browser, much like Chrome or Firefox, but it brands itself as privacy-focused. It automatically blocks ads and trackers, and many privacy-conscious users install Brave to feel safer online. Now, a VPN (Virtual Private Network) is a tool that routes your internet traffic through an encrypted tunnel to a server, hiding your IP address and encrypting data so your ISP or others can’t easily snoop on your browsing. VPNs can be great for privacy if you choose to use them. The key phrase there is “if you choose.”

What happened, according to the meme’s screenshot (from a tech forum), is that Brave appeared to install a VPN service without asking the user. A “service” here likely means a program running in the background of your computer (for example on Windows, something listed in the Services panel, or a daemon on macOS/Linux). Normally, if you want a VPN, you’d install it yourself or explicitly enable a VPN feature. But Brave seemingly did this on its own, during an update, quietly. The user didn’t click “Yes, install Brave VPN” – it just showed up.

This is causing an uproar in communities focused on Security and Data Privacy (two key categories mentioned). Why? Because user consent is a cornerstone of trust. When software that promises to protect you does something without asking, it feels like a breach of trust.

Imagine you downloaded Brave precisely because you were wary of big companies sneaking in unwanted things. You’re enjoying your tracker-free browsing… then one day you see a news headline (like the one in the image: “Brave appears to install VPN Services without user consent”). It’s jarring: the browser that was supposed to respect your choices made a pretty big choice on your behalf.

Let’s clarify a few terms and context tags in simpler words:

  • PrivacyConcerns / Privacy Marketing vs Practice: Brave’s marketing says “we care about your privacy.” The concern is that their practice (installing something silently) doesn’t match the promise. It’s like a restaurant that advertises healthy, organic food but then you find out they add secret sugar syrup to everything.
  • BrowserSecurityFeatures: Modern browsers often have extra features like password managers, ad-blockers, or even VPNs. Brave’s VPN in this case might be one of those features – possibly meant to give users more privacy by letting them tunnel traffic. Opera (another browser) for example offers a built-in VPN but it’s clearly a selectable feature. The outcry here is Brave included its VPN component without the clear “Click to install” step.
  • Silent_vpn_install / User_consent_violation: “Silent install” means installing in the background, without popping up a dialog or asking the user. User consent violation means the user wasn’t given a choice or didn’t approve this action. In software terms, it’s like not respecting an opt-in model.
  • Browser_trust_issues: People now have “trust issues” with their browser. A browser is an application you use constantly and often grant a lot of freedom (it can update itself, it handles all your web data). If it misbehaves, you feel betrayed. This tag signals the meme is about the trust relationship between users and the Brave browser being damaged.

The image itself shows a forum post on 4chan’s technology board (known as /g/). The user posted the news article and wrote “Bravebros?” which is a tongue-in-cheek way to get the attention of Brave enthusiasts (“Brave, bros, care to explain?”). It’s a quick way to stir discussion among developers and techies: “Look, your favorite privacy browser might be doing something shady.” In forums like these, it’s common to challenge fans of a technology when bad news drops – a bit of tech community ribbing.

So in summary at this level: Brave Browser, champion of privacy, reportedly installed a VPN component on users’ machines without asking them. This has raised eyebrows and hackles in the developer and privacy communities. It’s a clear clash between Brave’s privacy-first reputation and an action that feels more like something a sneaky adware-laden app might do. New developers witnessing this learn an important lesson: always be transparent with users. If even a well-regarded app gets flak for skipping consent, it’s because trust is hard to earn and easy to lose in software.

Level 3: Brave’s Hidden Service Betrayal

At the most technical level, this meme spotlights a browser trust model failure. Seasoned engineers see the irony: Brave – a browser celebrated for privacy by default – apparently slipped a VPN service onto user systems without explicit consent. Under the hood, Brave likely pushed an update bundling a background VPN component (maybe a system service or daemon) that runs outside the usual browser sandbox. This is a big deal because installing system-level services silently edges into malware territory. It breaks the implicit social contract of software updates: we trust that security features are opt-in or at least well-communicated, not covertly injected.

Why do seniors find this both horrifying and darkly humorous? Because we’ve seen this movie before. Privacy tools gone rogue form a classic trope in tech. It’s the “encrypted wolf in sheep’s clothing” scenario. The meme shows a 4chan /g/ thread referencing a ghacks.net article, complete with a laptop displaying code (a nod to developer scrutiny). The poster quips “Bravebros?” – calling out Brave’s loyal fans. It’s a sarcastic way of asking: “Well, what do you say now, Brave advocates?”

From a Senior DevOps/Security engineer perspective, a browser surreptitiously adding components triggers multiple alarms:

  • Security Surface Expansion: Every additional service is another point of potential failure or exploit. If Brave’s VPN module has a bug, it could become a new attack vector on your machine.
  • User Consent Violation: In security culture, unconsented changes are an absolute no-go. It’s akin to finding an SSH backdoor left by a trusted sysadmin – technically functional, but a profound betrayal of trust.
  • Supply-Chain Transparency: Developers preach reproducible builds and open-source scrutiny. If an update silently adds something, how do we know it’s intentional and vetted? Could it have been a supply-chain attack? (e.g., malicious code injected into Brave’s build process). Even if it wasn’t malicious, opacity here sets a dangerous precedent.
  • Privacy Hypocrisy: Brave markets itself against “big brother” browsers (like Chrome’s data collection). So doing something sneaky in the background – even if well-intentioned (say, prepping a feature) – reads as hypocritical. It’s an architectural and ethical misstep.

Consider the technical mechanics: to install a VPN service, Brave might have bundled a TUN/TAP driver or configured a system-level network adapter. On Windows, that could mean a new service in services.msc or a background process always listening. This isn’t trivial – it may require admin rights (perhaps granted during update installation). The very act reminds battle-scarred engineers of past incidents where software overstepped: antivirus suites installing root certificates without asking, or updaters bundling unexpected “features” that looked like spyware.

In essence, this meme’s humor is a bitter, knowing laugh. Brave’s hidden VPN is the punchline to an unsaid joke: “Of course the ‘privacy-first’ browser is doing something without telling us – why am I not surprised?” It resonates with veteran devs because it validates a cynical worldview: no piece of software, no matter how noble its mission, is above slipping up or succumbing to business pressures. The situation is absurd yet predictable, making it ripe for gallows humor on forums.

Description

This image is a screenshot of a thread from a technology-focused online forum, likely 4chan's /g/ board, discussing a controversy involving the Brave web browser. The post, identifiable by the URL structure '/g/96752876/', shares a link to a ghacks.net article. The article's headline, 'Brave appears to install VPN Services without user consent', is prominently displayed above a generic stock photo of a laptop with code on the screen. The original poster has added the question 'Bravebros?', a common term used in such forums to address fans of a product, in this case, seeking their response to the negative news. The core of this post is the technical and ethical issue of a privacy-focused browser allegedly installing software components without explicit user permission. For developers, this is a significant breach of trust, raising concerns about software bloat, unwanted background processes, and a company acting against its own stated principles of privacy and user control

Comments

41
Anonymous ★ Top Pick Brave's new feature is zero-click VPN installation. It's so private, even *you* don't know it's running. They've finally achieved statelessness by removing the user's state of consent
  1. Anonymous ★ Top Pick

    Brave's new feature is zero-click VPN installation. It's so private, even *you* don't know it's running. They've finally achieved statelessness by removing the user's state of consent

  2. Anonymous

    Brave silently bundling a VPN is the browser edition of the ops team kubectl-injecting a sidecar into every prod pod on Friday afternoon and labeling the commit “zero-trust”

  3. Anonymous

    The irony of a privacy-focused browser silently installing services without consent is like a security consultant leaving their laptop unlocked at DefCon - it's not the vulnerability that hurts, it's the betrayal of fundamental principles you literally built your reputation on

  4. Anonymous

    When your 'privacy-focused' browser decides to practice security through obscurity by installing VPN services without asking - because nothing says 'we respect your privacy' quite like making unilateral decisions about your network stack. The real brave move here is trusting any browser that thinks informed consent is just a suggestion, not a requirement

  5. Anonymous

    Brave: npm install vpn --silent --no-audit --ignore-consent

  6. Anonymous

    Nothing screams privacy like silently shipping a privileged VPN daemon; it’s opt‑in the same way surprise cronjobs are “scheduled features.”

  7. Anonymous

    Privacy-first browser quietly dropping a VPN daemon is the version of Zero Trust where the vendor trusts the user zero - check your services list before the marketing page

  8. @SpYvy 2y

    Read the primary sources.

  9. @SamsonovAnton 2y

    What is so terrible with installing some module without using it, aside from occupying extra drive space? Majority of people do not use most of a program's functions anyway.

  10. @endisn16h 2y

    i like how every time that brave is once again is found out to be malicuous, brave users are screeching so hard my nigger, no fucking shit

    1. @hotsadboi 2y

      how is this malicious? i have never ever used brave before so i can only judge by the limited information i've been fed by the media but other browser running companies seem to do marginally more fucked up things on a constant basis, like embedding livestreams into the browser itself or spending a big part of their money sponsoring non-existent organizations

      1. @endisn16h 2y

        not 'exactly' this article, but various previous ones

      2. @maximilionus 2y

        Brave has done similar things in the past (inserting their own referrals into crypto links, etc). So it can already be considered malicious because it's bloated with garbage and ads, and completely untrustworthy in terms of any privacy because of past mistakes.

      3. @qtsmolcat 2y

        brave has repeatedly shown it gives no fucks about user choice, in spite of all their talk about being better than google. they only backtrack after people get mad about things

  11. @mpolovnev 2y

    Linux users of Brave suffer much more. It spawns a daemon!

    1. @endisn16h 2y

      wellthat was cheap but i still had a laugh

    2. @RichStallman 2y

      I'd just like to interject for a moment. What you're refering to as Linux, is in fact, GNU/Linux, or as I've recently taken to calling it, GNU plus Linux. Linux is not an operating system unto itself, but rather another free component of a fully functioning GNU system made useful by the GNU corelibs, shell utilities and vital system components comprising a full OS as defined by POSIX. Many computer users run a modified version of the GNU system every day, without realizing it. Through a peculiar turn of events, the version of GNU which is widely used today is often called Linux, and many of its users are not aware that it is basically the GNU system, developed by the GNU Project. There really is a Linux, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine's resources to the other programs that you run. The kernel is an essential part of an operating system, but useless by itself; it can only function in the context of a complete operating system. Linux is normally used in combination with the GNU operating system: the whole system is basically GNU with Linux added, or GNU/Linux. All the so-called Linux distributions are really distributions of GNU/Linux!

      1. @RiedleroD 2y

        obligatory fuck stallman

      2. @BruhElement 2y

        “I use Linux as my operating system,” I state proudly to the unkempt, bearded man. He swivels around in his desk chair with a devilish gleam in his eyes, ready to beardsplain with extreme precision. “Actually”, he says with a grin, “Linux is just the kernel. You use GNU+Linux!’ I don’t miss a beat and reply with a smirk, “I use Alpine, a distro that doesn’t include the GNU coreutils, or any other GNU code. It’s Linux, but it’s not GNU+Linux.” The smile quickly drops from the man’s face. His body begins convulsing and he foams at the mouth and drops to the floor with a sickly thud. As he writhes around he screams “I-IT WAS COMPILED WITH GCC! THAT MEANS IT’S STILL GNU!” Coolly, I reply “If windows was compiled with gcc, would that make it GNU?” I interrupt his response with “-and work is being made on the kernel to make it more compiler-agnostic. Even you were correct, you won’t be for long.” With a sickly wheeze, the last of the man’s life is ejected from his body. He lies on the floor, cold and limp. I’ve muslpilled Mr. Stallman to death.

        1. @callofvoid0 2y

          this text is very literature rich and beyond my everyday vocabulary

        2. @SamsonovAnton 2y

          What about Debian GNU/kFreeBSD though? Does/has anyone use that monster?

          1. @endisn16h 2y

            sounds horrible

  12. Kademlia 2y

    Remember when Brave hijacked URLs?

    1. @RiedleroD 2y

      no

      1. Kademlia 2y

        It's one way to recieve funding https://davidgerard.co.uk/blockchain/2020/06/06/the-brave-web-browser-is-hijacking-links-and-inserting-affiliate-codes/

        1. @RiedleroD 2y

          lmao, cringe

        2. @callofvoid0 2y

          so it puts a referrer link instead of the actual links, right?

          1. @RiedleroD 2y

            they just added a referral id as a GET parameter

            1. @RiedleroD 2y

              it's still the same link, but with an extra bit that tells the website that the user got there via brave, so brave gets a bit of money from that website

        3. @anatoli26 2y

          OMG, never used brave as well said in the article “As such, it’s a favourite with crypto people — or ones who don’t know how to install uBlock Origin, anyway”, but couldn’t imagine it was so shitty 🤯 why to use it in the first place?

  13. @RiedleroD 2y

    it's yet another way of tracking the user via fingerprinting

  14. @spiritualattunement 2y

    thorium ftw

    1. @RiedleroD 2y

      …no. just no.

  15. @misesOnWheels 2y

    why not just use TOR ?

    1. @RiedleroD 2y

      it's got some important features disabled. you have to balance being trackable with being usable

      1. @TheRamenDutchman 1y

        So how about LibreWolf?

        1. @RiedleroD 1y

          unintuitive defaults. not worth it if you know how to change some basic privacy settings

          1. @TheRamenDutchman 1y

            Gotcha, what would you recommend?

            1. @RiedleroD 1y

              stock

              1. @TheRamenDutchman 1y

                I was already thinking to myself, “Please recommended Safari or something, it wouldn't be wrong but it would still be funny somehow” Would you even recommend this when it comes to Edge on Windows?

                1. @RiedleroD 1y

                  safari is fine, just a bit outdated when it comes to implementing modern standards I meant stock firefox, not stock browser of whatever OS you're using. Edge is terrible

Use J and K for navigation