Edge Sent 160,588 Packets on First Launch. Tor Sent Zero DNS Queries. We Tested 7 Browsers.

We set up a test lab, installed seven browsers on fresh systems, and captured every packet they sent across three phases: cold start, idle, and browsing. No interaction during the first two. Just launching the browser and watching the network.

The results span a range that's wider than we expected. On one end, Microsoft Edge generated 160,588 packets and contacted 24 Microsoft domains before we touched the keyboard. On the other, Tor Browser produced zero DNS queries across the entire test. Between those two extremes, the other five browsers revealed exactly how much of the "privacy-focused" marketing holds up when you look at the wire.

Background

In 2020, Douglas Leith at Trinity College Dublin published "Web Browser Privacy: What Do Browsers Say When They Phone Home?" [2], testing Chrome, Firefox, Safari, Brave, Edge, and Yandex. The study found Brave was in a class of its own for privacy, while Edge and Yandex transmitted hardware-linked identifiers that persisted across fresh installs [11]. The paper received significant attention and remains widely cited.

Six years have passed. Every browser on that list has shipped major changes. Chrome abandoned its plan to deprecate third-party cookies in favour of a user-choice model in April 2025 [10]. Firefox introduced OHTTP relays for suggestion queries, and Brave developed the STAR protocol for privacy-preserving analytics [5]. Safari gained iCloud Private Relay [6]. Meanwhile, Edge added Copilot integration and kept expanding its Microsoft services footprint [7].

The sizeof(cat) project published a 2025 update [3] counting startup connections across browsers: Ungoogled Chromium and Tor Browser made zero, Brave made 17, Firefox 29, Vivaldi 11, Chrome 25, and Edge 48 [3]. That test counted connections. Ours counts packets, extracts domains, and extends the analysis through idle and browsing phases.

What appears to be missing from the existing literature is a full three-phase capture on 2026 browser versions that includes idle behaviour and browsing-phase telemetry alongside the cold start. This is that study, with the addition of Tor Browser and Vivaldi to the tested set.

Methodology

Test environment

Three browsers (Firefox 150.0, Brave 147.1.89.141, Vivaldi 7.9.3970.59) were tested in Ubuntu 24.04 ARM64 virtual machines running on UTM (Apple Virtualisation Framework) on a MacBook Air M3. Each browser was installed in a clean VM clone, never launched, then snapshotted. Tests started from these pristine snapshots [1].

Four browsers (Chrome 146.0.7680.80, Safari macOS 26.3.1, Edge 147.0.3912.72, Tor Browser 15.0.10) were tested natively on macOS 26.3.1 using a clean user account with no prior browser usage. Native testing was necessary because Chrome and Edge lack ARM64 Linux builds, Safari is macOS-only, and Tor Browser's macOS universal binary was the most practical option.

Capture method

All traffic was captured using tcpdump on the host network interface: bridge100 for VM browsers, en0 for native macOS browsers. Captures were analysed with tshark to extract DNS queries (dns.flags.response == 0) and TLS Server Name Indication fields (tls.handshake.extensions_server_name).

Native macOS captures include some operating system traffic (OCSP checks, iCloud, NTP). We identified and excluded these from browser-specific findings by cross-referencing Apple system domains across all native tests.

Three-phase protocol

Each browser went through identical phases [1]:

Phase 1 - Cold start (5 minutes): Launch the browser for the first time. No keyboard or mouse interaction. Accept default settings where prompted. This captures everything the browser does on its own.

Phase 2 - Idle (5 minutes): Browser remains open. No interaction. This captures background telemetry cadence: how chatty is the browser when you're not using it?

Phase 3 - Controlled browsing (5-12 minutes): Navigate to 10 predetermined sites, 30 seconds each (45 seconds for Tor Browser due to network latency). Sites chosen for diversity: example.com, Wikipedia, BBC News, Reddit, GitHub, Amazon, DuckDuckGo, NYTimes, Stack Overflow, The Guardian. Navigation was automated via shell scripts to ensure identical timing.

Default settings

Every browser was tested with its out-of-the-box defaults. Where setup wizards appeared, we accepted the defaults. This means Chrome's "Send usage statistics" was checked (it is by default), Edge's "Send diagnostic data" was checked (it is by default), and Vivaldi's crash reports were unchecked (it is by default). We recorded these choices but did not alter them. The point is to measure what happens to someone who clicks through the setup without reading it.

Findings

Cold start: what happens before you do anything

This is the most consequential phase. Every packet here was generated by the browser, not the user.

Edge is the clear outlier, though much of this traffic is its MSN news feed new tab page and component downloads. 160,588 packets generating a 192MB capture [1]. For context, Chrome - placed in the middle tier in Leith's 2020 study [2] - produced 61,590 packets and 69MB. Edge generated nearly three times the traffic of the browser it's forked from.

Where does all that traffic go? Edge contacted 24 Microsoft-owned domains on cold start, including three separate telemetry pipelines [7]: self.events.data.microsoft.com, functional.events.data.microsoft.com, and browser.events.data.msn.com. The main telemetry domain, edge.microsoft.com, was queried 21 times in five minutes. Edge also loaded comScore analytics (sb.scorecardresearch.com) on its new tab page [1] - a third-party tracker, on cold start, before the user visited anything.

Every single TLS connection on Chrome's cold start went to a Google-owned server [1]. All 15 domains, all Google. The optimizationguide-pa.googleapis.com endpoint alone was queried 12 times. Usage statistics and crash reports were opted in by default [1].

And here's an odd detail: Edge also contacted Google. Three Google domains appeared in Edge's cold start (clients2.google.com, www.googleapis.com, clients2.googleusercontent.com) via inherited Chromium code [1]. So on first launch, Edge contacts both Microsoft and Google.

Safari was the quietest at 6,888 packets and 5.1MB [1], though its Siri Suggestions start page loaded content from around 15 third-party sites generating 38 DNS queries: X (5 domains), Facebook (2), LinkedIn (2), Yahoo (3), BBC, Google, Bing, Weather.com, TripAdvisor, and Yelp among them. Firefox loaded 56 publisher domains via Pocket sponsored content on its new tab [1] - a UK-focused selection including BBC, Guardian, Mirror, Independent, Sky, Al Jazeera, Polygon, and YouTube, suggesting geo-targeted content delivery. Brave and Vivaldi loaded no third-party content on their start pages [1].

Tor Browser's 29,943 packets were almost entirely encrypted Tor circuit establishment traffic. Zero DNS queries. Zero vendor domains. The two TLS connections to non-Apple domains were Tor guard nodes using domain fronting with randomised hostnames (www.l6juis72lup7e2epp4b6zgry.com) [13]. A network observer watching Tor Browser's cold start sees encrypted traffic to IP addresses. Nothing else.

Default telemetry opt-in

Every browser except Vivaldi and Tor Browser opted users into some form of telemetry by default [1].

Brave deserves a footnote here. Its P3A telemetry is on by default, but the implementation is meaningfully different from Chrome's or Edge's. P3A uses the STAR protocol [5], which according to Brave aggregates responses cryptographically so that individual measurements cannot be linked to specific users [4]. The system collects bucketed histograms, not raw data. Whether "privacy-preserving telemetry" is still telemetry is a philosophical question, but the network traffic is verifiably different: aggregated buckets sent to collector.bsg.brave.com, not per-page pings to content-autofill.googleapis.com.

Safe Browsing: who checks the URLs

Every browser except Tor checked URLs against a phishing/malware database. How they do it varies more than you'd expect.

Safari is the only browser that doesn't use Google's Safe Browsing service at all, routing lookups through token.safebrowsing.apple instead [1]. Brave uses Google's data but proxies the requests through safebrowsing.brave.com, preventing Google from seeing the requesting IP. Chrome, Firefox, and Vivaldi all send Safe Browsing requests directly to safebrowsing.googleapis.com.

Idle: what happens when you walk away

Phase 2 measures background noise. The browser is open, the user isn't touching it.

Vivaldi produced zero packets. Tor Browser's 1,985 total packets were entirely macOS system traffic (Apple telemetry, location services) with zero from the browser itself [1]. Both browsers were completely silent when idle.

Brave produced 253 packets, all P3A telemetry beacons to collector.bsg.brave.com and the STAR randomness server [4]. Firefox sat at 831, continuing Pocket ad refreshes and OHTTP suggestion relays. Safari hit 1,290 (some macOS system-level traffic mixed in). At the top: Chrome with 1,460 packets, the noisiest idle browser we tested.

This is where it gets interesting. Chrome contacted ogads-pa.clients6.google.com during idle [1]. The domain name suggests ad-related infrastructure (the ogads prefix and clients6.google.com pattern are consistent with Google's advertising services). The browser was sitting open on a blank tab, doing nothing, and it reached out to what appears to be an ad-related server. Chrome was the only browser to do this. It also checked the Chrome Web Store and Google Play Store during idle, unprompted.

Safari contacted iadsdk.apple.com during idle - Apple's advertising SDK [1]. Firefox continued refreshing Pocket ad content via ads.mozilla.org. Edge produced just 744 packets and contacted only edge-http.microsoft.com [1], making it surprisingly quiet after its massive cold start.

Browsing: who follows you around

Phase 3 measured what happens when you actually use the browser. We visited 10 sites. The question: how many additional domains does the browser load beyond what the page itself requests?

Edge loaded 54 ad-tech domains during browsing [1]. Chrome loaded 47. The overlap is striking: 42 of those ad-tech domains appeared in both browsers and in no other browser we tested. Same Chromium engine, same advertising surface. The shared domains include the full programmatic advertising stack: Google DoubleClick, AppNexus, PubMatic, Rubicon/Magnite, Taboola, Amazon Ads, comScore, and dozens of cookie-sync services like BidSwitch, Sharethrough, and LoopMe. On top of the shared 42, Chrome added 15 of its own (including content-autofill.googleapis.com and mail.google.com), while Edge added 16 (including edge.microsoft.com, www.bing.com, and xpaywalletcdn-prod.azureedge.net).

Chrome has no built-in tracker blocking. Edge has a "Balanced" tracking prevention mode enabled by default [7], but it only blocks trackers from sites you haven't visited. Trackers embedded in the pages you actually browse still load.

The middle of the pack told a more nuanced story. Safari and Firefox each loaded approximately 20 ad-tech domains [1]. Both have some built-in tracking protection: Safari's Intelligent Tracking Prevention (ITP) limits cross-site cookie access, and Firefox's Enhanced Tracking Protection (ETP) blocks known trackers from the Disconnect list. Despite these features, 20 ad-tech domains still appeared in the capture for each, suggesting their protection focuses on limiting what trackers can do with cookies rather than blocking connections outright.

Vivaldi's tracker blocker, enabled during setup, let about 5 through [1], including graph.facebook.com and cdn.cxense.com. Effective, but not watertight.

Then the clean end of the spectrum. Brave blocked everything. Zero ad-tech domains. Shields, enabled by default, prevented connections to every tracker that Chrome and Edge loaded. The only domains visible in Brave's browsing phase were brave.com subdomains (the P3A collector, STAR server, and update checker) [1].

Tor also loaded zero, but through a different mechanism. Rather than blocking trackers, Tor routes all traffic through its network. The trackers may have loaded inside the Tor circuit, but a network observer sees only encrypted traffic to guard nodes. From a network privacy perspective, the result is the same: zero visible tracking.

Chrome's most persistent browser-initiated domain during browsing was content-autofill.googleapis.com, queried 42 times across 10 sites [1]. According to Google, autofill sends form field structure metadata to Google's servers to match saved data to form fields [9]. Google states the data is obfuscated [9], but the connection happens on every page load regardless of whether the page has forms [16]. Chrome also contacted ep1.adtrafficquality.google and ep2.adtrafficquality.google during browsing - Google's ad traffic quality verification service [1].

Edge was no quieter. edge.microsoft.com was queried 24 times, self.events.data.microsoft.com 15 times, and www.bing.com 15 times [1]. We weren't using Bing. It also contacted xpaywalletcdn-prod.azureedge.net, its wallet and payment CDN, without any payment-related user action.

The Chromium inheritance problem

Four of the seven browsers tested are built on Chromium: Chrome itself, Edge, Brave, and Vivaldi. How each fork handles inherited Google infrastructure is a useful measure of how much work they've done to de-Google themselves.

Brave is the only Chromium fork that contacted zero Google domains [1]. It replaced the update infrastructure, proxied Safe Browsing, and stripped Google Cloud Messaging. Vivaldi, despite having zero telemetry of its own, still contacted 9 Google domains through inherited Chromium code, including mtalk.google.com (Google Cloud Messaging) and android.clients.google.com (queried 12 times) [12]. Edge replaced most Google infrastructure with Microsoft equivalents but still contacts three Google domains via inherited Chromium code.

The DNS gap

Blocking a tracker connection is not the same as hiding that you tried to load it. When a page embeds a resource from pagead2.googlesyndication.com, the browser first resolves the domain via DNS, then opens a TLS connection. A tracker blocker can prevent the connection, but the DNS query has already happened. Your ISP, your corporate network, or your DNS resolver saw the lookup.

We compared DNS queries against TLS connections during the browsing phase. Any domain that appeared in the DNS capture but not in the TLS handshake was resolved but never connected to - a DNS-only leak.

Safari tops the list with 52 DNS-only domains during browsing [1]. ITP prevented cookies from being shared across those connections, but the DNS queries still went out. Domains like pagead2.googlesyndication.com, securepubads.g.doubleclick.net, and sb.scorecardresearch.com all appeared in Safari's DNS capture without corresponding TLS connections. Your network observer knows which ad networks the pages you visited tried to load.

Brave and Vivaldi showed a similar pattern: 24 and 23 DNS-only domains respectively. Brave Shields blocked the connections, but the DNS prefetch had already fired. Chrome and Edge had 17 each, though this is less meaningful for them since they connected to most domains anyway.

Firefox also logged 17 DNS-only domains. Its ETP blocks known trackers from the Disconnect list, but several analytics domains (cdn.cxense.com, pagead2.googlesyndication.com) still got DNS lookups without connections.

Tor Browser is the only browser that avoids this entirely. All DNS resolution happens inside the Tor network. A network observer sees zero domain queries - not for visited sites, not for trackers, not for anything. The DNS gap doesn't exist when there's no local DNS.

Discussion

The privacy spectrum

The data produces a clear ranking, but the gaps between browsers are more interesting than the order.

What changed since 2020

Leith's 2020 study ranked browsers in three tiers [2]. Brave alone occupied the top tier. Chrome, Firefox, and Safari fell in the middle group, with varying degrees of telemetry. Edge and Yandex were the worst, transmitting persistent hardware-linked identifiers [11].

Our 2026 data suggests the ranking has shifted. Brave has maintained its position and arguably improved it with the STAR protocol. Vivaldi, not in the 2020 study, slots in behind Brave as a low-telemetry Chromium option with an incomplete de-Googling. Safari has gained Private Relay but still loads trackers. Firefox remains talkative. Chrome remains Chrome. Edge remains the noisiest browser tested, in both our data and Leith's 2020 study. A 2024 academic study by Radivojevic et al. independently reached a similar conclusion, testing 14 browsers and placing Brave, LibreWolf, and Tor in the highest privacy tier, with Chrome and Edge in the lowest [19].

The sizeof(cat) 2025 connection count data [3] aligns with our packet-level findings. Their Edge count of 48 startup connections maps to our observation of the largest cold start traffic of any browser [3].

Limitations

Platform inconsistency: Three browsers were tested in Linux VMs, four on native macOS. The native macOS captures include operating system traffic (OCSP, iCloud, NTP) that's absent from the VM captures. We identified and noted these, but some contamination is possible. The ideal setup would test all browsers on the same platform, which ARM64 browser availability prevented.

Single run: Each browser was tested once. Network conditions, CDN routing, and server-side A/B tests could affect results. A repeat test might produce slightly different numbers, though the domain lists and relative rankings would likely hold.

No payload inspection: We captured packet metadata (DNS queries, TLS SNI, packet counts) but did not decrypt HTTPS payloads for this study. We know Chrome contacted content-autofill.googleapis.com 42 times, but we did not inspect what was in those requests beyond what Google's documentation describes [9]. Future work with mitmproxy could reveal payload contents where certificate pinning allows.

Browsing automation: The open -a and osascript automation for native macOS browsers opened URLs in new tabs rather than navigating in the same tab. For VM browsers, xdotool typed URLs into the address bar. Both approaches are valid but produce slightly different browser behaviour (tab count, memory usage).

Default settings only: Every browser was tested with its out-of-the-box defaults. We did not disable telemetry, change privacy settings, or install extensions. Whether opting out actually stops the traffic is a separate question.

Start page variability: Safari and Firefox load content from third-party sites on their start pages (Siri Suggestions and Pocket respectively). The specific sites loaded may vary by region, time of day, and user. Our captures reflect what loaded in the UK on 23 April 2026.

What you can do

Chrome with default settings contacts dozens of vendor domains, loads ad infrastructure during idle, and has no built-in tracker blocking. Edge contacts even more vendor domains and, while its Balanced tracking prevention blocks some third-party trackers, still loaded 54 ad-tech domains in our test. Switching to Brave eliminates most of this. Switching to Tor Browser eliminates all of it, at the cost of speed.

For those who can't switch browsers, the minimum steps are: disable telemetry and crash reporting in settings, install a tracker blocker extension (uBlock Origin where supported), and turn off autofill if you don't use it. These won't achieve what Brave or Tor do architecturally, but they reduce the surface area.

For a broader assessment of your browser's privacy posture, try our Privacy Checkup tool, or see our full browser comparison for detailed grades across all major browsers.