
Never connect to ProtonMail using Chrome - dredmorbius
https://old.reddit.com/r/ProtonMail/comments/9yl94k/never_connect_to_protonmail_using_chrome/
======
codedokode
I would make the advice more general: avoid dealing with Google.

Recently I had to install Hangouts app on the Android phone (it was easier
than using it on desktop because I don't have the latest Chrome). One has to
register a Google Account in order to use it, and I had to answer a lot of
questions as if I was applying for a visa, including a phone number (of course
I used a fake number) and date of birth. Then the app displayed a terms of
service page with boring legal text. But I noticed that there was a small
button to show more details, and when I clicked it, the page expanded and I
saw checkboxes (lots of them), most checked by default, like "share my location
with Google" or "record web & app activity". Of course, I turned all of them
off and thought that I am smarter than a typical user that would not even see
these checkboxes.

It turned out, I have been tricked too.

First, the Hangouts app somehow added this newly created account into all
other Google Apps, so Google Play (which I have never used before) has started
itself up and said that I need to update several apps (no, I don't) and then
Mail App said that I got an email (this boring kind of email they put into
your inbox upon registration). Also, Hangouts app added this new Google
Account into the phone settings. And enabled sync for everything - including
contacts.

Luckily, I mostly use phone as a dictionary and it didn't have any personal
information - but if it had, it would be irreversibly copied into the Google
Cloud.

These settings are not easy to find. For example, to learn about sync, you
have to go to Settings -> Accounts -> click the word "Google". Only then you will
see that your data are being uploaded to Google. Google doesn't even give a
warning, let alone ask you whether you really need it. To disable location
tracking you need to notice a tiny button at terms of service page or find it
at the settings. I am sure that most users don't even realise that they've
agreed to be under constant surveillance by Google.

I must admit, Google is good at sucking data out from people and deceiving
them. After all, it employs smartest people on the planet.

~~~
Steve44
This looks like a good reminder that Google isn't just a loose bunch of tools,
they have developed a full integrated ecosystem.

If it's not what you want then it is overly intrusive and exceptionally hard
to manage so you control just the functionality and personal security you
want.

Most end users, I think, just want something to work and are happy for all the
magic to just happen. When you embrace it a lot of what it does is very clever
and very useful. Most people I know who have embraced it just find the
integration fantastically useful and don't have most of the concerns the more
technically aware people do.

~~~
SiVal
I find I can replace just about everything Google makes except for Google Docs
& Google Sheets. I wish I could find self-hosted, open-source versions of
those, which I would install on my own server. I can just use desktop apps and
sync the files through my server with git or rsync when I'm the only user (but
using multiple clients), but as you're saying about the general public, for
sharing with friends and family, Google's solution works so much better....

~~~
ensignavenger
Maybe LibreOffice online would fill the role? It is still pretty new, but
showing great potential.
[https://www.libreoffice.org/download/libreoffice-online/](https://www.libreoffice.org/download/libreoffice-online/)

~~~
SiVal
Sorry I'm late getting back to this, but thanks for the suggestion. I hadn't
heard of an online version of LibreOffice, so I'll definitely check it out. I
really hope there will be a way to have the benefits of server-based word
processors and spreadsheets without handing our private data to people whose
business is profiling us.

------
rinchik
If you care about privacy these days:

Remote self-destructible VM for browsing with Firefox in incognito mode (only
sites you NEED to, that REQUIRE JS), through multiple VPNs over multiple
proxies.

Everything else is command line HTML parsers (also on different, remote VMs),
or API endpoints (HN API as an example?).

Need email service? Self-hosted, tiny email-server somewhere in eastern
Europe. DDNS etc.

Local machine is always clean. Imagine you had to have iPad as your primary
work machine? Very similar spiel.

Good thing is that most of it can get into a habit very quickly and most
tedious parts can be automated :)

Keeping it up offline? Cash-only, prepaid phones (these give you internet
access as well, 80$ no contracts, activate, use 20GiB until the end of the
month, discard the phone, destroy and repeat), prepaid debit for "card
required" purchases.

Easy-peasy! no idea what people are complaining about....

~~~
cpv
why eastern Europe?

~~~
Maxion
Heh, the Netherlands is enough. No one gets stuff from some of those vps
providers.

~~~
krageon
Except the government and the police, just like every other country.

~~~
rusk
With heaps of oversight and red tape.

~~~
tinus_hn
Both the government and the police oversee themselves, the secret service has
access to whatever they want and the tax office is even allowed by the courts
to demand whatever they want. It’s for security and if that doesn’t work it’s
for the children.

------
ohthehugemanate
RTFA - the user discovered that chrome was sending all text from all webpages
to the translate service.

The advice in the thread isn't "never connect to protonmail using Chrome."
It's "don't use Chrome".

100% agree. Firefox is so good now, there's really no excuse.

~~~
morganvachon
And if you don't like Firefox Quantum for its own egregious privacy issues,
you can use Waterfox. The next major Waterfox release will have all the speed
enhancements of Firefox Quantum without the privacy issues.

~~~
sjwright
What are Firefox Quantum's egregious privacy issues? All I'm aware of is the
encrypted DNS experiment which is a huge, unqualified privacy win. I'm not
aware of anything it does that's objectively worse than the privacy
catastrophe which is the status quo.

Perhaps you are angry because it doesn't send your DNS requests in the clear
to Google's 8.8.8.8 service? Perhaps you are angry because you don't like
encrypted communication protocols?

~~~
morganvachon
Perhaps you are making assumptions without merit?

Off the top of my head, forced telemetry (even if you turn it off in
about:settings some stuff gets reported back to Mozilla); Pocket and Sponsored
Tiles, the former sends Mozilla the URL and form data for every site you
visit, the latter has complete access to your browsing history so it can show
you "relevant info"; Adobe DRM and Encrypted Media Extensions (some people
don't like any DRM in their browser, I don't have an issue if it's trustworthy
but you're asking so I'm listing); and a minor, easily corrected nitpick but
they went back to Google as their default search engine. My problem with that
is every update (so far) ignores user settings and changes it back. This can
lead to unexpected unwanted searches via Google.

~~~
sjwright
Literally all of these are (debatably) controversial from a PR perspective,
not from an actual privacy perspective. Most of them aren't even privacy
issues, which suggests to me that you haven't even researched them.

More generally, if any of these things actually offend you, I'm sorry to tell
you but you're not the audience for a web browser—after all, general web
browsing is far, far worse. Every website you visit gets your IP address and
your user agent string. Ooooh noooo.

------
taneq
I don't understand how this is related to ProtonMail. It reads more to me like
"never use Chrome [if you care about all of your web content being sent to
Google]". Sure, ProtonMail is likely to have personal, private stuff in it but
so does a bunch of other things, eg. internet banking.

~~~
chmod775
It's related because that translate feature was disabled for those languages,
but Google Chrome decided to disregard that specifically on ProtonMail and
send the whole thing to Google servers anyways.

~~~
ampersandy
Where does the post say anything about it being disabled for those languages
or that Chrome "specifically" ignored this on ProtonMail?

It just says they had to turn off the suggest translations feature, which
would apply to all sites/languages.

~~~
gpvos
> _translation had been disabled for both French and English websites_

------
marcinzm
Chrome is fun, today I learned you cannot turn off auto-complete for a page in
chrome. Possibly some really creative hacks can do it but those seem to be
"fixed" every so often as well. Which is great when you're building a HIPAA
compliant page and would prefer that people's medical information not get
cached by chrome (and then uploaded to their cloud storage if you're logged
in).

~~~
stedaniels
URLs should not contain PII data. That is a very bad design.

[Edit] I've got the wrong end of the stick it seems.

~~~
marcinzm
Where did I say URL? I'm talking a POST based form.

Put a value into a text field and Chrome will helpfully save it for future
auto-completion. Then it'll upload it to your account on their cloud if you're
logged into an account. How do you think it's able to fill out your name,
address, etc. on all those web forms?

~~~
stedaniels
I'm sorry. I'm out of date it seems. I thought autocomplete="false" worked for
non authentication/non common fields. I'll have to check this out in the
office later.

~~~
rusk
It looks as though Google have gradually eliminated support for this because
"reasons"
[https://stackoverflow.com/questions/30053167/autocomplete-off-vs-false](https://stackoverflow.com/questions/30053167/autocomplete-off-vs-false)

------
IAmGraydon
If you care about privacy, you really shouldn’t be using a browser that was
created by a company that makes its money by learning everything about you and
reselling it to the highest bidder.

~~~
myko
> and reselling it to the highest bidder.

This isn't a thing that Google does

~~~
ceejayoz
It sorta is, via ad targeting.

~~~
gipp
No it isn't. It's the difference between "Here's some money, please show this
to young Democrats" and "Here's some money, please give me a list of young
Democrats." That's a pretty damn big difference.

~~~
lucideer
> _That's a pretty damn big difference._

There's certainly a difference. I'm not sure it's a very big one though.

The latter is an extra problem in a few specific areas:

1\. your foremost fear is a bad actor getting your private details (e.g.
identity fraud / doxing). These are legitimate fears, but certainly not a
primary likelihood in the majority of cases.

2\. discrimination based on background checks (jobs/loans/etc.). Also
completely legitimate, though background checks tend to be plenty invasive in
isolation these days anyway, so I'm not sure how much of a negative impact
Google's data would potentially add here.

Other than these specific threats, the two seem exactly equivalent for most
reasons people are concerned about privacy.

~~~
gipp
Can you name some of those reasons? Because they seem very non-equivalent for
almost any reason I can think of.

~~~
lucideer
This is an odd question. If you can think of reasons where they're non-
equivalent, why not state those reasons in your comment?

You're asking me to give counter-examples to examples/explanations you haven't
given.

~~~
gipp
Well, that's pretty much my problem. The only reasons I can think of would
pretty much be the two you've already listed (and explicitly said it's not
equivalent for those purposes).

This isn't some gotcha thing, I'm trying to understand these concerns better,
because I really don't. I'm not asking for "counter-examples" to anything, I'm
just asking for examples. It's not an odd question.

~~~
lucideer
Ah, ok, apologies; I didn't realise those two items I listed were your only
reasons.

The main reasons people are concerned for privacy, I would say, are around
influence and personal autonomy. There are plenty of people (many of them on
HN, I've read many comments here to this effect), who want to cede decision-
making about their own consumption to service-providers. There is an
attractive convenience to this. Privacy advocates are typically not these
people, and are concerned not just for their own individual autonomy, but also
often motivated by broader societal concerns like those discussed by Pariser
(obviously a hot topic right now w.r.t. Trump and Putin), as well as less-
political aspects of selective exposure theory around societal trends.

------
cromwellian
When I visit a website in a foreign language I've never translated before,
Chrome asks my permission to translate the site, it doesn't do so
automatically. You could argue they could give you more details on what it
will do when you click the 'Translate' button, but to argue they shouldn't
offer the feature as a permission-requested option at all seems pretty
extreme.

I read a lot of foreign websites, and the built-in translate feature (which
you can request in the right-click menu, or from the Toolbar) is a life saving
feature, like, literally, I've been traveling, and Chrome's built-in ability to
translate helped in a medical emergency.

~~~
rocqua
Question is, how does it know to ask?

If it is based on analysis done by the local machine, no problem. However, if
it is based on analysis done by google servers, big problem!

~~~
mschuster91
> Question is, how does it know to ask?

The html tag has a "lang" attribute, and the server itself can send a Content-
Language HTTP header. Most CMSes these days set one or both once multi-lingual
is enabled.

Additionally the browser can utilize the OS or its own spellcheck word
database: check every word in every dictionary and the dictionary with the
most matches is likely to be the relevant one.

~~~
giancarlostoro
> Additionally the browser can utilize the OS or its own spellcheck word
> database: check every word in every dictionary and the dictionary with the
> most matches is likely to be the relevant one.

Every word seems excessive, especially if a page has an excessive amount of
text on it.

~~~
rocqua
I have noticed that 'certain' sites that obfuscate titles by homoglyphs are
recognized as Vietnamese by chrome. That seems like something based on the
actual content of the page.

------
reaperducer
I just don't understand how so many people in the HN community, who are so
vocal about privacy, turn around and use Chrome.

Don't feed the beast.

~~~
anfilt
I have been using Firefox since version 1.0. I don't understand the desire to
use google's browser. However, why would you even try viewing secure data in your
web-browser... Not even just Chrome. Things may get cached etc... Although,
Mozilla has been doing things that I find annoying at times. Like adding
pocket etc...

_Little Rant_ Although, I have looked at some of the other forks. What I find
more depressing is how few up to date browser engines exist. It's a sign that
web standards are getting too complicated. We are already going to have a 3rd
version of HTTP as well... Both HTTP/2 and potential HTTP/3 are based off of work
from google. Those protocols are a lot more complicated than HTTP. So it's
much harder for a small group to implement them. That's just the protocol
layer. Let alone JS, HTML, CSS, and all the other little things. It's like big
companies keep bloating the standards. The result is the browser is probably
one of the more complicated pieces of software we regularly use.

What ever happened to "KISS".

~~~
AlexCoventry
> I don't understand the desire to use google's browser.

It was the only browser with a decent Javascript sandbox, at least until
recently. Wikipedia claims Firefox got a sandbox _this month_, but I think
I've seen earlier claims:

> Until November 2018, Firefox was the last widely used browser not to use a
> browser sandbox to isolate Web content in each tab from each other and from
> the rest of the system.[120][121]

~~~
raarts
Also it was the only browser where every tab ran in its own process so a crash
would only take down that tab.

~~~
ntauthority
Microsoft's browsers got this functionality pretty early as well (I believe
around the IE9/10 timeframe), though they of course had and still have
numerous other issues that would make them undesirable for regular usage.

------
blibble
the language detection is done client side; many years ago I pulled the code
out to use it in another project!

presumably she had "automatically translate" on...

~~~
sixothree
what are the rules that cause a page in your own language to be translated?

~~~
Buge
Whenever I visit a non-English page I get a popup saying "do you want to
translate this page". I assume the user in this case clicked the "Always
translate" button.

------
leetbulb
This is a really awesome project:
[https://github.com/Eloston/ungoogled-chromium](https://github.com/Eloston/ungoogled-chromium)

I've really tried to use Firefox... Chrome just runs so much smoother,
especially for media.

~~~
nil_pointer
Vivaldi is a nice de-Googled project, a Chromium fork with all (?) Chrome
plugins working on it.

~~~
midasz
Yeah Vivaldi is pretty nice, and is updated frequently. I use Firefox and
Vivaldi as my main browsers now. I don't have the energy to completely de-
Google myself (yet) but this is a start.

------
dr_win
Isn't the problem simply with the user (his wife)? She had enabled auto-
translation and didn't notice.

Similar thing would happen to anyone with email account setup to forward all
emails to a public mailing list or something of that nature.

------
jackallis
if this shocks you or anyone then you don't know G-world. Remember, it's
their world and we just live in it. Anytime you connect to G-world via any of
their services, they "own" everything you send over it.

i just don't understand why people go "no way" over this kind of things -- it's
google for F sake.

------
app4soft
1\. _If you WANT be public, upload videos to 'own' YouTube channel, post in
'own' blog on Blogspot_ — use Google.

2\. _If you WON'T be public_ — don't use Google! Keep _uBlockOrigin_ &
_uMatrix_ in your web-browser always turned ON or use _Links_ [0] as default
browser!

As for me, I want to manage 'own' YouTube channel ( _spoiler!_ ), but I will
never use 'own' GMail or other Google's services for serious things, neither on
home PC nor on Android mobile.

P.S.: How many of you have a LinkedIn profile? ;-)

[0]
[https://news.ycombinator.com/item?id=16191843](https://news.ycombinator.com/item?id=16191843)

------
Klonoar
Can't ProtonMail just solve this with a meta tag...?

<meta name="google" content="notranslate">
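
Added example, not part of the comment above or of any ProtonMail code: a small Python audit that checks a page for the opt-out markup raised in this thread, namely the `notranslate` meta tag here, the `lang` attribute mentioned earlier as a language signal, and `autocomplete="off"` on text fields from the HIPAA form discussion. The sample pages, the finding names and the use of the standard HTML `translate="no"` attribute are assumptions added here; all of these are hints that, as replies in the thread note for autocomplete, a browser may not honor.

```python
from html.parser import HTMLParser

# Constructed sample pages (illustrative only, not ProtonMail's real markup).
UNHARDENED = """<!doctype html>
<html>
<head><title>Inbox</title></head>
<body>
<form method="post" action="/send">
  <input type="text" name="subject">
  <textarea name="body"></textarea>
  <input type="hidden" name="csrf" value="x">
  <input type="submit" value="Send">
</form>
</body></html>"""

HARDENED = """<!doctype html>
<html lang="fr" translate="no">
<head>
<meta name="google" content="notranslate">
<title>Inbox</title></head>
<body>
<form method="post" action="/send" autocomplete="off">
  <input type="text" name="subject">
  <textarea name="body" autocomplete="off"></textarea>
  <input type="hidden" name="csrf" value="x">
  <input type="submit" value="Send">
</form>
</body></html>"""

# Input types that never hold user-typed text, so autofill does not apply.
NON_TEXT_INPUTS = {"hidden", "submit", "button", "reset", "image",
                   "checkbox", "radio", "file"}


class MarkupAudit(HTMLParser):
    """Collects the translation and autofill hints a page declares."""

    def __init__(self):
        super().__init__()
        self.lang = None
        self.translation_disabled = False
        self.autofill_fields = []      # text fields not marked autocomplete="off"
        self._form_autocomplete = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "html":
            self.lang = a.get("lang") or None
            if a.get("translate", "").lower() == "no":
                self.translation_disabled = True
        elif tag == "meta":
            if (a.get("name", "").lower() == "google"
                    and "notranslate" in a.get("content", "").lower().split()):
                self.translation_disabled = True
        elif tag == "form":
            self._form_autocomplete = a.get("autocomplete")
        elif tag in ("input", "textarea"):
            if tag == "input" and a.get("type", "text").lower() in NON_TEXT_INPUTS:
                return
            # A field inherits the form's setting unless it sets its own.
            effective = a.get("autocomplete", self._form_autocomplete) or ""
            if effective.lower() != "off":
                self.autofill_fields.append(a.get("name") or "(unnamed)")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_autocomplete = None


def audit(html):
    """Return a list of finding codes; an empty list means every hint is set."""
    parser = MarkupAudit()
    parser.feed(html)
    parser.close()
    findings = []
    if not parser.lang:
        findings.append("missing-lang")
    if not parser.translation_disabled:
        findings.append("translation-not-disabled")
    findings.extend("autocomplete-on:" + name for name in parser.autofill_fields)
    return findings


if __name__ == "__main__":
    for label, page in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(label, audit(page))
```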

~~~
whoisjuan
I don't think that's the point. The problem here is that we seem to forget
that by using Chrome, Google has direct access to absolutely everything we do
on the internet.

Go to
[https://myactivity.google.com/myactivity](https://myactivity.google.com/myactivity)
and you will see all the things they track. It's bizarre.

The one that pisses me off the most is that they track the apps that I open by
binary name and I own an iPhone and use Safari. I don't even know how the fuck
they do that.

~~~
tokyodude
I'm heavily into Google and have 2 Macs and 4 iOS devices all signed in using
Google apps. I don't see any iOS app activity in that link you posted except
Chrome and Google Maps. Can you tell me where I can find other iOS app
activity you mentioned?

~~~
whoisjuan
They just appear there. In my bundle view I have logs like the following:

"Used com.shazam.Shazam"

"Used com.teamblind.blind"

It seems they log app usage for apps that have some sort of Google SDK
installed or are serving Google AdSense. Definitely not all the installed
apps, but several.

------
po
I wish I knew how to effectively communicate to people not to copy paste
sensitive data into translate.google.com whenever they need a translation.

Even some dedicated translation apps that you install on your desktop actually
upload everything to a 3rd party server for translation. I would love a list
of local-only translation software that were close to as effective as the
various online options... or even online but with a good data policy.

------
ahoka
"But the conclusion is frightening : it means that the content of every
webpage visited using Google Chrome is sent back to Google."

This is how it always worked and the number one reason I'm avoiding Google
Chrome.

~~~
viraptor
This neither is nor was true though. In this context pages are sent only if
you are on a page which looks like it could be translated and you request the
translation. That's a long way from "every page"

~~~
pbhjpbhj
In another thread here the OP is quoted as saying Chrome sent the data even
when translation is disabled.

~~~
viraptor
Disabled for specific languages. That means either: the page was misclassified
as a different language, or there's a bug affecting those preferences, or it
was a user mistake and the translation was turned on.

------
goodbyehorses
I've been going through Google Analytica courses a bit recently, just because
I'm interested. It is frightening how many techniques Google uses to gather
meta-data and how much you can make out of it all. Thanks for sharing this, I
use ProtonMail myself but avoid google all the time, one more reason to do it.

------
dpacmittal
My opinion about Google has completely changed in last few years. More scary
than Chrome's monopoly is Android. Android is basically a black box. It's very
hard to find what apps have access to what on the device. We desperately need
a third competitor in mobile space.

------
egberts
Analysis of web browser and ProtonMail: don't.

Source:
[https://eprint.iacr.org/2018/1121.pdf](https://eprint.iacr.org/2018/1121.pdf)

------
JoshMnem
Is Google Chrome sending browsing history and webpage content to Google (via
Google Translate) even when sync is off? I didn't see anything about that in
the settings.

~~~
secure
Webpage text is only transmitted when you have Chrome translate a page.

Language detection happens offline using
[https://github.com/google/cld3](https://github.com/google/cld3)

------
techtriyo
Nice info. [https://techtriyo.com](https://techtriyo.com)

------
ccnafr
lol... you mean never enable auto-translate. If you use a similar plugin with
Firefox, it's the same exact thing.

------
piocho
Have you got an answer from PM staff?

------
Havoc
So much for “Don’t be evil”...

They really have as an Organisation lost the plot on what’s acceptable.

------
husamia
does google use static server addresses to break our privacy? could I
blacklist those addresses at the OS/router level?

------
auslander
Google is an Ad company, 80% of its income is from serving Ads, mostly
targeted Ads.

So any Google software is serving this goal - phishing as much user data as
possible. That is Chrome, Android, GMail, iOS Google Maps, iOS Gmail, Google-
Analytics scripts on websites, Google DNS, any software written by Google.

Don't.

------
gaius
I’ve said it before: Chrome is a data collection app with a built-in web
browser to keep you entertained while it does its real job.

~~~
gundmc
Source?

Google makes Chrome because they can default the URL bar to search on Google
without paying Traffic Acquisition Costs (Google pays browsers _a lot_ of
money to have Google be their default search).

Google only makes money from Chrome by driving more traffic to their profit
centers (like Search). And it works really, really well.

Chrome itself is not monetized and does not collect client data. Please,
provide evidence to the contrary.

~~~
gaius
> _Please, provide evidence to the contrary._

Uhhh, this whole article is literally about Chrome exfiltrating personal data
to Google... all the evidence is above.

~~~
gundmc
No, it isn't. This isn't even an article. It's a reddit post from a French
user who had configured Chrome to automatically translate French (this is not
a default behavior) and was then horrified when Chrome tried to translate his
web page.

Maybe Chrome incorrectly detected French as the language, but we have no way
of knowing because they didn't post any screenshots or additional information
about the alleged event.

~~~
int_19h
> It's a reddit post from a French user who had configured Chrome to
> automatically translate French (this is not a default behavior)

First of all, the option was not to automatically translate. It was to
_suggest_ to automatically translate. Which is the default in Chrome for all
languages other than whatever the system language is. Now, the whole thing
about "suggest" is that it shouldn't just blindly translate, but ask first.
But in this case, apparently, it just translated anyway.

And second, the user specifically said that they disabled translation for
French. Which is almost certainly true, as anyone who is not a native English
speaker but uses an English OS and browser can testify (you get bugged by
Chrome about whether you want to translate every time you open a website in
your native language, so after the first 2-3 times you click "Never").

------
vectorEQ
don't use web browsers, they can see the web pages you can see :O:O:O:O

~~~
vectorEQ
you might seem this is shocking, but it make the request and parse the content
handle the encryption for you. literally access to all of the bits! :O really!
if u care about privacy don't use web browser!

------
dredmorbius
To what extent is this a browser extension model bug?

------
qwerty456127
> But, on her computer, my mail appeared like it has been translated from
> French to English then to French again... After a bit of fiddling, I
> discovered that disabling the "suggest to automatically translate a website
> in a foreign language" option solved the issue... That every email, even in
> ProtonMail, is sent to Google even if, in this case, the translation should
> not happen (translation had been disabled for both French and English
> websites so there was no reason to think PM would be translated).

Sounds like a bug. I am going to disable the translation feature now, I never
use it but have never bothered to turn it off completely.

~~~
devoply
It's a bug but what is to stop Google from sending everything you type in any
textbox to Google? Have they said anywhere that they won't do such a thing?
Completely trivial to do and extremely useful in providing data about you to
Google that they could potentially never look at and use to train AI.

~~~
delibash___
And what's to stop Mozilla from doing so? Or any other browser?

~~~
squarefoot
The simple fact that Firefox is Open Source, therefore auditable, while Chrome
is not.

ps. Nope, Chromium is not Chrome.

~~~
SmellyGeekBoy
So use Chromium?

~~~
josefx
Chromium already got caught side loading a black box binary plug-in after it
was installed. One of the chrome devs. even made it clear that it worked as
intended as the DRM support it implemented was core to the Chrome product and
saw no reason not to silently download and execute it. So it is the same as
chrome, only run it if you unconditionally trust Google.

