Browser Scoring / Analysis / Ranking — Sovereign-Grade Privacy Stack (Final)

Last updated: 2026-03-01
Scope: Android / iOS / Desktop
Model: weighted composite (0–100)

This document ranks a specific set of browsers through a strict, adversarial privacy posture: FOSS-first, telemetry-hostile, anti-tokenized-attention, anti-embedded-AI-platform, with additional emphasis on fingerprinting defenses, patch cadence, and verifiable supply chain practices.

1) Final Scoring Framework

Weights (locked)

Weights are tuned to penalize structural capture (telemetry, ads, embedded AI, tokenized attention) more heavily than convenience. Convenience remains visible but intentionally de-emphasized.

  • FOSS / supply chain: 20%
  • Telemetry / Ads / AI: 25%
  • Anonymity / Fingerprinting: 15%
  • Security / patching: 15%
  • Sovereign alignment: 20%
  • Deployment / stack fit: 5%

Scoring: each criterion = 0–100
Composite: weighted sum
Interpretation: adversarial, not convenience-optimizing

Criterion A — FOSS governance, reproducibility & independence (20%)

Open licensing, forkability, independence from FAANG/VC/ad-tech. Extra credit for verifiable or reproducible build practices where clearly documented (e.g., Tor/Mullvad/GrapheneOS ecosystems). Sources: Tor Project, Mullvad Browser, GrapheneOS

Criterion B — Telemetry, ads & AI (defaults) (25%)

Default telemetry, experiments, background pings, ad-tech integration, tokenized ad markets, and embedded AI/LLM features that introduce new data flows and product gravity toward “browser-as-platform.” Sources: Mozilla telemetry controls, Firefox 148 release notes, Mozilla AI controls, Brave Leo, Brave Rewards (BAT)

Criterion C — Anonymity & fingerprinting resistance (15%)

Uniformity against fingerprinting (e.g., letterboxing, UA spoofing, first-party isolation), storage isolation, and network anonymity only where the browser itself enforces it (Tor). Sources: Tor fingerprinting protections, Mullvad: “similar fingerprint for all users”

Criterion D — Security & patching (15%)

Engine hardening (Chromium vs Gecko), sandboxing/site isolation, exploit mitigations, and practical patch cadence (fork bus factor). Sources: Vanadium repository, GrapheneOS discussion (engine hardening)

Criterion E — Sovereign-stack alignment (20%)

Penalizes tokenized attention/ad economies and “AI browser” as core roadmap; rewards minimal-contract posture and low surface area for behavioral instrumentation. Sources: Brave Rewards (BAT), Brave Leo, DuckDuckGo (optional AI), DDG Microsoft carve-out removal

Criterion F — Deployment & stack fit (5%)

Platform coverage and fit with hardened OS layers (notably GrapheneOS) and Tor/VPN stacks. Intentionally low weight. Sources: GrapheneOS, Tor: iOS limitation + Onion Browser

Weight signature (visual)

Segment widths represent the weight distribution across criteria (A–F). This is not a “score bar”; it is the weighting skeleton.

2) Final Ranking (Composite Scores)

3) Full Scoring Table (0–100 per axis)

Composite weights (A–F)

A=FOSS 20% · B=Telemetry/Ads/AI 25% · C=Anon/FP 15% · D=Security 15% · E=Sovereign alignment 20% · F=Deployment 5%

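| # | Browser | A FOSS (20%) | B Tele/Ads/AI (25%) | C Anon/FP (15%) | D Security (15%) | E Sov (20%) | F Deploy (5%) | Composite | Core links |
|---|---------|--------------|---------------------|-----------------|------------------|-------------|---------------|-----------|------------|
| 1 | Tor Browser | 95 | 98 | 100 | 88 | 90 | 80 | 93.7 | Download · FP defenses |
| 2 | Mullvad Browser | 90 | 95 | 95 | 85 | 90 | 75 | 90.5 | Overview · FP/no-telemetry statement |
| 3 | LibreWolf | 90 | 95 | 80 | 78 | 85 | 70 | 86.0 | Project site |
| 4 | Vanadium | 90 | 92 | 60 | 95 | 90 | 60 | 85.2 | Repo · GrapheneOS |
| 5 | Cromite | 95 | 90 | 65 | 75 | 90 | 80 | 84.5 | Repo · Releases |
| 6 | Onion Browser | 90 | 95 | 75 | 70 | 90 | 50 | 84.0 | Tor: iOS constraint · Project site |
| 7 | ungoogled-chromium | 85 | 90 | 60 | 80 | 80 | 70 | 80.0 | Repo · Binary warning |
| 8 | Firefox | 80 | 35 | 70 | 85 | 50 | 95 | 62.8 | Telemetry · AI controls · 148 notes |
| 9 | DuckDuckGo Browser | 70 | 45 | 50 | 75 | 35 | 90 | 55.5 | Downloads · 2022 tracker issue · Carve-out removed |
| 10 | Brave | 65 | 35 | 80 | 90 | 10 | 90 | 53.8 | Rewards (BAT) · Leo AI · P3A |
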
Note: The scores reflect a deliberately adversarial stance toward telemetry, ad systems, embedded AI, and tokenized attention economies. They are not intended to maximize convenience.
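
Added example (not part of the original ranking): the composite column recomputed from the table's per-axis scores and the locked weights, plus a re-ranking under equal weights to show which positions depend on the weighting. The `EQUAL` profile and the round-half-even rule are assumptions made here; half-even is the rule that reproduces the published one-decimal composites for rows that land exactly on a .x5 value.

```python
from decimal import Decimal, ROUND_HALF_EVEN

# Locked weights from section 1 (percent).
WEIGHTS = {"A": 20, "B": 25, "C": 15, "D": 15, "E": 20, "F": 5}
# Hypothetical comparison profile (not from the page): every axis equal.
EQUAL = {k: 1 for k in WEIGHTS}

# (browser, A, B, C, D, E, F, published composite), copied from the table.
TABLE = [
    ("Tor Browser", 95, 98, 100, 88, 90, 80, "93.7"),
    ("Mullvad Browser", 90, 95, 95, 85, 90, 75, "90.5"),
    ("LibreWolf", 90, 95, 80, 78, 85, 70, "86.0"),
    ("Vanadium", 90, 92, 60, 95, 90, 60, "85.2"),
    ("Cromite", 95, 90, 65, 75, 90, 80, "84.5"),
    ("Onion Browser", 90, 95, 75, 70, 90, 50, "84.0"),
    ("ungoogled-chromium", 85, 90, 60, 80, 80, 70, "80.0"),
    ("Firefox", 80, 35, 70, 85, 50, 95, "62.8"),
    ("DuckDuckGo Browser", 70, 45, 50, 75, 35, 90, "55.5"),
    ("Brave", 65, 35, 80, 90, 10, 90, "53.8"),
]

def weighted_total(scores, weights=WEIGHTS):
    """Exact integer sum of weight * score over axes A..F."""
    return sum(weights[axis] * s for axis, s in zip("ABCDEF", scores))

def composite(scores, weights=WEIGHTS):
    """Weighted mean on the 0-100 scale, rounded to one decimal."""
    mean = Decimal(weighted_total(scores, weights)) / sum(weights.values())
    return mean.quantize(Decimal("0.1"), rounding=ROUND_HALF_EVEN)

def audit(table=TABLE, weights=WEIGHTS):
    """Rows whose recomputed composite differs from the published value."""
    return [(name, pub, str(composite(s, weights)))
            for name, *s, pub in table
            if composite(s, weights) != Decimal(pub)]

def ranking(table=TABLE, weights=WEIGHTS):
    """Browser names ordered by unrounded weighted total, highest first."""
    rows = sorted(table, key=lambda r: weighted_total(r[1:7], weights), reverse=True)
    return [r[0] for r in rows]

def rank_shifts(table=TABLE, alt=EQUAL):
    """Map browser -> (published rank, rank under the alternative weights)."""
    base, other = ranking(table), ranking(table, alt)
    return {n: (base.index(n) + 1, other.index(n) + 1)
            for n in base if base.index(n) != other.index(n)}

if __name__ == "__main__":
    print("mismatches:", audit())
    print("rank shifts under equal weights:", rank_shifts())
```

Under equal weights only two adjacent pairs swap (Vanadium/Cromite and DuckDuckGo Browser/Brave); the rest of the order is unchanged.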

4) Browser Profiles (Full Detail)

1) Tor Browser — 93.7 / 100

Reference implementation for anonymity and anti-fingerprinting: browser-layer uniformity plus Tor network routing. Fingerprinting defenses include letterboxing, user-agent spoofing, and first-party isolation. (Tor support)

Score breakdown

FOSS / supply chain: 95
Telemetry / Ads / AI: 98
Anonymity / FP: 100
Security / patching: 88
Sovereign alignment: 90
Deployment / fit: 80

Why it ranks first

  • Browser fingerprint uniformity is an explicit design goal (letterboxing, UA spoofing, first-party isolation). (source)
  • Network anonymity is enforced by Tor routing, not left to external VPN configuration. (source)
  • Low platform capture gravity: no token economy, no ad exchange embedded into core product, no “browser-as-AI-platform” as roadmap center.

Constraints & tradeoffs

  • Security posture differs from hardened Chromium: Tor Browser is based on Firefox ESR; Chromium-based engines generally lead on sandbox/exploit mitigation depth, but Tor’s overall anonymity model targets different failure modes.
  • iOS: Tor Project states there is no Tor Browser for iOS; Onion Browser is recommended, constrained by Apple’s WebKit requirement. (source)

2) Mullvad Browser (desktop) — 90.5 / 100

Built in partnership with the Tor Project: aims for Tor-class fingerprint uniformity without Tor routing. Mullvad states telemetry is removed and that the browser aims for a similar fingerprint for all users. (overview, download page statement)
Composite 90.5

Score breakdown

FOSS / supply chain: 90
Telemetry / Ads / AI: 95
Anonymity / FP: 95
Security / patching: 85
Sovereign alignment: 90
Deployment / fit: 75

Core properties

  • No telemetry is stated as a design choice. (source)
  • Fingerprint unification is explicitly stated: “appear as one” / similar fingerprint for all users. (source)
  • Network anonymity depends on external stack choices (VPN or other routing); Tor network routing is not built in. (source)

Constraints & tradeoffs

  • Desktop-only: Windows/macOS/Linux distributions provided via Mullvad downloads. (source)
  • Strong fingerprinting defenses can reduce compatibility on some sites (a structural consequence of uniformity and reduced API surface).

3) LibreWolf (desktop) — 86.0 / 100

Independent Firefox fork focused on privacy, security, and user freedom; explicitly targets tracking/fingerprinting protections and aims to remove telemetry and data collection. (LibreWolf)
Composite 86.0

Score breakdown

FOSS / supply chain: 90
Telemetry / Ads / AI: 95
Anonymity / FP: 80
Security / patching: 78
Sovereign alignment: 85
Deployment / fit: 70

Why it lands top-tier (desktop)

  • Explicit goal set: stronger protection against tracking and fingerprinting plus removal of telemetry and data collection. (source)
  • Absence of embedded ad market/token economy; no “AI browser platform” center of gravity stated by the project.
  • Firefox-engine diversity preserved while stripping Mozilla telemetry defaults.

Constraints & tradeoffs

  • Gecko/Firefox sandboxing and exploit mitigations are generally less hardened than Chromium-class sandboxes on many platforms; fork patch cadence remains a realistic risk surface relative to upstream. (Context: GrapheneOS discussion)
  • Desktop focus: cross-platform coverage is narrower than mainstream browsers.

4) Vanadium (GrapheneOS) — 85.2 / 100

Hardened Chromium for GrapheneOS; provides both the WebView and the user-facing browser, and relies on GrapheneOS hardening layers. (repo, GrapheneOS)
Composite 85.2

Score breakdown

FOSS / supply chain: 90
Telemetry / Ads / AI: 92
Anonymity / FP: 60
Security / patching: 95
Sovereign alignment: 90
Deployment / fit: 60

Why it ranks high

  • Exploit resistance is the defining trait: hardened Chromium plus GrapheneOS OS-level mitigations. (source)
  • Minimal product platform gravity: no ads/token/LLM product suite embedded as a core monetization layer.
  • Acts as WebView for GrapheneOS, extending hardening to app browsing surfaces. (source)

Constraints & tradeoffs

  • Anonymity/fingerprinting defenses are not Tor-class; design center is “secure baseline,” not “blend into a crowd.”
  • GrapheneOS-only context strongly shapes the score: outside GrapheneOS, Vanadium is not a general cross-platform option. (Context: GrapheneOS)

5) Cromite — 84.5 / 100

Chromium fork based on Bromite with built-in ad blocking and explicit privacy focus; available for Android (multiple architectures) and also Windows/Linux builds. (repo)
Composite 84.5

Score breakdown

FOSS / supply chain: 95
Telemetry / Ads / AI: 90
Anonymity / FP: 65
Security / patching: 75
Sovereign alignment: 90
Deployment / fit: 80

Core properties

  • Explicitly positioned as “Chromium fork … with built-in support for ad blocking and an eye for privacy.” (source)
  • High alignment due to absence of ad market/token economy/LLM platformization as product center.
  • Solid Android fit for de-Googled Chromium behavior where GrapheneOS is not the baseline OS.

Constraints & tradeoffs

  • Fork patch cadence and maintainer bus factor remain the dominant risk surface for security scoring (inherently smaller security pipeline than upstream Chromium).
  • Not designed for Tor-class fingerprint uniformity; mitigations exist, but uniform crowd fingerprinting is not the core architecture.

6) Onion Browser (iOS) — 84.0 / 100

Tor-powered iOS browser recommended by the Tor Project due to the absence of Tor Browser on iOS; constrained by Apple’s WebKit requirement. (Tor support)
Composite 84.0

Score breakdown

FOSS / supply chain: 90
Telemetry / Ads / AI: 95
Anonymity / FP: 75
Security / patching: 70
Sovereign alignment: 90
Deployment / fit: 50

Core properties

  • Tor Project recommendation for iOS: Onion Browser is open source and uses Tor routing; WebKit prevents parity with Tor Browser protections. (source)
  • Open-source codebase documented on GitHub. (source)
  • App Store distribution is the primary iOS channel. (source)

Constraints & tradeoffs

  • Hard platform constraint: iOS browsers must use WebKit, limiting fingerprinting defenses and low-level browser hardening. (source)
  • Acts as the best-available Tor-like option on iOS, but iOS remains a structurally constrained environment for high-risk anonymity.

7) ungoogled-chromium (desktop) — 80.0 / 100

Chromium “sans dependency on Google web services,” intentionally preserving Chromium’s baseline experience while removing Google integrations. (repo)

Score breakdown

FOSS / supply chain: 85
Telemetry / Ads / AI: 90
Anonymity / FP: 60
Security / patching: 80
Sovereign alignment: 80
Deployment / fit: 70

Core properties

  • Design goal: remove dependency on Google web services while retaining Chromium experience. (source)
  • No embedded ad-token economy; no first-class “AI browser platform” posture.

Critical caveat: binary provenance

  • The contributor binaries page explicitly warns that binaries are community-submitted, generally not reproducible, and authenticity cannot be guaranteed. (source)
  • Security score assumes disciplined sourcing (distro packaging or self-build), not arbitrary third-party binaries.

8) Firefox (all platforms) — 62.8 / 100

Major open-source browser engine with broad deployment. Penalized here for telemetry-by-default and explicit expansion into AI-enhanced browser features (with centralized AI Controls / kill switch introduced in 148). (telemetry controls, AI controls, release notes)
Composite 62.8

Score breakdown

FOSS / supply chain: 80
Telemetry / Ads / AI: 35
Anonymity / FP: 70
Security / patching: 85
Sovereign alignment: 50
Deployment / fit: 95

Telemetry & experimentation channels

  • Mozilla documents “technical and interaction data” collection and provides opt-out controls; also notes separate pings/channels (e.g., DAU ping). (source)
  • “Studies” (Shield) can auto-enroll users who meet criteria, controlled by a setting. (source)

AI controls / kill switch (148)

  • Firefox 148 adds an AI Controls section in Settings to manage AI-enhanced features. (source)
  • Mozilla states the AI Controls section provides a single place to block current and future generative AI features, while allowing per-feature management. (source)

9) DuckDuckGo Browser (all platforms) — 55.5 / 100

Cross-platform privacy browser tied to search/ads economics; penalized for structural dependency on partner contracts and expansion into optional AI features, plus historic Microsoft tracker carve-out controversy (later removed). (downloads, 2022 issue, removal)

Score breakdown

FOSS / supply chain: 70
Telemetry / Ads / AI: 45
Anonymity / FP: 50
Security / patching: 75
Sovereign alignment: 35
Deployment / fit: 90

Historic Microsoft tracker carve-out

  • Reports in 2022 described Microsoft trackers being allowed due to a search agreement. (source)
  • DuckDuckGo later removed the carve-out for Microsoft tracking scripts, per TechCrunch reporting. (source)

AI feature expansion (optional)

  • DuckDuckGo markets “chat privately with popular AI chatbots (optional)” on its homepage. (source)

10) Brave (all platforms) — 53.8 / 100

Technically strong privacy features, but structurally centered on an ad platform and tokenized attention economy (BAT) plus built-in AI assistant (Leo) and product analytics (P3A). (Rewards, Leo, P3A)

Score breakdown

FOSS / supply chain: 65
Telemetry / Ads / AI: 35
Anonymity / FP: 80
Security / patching: 90
Sovereign alignment: 10
Deployment / fit: 90

Structural reasons for low alignment score

  • Tokenized attention economy: Brave Rewards lets users earn BAT for seeing ads in Brave. (source)
  • Built-in AI assistant: Brave Leo is “built right in your browser.” (source)
  • Product analytics: Brave documents P3A (privacy-preserving product analytics). (source)
  • Rewards identifier: Brave’s browser privacy policy describes a “Rewards Payment ID” when Rewards is enabled. (source)

Technical strengths (acknowledged)

  • Strong default privacy controls are promoted by Brave as core product features (tracker blocking, fingerprinting protection, etc.). (source)
  • Chromium base + active development yields strong patch cadence and exploit mitigations relative to many forks.

5) Cluster View (Structural Read)

Cluster A — Sovereign-grade tools

Tools centered on anonymity, fingerprint uniformity, minimized telemetry, and low platform-capture gravity.

Cluster B — Telemetry / AI / ad-stack gravity

Browsers with stronger platformization and contract-driven or ecosystem-driven incentives: telemetry channels, AI integration, and/or tokenized attention/ad market logic.

  • Firefox — telemetry channels and AI Controls in 148 reflect an “AI-enhanced browser” direction (with centralized off switch). (source)
  • DuckDuckGo Browser — search/ads model + optional AI; historic Microsoft tracking carve-out (since removed). (source)
  • Brave — BAT rewards + ads platform + built-in AI assistant + analytics system. (source)