

Microsoft: Google Chrome doesn't respect your privacy - stanleydrew
http://arstechnica.com/microsoft/news/2010/03/microsoft-google-chrome-doesn-your-privacy-microsoft-google-chrome-doesnt-respect-your-privacy.ars

======
jerf
"'Watch a demo on how Google Chrome collects every keystroke you make and how
Internet Explorer 8 keeps your information private through two address bars
and In Private browsing.'

[Install Microsoft Silverlight logo]"

I'm using Linux. There's something a little off about that pitch. "Come, let
us show you how evil our competition is. Please install our massive runtime
with which we intend to completely take over the web." Yeah, I know it's not
all directly comparable, but still... off.

~~~
DenisM
Well, what is your preference then? "Please install this other bloated runtime
from Adobe that actually DOES have a chance of taking over the web"? Or how
about "here's the video that only 10% of the web users can see, runtime or
not"?

------
SamAtt
I'm not sure how I feel about the first claim (having just read the article)
but the author misses the point. Whether it sends the information to Google or
Bing it's still the violation of privacy is the fact that everything you type
is being sent somewhere. In fact it's made worse by you being able to use
other search engines because it means other companies could abuse the
information even if Google doesn't.

Again I'm not saying I agree with Microsoft. In all honesty anyone who uses
Chrome should realize this is happening (since it uses the Google auto
complete when you start typing and so would have to send keystrokes back). But
it's something to think about.

~~~
stanleydrew
The problem with Microsoft's accusation is that IE8 does the exact same thing,
just not when you type in the address bar. You have to type in the search bar
in IE8 for every stroke to get sent to Bing.

~~~
stanleydrew
Not sure what the downvote is for. From the article:

"The same behavior occurs in IE8, but only in the search bar. LePage is only
correct in his assertion that IE8 does not send information to anyone when the
user types into the address bar."

~~~
dutchflyboy
Well, when you put it in the search bar, your intention is to send the
information to the search provider, after all, that's the whole point of the
search box. However, with Chrome, as the two boxes are merged, the
autocomplete function sends every keystroke to the search provider even when
you wanted to go to a website directly, information that the search provider
doesn't need at all and that is maybe private.

------
Tichy
How many users change the search behavior? I think the accusation has at least
some basis. And I am pretty sure Google is collecting data.

------
axod
All the settings are there right in the [Privacy] section for users who care.

The fact is, most users just want it to work - something the IE team would do
well to pay attention to.

~~~
briansmith
Where's the setting to separate the address bar and the search bar?

~~~
cryptoz
Why do you actually need two separate text boxes? If you don't type a valid
URL, your text becomes a search. You can easily pick which search engine to
use, if you don't want Google logging your searches.

Does the combination search/URL bother you for some reason?

Edit: If you're worried about the silly auto-suggestions issue, just uncheck
the setting in the "Under the Hood" options tab: "Use a suggestive service to
help complete..."

~~~
briansmith
This was the whole point of the first half of the video. I want auto-suggest
on for web searches and off for everything else, as explained in the video.

~~~
axod
Most users don't see a real distinction though.

Either they stuff an address in the bar and it 'works', or they mistyped it or
didn't type a valid URL, and it shows them the google results, and they click
on the thing they wanted.

So I think yours is a niche usecase. In any event, probably best for you to
just disable auto-suggest, and bookmark <http://google.com> :/

~~~
briansmith
"Most users don't see a real distinction" is why Microsoft's design is so
smart. It protects the user's privacy more often, without the user having to
really think about it. And, at the same time, it lets users use auto-suggest
for web searches, which is very useful.

I do agree that I am in a niche, in the sense that I care about maximizing
online privacy enough to discuss it and try to improve it. But, privacy is not
a niche feature, and people who don't know about privacy problems/solutions
still deserve privacy.

------
paulgb
It's been a while since I first installed Chrome, so I don't remember exactly,
but doesn't it prompt you to let you know about this? Despite some of the
privacy allegations against Google in the past, I've found they've always been
very clear about privacy implications with using their downloadable desktop
software. The Google toolbar, for instance, warns you explicitly when you
enable features (like Page Rank meter) that would result in information being
sent to Google.

------
btipling
Does Google even maintain non-anonymized logs of search suggestion lookups the
way they maintain logs for regular search results?

~~~
jules
Anonymized in what way?

------
metamemetics
Of course it sends information back to google, that's how autocomplete works!

The real question is, do they still store urls typed if you disable 'Collect
usage statistics' ? I would hope not, but this article doesn't address that.

~~~
briansmith
The point of the video is that IE8 separates the address bar from the search
box, so that nothing gets sent over the network when you are just typing in a
URL or searching your history. Some might argue that the IE8 design is worse
from a usability standpoint, but it seems clearly better from a privacy
standpoint.

Back around IE4 or so, everybody was bashing Microsoft on privacy, because if
you typed something that wasn't a URL and pressed ENTER in the address bar, IE
would do a MSN search automatically.

~~~
metamemetics
Knowing the type of information someone searches for on the internet will tell
you WAY more about them than the URLs they TYPE. To access specific sites,
many people use bookmarks\links anyway.

Microsoft's argument is akin to saying: Beware of using the new electrical
mixer! It includes the option to use electricity, and electricity can cause
electrocution. Use our hand operated mixer instead, it does not have that
risk.

For this article to bee considered to have any substance, Microsoft would need
to claim 'This specific electrical mixer causes electrocution' aka 'Google
circumvents it's option to disable submitting usage statistics by exploiting
the auto-complete feature to store a copy of your browsing history'. They are
not making that claim.

------
please
so having just one input for url and search was not such a good idea, for
privacy.

~~~
paulgb
To me, the advantages outweigh the costs, though. If I want to search for
something without Google knowing about it, I can jump to incognito mode.

~~~
stanleydrew
This occurs even in incognito mode though.

~~~
babar
Incorrect. Incognito mode does not use the search provider's autocomplete
results.

~~~
stanleydrew
Interesting. I hadn't noticed that, but you are right. I only get suggestions
for searches I've made during my incognito session (so stored locally in the
browser's memory) or for pages in my history for that session.

------
myaccount
While this may be true, it sounds like FUD (fear, uncertainty, and doubt)
coming from Microsoft.

------
tbrownaw
So does this mean that IE lacks a phishing filter? ;)

~~~
briansmith
More importantly, is something that Microsoft could do to make IE's phishing
filter work better at protecting users' privacy? After all, you can disable it
if you don't like it, but having it off just increases your vulnerability to
another kind of privacy problem.

It is a similar problem to OCSP vs. CRLs for X.509 (SSL/TLS) certificates.
CRLs are better for the end-user's privacy in the sense that the protocol
doesn't tell the CA what websites the user is actually browsing, while OCSP
(as implemented today) does. But, OCSP allows something more like real-time
certificate status checks, and CRL information will almost always be more out
of date.

