Hacker News new | past | comments | ask | show | jobs | submit login
Is Google Locking Down Chrome to Resist the Rise of Chromium Based Browsers? (itsfoss.com)
85 points by hirundo on Feb 26, 2021 | hide | past | favorite | 48 comments



This article makes no sense, and Google isn't "locking down Chrome".

Google is removing proprietary Google services like sync from Chromium.

Which honestly makes 100% sense. Chromium is supposed to be a bare-bones open-source browser. Other browsers can build on it, and they do. They can provide their own sync capabilities and everything else.

If you want to use Google services, wouldn't you already just be using Chrome?

So this seems like a positive development, untangling Google-specific features from the Chromium project.


It's called "lock-in". First give users the service for free, then limit where they can use it and move some features to the subscription only area. When users have reached a certain amount of people. BOOM! Forced subscription or forced usage of a certain proprietary software (Chrome) to use the service. The same thing is happening to Windows 10.

Fun fact: Google is stealing your data if you use Chrome via many ways. Among them is a software called software_reporter_tool that scans your hard drive and other stuff.

Here's another example: You can find it here: chrome://settings/searchEngines?search=search This is the default search engine: "{google:baseURL}search?q=%s&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:iOSSearchLanguage}{google:searchClient}{google:sourceId}{google:contextualSearchVersion}ie={inputEncoding}"

This is what google actually need to make a search: "https://www.google.com/search?q=%s"

Notice the difference? Google is abusing its position as usual.

People want sync to function since they have a google account but they don't want the privacy and security violations that come with using Chrome.

I'm hoping EU will step in soon. It's monopoly behavior to remove sync from Chromium. It's free after all so what is google butthurt about? Oh right, they can't track and collect user data since that's the first thing devs remove in their Chromium fork.


I'm sorry but whatever you're talking about has nothing whatsover to do with the issue at hand.

Google isn't charging subscriptions for sync. Chromium isn't even really designed to be an end-user product, but a bare-bones browser application that other browsers can build features on top of. It's browser market share used directly is... 0.06%. Less than a tenth of a percent.

And to say that users are forced to use Chrome to use their browser sync settings feels pretty... backwards? Sync is a Chrome feature. It's like complaining Microsoft forces you to use Excel if you want to use Microsoft's pivot table functionality. It's simply a product feature. Not a lock-in mechanism.

As far as I can tell, you're... arguing that users should be allowed to use other browsers (like Firefox and Edge?) but have them sync with their Google account? Even though Mozilla and Microsoft already provide their own sync feature? And which would further entrench Google accounts?

I'm truly confused. Product lock-in is a real thing, but this has absolutely nothing to do with it.


> Product lock-in is a real thing, but this has absolutely nothing to do with it.

Many people install Chrome on the Desktop because it allows them to sync with their mobile Android devices. Yes, you can install Firefox on your phone too, but fewest people do that.


The problem is that sync is a "Google feature" and not a "Chromium feature" that any server can implement. Why can't I switch my sync from Google to Mozilla or Your Startup?


Microsoft did.


> If you want to use Google services, wouldn't you already just be using Chrome?

Would you make the same argument if those services were Google search, Gmail, or Youtube?


Yes, if Chrome had Gmail, etc integration built into the client I would prefer that not be in Chromium.


Those are just websites.


First, many people log into non-Google services using their Google account. If you can't log into it from a third party browser, you'd have to keep using Chrome even if you didn't want to.

Also there is speculation that with browsers blocking third party cookies, Google might eventually perform ad tracking via the browser, via your Google account. Websites that live from ads like news websites will notice this and block users who are not logged into Google, as they don't add revenue. So eventually it might be possible that large parts of the web become inaccessible to you.


I personally don't use Chrome or a Chromium based browser and I have zero problems logging into other non-Google services using my Google account. The fact that my browser of choice doesn't "know" about it (natively) and doesn't display this in its own UI is of no consequence (except the positive ones of why the eff would my browser even _need_ to?)


> many people log into non-Google services using their Google account

Is that actually affected by this change? i.e. have they prevented you logging into Google at all from this browser?


no


> If you can't log into it from a third party browser, you'd have to keep using Chrome even if you didn't want to.

Oauth is browser agnostic, right?


Yes but Google blocks browsers that don't belong to the group of "large" ones for "security" reasons:

https://developers.googleblog.com/2020/08/guidance-for-our-e...

https://security.googleblog.com/2019/04/better-protection-ag...


If you're creating your own browser you are not going to start with CEF. You're going to take the Chromium source code and build from there.


Blocking non-Google users would be nonsensical. News sites currently have tons of non-revenue adding users. The problem they're trying to solve isn't "How do we block these people?"—it's how do we monetize them.

This is why the real shift you're seeing in media right now is back towards subscriber models. Ads are still providing the lion's share of revenue, but as someone whose worked with many media companies, I can tell you that nearly everyone is obsessed with growing their paying subscriber base.


The problem is that Google is removing services that are key to Chromium use for many users. I wouldn't consider this locking down, or removing services (though it is technically that). Instead I would consider it cutting Chromium off at the knees.

I suspect, but have no evidence, that this is in reaction to Microsoft basing the newest version of their browser on Chromium.

The solution is to use an Open Source browser, such as Firefox or some other alternative. That's going to require more developers though to pitch in and help get feature parity in their favorite Open Source browser.

I also have some concerns there, as the Firefox CEO Mitchell has said Mozilla tends to focus more on money. We've seen indicators of that recently with sponsored search. I remember the old AOL Browser and AOL Email, and the ads. I hope not, but could see Mozilla implementing ads in the Firefox UI area.

What I'd like to see is a browser that is built of swappable components working around a browser microkernel consisting of a web engine (Servo?), a JavaScript engine (Deno?), a plugin framework that works via messaging and can support various msg protocols (with two ref impls:ZeroMQ and Matrix). Think something like the Eclipse RCP, but for the Browser and Web browsing.

If this sounds interesting, send me a message. That's not an ad, I am interested in gauging the interest in a project like that.


> The problem is that Google is removing services

> The solution is to use an Open Source browser

Seems to me the solution is to use 3rd party services that are not tied to the browser at all.

For example I manage passwords with 1Password, not Chrome's or any other browser's sync services. And I use bookmarking services like Pocket which aren't tied to any browser.

Using independent services made by companies that care about their reputation (and therefore the quality of their product) makes a lot more sense to me then putting all your eggs into a single browser basket.


I agree, and I'd like to see a unified way of connecting to those services. These services are in a way plugins, so I could see it being handled by having a plugin framework that's capable of handling in-app plugins via something like ZeroMQ, as well as external plugins (remote services or from other apps) via something like Matrix.

Essentially, a key part of the idea is to create an Open Source project that is a browser construction kit rather than a browser. Then anyone can choose what components they use. Big brands can release branded sets of components that include proprietary components if they want - but users won't need to use those to have a safe, secure, and rich browsing experience.


> The solution is to use an Open Source browser, such as Firefox or some other alternative.

Serious question: Why is Chromium the default in any open source operating system? For all the talk about how Google has their own interests with regard to the web in general, and more specifically Chromium, why do Fedora/Arch/Mint/Raspbian (even Debian uses Firefox by default) include it as a default?

I realize you may not be equipped to answer this question directly, but I've been wondering this for some time, and the question seems germane to your point.


> I suspect, but have no evidence, that this is in reaction to Microsoft basing the newest version of their browser on Chromium.

I don't think it's this. As far as I'm aware, MS removed basically every Google integrated service from the new Edge before shipping it. They implemented their own profile syncing service, and I don't believe they support click to call anywhere (or at least they didn't when I last used the linux beta).


If Mozilla can't build a browser with a $60M/yr from Google and other funding, how can you can build one from scratch without funding?


With donated labor contributions from hundreds of engineers interested in an open web where users have privacy and control their own data and perhaps crowdfunding down the road. It's a big dream. Heck, maybe it's a pipe dream - but it's still a dream worth striving toward. Maybe I don't build the entire staircase, just a couple steps (Open Source browser building blocks others can run with). The next person then builds a few more and shores up the existing ones, the one after that does the same, and so on. Eventually you might just have a staircase. Servo is one of those steps. So is Deno.


> Google is framing this change as an attempt to limit third-party access to Google services.

Apparently accessing your own data using unapproved software makes you a 3rd party.


No, it makes the maintainers of the unapproved software a third party, able to access your account using source code that does whatever they want.

You didn't even try to review the millions of lines of code you installed, did you? And if you found out after the fact that those maintainers were using your password to do bad things, what legal recourse do you have? Running "apt-get install foo" or "npm install bar" gives you a variety of disclaimers, but no contracts with the maintainers and no rights.


I didn't review the millions of lines of vim code either, yet notepad.exe lets me use it to edit passwords.txt and banking_details.txt just fine.


There are two differences.

1. NPM is being actively exploited and IMHO remarkably often; some of the third parties that are blocked by this policy are known to be malevolent.

2. I'm afraid my familiarity with Windows is somewhat limited. As far as I know Notepad has no responsibility for carrying out any sort of access control. That it carries out no access control is somewhat irrelevant if it is not intended to do so in the first place.


But you can firewall (in 10 different ways) notepad.exe. You control what notepad has access to. You can access anything notepad.exe can bypassing notepad.exe. You cannot effectively firewall your browser, because you don't control the backend. You cannot bypass the backend of a piece of cloud software.

This is a generic problem with cloud software. Any cloud software has access to your data AND YOU DO NOT. To a certain extent it even has access to your data in other apps (e.g. getting your mail address). It's a way to (currently usually partially) transfer ownership of everything you make with software, and your own data from the user to the creator of the software.

This obviously an extremely negative development in the long run, but people seem quite keen on just accepting it ...


> That it carries out no access control is somewhat irrelevant if it is not intended to do so in the first place.

That's circular logic - Google's access control is OK because Google intended to do it? Do the users get a say in whether these APIs are intended to do access control?


It's not circular. You may classify internet-accessible APIs into three top-level-classes:

1. Ones that perform no authentication.

2. Ones that perform authentication and place some trust in the client software (for example, the client software would be able to copy the user's private data without the user noticing).

3. Ones that perform authentication and place no trust in the client software.

IMO, all three are reasonable, depending on purpose. The APIs in question are in the middle group, and AFAICT couldn't easily be redesigned to fit the third group. And trusting client software that includes an undefined set of NPM packages is unwise, or worse than unwise.

My logic isn't circular. I am simply saying that restricting the client software is reasonable because the for these APIs, the client software is in a position to betray the user's trust. There is an effective difference for these APIs between trusting the client software and the server/user trusting each other.


It’s not our data, it’s Google’s. They are looking at this as a third party to their data and don’t want us granting access to the data we give them.

I think this all falls down to information and data not really being ownable in a physical sense, so it’s just different legal structures and company policies.


I’m sure that’s how Google sees it, but it’s most definitely the users’ data. Google’s “company policy” is to be user hostile and leverage their monopolies for maximum anti-competitiveness.


Good point, I was trying to state Google’s position.

I want control over my data, the data I “own.”

But practically speaking this is impossible and I assume that anything I interact with produces data that’s owned by someone else.

So while I want to own my data, if I use Chrome then Google makes their own data from my behavior and it’s theirs, not mine. To stop this, I have to stop the data being transmitted. That’s hard, but not impossible.

Once it leaves my control (laptop, computer, whatever) it’s no longer mine.

That’s what I mean about it being so squishy. And there’s lots of scenarios trying to understand what’s right. If I take a picture of you in the grocery store, it’s not your data. It is certainly rude. It might violate privacy. But the data is mine even though you are the subject.

If I am a private eye and follow you around noting everywhere you go, the data isn’t yours, the data is mine.

This is why I think that laws need to define ownership and privacy and use. So we can better regulate as a society.

I still want some control on data about me, even if I don’t own it.

In the US the consumer lost almost every case and that’s why stuff like 1970’s Fair Credit Reporting Act [0] allows credit bureaus to collect information about people and do stuff with it even though many people don’t like it. Effectively merchants “sell” data on people to credit agencies who collate it, analyze it, and sell insight (eg, FICO scores) and all that data are owned by people who aren’t the subjects.

[0] https://en.wikipedia.org/wiki/Fair_Credit_Reporting_Act


I agree that once you give someone your data, it becomes "theirs" and they can do what they want with it (logistically speaking). Interestingly enough, the executable that runs Chrome is also data that the end user "owns" once they put it on their system. This is the argument for bypassing DRM.

The system is setup to screw the consumer. Most people probably do consider the data they're giving to Google's cloud services to be theirs, most may even assume that Google isn't doing anything nefarious with it, or using access to build up anti-competitive moats. Sadly, most people probably won't care that much if they do find out the truth as the service and frictionless flow are more valuable that privacy.


>Apparently accessing your own data using unapproved software makes you a 3rd party.

That's been pretty clear since Google rather stridently informed me a third party app had access to my data during a security check: the app was Chromium.


I'm so glad google locked me out of my account. Every day their service just looks more and more abusive.

Rip the band-aid off, your life will be better for it.


no, the "unapproved software" accessing your data is third-party access. that's like the definition of third-party.


Building the whole browser ecosystem on Google code is absurd. Even while Chromium is usable for now, they can lead the project in whatever direction they want. If you don't want that, you should be supporting Firefox.

The paragraph at the end of this article saying Firefox is in favour of censorship comes from one badly worded article afaik and has nothing to do with development. So you use browsers based on Google? Seems like terrible logic


This seems to track pretty close to Google's recent moves in the Android ecosystem to move more and more functionality into Google Play Services packages and not in the AOSP.

As it is a corporation in the business of providing value to its shareholders, I can understand why Google is trying to maximize its profit potential in these projects. However, I think it is really important to give visibility to these moves and for developers (particularly of open source projects) to understand that Google maintains these projects for its own benefit and not for the good of any perceived "community". Once again, this is the status-quo for for-profit businesses, so I am not exactly trying to criticize Google for this. That being said, I do think that Google's (increasingly tarnished) reputation as a champion of open source work is largely undeserved because of their tendency to pull stuff like this.

This whole episode is also an example of why it is important to pay attention to the licensing and availability of the whole tech stack for a project. If functionality relies on a central server (that cannot be easily replaced/self-hosted that should be a huge red flag for anyone contributing to the ecosystem. (Looking at you, Canonical, and your Snap Store shenanigans...)


> Once again, this is the status-quo for for-profit businesses, so I am not exactly trying to criticize Google for this. That being said, I do think that Google's (increasingly tarnished) reputation as a champion of open source work is largely undeserved because of their tendency to pull stuff like this.

This seems like "damn if you do damn if you don't" situation. Android OS and security upgrade is a mess just because OEMs are not willing to provide upgrades to customer in timely manner. That's one of the reasons a lot of functionalities have been moved to Google Play where customers can easily get updates of different components of Android even if the OEMs are unwilling to do so. Sure, this also serves business purpose of Google. But it's not the whole truth if we omit the OEMs and Android OS upgrade situation.


It’s easily possible to provide updates and keep it open source. Google did that in the past just fine with many AOSP apps, and even the android webbrowser parts are updated that way, and still open source.

Google just used it as an excuse to make these parts of the OS proprietary.


Good riddance. I hate Big$G creepily tracking all of my internet search history from Chromium by default unless I explicitly turned it off.

But its cute that people still think that Big companies contribute to Open Source because they want to "give back". Hell no ! It has been about reaping free, complex technical labour, monopolies (chrome, kubernetes) and marketing for hiring devs.



I wish we had less corporate-owned alternatives to Chromium and WebKit. I’m surprised there’s less in the true open source space along these lines.


Chromium is actually a far more open project than most people imagine.

As well as being open source, it also accepts outside contributions (android does not for example), developers talk in public mailing lists, and even leadership positions in the project can, and often are, taken by non-Google people.


Well it's Google. So yes.


Short answer: Yes.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: