> We want to build features that users want, so a subset of users may get a sneak peek at new functionality being tested before it’s launched to the world at large. A list of field trials that are currently active on your installation of Chrome will be included in all requests sent to Google. This Chrome-Variations header (X-Client-Data) will not contain any personally identifiable information, and will only describe the state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation.
> The variations active for a given installation are determined by a seed number which is randomly selected on first run. If usage statistics and crash reports are disabled, this number is chosen between 0 and 7999 (13 bits of entropy). If you would like to reset your variations seed, run Chrome with the command line flag “--reset-variation-state”. Experiments may be further limited by country (determined by your IP address), operating system, Chrome version and other parameters.
> This ... header ... will not contain any personally identifiable information
> a seed number which is randomly selected on first run ... chosen between 0 and 7999 (13 bits of entropy)
They are not including any PII... while creating a new identifier for each installation. 13 bits of entropy probably isn't a unique identifier if you only look at that header in isolation. Combined with at least 24 additional bits[1] of entropy from the IPv4 Source Address field, Google receives >=37 bits of entropy, which is almost certainly a unique ID for the browser. Linking that browser ID to a personal account is trivial as soon as someone logs in to any Google service.
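The entropy arithmetic behind that claim can be sketched in a few lines of Python. This is back-of-the-envelope only; the 2-billion install count is a rough assumption, not a figure from the thread:

```python
import math

seed_states = 8000            # variations seed range with telemetry disabled
ip_states = 2 ** 24           # IPv4 source address, last octet assumed zeroed [1]

seed_bits = math.log2(seed_states)      # ~12.97 bits
ip_bits = math.log2(ip_states)          # 24 bits
total_bits = seed_bits + ip_bits        # ~36.97 bits

combined_states = seed_states * ip_states   # ~134 billion distinct values
chrome_installs = 2_000_000_000             # rough assumption

# Far more possible values than browsers: near-certain uniqueness.
print(f"{total_bits:.2f} bits, unique: {combined_states > chrome_installs}")
```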
> Experiments may be further limited by country (determined by your IP address)
They even admit to inspecting the IP address...
> operating system, Chrome version and other parameters.
...and many additional sources of entropy.
[1] Why 24 bits instead of 32? The last octet of the address might be zeroed if the packet is affected by Google's faux-"anonymization" feature ( https://news.ycombinator.com/item?id=15167059 )
> > Experiments may be further limited by country (determined by your IP address)
> They even admit to inspecting the IP address...
I don't think that sentence admits what you say? Chrome could be determining which experiments to run client-side.
Of course, when you visit a Google property, they needs must inspect your IP address to send a response to you, at a minimum. That goes for any site you might choose to visit. The existence of sufficient entropy to personally identify a site visitor is not a state secret. They do not need this chrome experiment seed to identify you, if that's a goal.
Yeah, it's not a "state secret" but it's not common knowledge either. Their privacy policy says that specific header can't be used to identify you, but fails to mention it can be combined with other information to make browser fingerprinting trivial.
If you don't know how all this works, which is true for most human beings, their privacy policy might give you the wrong impression.
> says that specific header can't be used to identify you
That's not what it says. It says the header won't contain PII, which is true. It can be linked to PII, but so can literally every bit of information you send to Google while logged into or otherwise using their services. A disclaimer to this effect would not have any purpose.
That's the whole point. Using any Google service means they can easily personally identify you, that's what the privacy policy should explain.
That's their policy towards privacy: you don't have any. For some reason I can't fathom, you claim mentioning this in their privacy policy "would not have any purpose". Instead of honesty, their privacy policy is a wonder of public relations where it seems like they care deeply about protecting your privacy.
We disagree about the purpose of privacy policies. I believe that privacy policies should describe how data will be used, not how it could be used. I just don't think a policy describing how data could be used is very useful, because it's going to be the same for all services.
Under this formulation, Google's policy is (presumably, lacking any data to the contrary) honest with respect to this value.
"I believe that privacy policies should describe how the data will be used, not how it could be used."
Google's policy does not tell the user how her data will be used by Google's customers. The policy states Google will use the data to "provide better services". That is deliberately vague. That is the "purpose", but how exactly is the data used to achieve that purpose? There are no specifics to which a user could object.
Google does not only serve the search engine user, the email user, the YouTube user, etc. Its business is not free services. As such the policy is misleading as to what are the "Services" it may use the data to improve. Google's business is providing online ad services.
The truth is that Google collects data to provide better services to advertisers. The policy reads as if it only collects data to provide better services to users. The "free" services are just bait to draw users in. The data is collected to improve online ad services.
> The truth is that Google collects data to provide better services to advertisers.
I understand that that is what you believe, but I do not think this is factually true of the data collected from this Chrome header. I believe the Chrome team collects it in order to understand the impact of Chrome experiments on performance.
> I believe that privacy policies should describe how data will be used, not how it could be used.
This is key. If you subscribe to the "how it could be used" version, then even, say, possessing an Android phone would be a violation of the privacy policy. Which is absurd.
Per your observation, I would argue that the intent of the privacy policy as quoted above is pretty clear. When the policy says that the identifier doesn't contain PII, I believe that is meant to convey that it will not be used to identify you. But it's true that that use is not explicitly excluded. I'm not a lawyer, so I couldn't tell you whether being weaselly in this way would count as fraud. On the other hand, I suspect that Google is actually abiding by the spirit of the policy they wrote, because honestly they have little to gain and much to lose by violating it.
If I log in to my Google account once, they can associate that browser id with my account. Even if I log out, clear my cookies (and probably use the incognito mode), Google will be able to identify and follow me all over the Web.
I don't know about your PII thing, but it's personal data under the GDPR.
AIUI GDPR restricts the handling and use of PII, not its existence. So it's PII under GDPR. Is Google misusing it? If so, that's an issue. If not, then it's kinda pointless to observe that it's PII under some possibly distinct legal definition than the one Google is using in its privacy policy.
I don't math very much, but I would guess the intersection of these sets of people is nil: people who 1) use a VPN to avoid tracking by Google, 2) still log in to Google services from one of their networks and not the other, and 3) use the same Chrome profile on both. But suppose some small number exist who adopt this illogical and contradictory pattern of behavior. If Google is using this token for the purpose of tracking this tiny set of people when the vast majority could be tracked more easily via conventional means, it would imply that they are far more competent than I give them credit for.
> They are not including any PII... while creating a new identifier for each installation. 13 bits of entropy probably isn't a unique identifier if you only look at that header in isolation. Combined with at least 24 additional bits[1] of entropy from the IPv4 Source Address field, Google receives >=37 bits of entropy, which is almost certainly a unique ID for the browser. Linking that browser ID to a personal account is trivial as soon as someone logs in to any Google service.
Now this is interesting. Without those 13 bits of entropy, what would Google lose? Is it because of these 13 bits that Google is suddenly able to track what it couldn't before? If the IPv4 address, user-agent string, or some other behavior is sufficient to reveal a great deal on its own, we have a more serious problem than those 13 bits. I agree that the 13-bit seed is a concern. But I am wondering whether it is a concern per se, or only in its orchestration with something else. Of course, how and whether Google retains this data also matters.
>Now this is interesting. Without those 13 bits of entropy, what would Google lose? Is it because of these 13 bits that Google is suddenly able to track what it couldn't before?
At the very least, having those 13 bits of entropy along with a /24 subnet allows you to have device-level granularity, whereas a /24 subnet may be shared by hundreds of households.
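A quick birthday-problem sketch (with hypothetical device counts) shows why the seed gives roughly device-level granularity within a /24: some seed collisions do occur, but any given device shares its seed with at most a handful of neighbors:

```python
def collision_prob(n_devices: int, n_seeds: int = 8000) -> float:
    """Probability that at least two of n_devices behind the same /24
    draw the same variations seed (classic birthday problem)."""
    p_all_distinct = 1.0
    for k in range(n_devices):
        p_all_distinct *= (n_seeds - k) / n_seeds
    return 1.0 - p_all_distinct

# With a few hundred devices per /24, some pair will likely collide,
# yet each individual device still maps to (nearly) a unique
# (subnet, seed) pair -- enough to narrow "hundreds of households"
# down to roughly one.
for n in (50, 200):
    print(n, "devices:", collision_prob(n))
```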
... which is crazy unrealistic, since it's "PII" that can only stay "private" by collective agreement of every node in the network, but no accounting for the reality of network architecture in passing law, I guess.
Maybe a deep expectation of anonymity while accessing a worldwide network of cooperative machines is something people should stop telling the public they should expect?
Under GDPR you can use all the PII you reasonably need to provide expected services, you don't even need separate consent. But, if you have PII, the moment you use it for other purposes, or obtain/retain/share without proper cause, you are breaking the law.
IMHO, that is very reasonable.
Real-world example - giving your phone number and information to your car mechanic / doctor / bank teller / plumber is reasonable. Using that information to hit on girls or to solicit donations for a puppy shelter would be considered improper.
I totally agree, and I think the GDPR is also reasonable in that it allows you to use the IP address for essential security reasons, such as blocking bad actors based on IP address - it doesn't say "thou shalt not track IP addresses", it says you need consent if you're going to use it for anything that isn't essential for security or in your end user's best interest.
Or they can stay 'private' by not being stored or correlated with other user data. GDPR doesn't apply to the network itself, it applies to whoever is using it.
"Stored" is definitely the purpose of a router. "Correlated" can be necessary for debugging routing issues (or client-server connection issues that are tied to the intermediary fabric near the client doing something weird; hard to determine if an entire subnet is acting up if you aren't allowed to maintain state on errors correlated to IP address).
I care. I care that I even if I log off, even if I use a vpn, even if I go into incognito mode, they still can associate my requests with the account I initially logged in.
The problem is any website can do that. Incognito-bypassing fingerprinting is difficult to prevent, unless you use something like uMatrix to disallow JavaScript from everything but a few select domains.
This is a collection of random-ish unique-ish attributes. Any collection of such things can be used to track you, like installed fonts, installed extensions, etc. If this were just a set of meaningless encoded random numbers, then it's essentially a kind of cookie, but that's not what it is. This is (claimed to be) a collection of information that's useful and possibly needed by some backends when testing new Chrome features. It tells servers what your Chrome browser supports. The information is probably similar to "optimizeytvids=1,betajsparser=1".
So, the only question is if Google is actually using this to help fingerprint users in addition to the pragmatic use case. It certainly could be used that way, and it's possible they are, but they have so many other ways of doing that with much higher fidelity / entropy if they want to. If this were intended as a sneaky undisclosed fingerprinting technique, I think they would've ensured it was actually 100% unique per installation, with a state space in the trillions, rather than 8000.
Yes, this could be so sneaky that they took this into consideration and made it low-entropy to create plausible deniability while still being able to increase entropy when doing composite fingerprinting, but I think it's pretty unlikely. Also, 99% of the time they could probably just use Google Analytics and Google login cookies to do this anyway.
Maybe one actually useful non-advertising usage could be reCAPTCHA?
If you read carefully, it nowhere says that there is a limit of 8000. The limit of 8000 applies only if you disable usage statistics / crash reports.
Sorry about that, too late to edit it now. That is an important detail. If there are 32 or more different feature flags, then that's 4 billion unique states, which would be an effective fingerprint.
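As a sanity check on those numbers (simple arithmetic, treating each flag as one independent bit, which real variation IDs need not be):

```python
# Each independent boolean flag doubles the number of possible states.
for n_flags in (13, 32, 40):
    print(f"{n_flags} flags -> {2 ** n_flags:,} states")
```

At 32 flags the state space already exceeds the number of browsers in existence, which is why 32+ independent flags would make an effective fingerprint.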
I still think it's pretty unlikely they're using it in that way or would in the future, and I think Google fuzzing this for those who opt out of telemetry is probably a signal of good faith in this instance. They realize the privacy implications and provide a way to disengage, even if they don't intend to abuse the information.
But of course the potential for abuse always remains. And the potential for (arguably) non-abusive tracking, like the possibility of it being used for bot detection by reCAPTCHA, as you say.
reCAPTCHA is the most abusive type of tracking. Google simply denies you usage of the captcha if you do not give them enough personal information. It doesn't matter if you enter the captcha correctly 20 times. It won't let you in.
This is part of the bot detection, though. It's probably not "not enough personal information", it's "this truly seems unlikely to be a legitimate device/person", due to the huge datasets they're working with. Same with Cloudflare and Tor. Once you operate a security service anywhere near that scale, you start to understand there are inherent challenges and tradeoffs like these.
reCAPTCHA increasingly doesn't even give me a captcha. Instead, they simply deny me from even trying; They send this instead of the challenge:
<div>
<noscript>
Please enable JavaScript to
get a reCAPTCHA challenge.<br>
</noscript>
<div class="if-js-enabled">
Please upgrade to a
<a href="[1]">supported browser</a>
to get a reCAPTCHA challenge.
</div>
<br><br>
<a href="[2]" target="_blank">
Why is this happening to me?</a>
</div>
They probably don't like my non-standard user agent string and they definitely don't like that I block a lot of their spyware, but reCAPTCHA used to work properly for many years with the same/similar browser configuration.
Normally you would only expect to be identified and tracked when using Google services while logged in. The significance of this post is that they would be able to identify and track you across all your usage of that browser installation regardless of whether you've logged out, or are, say, in an incognito window.
Yes, you are missing something important. Once they've tied the browser ID to your personal account, they can track you across all Google properties, even the ones you didn't log into.
Unless you're running some extension that emulates FF's container tabs or something, it logs you into all G services. It would matter, though, if this header is still sent in incognito sessions.
I still don't understand. When I log into gmail, it logs me into all Google services. If I am worried about being tracked, surely my first mistake is logging in in the first place? Or visiting in the first place? After all, even if I click "log out," I'm only trusting Google that they unlinked the browser state from the account. If I trust them to do that, I don't see why I shouldn't trust them to ignore this experiment flag from Chrome, or at least not use it for tracking. If I don't trust them to avoid using the experiment state, I don't really see how you can trust them for anything.
Anyway, if you're not building Chrome from source, then you have to trust that they aren't putting anything bad in it. And if you are building Chrome from source, you can observe that they only send this experiment ID to certain domains, and they already know who you are on those domains anyway.
I think the argument is they have other methods like cookies they could also use. The fact you trust them not to use those methods extends to this form of tracking.
That's basically saying "even if you opt out, we'll still try to track you, just not as much." Very unpleasant, but then again I'm not surprised to see this attitude from Google.
How many people will actually run Chrome with a CLI flag? It would be pretty impressive if every single person reading this thread did, but it probably won't even be that. Most people don't even touch their settings.
13 bits of entropy is far from a UUID (and even capping it at 13 bits requires disabling settings, which again very few people do), but it's still plenty good enough to disambiguate individuals over time.
It is an abuse of Chrome's position in the marketplace. Google is using their powerful position to give themselves tracking capabilities that other online players can't access. It is a major competitive advantage for Google.
Can't alternative browser makers who build on Chromium simply disable that portion? Like, I expect identifying users was a key business concern in moving Edge to Chromium. Is there something (other than work) preventing them from making it report back to Microsoft-owned domains instead?
Is it perhaps because Google's webapps have their own A/B tests which use experimental features only available in Chrome?
I mean, personally I think they should do client-side feature detection and go back to being standards-compliant and not creepy. The only reason I'd consider such a flag is if they optimize the payload server-side to return a certain A/B test, but even then they could serve the default version first, do feature detection, and then set a session cookie for that domain only that loads the A/B test.
My other thought was that they test features that are implemented across Google's properties, e.g. something having to do with their account management.
So they build a personal back door to a feature that they've chosen to remove for everyone else because of its potential for abuse, yet the very same company is abusing it in a far more sinister way. Antitrust can't come soon enough.
Chrome will only block cross-site cookies that aren't served over HTTPS with SameSite=None explicitly set. It's easy for trackers to use HTTPS and set SameSite=None; Secure. This Chrome change is mostly intended to protect against Cross-Site Request Forgery (CSRF) attacks, not to block trackers.
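For concreteness, a sketch using Python's standard http.cookies module (the cookie name is hypothetical): a tracker keeps its cookie flowing cross-site under Chrome's new defaults simply by serving it over HTTPS with the right attributes set.

```python
from http.cookies import SimpleCookie

# A cross-site cookie that survives Chrome's new SameSite defaults:
# it must be served over HTTPS and explicitly marked SameSite=None; Secure.
# (Morsel's "samesite" attribute requires Python 3.8+.)
cookie = SimpleCookie()
cookie["tracker_id"] = "abc123"           # hypothetical tracker cookie
cookie["tracker_id"]["samesite"] = "None"
cookie["tracker_id"]["secure"] = True

print(cookie.output())
```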
Couldn't Chrome installations receive a request from Google that says "Do you want to try out a new thing?", and couldn't the installations say yes with a certain probability? The only difference I can see is that the subset of users who are guinea pigs couldn't be the same in each test (if Google wanted the subset to always be the same).
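That client-side design is straightforward to sketch. The following is a hypothetical illustration (not Chrome's actual algorithm): the local seed never leaves the machine, and hashing it with the experiment name gives stable but independent subsets per experiment.

```python
import hashlib

def in_experiment(seed: int, experiment: str, fraction: float) -> bool:
    """Client-side assignment: hash the local random seed together with
    the experiment name and enroll if the bucket falls below the rollout
    fraction. Hypothetical sketch, not Chrome's real implementation."""
    digest = hashlib.sha256(f"{seed}:{experiment}".encode()).digest()
    bucket = int.from_bytes(digest[:8], "big") / 2 ** 64
    return bucket < fraction

# The same install lands in different, independent subsets per experiment,
# and no per-install identifier ever has to be sent to the server.
seed = 4242  # chosen at first run, stays local
print(in_experiment(seed, "new-tab-page", 0.10),
      in_experiment(seed, "tab-groups", 0.10))
```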
Everybody imagine going back 15 years and telling yourself that you're using a web browser made by the parent company of DoubleClick. Your self from 15 years ago would think you're a moron (assuming that 15 years ago you were old enough to know what DoubleClick was).
I always believed that tech-savvy people using Google Chrome are morons. It's the perfect blend of Google being evil in trying to force it on everyone, the browser being dumbed down for the masses so much that it's missing the most basic features, and, I guess, the privacy concerns of using a browser from an advertising company.
Kind of true. The whole internet was much more of a toy back then. Tracking was not viewed so maliciously as now. Heck I might have even been convinced by a hard sell "this will help your favorite sites maximize their revenue".
I can only speak for myself, but myself from 15 years ago would not have cared so strongly about the choice of browser. I believe I was using the newly ad-less Opera at the time, and knew/cared little about the company making it.
TL;DR I think whoever posted that is trying to bury the UA anonymizing feature by derailing the discussion.
What I'm seeing is an RFC for anonymizing parts of User-Agent in order to reduce UA based fingerprinting, which improves everyone's privacy, that's a good thing!
Then I see someone comments how that could negatively impact existing websites or Chromium-derived browsers, comments which are totally fair and make an argument that may not be a good idea doing this change because of that.
Then someone mentions the _existing_ x-client-data headers attached to requests that uniquely identify a Chrome installation. Then a lot of comments on that, including here on HN.
To me that's derailing the original issue. If we want to propose that Chrome remove those headers we should do so as a separate issue and have people comment/vote on that. By talking about it on the UA anonymizing proposal we are polluting that discussion and effectively stalling that proposal which, if approved, could improve privacy (especially since it will go into Chromium so then any non-Chrome builds can get the feature without having to worry about x-client-data that Chrome does).
I think the concern is that this disarms Google's competitors while keeping them fully-armed.
Ads are a business, and they are Google's business. They are how they make money. And like all businesses, they are competitive. Tracking is a way to make more money off online advertising. By removing tracking from their competitors while keeping it for themselves, Google stands to make a lot of money off this change.
Their motivations are not honest, but they're pushing them as if this is the high road. It isn't. It's the dirty low road of dominating the online ad business, made possible by their dominance in the browser market. And it's always been the end-goal of Chrome browser.
I think this is a common strategy of big players at any industry.
First, they do some dirty thing to gain a competitive edge while the industry is still new and unregulated. Later they develop an alternative way to achieve the same competitive edge, and then criticize other players for doing it the old way, saying they should be "mature and responsible".
See also first world countries industrializing/modernizing & becoming rich/lifting people out of poverty using industrial techniques that pollute heavily, then "going green" and criticizing other players (India, China) for doing the same thing, saying they should be "mature and responsible".
Not really. "Going green" is a radical new concept for humanity that goes counter to all incentives and instincts, and only recent developments have shown that painful measures are necessary. It was not a trick to get rich at other people's expense.
India and China are suffering from their own pollution and have incentives to "go green" all by themselves, not because the West demands it.
Green technology is often high tech and tech that is accepted in Western markets and is helping to lift people out of poverty through market mechanism, not finger pointing.
Finally, the first world got rich several generations ago. We are not related in any way, shape, or form to any real or perceived sins of our grandfathers. Any such idea is Old Testament biblical theology.
"Going green" is a relatively new concept, even for Western countries. By 1960 the West was seriously polluting its environment, but also extremely affluent and highly developed. There was far more of a gap between the average American and someone in Asia or Africa compared to today. The West polluted the developing world in the same way it polluted the Hudson or Cuyahoga.
It's not really about pulling up the ladder, but recognizing that growth doesn't have to mean completely destroying the planet. It's more about where the standards are set and what is socially acceptable or understood.
> It's not really about pulling up the ladder, but recognizing that growth doesn't have to mean completely destroying the planet.
It's not recognizing anything, because it hasn't been demonstrated that growth is still compatible with not completely destroying the planet. It's deciding to not destroy the planet, and if that means pulling up the ladder then golly gee, sucks to be anyone who isn't up yet. We sure hope there are other ways up, but that's not much consolation.
They should be mature and responsible, the west should have been, too, and has a long way to go.
We are both probably distant cousins via Genghis Khan, but that doesn't mean I should be bitter that I can't make my fortune by pillaging half the world like my distant ancestor did to great effect. It might be easy to make a fortune pillaging, but that doesn't mean I deserve to pillage because someone else did (or does), and I think I am right to detest the scattered bands of warlords left in this world who do make their living by pillaging.
Just yesterday I had to disable the anti-fingerprinting I'd enabled in Firefox because despite having a stable IP and existing cookies to log in to Google, its security system rejected me, even after answering security questions. Turn off fingerprinting and I could log in.
So, this is a roundabout way of confirming the hidden dark patterns that Google is bringing to the web. It must stop.
All the more reason to keep bad actors in containers isolated from the rest of your web browsing. Google can fingerprint me all they want if that gets their rocks off, all they'd see is my gmail inbox that they see anyway.
Much of this discussion demonizes the company, but we need to look broader. Google is a public company, and its shareholders, since they own shares of the company, also bear responsibility. Such behaviour is better discouraged by shareholders dumping shares, since Google could very well argue that if it didn't work to maximize ad revenue, it would not be operating according to fiduciary-responsibility principles. (IANAL .. just thinking out loud)
Doing unethical things because "We had to so the shareholders would make money" is such a cop-out. I see it just the opposite way. You have a duty to do things ethically so that in the long run customers continue to want to use your product. So that governments don't start going after you for the unethical things you do. So that other businesses will trust you and continue to work with you.
Here's an example: Huawei. They've reached out to me saying they'll pay me more than my employer and my commute will be shorter. No effing way. I'm sure I could make them a lot of money, but their history of unethical behaviour is an instant deal-breaker for me. Others will take the offer, sure, but in the labor market they're going to face a reduced supply, because I'm surely not alone in this attitude.
I'm with you on the shareholders being complicit in the behaviour (through ignorance or inaction in a lot of cases), but unfortunately I'd guess 90% of said shareholders wouldn't be aware of the scummy tactics Google have undertaken, similar to Microsoft I'd say, outside of the IT/HN realm.
It's unfortunate. Profit of their shares is the only thing a lot of people look at (and willfully ignore anything else unless it slaps them in the face/becomes a major mainstream media event).
"I think the concern is that this disarms Google's competitors while keeping them fully-armed."
Pretty sure that was their main reason for helping push https-everywhere. A good idea generally, but hurt every other entity trying to do tracking more than it hurt Google.
That's sort of a fragile assumption though. I mean, yes, there's enough specificity in this number that it could be used (in combination with other fingerprinting techniques) to disambiguate a user. And yes, only Google would be capable of doing this. So it's abusable, in the same way that lots of software like this is abusable by the distributor. And that's worth pointing out and complaining about, sure.
But it's not tracking. It's not. It's a cookie that identifies the gross configuration of the browser. And Google claims that it's not being used for tracking.
So all the folks with the hyperbole about user tracking for advertising purposes need to come out with their evidence that Google is lying about this. Occam says that, no, it's probably just a misdesigned feature.
> Google claims that it's not being used for tracking
> Occam says that, no, it's probably just a misdesigned feature.
Allow me to introduce to you "mabbo's razor": If someone can make money by doing X and it's impossible for anyone to tell whether or not they are doing X, then they are probably doing X or else will as soon as you believe they won't.
While I agree with some of your comment, I feel like it’s harsh to paint the whole Chrome enterprise with that brush. Chrome was about freeing the world of a truly terrible web browser, and a lot of devoted devs have spent a lot of time working on it. There’s an advertising aspect that it’s right to call out, but I think on the whole it was done to make the internet better, because the internet is Google’s business too.
EDIT: I just wanted to point out that a load of people have poured their lives into making Google Chrome the amazing bit of software that it is, and suggesting that the end-goal has been entirely about supplying ads does a great disservice to their personal contributions.
These aren't mutually exclusive things. The people working on Chrome were and are highly motivated, intelligent and passionate people, some of whom I call friends, who want to see the web become a better place. In that regard they have succeeded massively.
But by this point, Google has dropped billions of dollars on salaries for those developers to build Chrome (call it >500 devs, >$200k salaries, >10 years). Google is not a charity. They didn't build Chrome with the intent to lose money on it. Everything else Google made that wasn't profitable is gone now, and yet here Chrome stands. Because it is an indirect profit center.
And you've pointed out the real issue: Chrome was about freeing the world of a truly terrible web browser. 'Was'. But it did that! So what is it about now? Why would Google continue to pour money into it if they didn't expect to extract more money out of it in the future?
You can make the world better and make money while doing it. Ideally, that's what we all are doing.
It wasn’t some noble mission to free the world. Chrome was always about Google controlling the client side of the web to guarantee their advertising access to web users. The ability to extract additional data from the user was a nice bonus.
The way I see it, both of these can be (and most likely are) true. Intentions of the company aren't usually the same as intentions of individual contributors (or even whole teams). The Web is Google's business - the more stuff happens on the Web, the more money they can eventually make off it. Advertising is how they make most of that money, so this is what they're protecting. But beyond that, Chrome answered a real need and a lot of hard-working people made it into a best-in-class browser.
"Chrome was about freeing the world of a truly terrible web browser "
Chrome is about establishing more control over the web to further the business objectives of Google and Alphabet.
The problem with this belief in Google as some kind of 'benevolent actor' is that it stems from the new kind of branding they helped introduce, something an entire generation of particularly young people is being duped by.
'Brand' used to be the image that companies presented - it was a decision, a marketing tactic, usually invented by agencies. Google was one of the first to change that, to effectively 'internalize' the brand so that they (staff, even leaders) really kind of believed their own kool-aid. There's an incredible aura of 'authenticity' to this; when leaders really believe their own schtick, it rings more powerfully. (This is an issue for another thread.)
But Google has proven that in the long run, they're just a regular company. I don't think they are bad actors, and in the big picture, they're better than most. But, they're just a self-interested entity: they will do whatever is in their power and which is also legal, to leverage their incumbency and stymie competition.
Stress quotes. That is just one of the possible devices to achieve that.
I see a lot of that here: people misunderstanding basic speech/writing conventions. Giving the OP the benefit of the doubt - assuming s/he knows what s/he is doing - can help avoid some of that.
>which improves everyone's privacy, that's a good thing!
Except it does not affect Google, because Google has this install ID to use both for tracking and preventing ad-fraud.
Which means Google competitors are terribly disadvantaged, as they cannot use that.
Which not only reduces market diversity (contrary to TAG philosophy) but represents a significant conflict of interest for an organization proposing a major web standard change.
These issues are very relevant to the original proposal, especially in light of the fact that no one outside of Google is terribly interested in this change. Any time a dominant player is the strongest (or only) advocate for a change that would coincidentally and disproportionately benefit its corporate interests, the proposal should be viewed very skeptically.
> Except it does not affect Google, because Google has this install ID to use both for tracking and preventing ad-fraud.
So when Apple releases a privacy feature, that doesn't affect them as a business, we praise the feature or we say "except it doesn't affect Apple" and somehow try to argue how the feature is less valuable because of that?
Apple is not engaged in illegal data harvesting to gain a competitive advantage over other services in the same space. Google's collection of personal data with the x-client-data header without user consent is illegal under GDPR.
GDPR treats an IP address as personal data. The data is not transmitted through an anonymizing network, so Google has access to the user's IP address when they receive the data.
Anything that is associated with personal data also becomes personal information, therefore Google is transmitting personal data without user consent, which is illegal.
Asking for consent is not required under GDPR when the data collection is needed for a service to function. This is not the case here, Google services function without receiving that header, the data is used by Google to gain a technical advantage over other web services.
No it doesn't. GDPR only treats IP address as personal data if it is associated with actual identifying information (like name or address). Collecting IP address alone, and not associating it with anything else, is completely fine (otherwise nginx and apache's default configs would violate GDPR), and through them basically every website would violate GDPR.
Edit: and furthermore, even if it did (I see conflicting reports), if you collect IP Address and another pseudonymous ID and don't join them, the ID isn't personal data.
IOW, the theoretical capability to make changes to a system to use info in a non-GDPR compliant way doesn't make the information or system noncompliant. You actually have to do the noncompliant things.
> Collecting IP address alone, and not associating it with anything else, is completely fine (otherwise nginx and apache's default configs would violate GDPR), and through them basically every website would violate GDPR.
See my comment about consent not being required when the data is needed to provide a service. Logging is reasonably required to provide a service.
> and furthermore, even if it did (I see conflicting reports), if you collect IP Address and another pseudonymous ID and don't join them, the ID isn't personal data.
The transmission of data is already covered by GDPR, you don't have to store the data to be bound by the law.
See my edit. There's conflicting information on this. A dynamic IP, for example, isn't directly related to or relatable to a specific natural person without other context.
But even if that's the case, if you don't tie the pseudonymous ID to the IP, it isn't personal data. As far as I can tell, the transfer rules you reference are about transferring data out of the EU, and can be summarized as "you can't transfer data to a non-EU country and then process it in a way that violates the GDPR". Article 46 notes that transferring data is fine as long as appropriate safeguards are in place[1], and article 47[2] defines what constitutes those safeguards (in general, contractually/legally binding agreements with appropriate enforcement policies).
This goes back to what I said before: The theoretical capability to do noncompliant things doesn't make a system GDPR-noncompliant. You have to actually do noncompliant things to not comply.
> > and furthermore, even if it did (I see conflicting reports), if you collect IP Address and another pseudonymous ID and don't join them, the ID isn't personal data.
> The transmission of data is already covered by GDPR, you don't have to store the data to be bound by the law.
This cannot be the actual correct interpretation of the GDPR, because under this logic _all_ IP packets on the public internet (made by/to EU citizens) are covered by the GDPR because you are transmitting data alongside an IP address.
There has been an EU court ruling on this exact question of whether dynamic IP addresses count as personal data even in contexts where the website operator in question does not have the means to associate it with an individual but another party (such as an ISP) does. The Court of Justice of the European Union has ruled on this and it does count as personal data. [1]
Furthermore, GDPR itself specifically refers to online identifiers in Article 4 as falling under the definition of personal data[2] and then clarifies in Recital 30[3] that IP addresses count as online identifiers in this context. There seems to be no legal ambiguity in the EU on this topic at this point, but I would be not surprised to see parties who are not GDPR compliant pretend otherwise indefinitely.
Interesting, TIL. That doesn't change the major point I was making though, which is that an anonymized identifier (such as the 13-bit ID under discussion) isn't personal info, even if it might have originally been collected along side data which is personal info. If I give you said 13 bit ID, you need other info to back out a single person, the anonymous ID corresponds to multiple IPs.
I think you're still missing the point. Google transmits personal data to their servers without user consent. The value of x-client-data is personal data, because it is associated with an IP address during transit, due to how HTTP requests work. The nature of the data, what is being done with it on the server, and the location of the server are all irrelevant in this instance, the only important part is that personal data has left the browser in the form of a request, and it reached a Google server.
This data collection would only be exempt from GDPR if the data would be required for the service to function, but that is not the case with x-client-data.
> The value of x-client-data is personal data, because it is associated with an IP address during transit, due to how HTTP requests work.
This is not correct. The x-client-data is not personal data. x-client-data associated with an IP address is personal data. As soon as you separate the client-data from the IP, the client data stops being personal data. IOW, the tuple (x-client-data, IP) is personal data. But x-client-data on its own isn't personal data, because it cannot be used to infer the IP on its own.
I don't know where you're getting this "if two pieces of data ever touch and one of them is personal data the other one is now also contaminated as personal data". It's not true. That would make the existence of anonymous data (which the GDPR specifies as a thing) practically speaking impossible to have on the web, since all requests are associated with the IP on receipt. (or actually even worse, it would make the process of anonymizing data impossible in general, since the anonymization process associates the anonymized data with the original personal data).
To be precise, the GDPR defines anonymized data as "data rendered anonymous in such a way that the data subject is not or no longer identifiable.". The x-client-data header is exactly that. The subject of the header is not identifiable by the x-client-data header alone. Therefore the header is anonymous and not subject to strong GDPR reqs.
For the client data header to be personal data, you'd need to describe a scheme such that, given an x-client-data header, and only an x-client-data header, you could identify one (and only one) unique person to whom that header corresponds. You're welcome to come up with such a scheme, but my intro CS classes taught me that bucketed hashing is irreversible, and with 8192 buckets, you're not going to be able to uniquely identify anyone specific.
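The bucket arithmetic here is easy to sketch. A back-of-the-envelope illustration (the install-base figure is an assumption for the example, not Google's actual number):

```python
import math

# How identifying is a 13-bit seed on its own vs. combined with other signals?
SEED_BITS = 13                  # 8192 possible values, per the whitepaper
chrome_users = 2_000_000_000    # assumed rough install base, for illustration

# On its own, each seed value is shared by a huge crowd of installs:
users_per_bucket = chrome_users / 2**SEED_BITS
print(f"~{users_per_bucket:,.0f} users share each seed value")

# But combined with ~24 bits of entropy from the source IP address (per the
# parent comments), the joint identifier carries more bits than are needed
# to single out one install among all of them:
combined_bits = SEED_BITS + 24
bits_needed = math.log2(chrome_users)   # ~31 bits
print(combined_bits > bits_needed)      # True
```

So the "only 8192 buckets" defense holds for the header in isolation, which is exactly the condition the rest of the thread disputes.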
> That would make the existence of anonymous data practically speaking impossible to have on the web
For almost every type of data that is true. Transforming or substituting data doesn't make it anonymous; the patterns in the data are still present. To produce actually anonymous data you have to do what the GDPR instructs: corrupt the data ("rendered anonymous") severely enough that the "data subject is ... no longer identifiable". You need to do something like aggregate the data into a small number of groups such that individual records no longer exist. Techniques like "differential privacy" let you control precisely how "anonymous" your data is by e.g. mixing in carefully crafted noise.
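A minimal sketch of that noise-injection idea (not anyone's actual implementation; the query and epsilon are made up for illustration):

```python
import random

def laplace_noise(scale: float) -> float:
    # The difference of two iid exponentials with mean `scale` is
    # Laplace(0, scale)-distributed.
    return random.expovariate(1.0 / scale) - random.expovariate(1.0 / scale)

def dp_count(true_count: int, epsilon: float) -> float:
    # A counting query changes by at most 1 when one person is added or
    # removed (sensitivity 1), so Laplace noise with scale 1/epsilon
    # yields epsilon-differential privacy for that query.
    return true_count + laplace_noise(1.0 / epsilon)

# e.g. report how many installs in some bucket hit a crash, with eps = 0.5
noisy = dp_count(1234, epsilon=0.5)
```

Individual released counts are deliberately wrong by a controlled amount, but aggregates over many queries remain statistically useful - which is the precise sense of "anonymous" the technique buys you.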
> 8192 buckets
While others have pointed out that this isn't actually limited to 13 bits of entropy for most people, there are at least two reasons that field is still very personally identifying. First, "x-client-data on its own" never happens. Google isn't wasting time and money implementing this feature to make an isolated database with a single column. At no point will the x-client-data value (or any other type of data they capture) ever sit in isolation. I used the IPv4 Source Address as an example because it will necessarily be present in the header of the packets that transport the x-client-data header over the internet. Suggesting that Google would ever use this value in isolation is almost insulting to Google; why would they waste their expensive developer time to create, capture, and manage data that is obviously useless?
Second, let's say they did make an isolated system that only ever received 13-bit integers stripped of all other data. Surely that wouldn't be personally identifiable? If they store each value with a locally generated high-resolution timestamp, they can re-associate the data with personal accounts by correlating those timestamps against their other timestamped databases (web server access logs, GA, reCAPTCHA, etc.).
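That correlation step is easy to sketch (all values below are hypothetical, purely to illustrate the join):

```python
# Even a table holding only (timestamp, seed) pairs can be re-joined
# against any other timestamped log (access logs, analytics, etc.)
# by matching on nearby timestamps.
seed_log = [(1000.00, 4711), (1000.45, 123), (1002.10, 4711)]
access_log = [(1000.01, "203.0.113.5"), (1000.44, "198.51.100.7"),
              (1002.09, "203.0.113.5")]

def correlate(seeds, accesses, window=0.05):
    # Pair each seed record with any access-log entry within `window` sec.
    return [(seed, ip)
            for t1, seed in seeds
            for t2, ip in accesses
            if abs(t1 - t2) <= window]

print(correlate(seed_log, access_log))
# [(4711, '203.0.113.5'), (123, '198.51.100.7'), (4711, '203.0.113.5')]
```

The "isolated" 13-bit values come out the other side attached to IPs again, which is why stripping fields at storage time isn't the same as anonymization.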
> you'd need to describe a scheme such that, given an x-client-data header, and only an x-client-data header, you could identify one (and only one) unique person to whom that header corresponds
You should first describe why google would ever use that header and only that header. Even if they aren't currently using x-client-data as an identifier or as additional fingerprintable entropy, simply saving the data gives Google the option to use it as an identifier in the future.
> You need to do something like aggregate the data into a small number of groups such that individual records no longer exist. Techniques like "differential privacy" let you control precisely how "anonymous" your data is by e.g. mixing in carefully crafted noise.
Correct, and another anonymization technique (in place of differential privacy) is k-anonymity. In k-anonymity schemes, you ensure that in any given table no row corresponds to any fewer than k individuals. Why is this useful? Well, let's say you have some 10-15 bit identifier. You can take a request from a user that contains information that might, when combined, be identifying. Say: coarse-ish location (state/country), device metadata (browser version, OS version), and coarse access time (the hour and day of week). Combining all 3 (or 4 if you include the pseudonymous ID) is enough to uniquely identify at least some users. Then let's say you also track some performance statistics about the browser itself.
But any single piece of data (plus the pseudonymous ID) is not enough to identify any specific user. So if you use the pseudonymous ID as a shared foreign key, you can join across the tables and get approximate crosstabs without uniquely identifying any specific user. Essentially, if you want to ask whether there are performance differences between version N and version N+1, you can check the aggregate performance vs. the aggregate count of new vs. old browser version, and with 8K samples you're able to draw reasonable conclusions. And in general you can do this across dimensions or combinations of dimensions that might normally contain enough pieces of info to identify a single user.
This is essentially the same idea as differential privacy, although without the same mathematical precision that differential privacy can provide. (By this I don't mean that the data can be re-identified, just that differential privacy can be used to provide tighter bounds on the anonymization, such that the statistical inferences you can gather are more precise. k-anonymity is, perhaps, a less mathematically elegant tool).
Specifically, I'm describing k-anonymity using x-client-data as a Quasi-identifier in place of something like IP or MAC address. You can find those terms in the "See Also" section of the differential privacy wiki page you linked. Google is mentioned in those pages as a known user of both differential privacy and k-anonymization in other tools.
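A toy illustration of the k-anonymity check being described (the field names and rows are hypothetical, not Chrome's actual schema):

```python
from collections import Counter

def is_k_anonymous(rows, quasi_identifiers, k):
    """Check that every combination of quasi-identifier values in the
    table is shared by at least k rows."""
    combos = Counter(tuple(row[q] for q in quasi_identifiers) for row in rows)
    return all(count >= k for count in combos.values())

# Hypothetical table of per-request records:
rows = [
    {"seed": 41, "os": "linux", "latency_ms": 120},
    {"seed": 41, "os": "linux", "latency_ms": 95},
    {"seed": 41, "os": "win",   "latency_ms": 200},
    {"seed": 41, "os": "win",   "latency_ms": 180},
]

# Coarse dimensions alone satisfy k=2...
print(is_k_anonymous(rows, ["seed", "os"], k=2))                  # True
# ...but adding a high-resolution column makes rows unique again.
print(is_k_anonymous(rows, ["seed", "os", "latency_ms"], k=2))    # False
```

The releasable views are the ones where every quasi-identifier combination stays above the k threshold; anything finer-grained has to be suppressed or generalized first.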
Hopefully that answers your question of why Google would want such a thing.
> simply saving the data gives Google the option to use it as an identifier in the future.
Yes, but that doesn't mean that they're currently in violation of the GDPR, which is what a number of people keep insisting. I'm not claiming that it's impossible for Google to be doing something nefarious with data (although I will say that in general I think that's an unreasonably high bar). Just that the collection of something like this isn't an indication of nefarious actions, and is in fact likely the opposite.
This is the equivalent of a protest, people are objecting to Google's illegal data harvesting practices in places that receive engagement, since that's the most effective way to get the word out and warn others.
Google's reasoning that this is not personal data is meaningless in the face of GDPR, which considers an IP address personal data. Google has access to the IP address when they receive the data, therefore they are transmitting personal information without user consent and control, which is illegal.
Basically all users opening the browser will contact www.googleapis.com to get a unique "Protected Media Identifier", without opening any web page and even before any ToS/EULA is accepted (and there is no user consent either).
I think the Widevine CDM request is needed for the service to function, though they could certainly delay it until a website requires DRM. GDPR allows the use of personal data without consent when it is required to provide a service for the user.
The personal data collected with the x-client-data header is not required for Google sites to function. Google uses the data to gain a technical advantage over other sites on the web, this is why the data collection in this case requires consent.
Whether consent is legally required or not, as a user I want that service, whatever it is, to not work until I consent to the exposure of my personal data. Given that it apparently has something to do with DRM, I would be disabling the service anyway.
The poster is the author of Kiwi browser, which unfortunately is closed source [0], but I have reason to believe he is familiar - as I am for the Bromite project - with all the (sometimes shady) internals of the Chromium codebase; it is indeed off-topic to discuss the header issue there but I would say that there is no explicit intention to derail it (and no advantage), just incorrect netiquette.
The Google employee argues that through UA-CH Google wants to disincentivise "allow" and "block" lists.
After many years of testing HTTP headers, IMO this really is a non-issue. Most websites return text/html just fine without sending any UA header at all.
What is an issue are the various ways websites try to coax users to download, install and use a certain browser.
Another related issue with Google Chrome is users getting better integration and performance when using Chrome with Google websites than they would if they used other clients. ^1 Some make the analogy to Microsoft, where it was common for Microsoft software to integrate and perform better on Microsoft Windows, whereas third-party software was noticeably worse at integrating and performing on that OS.
This leads to less user agent diversity. Users will choose what works best.
UA diversity is really a more important goal than privacy, or privacy in Chrome. The biggest privacy gains are not going to come from begging Google to make changes to Chrome. They could however come from making it easier for users to switch away from using Chrome and to use other clients. That requires some cooperation from websites as well as Google.
Those other clients could theoretically be written by anyone, not just large companies and organisations that are dependent on the online ad sales business. It would be relatively easy to achieve "privacy-by-design" in such clients. There is no rule that says users have to use a single UA to access every website. There needs to be choice.
For example, HN is a relatively simple website that does not require a large, complex browser like Chrome, Safari, Firefox, etc. to read. It generates a considerable amount of traffic and stands as proof that simpler websites can be popular. Varying the UA header does not result in drastic differences in the text/html returned by the server.
1. Recently we saw Google exclude use of certain clients to access Gmail.
As long as web developers continue to create (app-)sites that only work in the latest versions of Chrome(and Chromium-ish) browsers, giving users little effective choice over what browsers they can use, this sort of abusive behaviour will continue. The sort of "feature-racing" that Google engages in is ultimately harmful for the open web. Mozilla struggles to keep up, Opera surrendered a while ago, and more recently, Microsoft seems to have already given up completely.
I feel like it's time we "hold the Web back" again. Leave behind the increasingly-walled-garden of "modern" appsites and their reliance on hostile browsers, and popularise simple HTML and CSS, with forms for interactivity, maybe even just a little JavaScript where absolutely necessary. Something that is usable with a browser like Dillo or Netsurf, or even one of the text-based ones. Making sites that are usable in more browsers than the top 2 (or 1) will weaken the amount of control that Google has, by allowing more browsers to appear and gain userbases.
This proposal would not accomplish what you intend. By slowing the adoption of open web technologies, developers and users would lean more heavily on mobile apps, which are also under Google's control considering Android's huge market share.
Developers who want to level the playing field need to develop sites that fully support Firefox and other browsers that are not based on Chromium. Users who want to see a more open web need to use Firefox and non-Chromium browsers, and complain to developers who don't properly support them.
I wish, but that's not what most people want. Hell, it's not what designers want. Thinking back to the Myspace days, people would have the worst websites imaginable. Granted, that was all done with little more than HTML and javascript, but I have little doubt what they would have done with things like HTML5 and even more javascript.
The last decade or so has really reinforced to me that we all ignore or are ignorant of fundamental structural problems with most of the systems we rely on - with us wanting them to "just work."
We're all guilty of this, we just see it up close for the things that we're building and chide others who don't care. Meanwhile we ignore other fundamental structures of modern society.
There's got to be a balance between every website looking exactly the same and fading out of my memory with one identical hamburger menu after another and dancing babies on geocities.
Are there really that many popular extensions not available on Firefox? I may be just one anecdote, but I think I'm pretty typical, and I've found the transition to Firefox to be quite pleasant, and uneventful.
Popular - no. Essential - yes. Case in point: my bank (top 5 in my country), which uses a Chrome plugin for security purposes - you need it to create a digital signature. So once a year I HAVE to install Chrome (the key expires every year) and then delete it. I've also found at least one payment processor not working in Firefox, my city's portal for public transport, and several small sites. The worrying thing is the trend - with Firefox's share dropping below 10% recently, it will be abandoned more and more.
My issue is with certain sites that typically either use non-standard JavaScript APIs that only work in Blink, or rely on non-standard behavior of standard components (numeric form inputs were mentioned here yesterday).
HTML is not enough. It’s why templating languages / libraries were invented, and it’s why SPA’s are so popular. There’s a difference between “sites” and applications. The web has been trending toward supporting applications more and more for a very long time.
The only thing that will make people who want to preserve the content-web happy is if we split the protocols somehow, and that will never happen. This is not likely to change ever.
I haven't had JS on by default in years. Using a JS-enabled browser is a drastically worse experience.
suckless surf lets you enable JS with a hotkey on a per-process basis if you really want it for something, but 90% of the time I just close the tab that wants to waste my time.
I think we at HN have a particular responsibility to keep the web free and open. This really is an arms race, and only those of us building the tech have the power to curtail FAANG's overreach. It might be time to choose a side and firmly push your work toward open-web-friendly tech.
What article? The link is a github issue. And it's not like you referenced anything of that anyway. It's more like it just triggered you to output a general rant. So again: Care to elaborate?
> Making sites that are usable in more browsers than the top 2 (or 1) will weaken the amount of control that Google has
You do realize/remember that Google is also a search-engine company, one that only stands to benefit (in terms of increased capability of advertising targeting) from a web that's simpler, and therefore more machine-legible.
I’m not so sure about that. Google has the resources; a simpler web would make things easier for competitors. Google already seems quite competent at machine-reading just about everything, sometimes even things you can’t find/visit. Domination by web apps is the equivalent of widening the moat.
Credits to the ungoogled-chromium project [0] for the patch [1], which has also been used in Bromite since 15 February 2018 to prevent this type of leak; see also my reply here: [2]
This seems like a cut-and-dried case of getting caught in monopolistic behavior. The code is right there. The Chrome codebase has special features for Google’s own web properties.
I hope all these AGs suing google have some good tech advisors. It’s hard to keep track of all the nefarious things google has been up to over the past decade.
> This seems like a cut-and-dried case of getting caught in monopolistic behavior. The code is right there.
???
Is "Darn, their browser only gets to track me on their own websites; if Google were playing fairly, they'd send the tracking header to all websites so I can be tracked more and have less privacy" the argument you're making here?
And it's debatable that this header is actually serving a tracking purpose at all. Being limited to their own web properties cements it as a diagnostic to me. What use is a tracking header that only gets sent to domains they already know you're visiting?
You realize that whenever a user visits a page that uses AdWords, AdSense, or login via Google, they download a script file from one of those domains, right?
So a user can log into Google and then log out, tying that header data to whatever PII Google has attached to them, and future visits to any sites using those and probably other services can be attached to the individual, despite them having intended to be logged out of Google services.
All I’m saying is the optics are not good. This is the kind of code you could show a jury. A high schooler who took “intro to CS” could understand what it’s doing.
It’s literally a conditional attached to a list of strings comprised solely of google advertising domains and hosts that distribute scripts from those domains.
When you’re talking about anti-trust, it doesn’t look good. Will this be a nail in the coffin? Unlikely. Will it help Google with its legal trouble? Definitely not.
Security flaw? Surely some entity is squatting youtube on some TLD?!
If there is a country TLD of X where Google owns google.X but entity Y owns youtube.X then entity Y gets the X-CLIENT-DATA header information. See usage of IsValidHostName() in code.
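A hypothetical sketch of the failure mode (this is NOT the actual Chromium logic - just an illustration of why pattern-matching hostnames across TLDs would leak the header where an explicit allowlist would not):

```python
# Illustrative only: an incomplete, made-up allowlist of Google-owned hosts.
GOOGLE_OWNED = {"youtube.com", "youtube.de"}

def naive_should_send(host: str) -> bool:
    # Buggy gating: send the header to "youtube.<any TLD>", regardless
    # of who actually owns that domain under that TLD.
    labels = host.split(".")
    return len(labels) == 2 and labels[0] == "youtube"

def allowlist_should_send(host: str) -> bool:
    # Safer gating: only send to an explicit list of owned domains.
    return host in GOOGLE_OWNED

print(naive_should_send("youtube.evil"))      # True  -> header leaks to squatter
print(allowlist_should_send("youtube.evil"))  # False
```

Whether Chromium's actual check has this property would need to be verified against the real IsValidHostName() logic mentioned above.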
Note this would be a privacy flaw which is not covered by the Chrome Rewards program (which only covers security flaws) so I haven’t bothered logging it as a bug since I don’t want to waste my time verifying it for nothing!
If you strace chrome on linux it also picks up /etc/machine-id (or it did back when I looked), which is a 32 byte randomly generated string which uniquely identifies you and on some systems is used as the DHCP ID across reboots.
First I thought reading /etc/machine-id would be expected if Chrome uses D-bus or pulseaudio libraries which depend on D-bus, and /etc/machine-id is part of D-bus. But no, they really use it for tracking purposes.
And in a sick twist they have this comment for it:
std::string BrowserDMTokenStorageLinux::InitClientId() {
  // The client ID is derived from /etc/machine-id
  // (https://www.freedesktop.org/software/systemd/man/machine-id.html). As per
  // guidelines, this ID must not be transmitted outside of the machine, which
  // is why we hash it first and then encode it in base64 before transmitting
  // it.
In fairness, the guidelines they reference suggest you do exactly what the comment says they're doing (assuming they're keying the hash). The guidelines seem explicitly written with the idea that unique identifiers _derived from_ this value are not similarly quarantined, provided that you cannot take the derived value and "reverse" it back to the original identifier.
This ID uniquely identifies the host. It should be considered "confidential", and must not be exposed in untrusted environments, in particular on the network. If a stable unique identifier that is tied to the machine is needed for some application, the machine ID or any part of it must not be used directly. Instead the machine ID should be hashed with a cryptographic, keyed hash function, using a fixed, application-specific key. That way the ID will be properly unique, and derived in a constant way from the machine ID but there will be no way to retrieve the original machine ID from the application-specific one.
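The derivation those guidelines describe can be sketched in a few lines (the key and machine-id below are made up for illustration):

```python
import hashlib
import hmac

# Fixed, application-specific key, as the guidelines require. Made up here.
APP_KEY = b"example-application-key"

def derive_app_id(machine_id: str) -> str:
    # Keyed cryptographic hash: the output is stable and unique per machine,
    # but the raw machine-id cannot be recovered from it.
    return hmac.new(APP_KEY, machine_id.encode(), hashlib.sha256).hexdigest()

app_id = derive_app_id("0123456789abcdef0123456789abcdef")
```

Of course, the output is still a stable per-machine identifier: the keyed hash only protects the raw machine-id from recovery, it doesn't make the derived ID anonymous.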
I think it doesn't make much sense to protect it because in popular Linux distributions an unprivileged user can access such identifiers as MAC addresses of network interfaces, HDD serial numbers etc.
> If a stable unique identifier that is tied to the machine is needed for some application,
Ideally there should be no stable identifiers accessible to untrusted applications.
> which is why we hash it first and then encode it in base64 before transmitting it.
This made me chuckle. "As per the rules, we'll put on a boxing glove before we punch your lights out." You won't get privacy, but at least there is some security!
"Tracking purposes" is such a weasel word, when we're really talking about device management in an enterprise setting, and this code only gets activated if the root/administrator user has installed a token file on your computer.
When puppeteer first came out I was nervous to use it for scraping because I could totally see Chrome pulling tricks like this to help recaptcha in identifying the bots. I’m still not convinced they aren’t.
True; more precisely, 16 bytes, i.e. 32 hex characters. Your link is in agreement: "The machine ID is usually generated from a random source during system installation or first boot and stays constant for all subsequent boots." And see https://wiki.debian.org/MachineId - at least one distro uses it for the DHCP ID.
Now you are nitpicking. Your new link says exactly this “ This broadcasts the machine ID (hashed with a known fixed salt) over the LAN as the unique client identifier part of the DHCP protocol. (Other DHCP clients tend to use MAC addresses for this.) It also broadcasts the machine ID locally on each link as part of Ethernet LLDP, if enabled.”
It is far from nitpicking to point out the gross inaccuracy of conflating one particular software with an entire operating system. systemd-networkd is not Debian.
I'm surprised this hasn't gotten any mainstream tech press attention. Chrome's Privacy Whitepaper describes a number of privacy-questionable nonstandard headers which are only sent to Google services. Just try searching for X- here:
> On Android, your location will also be sent to Google via an X-Geo HTTP request header if Google is your default search engine, the Chrome app has the permission to use your geolocation, and you haven’t blocked geolocation for www.google.com (or country-specific origins such as www.google.de)
> To measure searches and Chrome usage driven by a particular campaign, Chrome inserts a promotional tag, not unique to you or your device, in the searches you perform on Google. This non-unique tag contains information about how Chrome was obtained, the week when Chrome was installed, and the week when the first search was performed. ... This non-unique promotional tag is included when performing searches via Google (the tag appears as a parameter beginning with "rlz=" when triggered from the Omnibox, or as an “x-rlz-string” HTTP header).
> On Android and desktop, Chrome signals to Google web services that you are signed into Chrome by attaching an X-Chrome-Connected and/or C-Chrome-ID-Consistency-Request header to any HTTPS requests to Google-owned domains. On iOS, the CHROME_CONNECTED cookie is used instead.
PII concept is not the same for everyone/everywhere. For GDPR we have:
> Article 4(1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
If this chrome browser ID is matched against a (for example) google account, then they can track every single person. And that is just a couple of IDs, let alone all the quantity of data they have.
It's against GDPR to not be clear about this kind of ID. If my browser has an unique ID that is transmitted, then this ID can be coupled with other information to retrieve my identity and behavior, so it should be informed (in the EU).
EDIT: TL;DR, hiding behind "there is no PII in that ID" is not enough.
I'm sure there is someone out there who takes these kind of things seriously. Not me. I use firefox for that matter.
> And what if they put this in the browser's T&C?
Then the rest of GDPR applies: a clear message about the browser sending this info has to be shown, explaining why, with who they'll share it, the time they will keep this info, plus no auto opt-ins, the possibility of asking Google (or whatever) all the info relative to this ID and the option to cancel all the data, etc.
This is why I consider the GDPR to be unrealistically broad in its definition of PII; it denies even innocuous feature-mode-distinguishing headers intended to allow for bug-identification of massively-distributed software installs.
If I'm given a forced choice between "more privacy" and "better software quality" I'm going to lean towards "better software quality."
Me too. Then a breach happens and someone tells you with a straight face, "we take your privacy very seriously", and offers apologies, because the breach used some of your data to push some political campaign, or to bother you with spam or extortion because that night you were watching some porn.
Programmers should stop pushing buggy or incomplete software as-is, and start releasing software that works. Otherwise the upper levels have an excuse to do all this "experience" telemetry, and we are all smart enough to see the consequences of a data breach.
> Programmers should stop pushing buggy or incomplete software as is, and start releasing software that works
If you demand a perfection-of-function guarantee from something as complicated as a web browser, you'll never get a web browser with more features than the ones released in the '90s (and I'm not even sure we'd be that far along by now).
If I'm given a forced choice between "more privacy" and "the software ever having the features I want to use" I'm also going to lean towards "the software ever having the features I want to use." And we know this is true for users in general because of the number of users who had Flash installed back-in-the-day in spite of the fact that it allowed a total bypass of the browser security model, because it had features that the browser lacked otherwise.
Instead of giving my privacy away, I prefer software like anything you installed from a CD-ROM back in the '90s that didn't need a weekly update. Games, 3D Studio and AutoCAD (to name a few) were more complex than a web browser (even today's web browsers) and didn't need weekly updates, a hunger for user-requested features, or phoning home for no reason. The world worked relatively fine without the up-to-date wankery we see today.
They were also buggy and could crash their resident OSs all the way to a stuck state, and if they did, the solution was "Try not to trigger that bug again."
Software quality has significantly improved in the era of easy patch access and auto-patching.
Holy Jesus. Those things were chock full of security holes. If you used a web browser that arrived on a CD ROM you'd be advertising massive pwnability.
In fact, you could easily simulate this by using last year's Firefox.
Hard to say, but not necessarily a great example; exploits on software are a function both of attack surface / complexity and installed userbase (i.e. nobody bothers to see if lynx is pwnable because a zero-day against that browser will be worth, what, twenty bucks to gain access to the five people who use it?).
Probably not very long. Even with a small attack surface, if half the world uses it, the zero-days are valuable. Links is still vulnerable to
* application-layer attacks (it is still an HTTP client and HTML parser, and the protocols themselves are complicated to implement soundly, even if the newest features aren't included)
* protocol attacks (is links immune to buffer-overruns triggered by intentionally-malformed queries? Probably not, since it has no total-soundness verification. And the source code isn't open-source so )
* good old-fashioned UI spoofing (is links' UI design immune to allowing web pages to show an image that tricks the user into thinking they're looking at the links UI itself?)
In this thought experiment, any successful attack has massive value so we can expect bad actors to be hammering on the system and finding most such exploits available on the application.
> In this thought experiment, any successful attack has massive value so we can expect bad actors to be hammering on the system and finding most such exploits available on the application.
Precisely, and because of that, with 50% people using it, an orders of magnitude smaller attack surface and a mostly fixed feature set (you could at least have a LTS version), just how many vulnerabilities are there to find? How many man-years of work until there is nothing¹ left to find? Do you think that just any code has exploitable vulnerabilities, you just need to look hard enough? And with each fix, you can repeat that ad nauseam?
With the current browser development efforts, would we end up with a 100% formally verified browser, including its dependencies, networking, and maybe even relevant parts of a linux kernel?
Judging by the change log[2], links is currently developed by 1 developer and occasional contributions.
¹ Nothing of sufficient importance, frequency and lack of reasonable mitigations like not clicking on browser look-alikes, server-side CSRF protections, etc.
That's understandable, but it isn't what most people want---developers or users alike.
Browsers aren't just thin-clients to support HTTP protocol and HTML rendering. They've grown to adopt a new distributed computing paradigm, not unlike UNIX and its descendants grew to support a new multi-user-cum-multi-process paradigm. The things web development offers---location agnosticism, platform agnosticism, combined multimedia interaction, a workable security model for multi-source aggregate-component content---are eating software development, and the browser is becoming the OS of the modern era. We know users want this because users were willing to use Flash (even though Flash broke out of the security model of the old browser).
There'll always be a place for small text-based pages much as modern computing will always have a place for command-line tools, but the genie is out of the bottle and it won't be put back in.
This is outrageous. Browsers are user agents, not advertising accelerators. They should hide as much personally identifiable information as possible. This is exactly why using a browser from an advertising company is not a good idea. "They use it to improve their service"... The lie gets old...
This comment was sadly written in Chrome, since I need it for testing...
edit: pretty much exactly 10 years ago they already tried their shit with a unique id. We should have learned from that experience.
"We want to build features that users want, so a subset of users may get a sneak peek at new functionality being tested before it’s launched to the world at large. A list of field trials that are currently active on your installation of Chrome will be included in all requests sent to Google. This Chrome-Variations header (X-Client-Data) will not contain any personally identifiable information, and will only describe the state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation."
While this header may not contain personally identifiable information, its presence will make every request by this user far more unique and thus easier to track. I do not see Google saying they won't use it to improve their tracking of people.
One click while logged into any Google property will be enough for them to permanently associate this GUID with your (shadow) account, they know it, and they know you know it too
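For the curious, the header value is reportedly just a base64-encoded protobuf listing the active variation ids (the ClientVariations message). Here is a minimal decoding sketch; the message layout is an assumption based on public reverse-engineering of the header, not something stated in Google's whitepaper:

```python
import base64

def _read_varint(data: bytes, i: int) -> tuple[int, int]:
    """Read a protobuf varint starting at offset i; return (value, new offset)."""
    result = shift = 0
    while True:
        byte = data[i]
        i += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, i
        shift += 7

def decode_variations(header_value: str) -> list[int]:
    """Collect the varint-encoded ids from an X-Client-Data value.

    Assumes the widely reported ClientVariations layout where the
    interesting fields are repeated varint variation ids; any
    length-delimited fields are skipped rather than interpreted.
    """
    data = base64.b64decode(header_value)
    ids, i = [], 0
    while i < len(data):
        key, i = _read_varint(data, i)
        wire_type = key & 0x07
        if wire_type == 0:            # varint field: treat as a variation id
            value, i = _read_varint(data, i)
            ids.append(value)
        elif wire_type == 2:          # length-delimited field: skip payload
            length, i = _read_varint(data, i)
            i += length
        else:                         # anything unexpected: bail out loudly
            raise ValueError(f"unexpected wire type {wire_type}")
    return ids
```

Feed it the raw header string as seen in DevTools; the resulting integers are the experiment ids, not anything human-readable.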
So, an extremely unique identifier for tracking purposes, that effectively no one knows exists, and no one knows can be changed at all?
With an obscure white paper that allows Google to claim they comply with the law because "they totally offer a way to change that and they even published that information to the web for anyone to find"?
Until we are deployed enough that users don't have a choice...
Now that Google has cornered the market for Internet browsing, they're using that foothold to change how it works to suit their dominance. This is why they are not concerned about per-site tracking that Google Analytics does, as long as THEY as a company have direct browser-based tracking, they no longer need to provide tracking services to other private companies to know what is trending everywhere. This is also probably why they're trying to kill ad blockers and certain browser privacy extensions.... But they won't really matter to Google if everything is done at the browser level to begin with from now on. :/
If they make moves to scale back [free] Google Analytics, which they probably will at some point, it will only highlight this ideal... They may turn to selling their privately collected metrics and qualitative studies to companies after Google Analytics is rendered useless, and then that's unadulterated monopolistic profit for them and shareholders...
There's also the subset of all of us who must use Chrome because <solution X> needed for work requires said browser. Google's dominance through Chrome extends to the whole ecosystem. Same thing with Apple inside their own (which is nowhere near a monopoly at 10-15% market share worldwide, thus totally fair game by comparison).
They might, and I used to be one of them, but now I use Google on Firefox instead, because DuckDuckGo no longer yields useful results. The number of times I don't go "oh ffs, fine, !g" has been in steady decline over the last year, and at this point I've given up.
Why do people still dredge up Google's historical "don't be evil"? It's not been applicable for half a decade now, and even in 2015 when it was officially removed from the last company documents, it was already a dead phrase.
Google had already cornered the market back in 2012, when it surpassed every other browser, with an absolute majority dominance (>50% market share) achieved way back in 2015.
"There’s no point acting all surprised about it. All the planning charts and demolition orders have been on display in your local planning department in Alpha Centauri for fifty of your Earth years, so you’ve had plenty of time to lodge any formal complaint and it’s far too late to start making a fuss about it now"
13 bits of entropy is not an extremely unique identifier.
The first three letters of your first name have more bits of entropy than that. It would be quite a trick to uniquely identify you by the first three letters of your first name.
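The comparison is easy to sanity-check; a quick sketch in Python (treating all 26^3 three-letter prefixes as equally likely, which overstates the real entropy of names, so this is an upper bound):

```python
import math

# Entropy of the variations seed when usage statistics are disabled:
# one of 8000 equally likely values.
seed_bits = math.log2(8000)        # ~12.97 bits

# Upper bound on the entropy of the first three letters of a first name,
# assuming all 26^3 combinations are equally likely; real name
# distributions are heavily skewed, so the true figure is lower.
name_bits = math.log2(26 ** 3)     # ~14.10 bits

print(f"seed: {seed_bits:.2f} bits, first three letters: {name_bits:.2f} bits")
```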
I fear the factual incorrectness isn't mine: the random string has 13 bits of entropy only if usage statistics are disabled, which isn't the case by default. By default, it uses an unspecified amount of entropy (and you can bet real dollars that it'll be more than 13 bits' worth).
FWIW, it looks like that's a test case -- it is not part of Chrome itself. They most likely just wanted an example of a third-party website, and could have used any non-Google site there.
Yes, but they tested Yahoo of all websites to make sure they don't send tracking data, and not an unrelated website like wikipedia or archive.org. It's the only non-Google test case too, I might add.
It's a test case; I wouldn't read too much into it. Maybe it's evidence of a massive anti-trust conspiracy at Google, but it could very well be that it was the first domain that came to the programmer's mind at the time.
I wasn't aware of this, but it still seems like a thread worth pulling on. You're assuming, right? The reason I ask is that using any third-party company seems inappropriate. Even more so when Google has plenty of domains of its own to test against. Even more so when it is against a media/advertising company. And again, even more so against a company that changed from Google to Bing to power their search function. It seems to be an inappropriate or poor choice, doesn't it?
There's no smoking gun here, but I don't think that concern can be dismissed out of hand. It might be good to see what Yahoo's take on this is. This could even evolve into participation by the US Attorney General. I'd like to know more either way: was Yahoo independently added to the list at a later date, or was it there from the start?
The functionality is the functionality: it targets the header to Google sites. If there's a legal issue it really stands or falls there, not on the presence of another company's domain in the tests. There's nothing Yahoo-specific about what Chrome is actually doing.
I've long seen it almost as a tradition to use yahoo for things like testing if the internet is working, e.g. "ping yahoo.com". I suspect this isn't much more than that.
It's an arbitrary test string, not evidence of evil intent. A sufficiently uncharitable interpretation can make anyone's writing look evil. It's not so.
Don’t forget that even if the number only varies in the interval 0 to 7999, it means that without cookies a unique Chrome installation can be identified even when multiple users share the same IP, like residential houses with families, etc. — that way it is possible to determine the number of unique devices inside a house.
> that way it is possible to determine the number of unique devices inside a house.
There are exceptions I guess. Imagine 8000 households in which couples live. Both partners own the same MacBook model. In 1/8000 cases Google would think there is only one person.
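That 1/8000 figure generalizes to larger households via the birthday problem; a small sketch, assuming each seed is drawn uniformly and independently as the whitepaper describes for the statistics-disabled case:

```python
def p_seed_collision(n_devices: int, n_seeds: int = 8000) -> float:
    """Probability that at least two of n_devices share a variations seed,
    assuming each seed is drawn uniformly and independently."""
    p_distinct = 1.0
    for k in range(n_devices):
        p_distinct *= (n_seeds - k) / n_seeds
    return 1.0 - p_distinct

print(p_seed_collision(2))   # 1/8000 = 0.000125, the case in the comment above
print(p_seed_collision(5))   # ~0.00125, still rare within a single household
```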
It seems like a reasonable time to bring up the reformer project 'ungoogled-chromium' [1]. I have used it and new versions of Firefox for over 3 years and have seldom had to jump back to "Googlified Chrome". Do know that installing via `brew` [2] means no standard browser auto-update. Which in this case makes sense to me.
Aside: It seems to me the realest punk / anti-the-man software one can work on is a user-respecting browser. I don't work on these, but I am very grateful for those out there who do.
Right-click in the Name column, select "Save all as HAR with content". Then grep for the headers, e.g.,
sed -n '/headers\":/,/\]/p' example.com.har
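Since a HAR export is just JSON, a slightly more robust alternative to the sed one-liner is to walk the structure directly; a sketch assuming the standard HAR 1.2 layout that DevTools produces:

```python
import json

def client_data_headers(har_path: str):
    """Yield (url, value) for every request in a HAR capture that carries
    the X-Client-Data header. Header names are matched case-insensitively."""
    with open(har_path) as f:
        har = json.load(f)
    for entry in har["log"]["entries"]:
        request = entry["request"]
        for header in request["headers"]:
            if header["name"].lower() == "x-client-data":
                yield request["url"], header["value"]
```

Run it over the exported file, e.g. `for url, v in client_data_headers("example.com.har"): print(url, v)`.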
While running Chrome, try
ps ax | grep -o 'field-trial-handle[^ ]*[0-9]'
Handle to the shared memory segment containing field trial state that is to be shared between processes. The argument to this switch is the handle id (pointer on Windows) as a string, followed by a comma, then the size of the shared memory segment as a string.
Also, you can try typing "chrome://version" in the address bar
I think extensions can filter out the x-client-data header, though Google should definitely make this data collection opt-in.
GDPR is very clear about this data being personal information [1], since Google has access to the IP address on the receiving end, which has been repeatedly tested in courts as being personal data.
Google is engaging in personal data harvesting without user consent and control, and no amount of mental gymnastics presented in their privacy whitepaper [2] will save them in courts.
But unless you change your IP and other machine characteristics, they'll be able to link the machine id with an alternative fingerprint (cf. amiunique/panopticlick).
That would mean they are actually not tracking you (via that method at least) in private mode. I was just about to investigate how or if they were tracking in porn mode.
Is this at the "Chrome" level, or baked in at the "Chromium" level? And therefore also an issue for Brave, Opera, Vivaldi, new-Edge, and anything else jumping on the browser-engine monoculture?
It appears that Chromium-based Edge does not send this header. I've switched to Firefox for everything I can switch; perhaps it's time to use Edgeium over Chrome for anything else.
Lol, is it news? I mean, it has worked like this for as long as I can remember; privacy-conscious users were complaining for years, helplessly watching Chrome's market share grow, but nobody really cared, so... And now, suddenly, people act like this is big news and they are outraged by such blatant and unexpected(!) intrusion into their privacy.
Wow. I don't even know how I feel about it anymore.
I use (sometimes/often) mitmproxy and remove or change suspect headers. It is also nice to remove all the fb, google and more crap from the html. And much more. It is a lot of work not to break a website. I don't know whether I am more trackable or not - this is the 'only browser' without x-client-data header.
I've always assumed that everything I install tracks me through some unique ID. That's arguably wrong for typical Linux packages, but being right just once is enough to justify the assumption.
And for Google, it's arguably foolish to think that they don't.
Can you test it in Microsoft's new Edge browser based on Chromium? I'm very curious about that. (I don't know how to test such a thing myself, sorry :S)
I dropped Chrome a long time ago and switched to Brave. Does Brave have these same issues, considering it uses webkit for its rendering engine? Am I just being paranoid?
With that said, one can simply filter out these analytics with a C:\Windows\System32\drivers\etc\hosts entry pointing to 0.0.0.0, or a Pi-hole (https://pi-hole.net/), yes?
I mean, this is probably not the holistic solution, but this is why we have firewalls, VPNs, antivirus, and filters to keep DNS in check, yes?
Yes, you can if you are willing to block google.com, android.com and youtube.com.
doubleclick.com might not be terrible for most, though.
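For what it's worth, the blunt hosts-file version of this would look like the following (domains illustrative; as noted above, blocking them breaks the services themselves, since the X-Client-Data header only goes to Google-owned domains):

```
# /etc/hosts (or C:\Windows\System32\drivers\etc\hosts on Windows)
0.0.0.0 doubleclick.net
0.0.0.0 www.google.com     # also breaks Google search
0.0.0.0 youtube.com        # also breaks YouTube
```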
Interestingly enough, it does not add the headers when accessing a country-specific Google domain in the EU, such as google.de or google.fr.
Is that the GDPR kicking in? With a nod to the brexiteers, given that google.co.uk gets these headers...
There are certain sub-domains that block certain things that keep most of the bad guys at bay, but to some extent yes. This is a fringe case of those activities, but being paranoid is not a bad thing these days, considering the level of red team activity and bad actors probing your network / computer / devices.
Not shocking. I never trusted Chrome, and never switched over to it. I never understood the Firefox hate; I never thought it was "slow", despite the many complaints I have seen. Apparently Firefox is fast and amazing again. I certainly think it is better than it was several years ago, but even back then I never thought it was slow.
The sad part is that most times Google violates your privacy, it's just some PM who thinks having some data will be super important and in most cases they're wrong.
The caveat here is that in 99.99999% of cases nobody ever looks at your individual file, but the fact that they could is bad enough.
By the way, if you use Chrome and Google as a default search engine, Google gets a signal from your browser (with cookies) every time you open a new tab. You can check it with DevTools.
Irrespective of whether you use any other google products, if you use chrome google can now track you over any property that uses google ads, recaptcha, etc.
The header is inserted by the browser after any extensions run, and Google pins Google properties so you can't have an intermediate proxy that strips the header, so they gain persistent tracking of all users across most of the web?
If it wasn’t a tracking vector why do they limit it to just google ads, etc? Why not other ad providers as well?
This is another instance showing that Google doesn't care about users' privacy and tracks them without their consent by using a Chrome installation ID. This is probably against the GDPR, so take the Chrome installed base in Europe multiplied by the per-day fine; hopefully it runs into a year's revenue for Google.
Another lesson: don't trust for-profit companies with privacy protection, especially an advertising-technology company like Google, whose mottos like "don't be evil" or "organize the world's information" are designed to mislead.
Honestly, it's 2020: even if your technical understanding is so low that you have no idea what a "browser" is, you know that Google will do anything in its impressive power to track down everything you do, by legal or illegal means.
Thanks to Snowden, this is no longer a conspiracy theory. It's a fact.
Google should be fined for this but they probably won't be.
Not sure why this is being downvoted. It hits the nail on the head. If you are concerned about privacy around advertising then using a browser from the biggest online ad company is short sighted.
Quite a lot of reasons. I assume you asked that because you're thinking it's used to gather information on its users. That could be one of the many reasons. At least initially it was because Mozilla/Firefox didn't want to adopt a multi-process architecture.
In terms of strategic reasons, as a company that depends on people browsing their websites, other reasons are obvious: avoid lock-in that could be pushed by third-party browser makers/competitors (say IE becomes the most popular and it implements proprietary extensions that work only on their websites[1]), and ensure there exists a fast, secure browser so that people can keep browsing even if everyone else stops making good browsers.
[1] Now before you go ahead and point out how Google proposes HTML/HTTP features that get implemented in their browsers and on the server side, all such features have public specification and source code, so anyone else could implement them too. This is very different from the IE days of yore, where MS was extending IE through ActiveX. ActiveX was developed in house and they were releasing binary plugins/SDKs to develop ActiveX plugins, effectively maintaining full control over it (one would have to develop ActiveX compatible technology from scratch if they wanted it open source, with Chrome all they have to do is fork the source code).
so that you don't have to pay royalties to other browsers for being the main search engine.
I mean you have to pay one less. And if you have the most used browser, you save a lot.
In the good old days, everyone and their grandmother just sideloaded their malware toolbars with freeware crap like Picasa or maps, or outright bundled their bloatware with the system, like Google still does on Android.
When Chrome was first developed, browsers and the web were relatively slow, and slowing down due to the popularization of Javascript and heavier websites.
Google's worked on a number of technologies to make the web faster; Chrome (and V8), their own DNS, image and video compression technologies, AMP, HTTP/2 (SPDY), HTTP/3 (QUIC), webserver plugins (mod_pagespeed), benchmark tooling (Lighthouse), and extensive guides on website speed optimization.
The reason is simple; faster internet = faster browsing = more page views = more ad impressions + more behaviour tracking data points. And it's a win-win for Google as well, because it earns them goodwill (well, except for AMP); especially at the time Chrome was a breath of fresh air compared to Firefox, and it's taken a lot of time and effort just to keep up, with mixed results (to the point where a number of manufacturers have just given up and adopted Chrome's renderer).
This sounded harder to do than it was in my experience. I figured the alternatives to their products would be less polished. But I switched to Firefox and honestly prefer it to Chrome. (They allow extensions on Android, meaning adblock, which is a game changer for me.) DDG for search is great. Protonmail for email is fine, etc. There isn't much in the Google ecosystem that I miss tbh.
The only thing I have problems finding a working replacement for is Google Maps. As an Android user there are a few different options, but Google did make a damn good maps app.
IP address inspection has been getting a large amount of attention recently. It is considered a privacy violation, yet it is required to determine location, so devs know which privacy laws apply.
GDPR only applies in Europe, and CCPA only applies in California. How is one meant to determine which set of laws applies inside a piece of software without being able to determine location?
A waste-of-time (don't bother) answer is: just apply maximum privacy everywhere and you won't have to worry about it... The response is always going to be: many free tools you use are funded by advertising, and advertising depends on being able to know where someone is, at least at the country level. Cutting off location, and therefore revenue, is not going to give people the software they want.
Other facts that usually matter: only 1-2% of people want to pay for private software. Everyone else wants the free option. Source: my apps.
No, Mozilla needs to keep focusing on Mozilla and trying to make it better than Chromium. Competition is essential. They're the only ones left other than Apple now that Microsoft has given up.
Well Mozilla burnt my trust in them over the last couple of years ... maybe Brave?
Some don't like their model of tipping content providers, but they seem - and I've not made rigorous enquiries here (please inform!) - to be a relatively trustworthy mod of Chromium!?
Mozilla Corp isn't a charity, gets several hundred million USD from Google, pays 7-figure wages, manipulates its users to achieve commercial aims, ... you're saying it's not a commercial entity?
Am I correct to understand that this backdoor tracking of individual users applies to the standard Chromium browser (i.e., not Eloston's ungoogled-chromium) as well as the Chrome browser?
If so, it's incredibly consistent with Google's surveillance-capitalist business model.[1] Wow. I'm thankful for Firefox.
For every single claim Google makes about being pro-privacy, their definition of privacy ("data shared between you and Google and no one more") is implicit.
It's a surveillance company that makes proprietary software to sell you ads. As soon as you get that into your head, you'll be much less shocked.
"We personally get to track you" is not a unique stance, and it's far from a backdoor. It's just another vile move from a surveillance company that's pretty explicit that that's their goal.
Sure, the general pattern of behaviour is familiar, but I didn't know about this specific manifestation, and now I do. What's the use of being so dismissive about specific information on which one can act?
I haven't read this carefully enough to decide exactly how bad it is, but one thing seems clear to me:
From what I see many techies are now aware and upset, and hardly anyone seems to want to defend Google anymore.
I consider it more likely than not that Google will take some real beatings in the years to come. Kind of like Microsoft was fined by the US and EU, forced to advertise for competing browsers and ridiculed by Apple ads. On a case by case basis I think some of this will be well deserved, some less so, but few outside of employees and shareholders will cry.
I also guess a lot of people, including certain owners and many in management, haven't deciphered the writing on the wall yet, and in that case whatever comes next will be surprising.
When I moved into IT, some 10-15 years ago, Google was one of the companies that I adored (in a kind of naive way, but nevertheless..).
Working at that company has always been a dream of mine. They had the reputation for hiring the best of the best engineers, with great benefits and work culture.
Meanwhile I'd hate to apply for them. Everything they do in terms of tracking, etc. has become so vile and almost evil that even Microsoft has a better standing among my peers..
Would love to hear some insight from ex employees on what changed on the inside of that company, but from the outside it doesn't even seem to be the same any more.
Maybe they're just worse at hiding it..
As an Xoogler, my experience is that one thing changed, and one thing didn't.
The thing which changed is that Google operates on a much, much larger scale than anything imaginable back in the late 90s when they first started. In 1999, nobody had any inkling about the cloud and SaaS revolution that was about to come. Nobody knew that everything was about to move into web apps and cloud services, which permit and require(?) tracking in ways, and on a scale, no one had thought possible. (Require with a question mark because - ad tracking aside - what little I know of frontend development includes that they need to be able to see certain information, like your browser type, in order to provide effective services.)
The thing which didn't change is the mindset of the engineers building the services. On average, Googlers tend to be much less concerned with personal privacy than an equally educated consumer, and much more interested in the features and services they can build for themselves and others which happen to require huge amounts of personal information to function. In other words, a typical Googler is more likely to think, "Oooh, having a personal digital assistant is great! If I give Google access to my email inbox, it can suggest tasks, automatically add calendar invites, and do other cool things."
The problems we're seeing now come when the engineers working on advertising products have that mindset and access to Google-scale information. They don't consider it a problem or a violation because they don't mind targeted ads, they don't mind giving up their data in exchange for services, and they don't (want to) understand why people who aren't them might object.
It's a lot more complicated than that because Google, while the largest and arguably most effective, is not the only player in this game. There are a lot of other corporate and social influences at play. This is just to answer the question about what changed at Google.
> They don't consider it a problem or a violation because they don't mind targeted ads, they don't mind giving up their data in exchange for services, and they don't (want to) understand why people who aren't them might object.
And worse, they never thought to ask. Most users never really had the opportunity to provide informed consent.
Seems to equally apply here though. Many people are perfectly fine with targeted ads in exchange for free useful services. I would even propose the majority (otherwise these services wouldn't be popular in the first place!).
> > > Most users never really had the opportunity to provide informed consent.
> Many people are perfectly fine with targeted ads in exchange for free useful services. I would even propose the majority
I feel like these two remarks should be taken together, and not in isolation. My straw poll of a few non-technical folk in a highly-technical firm is that they're broadly unaware of these kinds of things (but everyone has anecdotes...)
Speaking for my own perspective, I was perfectly fine with Gmail when it first launched (1GB of free email storage in exchange for a computer scanning my mail and showing me text adverts on the side? DEAL!), mostly because in 2003 I had no idea what my data was worth (individually, very little; in aggregate along with everyone else's? $GOOG indicates it's in the ~trillion range). Facebook? For sure! Have my favourite books, albums, movies, tv shows, all my photos, why not?
It took many years before the implications of that decision that we (collectively) made came through. Not everyone has the bandwidth to focus on this, and so it just becomes background noise.
> > and all it would take was a disregard of the sanctity of personal privacy
;)
I would have been aghast if you had told me 30 years ago that by now our movements, purchases, letters, phone calls, photos, rolodex, walkman, television, and more would all be connected to a central database and used to produce models to coerce us into changing our behaviour.
Eh. One of the things Microsoft was actually punished for was bundling IE, and it didn't help that they were actively hostile to other browsers, as proven by the fact that their documentation pages would only work if Opera faked the IE headers.
Google's pushing of Chrome and disregard for other browsers across their web properties comes dangerously close, in my opinion.
I think that Google's push is even worse. Just think about how many possible devices Microsoft could target back in the day. 300-500 million devices, maybe?
Google not only invaded desktops in the past decades, but completely owns the Android platform, which comes bundled with Chrome and Google as the primary search engine. Desktops with Chrome plus the Android platform must be far more than 2-3 billion devices.
Well, I'm an ex-employee. Actually, nothing has changed inside the company. "Tracking", as you put it, isn't perceived as evil; it never has been, and for good reasons. The only thing that's changed is people's perception of the company and - very recent post-2016 political issues aside - that was mostly driven by a sustained campaign by an angry media industry that wanted money (see: link taxes).
Firstly, if tracking usage statistics or activity was actually evil then everyone would hate it, desperately try to stop it and have tons of stories about the horrors of it.
In fact what Google sees is:
1. Web apps are extremely popular although they all keep server side logs that reveal every button click, every message you type, every email you send, every search you do. Users routinely migrate from thick client apps that give great privacy to web apps that give none whatsoever without batting an eye.
Hacker News readers in particular should understand this. It's overrun with Silicon Valley types who build their entire livelihoods around "let me run this program for you as a service". There's nothing special about Google in this regard. The entire software industry has moved away from privacy in the last 20 years because ...
2. Users rarely if ever use privacy features when they're provided, even when they're heavily promoted. In fact, despite all the noise, hardly anyone cares. For the vast majority convenience wins over privacy every time. But not just convenience, also ...
3. Security trumps privacy. People say they like privacy, but they hate getting hacked and tend to blame the service provider if it happens. They have very little patience for explanations of the form "yes this attacker was obviously not you and yes we had enough data to know that, but we didn't use any of it ... for your own good!"
4. Users can't and won't give accurate feedback about what they value or what their actual experience of using an app is like. This means A/B testing is critical to avoid making bad business decisions. The heavy reliance on experiments and data driven decision making is one reason tech firms tend to steamroller their legacy competitors.
Google hasn't become evil over time. It's been doing A/B tests, keeping server logs and writing unused privacy features since the company first began. All that's changed is it got big and rich, so people - rightly - started to think about its power more. But the hypocrisy is strong. The world is full of companies collecting and using data for the benefit of their customers. It's really only Google and Facebook that get the vitriol.
Most people use default settings and have no idea about the software they are using at all. "everyone would hate it" assumes people know about these things, but they do not. Don't use this as a point.
ad 3), you make it sound as if it was one xor the other. This is sometimes the case to some degree (like checking urls for phishing sites), but far from always.
ad 4), it is not my problem as a user that you have trouble doing tests. If you need information for your business, then spend the money and effort to acquire it. Do not abuse your users without care. Your business case is not more important than people's privacy. And if others do this to gain an advantage over your business, don't whine, sue them.
When I was involved in user tests we had a lot of trouble due to our ethical concerns, but we did not consider dropping these concerns.
edit: I may add that I'm German. We were taught about the value of privacy in our history. "boring statistics about religion" led to the murder of hundreds of thousands of Jews. Disregard for privacy led to the atrocious human rights violations in Eastern Germany. I cannot understand why Americans, who explained this to us Germans after WW2, apparently forgot all about the _reason_ for privacy.
"everyone would hate it" assumes people know about these things
It's based on direct experience of these tradeoffs.
Firstly, yes, people accept the defaults most of the time. They expect those defaults to be convenient and secure. But even when forced to click through screens that literally won't let them proceed until they consider their privacy settings, they don't care and routinely opt in to data sharing because it's more convenient.
Believe me, Google has tried everything in this space. Every combination of popup, click through, interstitial, notification, endless usability studies. Everything. New products that use user data in clever ways get instant uptake on the order of hundreds of millions of users with virtually no promotion at all. Privacy-oriented features get nearly none despite heavier promotion. To the extent people don't know about privacy settings it's because they do not care.
I know this goes against the tech industry zeitgeist or groupthink. It's unpopular to spell this out, but that's why it's important to do so. Way too many companies and engineers are working on dead-end privacy projects that address an imaginary market demand.
you make it sound as if it was one xor the other. This is sometimes the case to some degree (like checking urls for phishing sites), but far from always.
It's not 100% always, but it's hard to come up with cases where privacy and security aren't in tension.
For instance, one of the reasons you can't build truly end to end encrypted consumer services is people don't want to swap public keys. It's more hassle and nobody has it, so every end-to-end encrypted service has a big central key directory ... which makes the encryption pointless, as the service can still decrypt conversations on demand. That's not the only problem but it's a big one.
Another problem is people expect password reset. You can't build a service without password reset or else you'll have an angry mob at your door demanding their accounts back. If you say, sorry, there's no password reset because the data is all encrypted and we can't get it back then you'll lose your market position. Hence why iPhone backups are unencrypted.
It's not hopeless. Google get the most pressure on these topics so they've been coming up with some of the best solutions. Their Titan architecture is quite innovative in this space, although we'll see what happens when people realise "I forgot my PIN, please verify my identity some other way" doesn't work anymore.
And if others do this to gain an advantage over your business, don't whine, sue them.
I'm afraid this is extremely naive. There is nothing illegal about running user tests, server logging and gathering metrics. And don't talk about GDPR to me. It's a meaningless law that is so badly drafted it affects nothing. You can do basically anything if it's justified by a genuine business need, and understanding customers is an absolute need of any business.
But if the EU under German direction decides to interpret the GDPR such that it bans making convenient and secure software, then so what? America crushes the EU in the software business already. It will simply extend its lead. American startups will learn "don't open offices in Europe and you're OK" and so the EU will continue to degrade its own economy, continue to have no tech startups of note and the USA's more sensible approach to privacy will continue to be the only one that matters.
"boring statistics about religion" led to the murder of hundreds of thousands of Jews.
At the risk of going full Godwin on this thread, that's a severe misunderstanding of your own history. No wonder Germans have such strange approaches to internet privacy if that's what you're being taught. Americans haven't "forgotten" the reasons for wanting privacy, they just don't think spreadsheets were relevant to what happened. And BTW I'm not American.
So: Nazism wasn't enabled by the collection of statistics. They would have hunted down and eradicated groups of people all the same. We know this because communists hunted down and threw huge numbers of anti-communists into concentration camps, although being anti-communist isn't a birth trait and that fact existed in no statistical databases. They didn't need Big Data because they had a large network of ideologically motivated informers and collaborators instead: just like Hitler did.
Finally, I'll say that going from "Google runs A/B tests to learn if a new feature is popular" straight to "sue anyone who does this because they're directly leading to Jew murder" is really quite offensive and shows no sense of proportion. Google is not enabling the Third Reich. It's just doing what any boring old city shop does when they experiment with putting different items on sale, or experiment with different layouts of the stores. The fact that it's online changes nothing.
I think it's key that I never see any kind of comparative behavior. Does Amazon do this, does Facebook do this, do private platforms do this? How does this compare to tracking done by apps? Based on my experience and knowledge, Google falls on the ethical side of the spectrum among its peers.
I get ads from Microsoft now (in app in some cases, other free services). I know this is a Mac/Linux heavy forum, but I would also love to see how this tracks with Windows telemetry (to the point made about security). I am sure that every Windows 10 install has higher fidelity fingerprinting sent with telemetry.
What has changed is how easily people can be manipulated on social media and how they can be programmatically orchestrated with much less effort than before 2000-2005.
Your points are sound, but I'm puzzled by your last line:
>It's really only Google and Facebook that get the vitriol.
The way I read it, it seems as though it's unfair that they get away with doing questionable stuff when "others do worse". Why yes, if you have nefarious intentions but no power to act them out, people are going to throw less "vitriol" at you than if you do act them out.
That's right. Is Google the most evil? Well, no, I really don't think so. But they exert a lot of evil on the world because of their size, power and ubiquity, more than others. Same with Facebook and Amazon.
I always keep in mind the motto Google carried when they stepped in: "Don't be evil". I used to love Google back then, but they were something else.
They killed good products that people loved, they abused their trust, they are what they are not because they keep on innovating but because of their current size. They killed a lot of small fries who in aggregate could have given us a lot more value.
What I mean is that offline businesses have been running experiments to see what works forever. They run a billboard campaign in city X and run a slightly different one in city T to compare the results. They count customers as they come through the door. They issue loyalty cards that people sign up for in their millions, making a special effort to share data with giant supermarkets because they're (effectively) given a share of the resulting revenue increase.
Nobody cares or talks about any of these things. But when Google does the online equivalents, it's suddenly the next coming of Hitler (literally, look at the comment I replied to above!).
This isn't really proportionate, it doesn't make sense, and it's quite offensive to people who work or used to work at these firms.
> 1. Web apps are extremely popular although they all keep server side logs that reveal every button click, every message you type, every email you send, every search you do. Users routinely migrate from thick client apps that give great privacy to web apps that give none whatsoever without batting an eye.
I think people here might be shocked at the amount of surveillance going on in the most basic web apps. Lots of telemetry like you describe and other ambient data is being captured all as part of the terms and agreements you probably clicked through with the website. Google is not alone in this.
Oh, it will get worse. YouTube will be riddled with ads every 5 minutes or so, and will take the cable TV path soon. The good news is that their greed will eventually crash them.
Hey, I don't mind a little ad here and there, even though I give 0 fucks about any product being advertised. But the quantity is becoming hard to process without adblockers. Had they not taken the full evil mode path, I'd have considered paying for YouTube.
I think I'm better off weaning myself off almost completely. Or alternatives...
You complained that it was hosted on Google specifically. I tested that Chrome specifically copies the canonical URL and not the location bar URL when I share that AMP page, which doesn't fit your narrative.
Also, the reason the AMP page is faster is that it prerenders above the fold from a SERP, not due to total page weight.
AMP is, hosting aside, a problematic project when it comes to Google's business ethics.
And the differences in rendering speed were negligible, to my eyes. IIRC from the dev tools, it was about 1/10th of a second difference to get readable content.
AMP is basically gobbling up other contributors' content and shamelessly profits at the expense of the content owner. As an end user I also don't like AMP. I'm on DuckDuckGo now.
> And the differences in rendering speed were negligible, to my eyes
Reread my previous post. You didn't load it from a SERP. That's what AMP is useful for, instant loading from link aggregators.
> AMP is, hosting aside, a problematic project when it comes to Google's business ethics.
How, especially considering that Google's browser does not share AMP URLs? Is RSS a problematic project? How about GTFS or microdata? All three give the user a better experience at the expense of the publisher.
Per research tests which look at load times and abandonment, under 1 second has the same retention as instant. So, AMP provides no practical benefits here.
> How [is AMP problematic]?
A large number of electrons have been spilled on this topic. I recommend reading one of those. It really comes across as an attempt to argue in bad faith by ignoring these well-distributed (especially on HN) concerns; even worse to try and paint RSS and similar as harmful.
> Per research tests which look at load times and abandonment, under 1 second has the same retention as instant.
Citation needed.
> A large number of electrons have been spilled on this topic.
Most of those electrons have been spilled by people who do not understand what AMP does, which included you until you had read the GP post. Those arguments are nonsensical to somebody who does understand what AMP does.
> even worse to try and paint RSS and similar as harmful.
I do not think RSS is harmful, but your stated reasons for claiming that AMP is harmful apply equally well to RSS. Your argument is therefore inconsistent with itself.
There's been more than a few departures at Google recently. You have the high-profile departures of C-level execs; you've had prominent open source folks leaving projects like Angular. While some attrition is personal circumstance, you have to wonder how much is attributable to the changing identity of Google itself.
There is little point trying to correct misinformation about Google on Hacker News anymore, because people will just make up more tomorrow, and it will get hundreds of upvotes if it looks vaguely plausible.
So, people who want to dislike Google will find everything they need to confirm their biases here.
IIRC it's not that long ago that trying to criticize Google here on HN was an exercise in futility.
I won't say that the current situation is perfect, but I can see why. In my view, Google has earned the current criticism through hard work:
- mismanagement of services people loved, to the point where Google always running 3 different, more or less incompatible messaging services while closing services left and right has become a meme,
- shoving ideas down people's throats (hi, identity and real-name policy of Google+)
> From what I see many techies are now aware and upset, and hardly anyone seems to want to defend Google anymore.
Be careful, most of us on HN are part of a very small echo chamber. "What you see" is a small, non-representative portion of "techies". If it wasn't Firefox wouldn't be at sub-5% in general usage surveys and AMP would've died years ago.
> From what I see many techies are now aware and upset, and hardly anyone seems to want to defend Google anymore.
From what I've seen is it's like it's always been: people are upset for a day or two and then continue to not care, and continue to (directly or indirectly) support the evil they were upset about. It's incredibly difficult to get even geeks to support a cause if it requires more than pressing a like button or posting a comment.
Also, it's not like Google's wrongdoing are recent news. Anyone remember Google Watch (the site)? People have been warning and predicting things since very long ago, yet the geek crowd never seems to hesitate to embrace the next soon-to-be evil company and their proprietary offering.
I see people recommending Firefox, but I'll say that for Mac users Safari is a very usable browser too. It's quite fast, and to my knowledge is not collecting/sharing my personal data with Apple. https://www.apple.com/privacy/
These days I only use chrome for the g-suite tools that seem to require it to avoid mid-meeting crashes.
Safari is horrible for HTML5 games. Dealing with all sorts of issues to the point where I've more or less given up and just tell my Safari players to use something else.
Some of my front-end colleagues like to tell me that Safari is the new IE 6. Not in terms of market domination (that's Chrome for you), but in terms of dragging the front-end back with unimplemented features, quirks, and bugs. The amount of hacks they have to add just to support Safari is uncomfortable.
No, they are confusing that with developing for Chromium first and not testing on all browsers.
Safari is behind in terms of W3C features, but implementing unsupported features does not mean you are hacking to support Safari. They should look into the progressive enhancement principle and the CSS @supports feature.
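To make the progressive enhancement point concrete, here's a minimal sketch (the `.gallery` selector and values are hypothetical): every engine gets a baseline it understands, and `@supports` gates the enhancement to engines that actually implement it, so no Safari-specific hacks are needed.

```css
/* Baseline layout that every browser understands, Safari included. */
.gallery {
  display: block;
}

/* Enhancement: only applied by engines that report Grid support. */
@supports (display: grid) {
  .gallery {
    display: grid;
    grid-template-columns: repeat(auto-fill, minmax(200px, 1fr));
  }
}
```

The same check is available from script as `CSS.supports('display', 'grid')`, which returns a boolean in browsers that implement the CSS Conditional Rules API.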
I'm strictly talking about the canvas and audio implementations, forcing me to use all kinds of different hacks just to get a reasonable FPS in Safari. Audio I gave up on a long time ago, and don't get me started on Mobile Safari.
Safari on iOS is great. Safari on Mac is underwhelming and sucks.
My biggest gripe is I can’t update it without updating the entire OS. Also, dev tooling is really bad. God help you if you ever need to unregister a service worker.
For non-developers, which is most people, those are non-issues. Safari is excellent for the things that matter: speed, power usage, and integration with the rest of the Apple ecosystem.
I have not. I don’t think they have any extra dev tools though; it’s just the later version of the browser (which, granted, may include improved dev tools). And you still need to be on latest macOS to run it.
But thanks for the tip on the preview releases; I’d forgotten about those. I’ll check them out.
If you haven't used Firefox in a while you should really give it another chance. It has vastly improved in terms of CPU and battery usage. It also has a lot of great privacy-enhancing features like tracking protection enabled by default and extensions like Facebook Container make it trivial to prevent tracking even further.
As someone who had repeatedly tried to make the jump to Firefox, it _finally_ stuck after quite a few attempts. (CPU and laptop heat issues were problems for a while, now they aren't!)
I second this; keep trying even if it isn't for you after a few times, it was worth it to keep trying, officially Firefoxer :)
I love FF and have gone back to it for the last few months after using Chrome for years. CPU and battery usage is great now, but coincidentally I've been getting these weird hangups on my laptop.
So yesterday I opened up my Activity Monitor with 6-7 tabs open (including 1 YouTube tab in a separate window) and found FF using ~12gb of memory on my MBP. Then, to get a comparison, I opened the exact same tabs in a Chrome browser (separate window for YouTube and all) and found it using under 1gb of memory. This may be an exceptional case, but for now I just don't have the memory to run FF with Docker and dev environments up too.
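Comparisons like this are easy to get wrong: Chrome spawns one process per tab and extension, so reading a single row in Activity Monitor undercounts it, while summing all rows double-counts pages shared between processes for either browser. A hypothetical stdlib-only sketch of a fairer apples-to-apples sum (the function names are mine, not from any tool mentioned here):

```python
# Sum resident set size over all of a browser's processes, since
# multi-process browsers look tiny if you read only one process.
# Caveat: RSS still double-counts memory shared between processes.
import subprocess

def sum_rss_mb(ps_output: str, name: str) -> float:
    """Parse `ps axo rss=,comm=` output and sum RSS (KB) of every
    process whose command contains `name`; return megabytes."""
    total_kb = 0
    for line in ps_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and name.lower() in parts[1].lower():
            total_kb += int(parts[0])
    return total_kb / 1024

def total_rss_mb(name: str) -> float:
    """Run `ps` (macOS/Linux) and sum RSS for matching processes."""
    out = subprocess.run(["ps", "axo", "rss=,comm="],
                         capture_output=True, text=True).stdout
    return sum_rss_mb(out, name)
```

For example, `total_rss_mb("firefox")` and `total_rss_mb("chrome")` would at least apply the same counting rule to both browsers.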
Thank you! Someone said that finally. I really tried hard to like Firefox. But it just really doesn't replace Chrome for me. Maybe it's the ecosystem, extensions, user experience, I'm not sure but the browsing experience is never really the same on FF.
The one thing that keeps bugging me is the widgets in Firefox (Ubuntu 18.04) look super-dated -- reminds me of NCSA Mosaic and makes me want to close it. Can they please update their widget library?
Yes, there is definitely a performance advantage, especially on mobile. See, for example, some benchmarks for the Brave browser, and also a couple of recent tests for desktop browsers.
The conclusion of the linuxreviews article doesn’t really make a strong case for any major difference between the browsers —
It is hard to declare an absolute winner. Brave and Chromium seem to be the overall winners, but Pale Moon, SeaMonkey and Firefox are not bad choices if you never visit pages with fancy WebGL or WebAssembly. Chromium may be the best choice if you watch a lot of video on a laptop, if your distribution's Chromium package has the hardware video acceleration patches.
Is there definitive proof that all of the Google stuff is really stripped out of a naked Chromium install? I remember reading stuff about it being impossible to wholly untangle Google's stuff from it.
"those binaries that cannot be removed do not contain machine code."
I'm not sure what's meant by them not containing machine code, but it does seem like some of the binary blobs are retained that can't be built from source or substituted.
Honestly, I'd just switch to Firefox to be safe, though Ungoogled-Chromium does automatically set a lot of sane pro-privacy defaults that you'd have to manually change in Chromium/Firefox.
Is there a quick summary of what major site/features that will be unavailable in Chromium vs. Chrome? I assume, for example, that 'netflix' will be prominently on that list. Thanks.
I use Chromium; you can still watch Netflix. It does, however, require installation of "Widevine", which is an opaque, closed, binary blob. (But you're getting that with Chrome, too, I believe.)
You can also do Netflix in Firefox, through exactly the same mechanism.
I think Mozilla has horrible leadership, spending money on all the wrong things, and I'd rather lose my job than donate to them. But, in all fairness, they're still way better than both Microsoft and Google. At least Mozilla isn't actively trying to make my life worse every single day.
Please don't respond to a bad comment with another one. That just makes the thread worse. Doubly so for personal attacks, which are a bannable offence on HN.
What was so bad about my comment? Saying that I don’t support Mozilla/Firefox or just not being anti-Google enough?
Also, the guy that you’re responding to simply said that I seemed angry. How is that a personal attack? Somebody else responded that I’m ruining the Internet and somehow that’s not flagged?
"You seem very upset", "I suggest going for a walk", "Take a couple deep breaths", "Calm down", and even "It's just a browser" are patronizing personal comments that cross into insulting. Even worse, "By the way, what sites do you work on? I'd like to make sure to avoid them." is an ugly personal attack. I'm delighted that you didn't take offense at any of that, but that puts you above the 99th percentile of non-offense-taking. We can't pitch moderation at that level!
I wish it were obvious, but no, we don't care (I mean we really don't care) whether HN users support Mozilla or Firefox or Google or hate them. The only thing we care about [1] is whether the stories and comments on this site gratify intellectual curiosity. Most for-or-against rants of that nature don't have much curiosity in them. They're more like sports fans yelling at each other. That's great in its way! It's something to do. It gets juices flowing. But it's not really the kind of discussion we're going for here. By the way, although I don't frequent sports fan sites, I'd bet a lot of money that users there feel like the mods are biased against their team.
To be honest, I didn't really think your comment was that bad. It broke the site guidelines by being a name-calling rant. But it was so over-the-top that to me it felt more exuberant than mean, and that's actually not the kind of thing we're trying to eliminate here. Meanness is. The reason I didn't spell this out in my reply to Shaaaaaaare is that their comment really did break the site guidelines badly, and this is much too subtle a distinction to have gone into in that context. Much better to say: even if the other comment was really bad, you still can't post like this. In other words, two wrongs don't make a right, just as mothers have always said.
Given the purpose of the x-client-data header, I'll be shocked if Mozilla doesn't have a similar header for feature-enable-identification to do its own tracking of bugs at scale.
... and if it doesn't, they're developing their browser with one hand tied behind their back on quality assurance relative to alternatives.
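Whatever the header is for, the identifiability worry raised upthread is just entropy arithmetic. A back-of-the-envelope sketch (bit counts taken from the thread: a 13-bit variations seed plus ~24 bits of IPv4 source address; treating the sources as independent is the usual fingerprinting approximation):

```python
# How quickly a few low-entropy signals add up to a near-unique ID.
import math

seed_bits = 13   # variations seed 0..7999: log2(8000) ~ 12.97 bits
ipv4_bits = 24   # source address with the last octet zeroed, per the thread

combined = seed_bits + ipv4_bits
print(f"combined entropy: ~{combined} bits")

# ~33 bits are enough to distinguish every person on Earth (~8 billion).
people_bits = math.log2(8e9)
print(f"bits to cover world population: {people_bits:.1f}")
print("near-unique per browser?", combined > people_bits)
```

Which is why "13 bits isn't PII in isolation" and "37 combined bits is effectively a browser ID" can both be true at once.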
Firefox should definitely be used, but donating to Mozilla is a mistake. They waste a lot of it, their executive compensation rates are way too high (especially given that MoCo just laid off employees), and Mozilla still hasn't kept up with promises they gave years ago (that Pocket is still proprietary being a notable and depressing example).
Donate to smaller developers of software you use, it'll go a lot further, and they'll probably put it to better use!
Donations go to Mozilla "the non-profit organization" rather than Mozilla "the corporation".
Mozilla (the corporation) has the typical/bad corporate structures and ridiculous executive compensations. Mozilla (the corporation) had the layoffs. Mozilla (the corporation) bought Pocket with money that comes from deals with search engines.
That being said, though...
> Donate to smaller developers of software you use, it'll go a lot further, and they'll probably put it to better use!
... is still a great point.
(Updated this because "Mozilla, Org" and "Mozilla, Inc" were inaccurate)
I think the Mozilla Foundation is starting to look a lot like a sinecure employer for friends of friends in the non-profit biz.
Here are a few seemingly similar titles listed on their leadership page[0]:
VP, Advocacy
Director, Digital Engagement
Director, Communications
VP, Global Programs
Director, Partnerships
Director, Events and Training
Interim Director, Leadership Programs
The Mozilla Foundation controls and owns the Mozilla Corporation, and the executive structure looks more or less the same. Baker's compensation has been inversely tied with performance, and she runs both.
Owns, yes. That is radically different from "funds", though.
Not going to dispute anything about executive structure or Baker's compensation and (mis)management, but a lot of people here are acting like donations either go directly to the corporation or funnel to it through the actual recipient of the donations, but there isn't really any evidence being presented.
'Tied' in relational contexts is generally used to describe a correlation, relation, connection, or a consistency between events in the English language. It can—but does not have to—describe a contractual relationship, and it does not generally describe one except in very specific and obvious cases, e.g. what one would expect to be true: "bonuses are tied to performance milestones."
> Baker's compensation has been inversely tied with performance
No reasonable person would assume that a person's comp structure from Company would be contractually bound to increase as Company's performance decreases. At which point, the interpretation of "tied" would swing towards generally accepted usage, i.e. "there's a potential relationship between these two things."
ameister14 suggested "associated with" would've worked better, and that's true. But "tied" isn't technically wrong.
That's malarkey. Tied is not exclusively used to imply a "contractual relationship," and that's (if anything) a minority-usage of the idiom of tied to/with.
I think you probably should have used 'associated with' instead of 'tied to', as when discussing remuneration, contractual ties are not a minority usage of the idiom.
I'm not Kick, but while you're correct that "associated with" would've been better for clarity, no reasonable person would assume that "inversely tied" describes a contractually mandated drop in performance for an increase in pay (my other comment here links to dictionary.com and thesaurus.com, both good references for this discussion). Couple that with the generally accepted usage of 'tied' and the usage by Kick was correct, if perhaps ambiguous to a narrow population.
Kick's usage is correct except within the business world and especially financial and executive populations, which, while admittedly narrow, are what we were discussing. When you say that an executive's pay is tied to the company's performance, within these communities it's generally understood that this is a contractual relationship.
ex. "John's salary is tied to performance - if the company is valued at over 100 billion, he'll get another 5% stock" etc.
or "bonuses are tied to performance milestones"
If you are simply observing that an executive's pay rises while performance falls, 'associated' is a clearer term.
That still doesn't answer why I should donate to Mozilla the non-profit. What do they do with my donations? According to another post, they don't use them to fund Firefox or presumably any project run by the corporation side.
As I see it if I wanted my donations to go to political or other activism there's more direct and better organizations to donate to with less middle management involved.
* supporting a diverse group of fellows working on key internet issues [looking at them they all focus on advocacy and social issues rather than working on things like Firefox]
* connecting open Internet leaders at events like MozFest
* publishing critical research in the Internet Health Report
* rallying citizens around advocacy issues that connect the wellbeing of the Internet directly to everyday life.
Or in other words, exactly as the HN comment said, none of it goes to corporation projects but rather privacy and social advocacy.
edit: I'm guessing the Foundation actually takes money from the Corporation to fund itself since the financial statement seems to cover both, anyone know if that's the case?
I agree, I never understood that argument. We have a fairly large and wonderful kids' hospital that looks for donations, and some of my friends said they wouldn't donate because their CEO makes 500k and he should donate his money instead.
I had to explain that you want to recruit great talent, and that 500k is less than he could make someplace else.
Right. What people actually want is some form of income equality, which would bring executive level salaries in line with their actual worth. You're not going to achieve that by starving non-profits of executive talent in the meantime.
I respect you a lot, but how is what Mozilla's doing in regards to that at all respectable? It's not "starving them of talent" to not increase Baker's pay as Mozilla is laying off employees? She's been there since (almost) the beginning, and the performance of Mozilla has gotten worse over the last decade.
I'm responding to the general complaint that executives at large non-profits are paid too much, and therefore the non-profit is not using money wisely, and so should not be donated to. There's a certain pool of people who are qualified to run companies of these sizes, and in order to attract that talent, you need to pay a competitive wage. The non-profit-ness of the company can be a factor, but like it or not, money is a major motivator, and will affect what kind of talent you can recruit. The problem isn't that a given non-profit executive is overpaid, the problem is that all executives are overpaid.
This isn't a Mozilla problem, it's an income equality problem. Punishing Mozilla by restricting the size of the pool from which they can recruit won't solve the problem.
I can't speak to the current Mozilla executives' performance. I'm not qualified to judge that. I will say that browser market share seems a poor metric, especially given the reach and pocketbook of Mozilla's primary competitor.
I bet a non-profit like that could find many qualified executives for much less money. There's an amazing amount of talent in the middle of most org structures that never make much past $100k/yr. I'm certain that a handful of these people would excel if given a chance and promoted to the top.
This doesn't happen because most boards are a good ol' boys club where networking matters, not because of a lack of available talent at a price point.
Our local YMCA pays the Executive Director $400k/year. The child care workers make $11.50/hr + free membership (i.e. minimum wage). The Y is great, but I'm not donating anything to them.
Do you care how Apple pays its executives when you shell out 3-4k on their laptops or 1-2k on their phones? The OP just said that Firefox is a great piece of software available for free, and they deserve to be compensated (in form of donation). Now, I'm totally on board with you that they waste money, that's not even debatable.
Which ones? Eich donated like $1000 to a political group that (I would hope) most of us disagree with, but Eich != Mozilla, and he was removed because of the backlash
Riseup is absolutely in line with Mozilla's mission statement, though, and all things considered pretty good:
"Riseup provides online communication tools for people and groups working on liberatory social change. We are a project to create democratic alternatives and practice self-determination by controlling our own secure means of communications."
They have an actual anarcho-communist star in their logo and their website features revolutionary imagery and policy statements like "all labor is valued equally" and "the means of production should be placed in the hands of the people".[0]
I'm sure it's a fine organization if you subscribe to their views. I do not, and I'd rather not fund them, directly or indirectly.
I don't share their views, but I'm thrilled that their project exists and very happy with Mozilla donating to help improve their email client security, since it's a major player in the pro-privacy ecosystem. If I had to agree with the philosophical beliefs of everyone I gave money to, I'd starve.
If I donate to a FOSS project, I want the money to go into the development of their software and not turn into some proxy funding of other projects and organizations - especially not ones I disagree with. In fact, I think that's a pretty reasonable expectation.
I did not know about riseup (or Mozilla funding them) and parent provided insightful information about them. Given the funding structure of Mozilla, I could see this being a red flag for donations for some organizations/individuals.
The Riseup Collective is an autonomous body based in Seattle with collective members world wide. Our purpose is to aid in the creation of a free society, a world with freedom from want and freedom of expression, a world without oppression or hierarchy, where power is shared equally. We do this by providing communication and computer resources to allies engaged in struggles against capitalism and other forms of oppression
>> We do this by providing communication and computer resources to allies engaged in struggles against capitalism and other forms of oppression
Better yet, donate to Brave, which doesn't share Mozilla's conflict of interest with Google (Google is Mozilla's #1 source of income). Best of all, you get a browser just as fast as Chrome, if not faster, because it's Chrome without all the junk.
While Brave not taking the "Search deal with Google" route is commendable, you shouldn't donate to it, either.
Venture-funded for-profit startups don't need donations, and again, donations will be more heavily felt by the people maintaining the software you use every day that isn't created by behemoths.
They're already getting more than enough to fund development with the Google deal, which they've shown no willingness to let up on, despite it seriously compromising user privacy. Donating to Mozilla at this point is just encouraging organizational bloat.
I guess we'll have to agree to disagree (which is fine!). I'd rather continue donating to them to show there are funding sources outside of advertising, which is a business model I despise.
There seems to be a huge problem though: for some reason it seems they aren't allowed to use donated funds for what I thought was the main reason for Mozilla's existence: development of the Firefox web browser.
Instead, donated funds seem to go to outreach etc.
I have nothing against outreach but if this is the case I'd rather donate to such organizations directly (or rather increase my monthly donation to Amnesty International).
Sure. I guess to me that feels like an implementation detail. I like Mozilla and I want them to exist so I give them money. If they stopped making Firefox, I would probably stop giving them money. But whether my money goes to Firefox development is up to them, they know their financial arrangements better than I do. I understand if you don't agree with that policy.
So I pay for Pocket Premium, as it is wholly owned by Mozilla, as a way of diversifying their income away from search and donations. I like and use Pocket and get something in exchange for my money (which makes me more likely to keep a rolling payment going). I know it's not open source, but tbh that doesn't hugely bother me given that Firefox itself is.
Does anyone object to this indirect way of funding Firefox? Does it cause indirect harm by making them prioritise pocket over Firefox?
I've spent a lot of time considering Pocket Premium but the price point is just too high. Maybe if they roll in features from feedly and have a really nice RSS reader.
I also hate spending money on news that isn't going to journalists.
Well that’s why I factor it in as a donation to Firefox instead of paying for the features (which I agree with you the price point is way too high for what you get).
Mozilla Corporation is a for-profit company. Depending on the jurisdiction, it is sometimes forbidden, or at least very difficult/limited, for a company to take donations.
Mozilla Foundation is the non-profit organization (and they do take donations).
Sorry, I can't bring myself to trust them after Pocket, Mr. Robot, and of course the time they fired that guy for having a fetish. I might use their browser product if it ever seems like it'll be better for my needs, but I'm certainly not giving them money.
I don't understand why Google and some other tech companies use their users as involuntary, unpaid guinea pigs. No consent. No opt-out.
What's the motivation? Is it simple laziness because they don't want to deal with wetware? Is it fear that if people knew what was happening they wouldn't be happy? Google has eighty brazillion employees it can test new features on.
> I don't understand why Google and some other tech companies use their users as involuntary, unpaid guinea pigs. No consent. No opt-out.
It's crazy to me to think about when I was in college (in the mid aughts), I was doing a lot of research into Native American cultures. The amount of releases, paperwork, and other hoops you had to jump through in order to just interview subjects was pretty daunting.
The fact that we have become involuntary research subjects, without any protections as research subjects or an easy way to opt out of these companies' data collection (which is itself an ongoing form of research), is staggering to think about.
"Scientists run tests on guinea pigs. A/B testers run tests on me. Therefore I am a guinea pig. Guinea pigs have no rights. Therefore A/B testers are taking away my rights."
I've never been a fan of this particular type of logic and reasoning (or lack thereof).
In the tech world, maybe. But not in the real world.
For example, one of the colleges I went to was in an area with a lot of pharmaceutical companies. My friends would A/B test drugs for the companies. They made enough money to pay for college. But it was all completely consensual, with contracts and disclosures, etc...
Companies in the increasingly morally bankrupt SV bubble just test on people without letting them know about it. That's the problem.
Like it, or not, these companies believe the terms of service at the bottom of the page suffice for your consent. We really need this problem to be tackled on many levels (legal precedents that terms don't matter, education, encouragement of good alternatives, etc.)
Until that time, folks in the SV bubble will just keep doing this. Companies that can operate only from the US are effectively untouchable when it comes to regulation. Big companies like Facebook get caught a bit because they have offices, but many no name companies acting as data brokers, etc. don't have a presence and are hard to deal with.
Bias up front: I work at Google but am not speaking for Google.
> involuntary, unpaid guinea pigs.
I don't see how this is involuntary. You are choosing to use the product. If you choose to use the product, yes, you may be exposed to features that the product has. If you don't want to be exposed to those features, the way to opt out is to not use the product.
> What's the motivation?
It lets the company incrementally roll out and test features in real-world network configurations at scale. As far as I know, almost all tech companies do this.
Let's say you're Fapplebooglezon and you have an idea to put kitten emojis on the "Buy Now" button. Before you ship that, you want to make sure that:
1. The feature works correctly. It doesn't crash or have significant performance problems.
2. Users, in aggregate, like the change. No one wants to ship a "New Coke" debacle. It's bad for the company (they lose money) and bad for users (they don't like the product).
3. Your servers and network can handle the consequences of that change. Maybe users will be so excited that they all click "Buy Now" twice as much. You need to make sure your servers don't crumble under the increased load.
These are reasonable things that benefit both the company and users. So the way features and changes are usually shipped is like:
1. The feature is implemented behind some kind of flag. [0]
2. "Fishfooding" [1]: The team developing the feature starts using it. This gives you some feedback on "does the feature work correctly" but that's about it. The team owns the feature, so they are biased in terms of its usability. And they are on a privileged network and not a large enough population to verify how this affects the distributed system.
3. "Dogfooding": The entire company starts using it. This starts to give you some usability feedback because now people who don't have a stake in the feature are being exposed to it. But it's still skewed since employees are likely not a representative user population.
4. "Canary": The feature is enabled for a randomly selected small population of external users. Now you start getting feedback on how the feature performs in the wild on real-world machines and networks. The percent of users is kept small enough to not crush the servers in case anything goes awry, but you can start getting some performance data too.
5. "A/B testing": Now you start collecting data to see how behavior of users with the feature compares to users without it. You can actually start to get data on whether the feature is good or not.
6. Assuming everything looks OK, you start incrementally rolling it out to a larger and larger fraction of users. All the while, you watch the servers to make sure the load is within expected bounds.
7. Once you get to 100% of users and things look good, you remove the flag and the feature is now permanently enabled.
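A minimal sketch of the flag-gated, percentage-based rollout described in the steps above (this is not any company's actual implementation; the IDs and feature names are invented). The key property is that a given installation's decision is stable as the rollout percentage grows:

```python
import hashlib

def rollout_bucket(install_id: str, feature: str) -> float:
    """Map an installation id to a stable bucket in [0, 100)."""
    digest = hashlib.sha256(f"{feature}:{install_id}".encode()).digest()
    return int.from_bytes(digest[:8], "big") / 2**64 * 100

def is_enabled(install_id: str, feature: str, rollout_percent: float) -> bool:
    """Once an installation is in the rollout, it stays in as the
    percentage is ratcheted up from canary (1%) toward 100%."""
    return rollout_bucket(install_id, feature) < rollout_percent

# Everyone is in at 100%, and (essentially) nobody is in at 0%.
assert is_enabled("install-1234", "kitten_buy_button", 100)
assert not is_enabled("install-1234", "kitten_buy_button", 0)
```

Hashing on the feature name as well keeps experiments independent: being in the 1% canary for one feature says nothing about your bucket for another.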
> Is it simple laziness because they don't want to deal with wetware?
Google, like most other companies, also does lots of user testing and user surveys too. But that doesn't give you insight into the technical side of the question — how the feature impacts the behavior of your distributed system.
You may not be aware of this, but this kind of in-the-wild product testing is something almost all businesses do, all the time. Food companies test new products in grocery stores in selected cities [2]. Car manufacturers drive camouflaged prototypes on the road [3]. Restaurant chains tinker with recipes to see how sales are affected. There is absolutely no guarantee that the Coke you're drinking today has the same ingredients as the one you had yesterday.
You seem to think this is some nefarious scheme, but it's just basic marketing. You want to make a thing people like, so you make two things and measure which one people like more. People "opt in" and "consent" by using the product. If you don't want to be a "guinea pig" when McDonald's changes their French fry recipe, don't buy the fries. If you don't want to test out new Chrome features, don't use Chrome.
> I don't see how this is involuntary. You are choosing to use the product.
It's involuntary because it's not informed consent. Google doesn't tell people up front or in any meaningful way that this is happening.
That's like saying "Oh, that steak was covered in the chef's experimental hot sauce that we didn't list on the menu? Well, too bad, you chose to come to this restaurant."
> It's involuntary because it's not informed consent.
I think you're making an analogy that doesn't logically apply. "Informed consent" is a property of healthcare administration. When you're putting drugs into someone's blood stream or cutting them open while anaesthetized, yeah, you need to make damn sure you're doing the right thing for them.
> the chef's experimental hot sauce that we didn't list on the menu?
Likewise, when you're serving food that someone will ingest and which may cause allergic reactions or food poisoning, again the bar is pretty high to make sure you are treating people safely.
But we're talking about using a free piece of software. If Chrome changes the color of their tab bar, no one is going into anaphylactic shock. When Facebook adds a new button on the sidebar, there is little risk of that inadvertently severing someone's carotid artery.
>I think you're making an analogy that doesn't logically apply. "Informed consent" is a property of healthcare administration.
No, it is used in healthcare, but it is by no means exclusive to that domain.
And the European Union clearly has a different opinion when it comes to the use of personal data:
"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided."
If I use a bunch of older Chromes from portableapps, are those affected by feature testing, provided I've disabled google update but I'm not behind a firewall?
In other words, is feature polling just hard-coded, or is it bound to a specific installation?
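Going by the Chrome variations notes quoted elsewhere in this thread, it's neither purely hard-coded nor tied to the binary: trial assignment is derived from a seed chosen randomly on first run and persisted with the installation, so each portable copy would get its own assignments. A rough model (the function names are mine; this is not Chrome's actual algorithm):

```python
import hashlib
import random

LOW_ENTROPY_RANGE = 8000  # 0..7999, per the quoted docs (stats/crash reports off)

def pick_seed() -> int:
    """Chosen once on first run and persisted with the profile."""
    return random.randrange(LOW_ENTROPY_RANGE)

def trial_group(seed: int, trial_name: str, num_groups: int) -> int:
    """Deterministically derive a trial group from the persisted seed,
    so one installation always gets the same answer for a given trial."""
    digest = hashlib.sha256(f"{trial_name}:{seed}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % num_groups

seed = pick_seed()
assert trial_group(seed, "tab-color", 4) == trial_group(seed, "tab-color", 4)
```

Resetting the seed (the `--reset-variation-state` flag mentioned in the docs) would reshuffle every trial assignment at once.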
Thing is, with TVs, you're only half the customer. That's why TVs have gotten so cheap: the extra revenue stream from selling data. You can't even buy a dumb TV any more.
I agree completely, that's what's so messed up with this "freemium" model that's so popular these days. If companies need to develop the ad-ridden version with tons of tracking to monetize free users anyway, what's the incentive for them to turn it off for paying users?
It's not like 99% of them are going to care and/or notice anyway, and if anything it would be more work to test and maintain a different version of the code without trackers.
Just pay for the things you use, people, and block everything you can with browser plugins. This model needs to die.
This is a meaningless cliche. Just because users of Google products don't pay in cash to use them doesn't change the fact that Google has to attract the users to their platform in the first place, and keep them there.
I don't understand your group: the company offers everything for free at the price of your privacy, and you also give them money?
If I were paying for a service that didn't respect my privacy, I wouldn't give them my identifying payment info as well. Your fingerprint is connected to all of the credit data providers. If you don't pay, they have to guess or connect you some other way.
Google employees are not a random sample of their user base, so such experiments would be meaningless.
See the fiasco where they broke Terminal Services last year as an example of what can go wrong even when doing experiments on the whole user base.
Also consider how to measure the usage of web features Google's own websites don't use, but are popular on e.g. intranets in Korea.
A/B testing isn't bad, it's a good thing. People are notoriously not very good at giving feedback. Experiments and usage statistics let you get the ground truth about what they really value, and what's really working.
Google employees are not a random sample of their user base, so such experiments would be meaningless.
This is a lazy argument. Google isn't some scrappy tech startup where 90% of the employees are programmers. Google has legions of lawyers, mailroom clerks, accountants, travel coordinators, janitors, cafeteria workers, middle managers of all stripes, and so much more. Thousands and thousands of people it can test on without violating the privacy of the general public.
A/B testing as implemented in industry:
- evokes emotional responses eerily similar to those evoked when gaslighting is noticed
- is uncompensated
- is inconsistent with any semblance of established research ethics
- is generally non-consensual
- completely undermines trust
I'm not normally one to make a big deal about this sort of thing, but there is a reason research ethics exist. If one can't be trusted to even attempt to follow ethical research protocols, one damn well shouldn't be trusted with anything important.
Your user's time and information is not yours to share. Whether you bury it in the fine print or not.
Microsoft Vista was a Windows 7 beta, and was "necessary" to basically experiment on the entire Home market, to make the product stable enough for enterprise.
Then again, Windows 7 may have been one of the most complex software deployments in history, needing to support decades of poorly written drivers while making the system both stable and compatible.
>Microsoft Vista was a Windows 7 beta, and was "necessary" to basically experiment on the entire Home market, to make the product stable enough for enterprise.
That claim is directly contradicted by the fact that there's Windows Vista enterprise edition[1]. Vista is also supported for a full 10 years just like 7, which would be strange for something that was supposed to be an "experiment".
Do you understand what licensing is? That's one of the underlying aspects that's important with software and why you can't treat it like other things you buy. I'd add it's also why things that adopt software-style licensing models are bad too.
A company creates a licence with terms and you agree to use the licence under those terms by using the software. The terms are difficult to change unless you have leverage. The only party other than the company is often the regulatory authority. Regulation is limited in the US at best when compared to the EU. If you are from the EU then you probably assume the US works similarly, but most Americans don't recognize issues like this one. When they do, it's hard to fight the incumbents and make something opt-in, or ban it outright.
> What's the motivation? Is it simple laziness because they don't want to deal with wetware? (the start of your first paragraph applies here too)
It's fairly simple. The motivation is making correct decisions based on the gold standards of decision-making that some people aspire to. The model is not dissimilar to clinical trials, where a treatment is given to some individuals and not to others. The hope is that this form of experimentation removes bias and lets the product manager make the best decisions.
Based on this thinking it is not possible to test with just Google's employees. For many decisions, the bias will be significant, and ultimately the belief is that worse decisions will be made for users.
I'm trying to convey that in as neutral a way as possible. I think this can be a useful technique, but I think there is little discipline and accountability in the wider software world compared to medicine. You have PMs who'll routinely run an A/B test longer to collect more data (that's better, right?), invalidating their results, just to please management.
If anyone is going to implement this approach then I'd trust Google to implement it effectively to meet their needs. They do it on a large scale across their products and have many layers of people to ensure it's effectively meeting their needs. As stated in the previous paragraph, this doesn't mean that other people do it right, or that everyone in Google does it right every time. I'm sure they've had a fair share of failed experiments.
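The "just run it longer" failure mode described above is easy to demonstrate with a toy A/A simulation: both arms are identical, so every "significant" result is a false positive, yet checking significance repeatedly as data accumulates rejects the (true) null far more often than a single fixed-horizon test at the nominal 5% level. The numbers and the choice of test here are purely illustrative:

```python
import random

def z_reject(a: int, b: int, n: int, z: float = 1.96) -> bool:
    """Two-proportion z-test (pooled) on counts from two arms of size n."""
    p = (a + b) / (2 * n)
    if p in (0.0, 1.0):
        return False
    se = (2 * p * (1 - p) / n) ** 0.5
    return abs(a - b) / n > z * se

def false_positive_rates(n_experiments=2000, n=1000, peeks=10, seed=0):
    """Compare one honest fixed-horizon test against peeking at checkpoints."""
    rng = random.Random(seed)
    checkpoints = {n * (i + 1) // peeks for i in range(peeks)}
    fixed = peeked = 0
    for _ in range(n_experiments):
        a = b = 0
        hit = False
        for i in range(1, n + 1):
            a += rng.random() < 0.5   # both arms draw from the same fair coin
            b += rng.random() < 0.5
            if i in checkpoints and z_reject(a, b, i):
                hit = True            # a peeker would stop and "ship" here
        peeked += hit
        fixed += z_reject(a, b, n)    # single look at the planned horizon
    return fixed / n_experiments, peeked / n_experiments

fixed, peeked = false_positive_rates()
assert peeked > fixed  # peeking inflates the false-positive rate
```

With ten peeks the inflated rate typically lands at several times the nominal 5%. Medicine handles this with pre-registered interim analyses and alpha-spending rules, which is exactly the discipline the comment above says is missing in software.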
Nope, no one understands licensing. Which means that arguments grounded on "The user accepted the terms!" have a shaky ethical foundation. Not necessarily a shaky legal foundation, although that wheel seems to be turning.
Ahh, the good ol' "Firefox is too slow for me to consider it" statement. Is there any evidence that Firefox is slower than Chrome, other than old lingering memories of Firefox being slow ten years ago?
I have used both Firefox and Chrome and I can't subjectively tell that one is significantly faster or slower than the other. To be fair, I only have a handful of extensions and rarely have more than ten tabs open at a time, so my use case may be atypical.
I love that Firefox exists and Quantum is an amazing step forward, but Firefox still regularly runs away with gigabytes of RAM and hung worker processes. I have no problem with long-lived Chrome sessions but I need to restart Firefox ~daily. It's not bad memories of 10-years ago.
I've been using Firefox as my daily browser at work, home, and on my mobile devices, and I've literally never had issues with Firefox taking up too much RAM. Chrome on the other hand was always one of the main culprits when my computer(s) would start to slow down.
This is the problem with anecdotal evidence; everybody's subjective experiences are slightly different and further colored with their own biases, so you can never get hard facts out of it.
I've been using FF for a couple of months and I get huge random CPU spikes on my MBP that go away once I restart it. It works fine on my iMac and Windows tower, although JS execution seems slower (I mostly work on front end stuff).
It also seems to consume more battery on Android than Chrome, although I admit I've never done any serious testing.
Could it be because people who like their browser tend to tell others about it? I have absolutely nothing to do with Mozilla but I think the internet would be a better place if more people used Firefox.
Firefox isn't too slow, but you might be talking about how Google optimise their sites for Chrome at the expense of Firefox's performance through browser sniffing.
It's not odd at all. It's what the folks at Mozilla do. They jump in to every thread to push Firefox and Rust and make people think it's more widely used/better than it is.
Not everything is a conspiracy. I'm not a Mozilla employee, have never been one (probably never will be one). Firefox is awesome, fast, and extensible. It's my daily driver for all of my machines.
Side question: I've been trying to switch to firefox as my main browser but one thing is holding me up. When I'm using a private window, cookies are not shared between private tabs. I can see the advantage to that behavior, but is there a way to share them so that I can be logged into the same site in multiple private tabs? Unironically, I haven't had any luck googling this problem.
If you open a new tab from an existing tab, your session persists across tabs. So, for example, middle clicking on the Hacker News logo will preserve your HN session across tabs.
Huh, this is how I expected it to work and it does work for hacker news but it doesn't work for one site I want it to work for. I'll have to dig deeper, thanks.
You can make as many separate containers as you like, where each tab shares the cookies with all the other tabs in that container. For example, I have a Facebook container that only shares with Messenger and none of the other tabs. I can see it works because sites that are logged in on one container are not logged in on others. It's easy to right-click and reopen a tab in one of your other containers.
I think most people who advocate Firefox are not Mozilla employees. I am for sure not one, I do not even like Mozilla, but they are a much lesser evil compared to Google. And I think having multiple competing browsers is vital for preventing the internet from becoming a walled garden owned by some big corporation.
> It's a unique ID to track a specific Chrome instance across all Google properties.
> Really curious about your opinion, especially after the GDPR explicitly forbidding such tracking. Moreover, it doesn't make sense to anonymise user-agent if you have such backdoor.
I don’t appreciate your link to a third-party reader here, because you’re implying that the contradiction of HN’s style guidelines (code formatting is for code) is somehow made acceptable by the existence of an app that reformats it for only a few readers.
If I switch to an app rather than ask the person to stop, the other HN mobile users who use a browser rather than an app will continue to suffer. "Use an app" is not an acceptable choice.
I visited my family a couple of weeks ago and was shocked when my father told me that his phone 'received' some of our photos. I checked and a huge chunk of whatsapp photos that were backed up by my wife's phone had ended up in my dad's Google Photos account. I discounted it as my wife accidentally sharing the whatsapp folder with my dad but now I'm not so sure.
Yup, that's one of the issues you'll get with interlinked accounts; in this case, Whatsapp backs up / stores photos automatically to your phone's photo gallery, and said photo gallery is automatically synchronized with the cloud.
I don't know exactly what's going on with your wife's / your father-in-law's accounts though, are they sharing Google accounts, photo albums, or were the photos shared in the same whatsapp group?
> are they sharing Google accounts, photo albums, or were the photos shared in the same whatsapp group?
None of these. They don't share any accounts. I don't share any account with my father either. My wife and I use the shared gallery feature. The photos that ended up on my father's phone were shared by me and my wife with each other on WhatsApp. I suspect either my or my wife's gallery somehow "leaked" into my father's even though none of the accounts have any connections AFAICT. Probably we clicked some share button somewhere accidentally, but I couldn't find any shared galleries on any of our phones.
If you really want to help, suggesting an accurate and neutral title, preferably using representative language from the article itself, is a great way to do that. We don't know enough to get it right in every case, even when awake.
> We want to build features that users want, so a subset of users may get a sneak peek at new functionality being tested before it’s launched to the world at large. A list of field trials that are currently active on your installation of Chrome will be included in all requests sent to Google. This Chrome-Variations header (X-Client-Data) will not contain any personally identifiable information, and will only describe the state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation.
> The variations active for a given installation are determined by a seed number which is randomly selected on first run. If usage statistics and crash reports are disabled, this number is chosen between 0 and 7999 (13 bits of entropy). If you would like to reset your variations seed, run Chrome with the command line flag “--reset-variation-state”. Experiments may be further limited by country (determined by your IP address), operating system, Chrome version and other parameters.
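Back-of-the-envelope arithmetic for the identifiability concern raised in this thread, using the figures from the quoted docs plus two assumptions of mine: roughly 24 bits of usable entropy from the IPv4 source address, and on the order of two billion Chrome installations (an illustrative figure, not a sourced count):

```python
import math

seed_bits = math.log2(8000)   # X-Client-Data low-entropy seed: 0..7999, ~13 bits
ipv4_bits = 24                # source address, assuming the last octet is discarded
total_bits = seed_bits + ipv4_bits

# Distinguishing ~2 billion installations needs about 31 bits;
# ~37 bits of identifying information is comfortably more than that.
installs_bits = math.log2(2e9)
assert total_bits > installs_bits
```

The caveat cuts both ways: many installations share a /24, so this is an upper bound on what the header plus IP alone reveal, but folding in the OS, Chrome version, and the "other parameters" the docs mention only pushes the total higher.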