New! View the April 2021 Content Updates. Read More

Review: Determining Vivaldi's Privacy Browser Status

/ data privacy, web browsers, review

Vivaldi openly markets itself as a privacy browser that has a cool UX with native productivity tools.

Perhaps two of its biggest "selling points" are its native ad/tracker blocker and its tab management features.

Does it offer anything more than this? Can it be considered a privacy browser?

ATH aims to find out.

Overview

This is the Vivaldi browser at a glance...

PROS

  • Feature packed: Tab management and customization options
  • Good Built-in Ad/Tracker blocker ()
  • Compatibility with Chrome Web Store extensions

CONS

  • Part open-source, part closed-source (this might be an issue for some)
  • Yet another Chromium browser (this might be an issue for some)
  • Utilizes some Google services/components ()More info
  • "Unique identifier" and telemetry/data collection concerns ()More info

What is Vivaldi?

The Vivaldi browser officially came onto the scene around 2016. It was created by the company Vivaldi Technologies.

What's interesting about Vivaldi is that it "forked" (using this term loosely) from Opera - the former founder/CEO of Opera Software, Jon von Tetzchner left Opera and started Vivaldi.

Like some other privacy browsers, Vivaldi has grown over the years. It is built on Chromium, which is open source. But its UI code source remains closed-source.

Vivaldi places a lot of emphasis on incorporated features (such as tab management) and "privacy," - privacy mostly in the form of its built-in ad/tracker blocker and the browser's privacy policy.

vivaldisite

Download Vivaldi

Before downloading

Availability

Vivaldi is available across a fair amount of different platforms; Windows, macOS, and specified Linux distros. It even features support for ARM-based Debian machines.

For mobile, Vivaldi is available only for Android.

Requirements

I wanted to note that specific requirements details for running this browser were surprisingly hard to find...

Launch and set up

First up...

Don't try to read the Terms of Service from the installer. It will crash, like so:

TOSfail

Ideally, you should read a privacy policy and/or terms of service agreement before you download a piece of software... But you should still have the chance to easily read it prior to clicking the install button.

Install is easy and fast. During/immediately after the install, Vivaldi makes DNS requests for the following domains:

  • update.vivaldi.com (x2)
  • chrome.google.com
  • s.w.org
  • downloads.vivaldi.com
  • clients2.google.com
  • vivaldi.com

startDNS1

startDNS2

That's a handful of queries/connections for just a start up, which in of itself might turn some users off. I'll do my best to break them down...

The domain update.vivaldi.com is Vivaldi's update server. This is where the browser updates come from. As for why it tries to connect 2 times on this first launch is anyone's guess. Granted, it could be that the first connection timed out.

Connecting to chrome.google.com and clients2.google.com is a natural red flag for many privacy-conscious users. This is most likely because, well, Google has trampled over user privacy for years.

Vivaldi doesn't have Chrome API keys. Ultimately, this means that when using Vivaldi's Sync service, the browser "phoning home" your sync data home directly to Google is not a concern.

But its chromium core still relies on a handful of Google components such as Google Safebrowsing, Download protection, and Spellchecker.

NOTE: Google pulled API keys for Chrome-only API features for third-party browsers on March 15, 2021. Source: the Chromium Project

These components can be found at vivaldi://components.

With that said, if other chromium based browsers like Brave and Ungoogled Chromium can virtually eliminate all background connections to Google - why can't Vivaldi? They actually have an explanation on their blog.

vivaldi.com is queried because the browser comes with Vivaldi's website set as the default homepage.

Lastly, s.w.org is a domain related to the CMS WordPress. WordPress can serve widgets from this domain, so it seems that some of the default widgets with this browser are served via WordPress.

This is the welcome screen on first launch:

vivaldiwelcome

From this screen you can choose to import data from other browsers installed on your machine, enable Vivaldi's native ad/tracker blocker, pick a theme, choose tab positioning, and trying other features in Vivaldi such as note taking.

Features

We'll dive into the privacy and security features of Vivaldi here. We'll also cover any other special and/or unique features the browser has.

Privacy

Built-in Ad/Tracker Blocker

One of Vivaldi's main selling points as a "privacy browser" is that it features a built in ad/tracker blocker.

There are 2 modes to Vivaldi's ad/tracker blocker:

  1. Block trackers

and

  1. Block trackers & ads

When the blocker is configured to (1) only block trackers, it will permit ads themselves to show. Occasionally, ads will be blocked even when its in this mode because of the nature of some ads and their tracking technologies; I found this to be the case in my experience:

trackblock1

The second option, (2) blocking ads and trackers, is the more "aggressive" version of Vivaldi's blocker. It blocks known ad and tracker domains.

In comparison with the other mode, I didn't notice much of a difference in terms of quantity of ads blocked from view. However, I did notice it blocked more known ad/tracker domains:

trackblock2

Despite this mode being more "aggressive," I didn't experience much site breakage during my tests.

Overall, I found that Vivaldi's tracker blocker is pretty good - rivaling that of the Brave browser's tracker blocking solution. The biggest advantage Vivaldi's blocker has over Brave's is that it's easy to see what trackers/ads Vivaldi blocked:

trackblockcnt

End-to-End Encrypted Sync

Vivaldi has sync-ing capabilities.

It is important to understand that this is a Vivaldi service - it's not linked to Google or your Google account as is the case with Chrome's Sync-ing features. You must create and utilize a "Vivaldi account" in order to use Sync. Use of the Sync feature itself is voluntary.

Vivaldi's Sync feature allows you to Sync the following across multiple devices:

  • Bookmarks/"Speed Dials"
  • Settings
  • Passwords
  • Autofill data
  • History & Renite sessions
  • Notes

Vivaldi's Sync service provides end-to-end-encryption for its Sync Service, which maintains the integrity of the data while it's in transit.

Vivaldi's Sync service functions under a slightly different privacy policy from the browser. Here are some key highlights from that policy:

  • Vivaldi will store data that you sync for up to a year from the last you use the sync service. You can request deletion of your data prior to this year being up.
  • Vivaldi can access your information - this access is restricted to a "limited number" of Vivaldi employees/service providers
  • Vivaldi will transfer your information to third parties as dictated by law
  • Vivaldi stores some metadata alongside sync data which can include the user account, date/time using sync, date/time of last sync connection, type of entry, and the identifier of the device where a sync entry was created.

Please reference Vivaldi's Sync Service Privacy Policy for more information.

Security

Browser Engine

Vivaldi uses Google's Chromium engine, which is shared by many browsers today. Currently, Chromium is the most popular browser engine available.

Updates

Vivaldi is updated very frequently. New updates coincide with security patches released by Google for the Chromium framework itself. This is important because Chromium being the most used browser engine also means its a prime target for exploits.

Vivaldi's updates also fix bugs, improve quality of life, and periodically adds/builds on new features within the browser.

Other

Tab management

Simply put: Vivaldi has some of the best tab management around. Hands down.

Vivaldi handles tabs in so many ways that just about any user is bound to find a custom method that works for them:

tabmang

Tabs can be placed at the top, left, right, or bottom of the browser.

Additionally you can configure the likes of active tab width, tab stacking, overall tab display, and fine-tune tab positioning.

The different options can help your workflow, your focus, and improves your overall browsing experience while using Vivaldi - so much so that it's hard to not include this even in this more privacy and security-focused browser review.

Customization

Vivaldi has a ton of customization options baked right into the browser - without immediate need for downloading anything "third-party."

From directly within the browser, you can:

  • Customize window appearance - status bar, address bar, and new window background image
  • Change themes - there are 9 preloaded themes to choose from (including the default), theme scheduler, set different themes for private windows
  • Tabs (as described above)
  • Panel positioning
  • Configure quick commands and keyboard shortcuts
  • Configure mouse gestures
  • Search engines

Again, the above is native. Keep in mind that you still have the flexibility of installing third-party extensions, if you wish.

Additionally, for what it's worth, the customization integration is pretty slick on all fronts - nothing seems too terribly out of place.

The GOOD

Feature-packed

There's no doubt that Vivaldi boasts a ton of features. Many of these features aren't necessarily privacy and/or security focused, but some users can probably appreciate them.

Additionally, since Vivaldi has so much baked into it, something is bound to appeal to someone.

Vivaldi's biggest "privacy feature" is its native ad/tracker blocker. Overall, Vivaldi's ad/tracker blocker provides pretty good tracker protection both by itself and straight out-of-the-box.

With that said, please keep in mind that you'll still get better tracker protection from a trusted extension such as uBlock Origin.

Also, as I mentioned earlier, the tab management in Vivaldi is a great feature. You can micromanage your tabs if you so choose. I think the biggest advantage is choosing positioning and incorporating tab stacking, which makes all your tabs easily accessible and easier to see.

Vivaldi also has the ability to:

Sync to other devices;

vsync

Take notes with built-in note taking;

notes

Utilize user-defined mouse gestures/keyboard/"quick command" shortcuts;

shortcuts1

shortcuts2

shortcuts3

and play the 80's inspired browser game, Vivaldia (accessed via typing vivaldi://game into the address bar):

vivaldia

So, yes, again - there's probably something for someone.

CWS Extension Compatability

Even though Vivaldi aims to limit dependency on third-party extensions, Vivaldi is compatible with Chrome/Chromium extensions.

This is a big benefit to all users who download/use extensions for whatever reason. This is also a big benefit for its users' privacy because this allows trusted, privacy-enhancing extensions to be used in the browser.

What's more is that you can install extensions manually, without the need for Google's Chrome Web Store. Learn how here.

Customization

As I described above, there are a lot of settings to play around with in Vivaldi. You can mix and max these different customization settings to get the precise look and feel you want from this browser.

This could appeal to many users because it can allow them to feel as if the browser is truly "theirs." There's also the fact that since these customization options are native to the browser, there is less dependency on third-party extensions.

Less dependencies on third party extensions - especially those that only offer "customization" options, ask for nonsensical permissions, and/or aren't proven to be trustworthy - can benefit privacy and security in the long run.

These types of extensions can sometimes silently collect data on your browsing/usage habits and then send this data to wherever, which would be a gross violation of your privacy. So, Vivaldi aims to minimize reliance on third-party extensions, which in some ways is a benefit to its users' privacy.

The BAD

Uses some Google Services/Components

Again, I want to say that Vivaldi doesn't have Chrome API Keys, so there's no definitive "phoning home" to Google servers.

With that said, Vivaldi depends on a number of Google components:

googley2

and dependencies:

googley

googley3

What's more is that Vivaldi has initiated DNS queries to Google servers. Again, not to necessarily send all your data to Google, but to use Google's Chromium APIs... AKA: Google's dependencies and components.

It's hard to tell exactly what data is collected - but going off how Google likes to operate, we can assume that whatever connects to Google servers gets scoured for any morsel of data... which is the core issue of using Google anything.

gooapis

The issue with these dependencies lies with the fact that by enabling them, you and your data can become subject to Google's privacy policies - not just Vivaldi's. This holds especially true if you use any Google service or have a Google account.

Put simply, Google's privacy policies are notorious for being terrible for end user (AKA: your) privacy.

There are other browsers out there that have successfully stripped their Chromium-based browsers of Google components and dependencies, and run just fine. Some of these Chromium browsers include:

  • The Ungoogled Chromium Project strips base Chromium of all possible phoning home/remote connection(s) to Google, which includes Google components, services, and other dependencies.
  • The controversial Brave Browser "replaces" many of Google's services/dependencies with its own versions - ex: "Safe browsing" in Brave is a Brave service as opposed to a Google one.
  • Microsoft Edge, even though not recommended for use due to many privacy concerns, replaces many Google components/dependencies with its own versions. Referencing this image:

edgechrome

Therefore, I know that it's trivial for the Vivaldi developers to simply disable these Google dependencies, versus relying on them.

Telemetry concerns

Over the years, some Vivaldi users have raised concerns over possible data collection/telemetry from the browser.

Recent concerns stem from this section of their browser privacy policy:

When you install Vivaldi browser (“Vivaldi”), each installation profile is assigned a unique user ID that is stored on your computer. Vivaldi will send a message using HTTPS directly to our servers located in Iceland every 24 hours containing this ID, version, cpu architecture, screen resolution and time since last message. We anonymize the IP address of Vivaldi users by removing the last octet of the IP address from your Vivaldi client then we store the resolved approximate location after using a local geoip lookup. The purpose of this collection is to determine the total number of active users and their geographical distribution.

In short, that means that Vivaldi has a unique identifier for the installation on your device, their servers receive a connection at least every 24-hours from your Vivaldi installation, their IP anonymization is limited, and they store this data for an unclear amount of time.

What's perhaps the most concerning is the combined use of a unique identifier and the limited IP anonymization (only anonymizing the last octet: 192.168.243.xxx, where the xxx is the only masked part).

It would be less of a concern if they chose to do one or the other - not both. You can get reasonably accurate location data from just the first two octets of the IP address (192.168.xxx.xxx) alone. Since they already store a unique identifier, others may argue that they should only collect the first octet of your IP address if they need to capture any IP information at all.

Fortunately, from my use of the browser, I didn't notice any excessive background connections - so that's favorable for their no tracking/data collection claim. At most, I can raise a red flag due to the browser's connections to known Google servers (which again, is a whole separate issue), but at the same time I doubt that they're spoon-feeding telemetry data directly to Google.

Occasionally, I noticed that Vivaldi will query its update server update.vivaldi.com. Unfortunately, like many other browsers, you can't easily stop Vivaldi from automatically checking for updates. This isn't necessarily a "bad thing," but it would be nice to have the option to disable automatic updates even if only temporarily.

In the end, the presence of a unique ID, collection of some device data, and the once-in-24-hour remote connection to Vivaldi's servers may not sit well with some users and their corresponding threat models. Just like the automatic checks for updates, it doesn't look like you can opt-out of this either.

Please reference Vivaldi's Browser Privacy Policy for your own evaluation.

Defaults are not privacy friendly

Despite Vivaldi marketing itself as a "privacy browser," it falls short on two fronts:

  1. Availability of privacy-friendly features

and

  1. The defaults of privacy related settings.

Focusing on the first point - Vivaldi has minimal privacy friendly features built into the browser itself. Sure, it has a pretty good ad/tracker blocker... but what else? I couldn't really find anything else that couldn't be easily found in any other browser (such as cookie management)...

You can argue that Vivaldi's Sync service is another privacy feature, but that's nearly totally reliant on its sync service privacy policy. Granted, the syncing process is end-to-end-encrypted, which protects your information in transit from your browser and Vivaldi's servers and back again.

Again, what else is there? Hardly anything more - and that is the core of this issue.

On to the second point - Vivaldi's default settings are pretty far from privacy friendly:

  • WebRTC is enabled and set to broadcast your IP address by default.

webrtc

Now keep in mind that since Vivaldi is built on Chromium, WebRTC can't be outright disabled, so that part isn't a fault in Vivaldi itself. However a "privacy browser" shouldn't be set to broadcast your IP address via WebRTC connections by default.

Vivaldi's default WebRTC handling leaves you wide open to WebRTC exploits and leaks, which can compromise your privacy.

This setting should be set to anonymize the device's IP address by default.

  • Vivaldi is set to accept all cookies and only block third-party cookies in Incognito mode:

cookies

To be fair, in this day and age, tracking cookies are on their way out, but they're still out there. Plentifully.

Ideally, Vivaldi would implement a better cookie handling solution - or at least make the Chromium defaults more privacy friendly. Blocking all third-party cookies and/or consider only accepting cookies for a browser session should be the bare minimum.

Most of the Vivaldi's "privacy features" seem rested in Vivaldi's privacy policy. I say that this isn't enough to be called a "privacy browser."

  • Enables Google services such as Safe browsing by default:

As mentioned earlier, Vivaldi incorporates and relies on a lot of Google services and dependencies.

I understand that Chromium is built and maintained by Google, but if you're going to include Google services in your "privacy browser," then you should disable most (if not all) of them by default. Simply linking to your privacy policy isn't enough.

Using Google services subjects the user to Google's privacy policies, of which are not friendly to user's privacy. We understand that you're (in reference to Vivaldi) isn't "tracking you," but that doesn't mean Google's dependencies aren't doing so.

  • If you happen to skip Vivaldi's initial welcome screen, then the ad/tracker is disabled by default.

This is just an annoyance more than anything else. Inattentive users might not notice that the ad/tracker blocker is initially disabled.

Sure, some will say that the likes of Mozilla Firefox lacks default privacy friendly settings - this is true. The difference here is that Vivaldi barely offers any true privacy features outside of its ad/tracker blocker and its browser privacy policy.

This inability to "harden" Vivaldi in the same way you can "harden" Firefox and its corresponding forks (such as Waterfox) is indeed an issue.

This specific issue gets worse when looking at the default settings in Vivaldi - especially since it markets itself as a "privacy browser."

Final thoughts

Overall, Vivaldi is a decent browser.

It's packed with a lot features that will prove useful for many users. The ability to take notes from within the browser and the tab management is fantastic.

However, I think Vivaldi places too much of an emphasis on its privacy policy in order to consider itself some type of "privacy browser." The browser simply under-delivers when it comes to privacy related settings and the currently enabled defaults.

Because of this, it's hard to label it a "privacy browser." If anything, I would considerate it a simply alternative browser that happens to have a good native ad/tracker blocker built in - since that's about the only truly "privacy" feature it has.

There's also the issue of its dependency on so many Google components and services. While some of these services/dependencies such as Autofill and Safe Browsing can be disabled, the more intricate components are either hard to disable or require modification to the source code.

Thankfully, Vivaldi can handle many Chrome extensions - so installing recommended, trusted, and privacy enhancing extensions such as uBlock Origin and LocalCDN should harden it some.

However, I would still recommend browsers such as hardened Firefox and Ungoogled Chromium for those who are looking for the best "privacy browsers" currently offered.

That concludes avoidthehack's Vivaldi review.

As always, stay safe out there!

Next Post Previous Post