> We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API. We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.
However, I think a fundamental issue arises if you are going to pay people to see ads: What if someone forks Brave, and creates a browser which blocks all Brave ads, while pretending to click on them?
Neither of the two solutions I can think of are pleasant ones: you either need to somehow verify that that ads are viewed by a human (i.e. CAPTCHAs), or use DRM-like mechanisms to hide a token in Brave’s brinary, so that only “honest” browsers can get paid.
> It added it had received the microphone data only as code rather than audio, and that it could match that code with audio data from a match.
That sounds funnily absurd to me. By that line of argument, even sound is not really audio. After all, it's being encoded as air pressure waves :-)
EDIT: Pardon my ignorance. Based on Google Translate's translation of their statement [1], it seems that they are using some kind of perceptual hashing which is quite interesting.
HSTS is trying to protect against a specific kind of Man-in-the-Middle (MITM) attack: when the man in the middle pretends that the website you are trying to access does not support HTTPS.
I believe trying HTTPS first wouldn't help: the MITM would refuse your connection, and your browser will try HTTP after that.
With HSTS, the server tells your browser that it is going to support HTTPS for a while. Now, if your first connection to server is secure (no MITM), from now on your browser will know that this particular domain supports HTTPS. So, it will know something fishy is going on if a MITM tries to pretend otherwise.
If whoever develops and hosts the service gets to limit what is allowed, then why Google shouldn’t censor its search results?