I’d Rather You Not Use an “AI Browser” Just Yet

Every new technological innovation has its respective product hype cycle; the latest in AI is agentic browsers. Agentic browsers are touted as efficiency tools, capable of summarizing pages or filling in information on your behalf with the latest AI models. On its face, the prospect of automating your digital chores is appealing. But new technologies present new security and privacy concerns, and AI browsers are no exception. Coverage of novel AI browser vulnerabilities is widespread, with recommendations from companies like Gartner that they be barred from use, given the breadth of existing and potential shortcomings. Nevertheless, I’ve read far too many articles that suggest AI browser protections are adequate, and I feel obligated to recommend, strongly and clearly, that you not use them, and to explain why.

Understanding the Core Risk

AI agents are not the same as AI models. Agents orchestrate model actions for a user. In an agentic browser, the agent reads webpage content and feeds it to the model as it orchestrates actions. However, AI agents treat every item on a webpage as legitimate input, and malicious actors can hide content capable of hijacking an agent’s directions - an attack method known as “prompt injection.” As Simon Willison points out, prompt injection is only one part of a lethal trifecta of agentic insecurity, the other two being insecure tool calling and over-permissioned agents. The latter two elements of this trifecta fall downstream of prompt injection: insecure tool calling allows agents to invoke local or online services without proper safeguards, while over-permissioned agents have more access than necessary to other components of your browser or desktop, allowing malicious prompts to reach system files, APIs, or personal data.

In October, Brave’s security team published a report that highlighted widespread susceptibility to prompt injection across popular AI browsers. With an AI browser, a visit to a GitHub or Reddit page can misdirect your agent into leaking your emails, passwords, or other sensitive information. We have yet to solve this problem.

Privacy Theatre

An investigation into AI browser assistants by researchers at University College London and UC Davis found that popular agentic browsers often send entire webpage content, including form inputs and user-entered data, to remote servers - regardless of the sensitivity of that data. Some of these browser agents not only retained this sensitive information, but shared it with third-party companies as well.

For a user trusting Perplexity or OpenAI, this raises serious questions: Where is the data going? Who has access to this data? How long is it stored? Often, such details are opaque or entirely missing. That opacity undermines any “privacy guarantee.”

Even privacy protection measures, like the privacy snapshot feature of Perplexity’s Comet browser, are, at best, performative. Perplexity’s privacy tool only governs what you choose to save, not what the system collects or infers while you use it. The browser still sends your queries, page visits, and interaction data to Perplexity’s servers for processing, and those requests can be logged, profiled, or used for model improvement regardless of whether you toggle their “private mode.”

I would be remiss if I didn’t point out that by their CEO’s own admission, Comet is designed to “track everything users do online to sell ‘hyper personalized’ ads.”

Ultimately, AI browsers act as data collection mechanisms. Agentic browsers conveniently circumvent protections like Cloudflare’s robots.txt, a measure to prevent AI model companies from scraping data from webpages. If agentic browser providers actually cared about privacy, they would be shipping their browsers with tools like CONFSEC or similar trusted execution environment-based technologies to assure users’ data privacy and security. They do not, because user data collection is the product.

Responsibility is Placed on Users

Brave’s steps towards agentic browsing are the most promising. Last week, Brave announced the release of its “AI browsing mode” as a feature of its Nightly beta browser.

Rather than hide the dangers posed by agentic browsing, Brave’s team says explicitly: agentic browsing is inherently dangerous, prompt injection remains “a systemic challenge,” and any rollout must be gradual, opt-in, carefully sandboxed, and open to reports from security researchers.

Brave implements important mitigations: AI browsing runs only in isolated profiles (separate cookies, cache, and login state), and only after explicit user invocation; an “alignment-checker” model reviews the AI’s proposed outputs before they are executed; internal pages and flagged domains are off-limits; and all AI features are optional and off by default.
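As an added illustration (not Brave’s code), here is a small policy gate in Python modelled on the mitigations just listed: the agent proposes tool calls, and the gate refuses any call made without opt-in and explicit invocation, outside an isolated profile, against an internal page or flagged domain, with an unpermitted tool, or carrying sensitive fields. The internal schemes, flagged domain, field names and tool names are constructed assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed policy data (assumptions for this example, not Brave's real lists).
INTERNAL_SCHEMES = {"brave", "chrome", "file", "about", "devtools"}
FLAGGED_DOMAINS = {"example-phish.test"}
SENSITIVE_FIELDS = {"password", "session_cookie", "credit_card"}

@dataclass
class Session:
    # Every flag defaults to the safe value: AI features are off by default.
    ai_enabled: bool = False            # user has opted in
    user_invoked: bool = False          # agent runs only after explicit invocation
    isolated_profile: bool = False      # separate cookies, cache and login state
    allowed_tools: set = field(default_factory=set)

@dataclass
class ToolCall:
    # A tool invocation the model proposes; the gate sees it before execution.
    tool: str
    url: str = ""
    payload: dict = field(default_factory=dict)

def check_call(session: Session, call: ToolCall):
    """Return None if the call may run, otherwise the reason it is denied."""
    if not session.ai_enabled:
        return "ai browsing disabled"
    if not session.user_invoked:
        return "no explicit user invocation"
    if not session.isolated_profile:
        return "agent must run in an isolated profile"
    if call.tool not in session.allowed_tools:
        return f"tool not permitted: {call.tool}"
    if call.url:
        parts = urlparse(call.url)
        if parts.scheme in INTERNAL_SCHEMES:
            return f"internal page off-limits: {call.url}"
        host = (parts.hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in FLAGGED_DOMAINS):
            return f"flagged domain: {host}"
    leaked = SENSITIVE_FIELDS & set(call.payload)
    if leaked:
        return f"payload carries sensitive fields: {sorted(leaked)}"
    return None

def run_agent(session: Session, calls: list):
    """Gate each proposed call; return (executed tool names, denied (tool, reason))."""
    verdicts = [(c.tool, check_call(session, c)) for c in calls]
    return [t for t, r in verdicts if r is None], [(t, r) for t, r in verdicts if r]
```

A call that an injected page instruction pushes the model into proposing (navigating to a settings page, posting form data to an unknown host) is refused by the same checks as any other call, which is the point of gating actions rather than trusting the model’s output.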

That kind of openness - acknowledging risk, designing for safety, and welcoming external scrutiny - is in sharp contrast to the hype-driven launches from Perplexity and OpenAI. Brave has set the standard for agentic browsing best practices, but with the outstanding risk of prompt injection, the onus is still on users not to enter sensitive data into their agentic browsers.

Conclusion

If you care about your privacy and security:

  • Don’t assume that an AI-powered browser, even if marketed as privacy-first, is safe. The structural issues of prompt injection, data exfiltration, and opaque backend handling remain.
  • Prefer tools that minimize trust surfaces and maximize transparency: open-source or explicitly audited, opt-in, with clear data handling policies.
  • Advocate for stronger standards: explicit data collection consent, full disclosure of data flows, or guaranteed data privacy altogether with tools like CONFSEC.
  • If, despite everything I have covered here, you want to try agentic browsing, do not log in to sensitive services or input sensitive data - this is experimental software with unresolved vulnerabilities and poor data collection policies.

As with any AI tool, if we redesign the browser for the AI age, we must do so with respect for privacy, transparency, and trust baked in - and that is not where these tools are yet. For now, steer clear of AI browsers.