Brave, the crypto-friendly, privacy-first browser, has been earning affiliate commissions by redirecting certain search queries to crypto companies via affiliate links.

Unlike the “opt-in” principle by which the company abides—advertisements are optional on the browser and pay out cryptocurrency to anyone who views them—Brave never asked its 15 million monthly users about these redirects.

A firestorm erupted today after Twitter user Yannick Eckl, who goes by “CRYPTONATOR1337,” noticed that when Brave’s users searched for Binance, the browser automatically redirected to an affiliate version of the URL, which Brave profits from.

Brave had recently partnered with the crypto exchange; Binance’s CEO, Changpeng Zhao, had also expressed support for Brave on Twitter.

The squall blossomed into a full-on storm after Dimitar Dinev, Managing Director of JRR crypto, unearthed yet more redirect links. Digging into Brave’s GitHub page, Dinev found that Brave also redirects its users to the websites of Ledger, Trezor and Coinbase.

Brendan Eich, CEO and co-founder of Brave, immediately apologized when the breach was publicized. “Sorry for this mistake,” he tweeted about the issue, which, he added, has since been “fixed.”

“We will never revise typed in domains again, I promise,” he said; “I’m sad about it, too.” 

Eich has not responded to Decrypt’s request for further elaboration. 

In a defense he tweeted, Eich said that Brave is “trying to build a viable business.” Currently, it makes money by offering its users privacy-first ads that pay out in cryptocurrency.

“But we seek skin-in-game affiliate revenue too,” he said. To do this, Brave must bring its users to exchanges through widgets and also look for revenue deals, “as all major browsers do.” 

He said that these redirects never revealed any user data to the affiliates, in keeping with the privacy-first agenda of the browser. Of the Binance redirect, he said: “That code identifies us, it’s a Binance affiliate code, one fixed value for all users. It is not identifying you. Anyway, we’re removing it.” 

Additionally, Eich argued that none of this was hidden: it’s been in the source code for months. 

Critics of Eich argued that he was apologizing simply because he got caught. 

Others still think that Brave has compromised its integrity. “You made THE mistake. This is probably the biggest reason why everyone chose Brave over others,” tweeted the pseudonymous “crypto.bi”.

Eich indicated that without the affiliate links, the company would struggle to survive. And “our users want Brave to live,” he said.

Source: Decrypt