The Case Against Browser Sync
By Ketan Patil · July 9, 2026 · 10 min read
Nav0 doesn't have sync. No sync chain, no account, no encrypted vault in someone's cloud. If you use Nav0 on two machines, they don't know about each other.
Normally when a browser is missing a feature that every competitor ships, the roadmap says "coming soon." Ours says never. That's not us putting a brave face on a gap in the product. It's the most deliberate decision in Nav0, and it's worth explaining properly — because sync is the one place where every browser that markets itself on privacy quietly breaks its own promise.
Every "Private" Browser Runs a Sync Service
Here's the part that should bother you more than it does. Look at the browsers people recommend when you ask for something private:
| Browser | Account required | Where your data goes | Encryption |
|---|---|---|---|
| Firefox | Mozilla account (email) | Mozilla's servers | End-to-end, keys derived from your account password |
| Brave | No account — a "sync chain" code | Brave's sync servers | Client-side encrypted |
| Vivaldi | Vivaldi.net account | Vivaldi's servers | End-to-end, separate encryption password |
| Chrome | Google account | Google's servers | Encrypted, but Google holds the keys unless you set a passphrase |
| Safari | Apple ID | iCloud | End-to-end for some categories, more with Advanced Data Protection |
Firefox is the browser Mozilla positions as the independent, privacy-respecting choice — and it ships a cloud service that receives your history, bookmarks, passwords, and open tabs, gated behind an email-verified account. Brave blocks trackers by default and talks about privacy constantly — and operates sync servers that its browsers upload encrypted browsing data to. Vivaldi, beloved by power users who distrust Big Tech, requires a Vivaldi.net account and stores your synced data on its servers.
To be clear about the crypto: these three do it well. Firefox Sync derives encryption keys from your account password so Mozilla can't read the contents — which is why resetting a forgotten Firefox password without a recovery key wipes your synced data. Brave encrypts client-side before anything leaves the device. Vivaldi uses a separate encryption password that Vivaldi says it never sees. This isn't Chrome, where the default sync mode leaves Google holding keys it can use — and Google connects that to everything else it knows about you.
But notice what all of them have in common, good crypto or not: they operate servers whose entire job is to receive your browsing data. The most sensitive dataset you produce — where you go, what you save, what you log into — flows continuously off your device and into infrastructure someone else controls.
That's not a side effect of sync. That is sync.
What Sync Actually Is
Strip away the product language and sync is three things bundled together:
- An identity. Something durable that links your devices — an email-verified account, or at minimum a shared secret. Your browsing stops being anonymous local state and becomes your account's state.
- An upload channel. A background process in your browser whose job is to serialize your history, bookmarks, passwords, tabs, and settings, and transmit them to a remote server. Permanently. On a schedule.
- A remote copy. A second instance of your entire browsing life, living on hardware you don't control, under a jurisdiction you didn't choose, governed by a policy document that can change.
Any one of these would be a red flag in a product that promises to collect nothing. Sync is all three, presented as a convenience feature with a toggle.
And once the pipeline exists, everything about the vendor's position changes. A browser without sync is a product: they ship you code, you run it, the relationship ends there. A browser with sync is a service: there are servers to fund, uptime to maintain, terms of service to enforce, abuse to manage, and — the important one — a growing pile of user data to protect, forever. The vendor didn't just add a feature. It changed what kind of company it is.
"End-to-End Encrypted" Is Doing a Lot of Work
The standard answer to all of this is encryption. It's E2EE — the vendor can't read it, so the server is irrelevant. This is where the industry has done its most effective convincing, so it's worth slowing down on.
End-to-end encryption is genuinely good engineering, and I'm not going to pretend otherwise. But applied to browser sync, it carries three loads it can't quite bear.
The vendor writes both ends
"End-to-end" means encrypted on your device, decrypted on your other device, opaque in the middle. But who wrote the code at each end? The same vendor that runs the middle. Your browser auto-updates silently, which means the code doing the encrypting can change under you at any moment — a compromised build pipeline, a government order to serve a modified client to one user, or simply a bug in key handling, and the E2EE guarantee evaporates without anything visibly changing. You're not trusting math. You're trusting every future release of the client, indefinitely.
This isn't paranoia about any particular vendor. It's the trust model. E2EE moves the question from "can they read my data?" to "will every version of their software, forever, refuse to?" That's a much weaker guarantee than it sounds like in a feature list.
Metadata doesn't encrypt
Even a perfect E2EE sync server learns things: that you have an account, which email it's tied to, how many devices you own, when each one comes online, from which IP addresses, how often your data changes, and how much of it there is. Your bookmark contents are opaque; the rhythm of your digital life is not. We've written before about how much a browser can observe without reading a single page — sync metadata is the same problem, relocated to a server, tied to an identity, and retained.
Recovery flows and defaults betray the keys
Real-world crypto fails at the edges. Chrome's default sync mode is the obvious case — encrypted, but with Google holding usable keys, and the genuinely private passphrase option buried where almost nobody finds it. But even the good implementations have to answer the recovery question: what happens when a user forgets their password? Every answer weakens something. Firefox's honest answer is "your data is gone" — cryptographically correct, and so hostile to normal users that it creates pressure for recovery keys, backup codes, and account-restore flows, each one a new path to the data. Convenience and key custody pull in opposite directions, and sync products exist to sell convenience.
A Server That Doesn't Exist Can't Be Breached
Here's the asymmetry that settles it for me.
Every sync server is a standing target. It holds, by design, the concentrated browsing data of every user who flipped the toggle. It can be breached by attackers, compelled by courts, quietly accessed by a rogue employee, or repurposed by an acquirer with a different business model. Maybe none of that ever happens. The vendor's security team is probably good. But the possibility is permanent, because the data is there.
Now run the same threats against a browser with no sync:
- Breach the server? There is no server.
- Subpoena the account data? There are no accounts.
- Compel the vendor to hand over a user's history? The vendor has never possessed it.
- Acquire the company and monetize the data? The data doesn't exist anywhere the company can reach.
This is the difference between a policy and an architecture. "We encrypt your data and promise not to look" is a policy — it holds as long as the company's incentives, ownership, jurisdiction, and codebase all hold. "Your data never leaves your machine" is an architecture — it holds because there is nothing to look at. A promise can be broken by one bad quarter or one court order. An absence can't.
That's why I'd argue sync is flatly incompatible with a "collect nothing" position. The moment you operate sync infrastructure, the honest description of your browser becomes "collects your data, encrypted, and promises not to look." That may be an acceptable trade for some users! But it is not nothing, and calling it nothing is how the industry has blurred a real distinction into mush.
How Sync Became "Table Stakes"
None of this is a secret, so why does every privacy browser ship sync anyway? Because somewhere in the last fifteen years, sync stopped being evaluated as a privacy decision and started being scored as a checkbox.
Read any browser review or comparison chart: sync sits in the feature matrix next to tab groups and reader mode. A browser without it gets dinged for "lacking basic features." Google normalized this — Chrome's growth was propelled by the signed-in, synced-everywhere model, for reasons that had everything to do with its ad business — and every competitor concluded they couldn't win switchers without matching it. The privacy browsers matched it with better crypto, which let everyone keep the checkbox and the privacy story at the same time.
The result is an industry-wide sleight of hand: "your data is end-to-end encrypted" gets heard as "your data stays private," which gets remembered as "your data stays yours." Three different claims, in descending order of truth. It's the same mechanism that convinced people incognito mode makes them invisible — a technically-scoped guarantee, marketed until it sounds total.
And the deeper cost is that the local-first alternative disappeared from the conversation. The question every review asks is "how good is this browser's sync?" The question almost nobody asks is "why does my browser need a cloud service at all?"
Living Without Sync
The honest concession first: sync is genuinely convenient, and if you live across three devices, its absence is real friction. I'm not going to pretend otherwise — I'm going to argue the friction is smaller than remembered, because each thing sync bundles has a better-scoped replacement:
- Passwords never belonged in your browser's cloud in the first place. A dedicated password manager — Bitwarden, KeePass, take your pick — syncs credentials across every device and every browser, with a vendor whose sole job is credential security, not one that also holds your history. This is a strict upgrade, not a compromise.
- Bookmarks export and import as a plain HTML file — a format that has worked across every browser for decades. If you want them continuously synced, put an exported file in a folder watched by Syncthing, which syncs device-to-device with no server in the middle. Your bookmarks cross your own Wi-Fi, not a vendor's cloud.
- Open tabs — the "continue on your phone" trick — is sending yourself a URL with extra steps. A link in your messaging app or notes app of choice does the same job without a persistent identity binding your devices together.
- History is the one with no great cross-device answer, and my genuine position is that it shouldn't have one. Your 2am search trail on one device does not need to be replicated onto every machine you own. Un-synced history isn't a limitation. It's compartmentalization — the thing privacy people usually want.
The pattern: sync's convenience comes from bundling — one account moves everything. The privacy cost comes from the same bundling. Unbundle it, and each piece of data gets a tool scoped to exactly that job, and no single party gets the whole picture.
Why Nav0 Will Never Ship Sync
Nav0 collects zero data. Not "zero data except the encrypted kind," not "zero data unless you enable the convenient thing." Zero. Your bookmarks, history, and settings are files on your disk, and Nav0 has no server for them to go to — not for sync, not for telemetry, not for anything.
Sync is therefore not a missing feature we haven't gotten to. It's on the list of things Nav0 deliberately does not do, for the same reason there's no telemetry and no account system: the feature is the data collection. You cannot operate a service that continuously receives users' browsing data and also claim to collect nothing, and we're not interested in the encrypted middle ground where the claim technically survives but the data still leaves your machine.
If you need heavy multi-device sync, Nav0 might honestly be the wrong browser for you, and Firefox — with a recovery key you store safely — is a defensible pick. But if what you actually want is a browser where the question "what happens to my data on their servers?" has no meaning because there are no servers — that's not a product tier. That's just how Nav0 is built.
You can't leak what you never had.
Frequently Asked Questions
Is browser sync safe if it's end-to-end encrypted?
End-to-end encryption is real protection, but narrower than the marketing suggests. The vendor writes the client that does the encrypting and can change it in any silent auto-update, recovery flows and weak defaults can undermine the keys, and metadata — when you sync, from which IP, on how many devices — is not encrypted. E2EE sync means trusting the vendor's code, servers, and processes indefinitely. Data that never leaves your device requires none of that trust.
Do privacy browsers like Firefox, Brave, and Vivaldi sync my data to their servers?
Yes. Firefox Sync uploads encrypted browsing data to Mozilla's servers and requires a Mozilla account. Brave Sync uploads client-side-encrypted data to Brave's sync servers, joined via a sync chain code. Vivaldi Sync requires a Vivaldi.net account and stores encrypted data on Vivaldi's servers. All three encrypt the content well — but all three operate cloud services that continuously receive their users' browsing data.
How do I sync bookmarks and passwords without browser sync?
Passwords belong in a dedicated password manager such as Bitwarden or KeePass, which syncs credentials without tying them to your browsing history or your browser vendor. Bookmarks can be exported and imported as standard HTML files, or kept in a folder synced device-to-device by a self-hosted tool like Syncthing. Open tabs can be moved between devices by sending yourself the link. Each piece of data gets a purpose-built tool instead of one vendor getting everything.
Why doesn't Nav0 have sync?
Because sync requires a server that receives your browsing data, and Nav0's core promise is that no such server exists. The moment a vendor operates sync infrastructure, "collects zero data" becomes "collects your data but promises not to look." Nav0 keeps bookmarks, history, and settings local only — no account system, no upload channel, and no stored data to breach, subpoena, or sell.
Nav0 is a minimal, privacy-focused browser that collects zero data. It's open source, free, and built on the belief that your browser should do one thing well: let you browse the web. Get started.
