Researchers say MS Edge's telemetry has worst privacy of any major browser (winbuzzer.com)
365 points by based2 11 days ago | 97 comments

Worse than Chrome? That must have taken some doing then.

Ah, here is the key in the article:

"Notably, the study did not look at the web services provided by each of the companies, which also included Google, Apple, Brave, Mozilla. The focus was on the browsers themselves, rather than the ecosystem as a whole, which shows only one important part of the puzzle."

That explains it. Is Brave even 'Major'?

It’s en vogue to complain about Google, but the stream of data flowing into Microsoft is incredible and who knows if or how it is being used.

They have better competitive intelligence capability than any other company. Microsoft knows the org chart of millions of companies better than they do, knows who talks to who both in email and voice in some orgs, and knows where people work and where they move at work.

The telemetry sent up for Windows and Office is pretty comprehensive and invasive as well.

I wonder what they do with it. I see no evidence of improved product quality.

complaining about google is nothing like the whims of fashion. google is a legitimate threat to privacy and liberty, and that should be laid bare repeatedly so we don't get complacent and forget.

facebook as well, to a slightly lesser extent. microsoft is trying to compete on that front (poorly) and should also be called out.

it's not an either-or proposition, but an all-of-the-above one.

You forgot to say why Google would be a bigger threat than Microsoft, which is annoying given the person you are responding to clearly listed the reasons why Microsoft is actually collecting more information than Google.

Also, Microsoft has a much worse historical record than Google regarding protecting their users. For instance, at a time when Microsoft was happily complying with every rule required to be allowed to do business in China, Google decided to not comply and close its offices in that country, all in the name of privacy.

So yes, bashing Google in the comment section of an article about Microsoft Edge misbehavior certainly sounds like the whims of fashion, if not of organised business propaganda.

edit: beating Android keyboard to oblivion

> You forgot to say why Google would be a bigger threat than Microsoft

Microsoft wants you to use their spreadsheet software.

Google is a significant gatekeeper to information which influences what we know and the opinions we form. And that information is increasingly first party, e.g. YouTube, the Play Store.

No. Microsoft wants to control corporate and government identity, client compute and server compute.

Google is mostly about the consumer.

Between LinkedIn and O365, they have the ability to target their B2B marketing or facilitate surveillance more than any other organization on the planet. Google knows all sorts of things about me, but Microsoft knows who the government official handling a critical matter is, knows who their secretary is, and knows who the lobbyists, applications or service providers are.

Google may be evil, but Microsoft isn't some white knight. They are hard competitors well placed to unseat traditional enterprise players.

It seems you can’t say anything on the internet without someone interpreting it with rigid binary thinking. Fine then. Microsoft isn’t great either. Google does some good things. News at eleven.

> Microsoft wants you to use their spreadsheet software.

... and windows OS, visual studio, sql server, azure, linkedin, github, bing, skype, etc., which all collect data on you. Also, I love that you dismissed their office suite as just "spreadsheet software". It's only the world's ubiquitous office suite used everywhere in the world.

The idea behind that comment seems to have been: "MS has a known motive: they want to sell you software and make money. This is a business model I understand, and can deal with being on the other end of." The same argument is used in iOS vs Android debates: why isn't it the same shit, different smell? Because Apple sells you hardware, and Google sells You.

The glib terseness of the comment is a metaphor for the relative harmlessness of the business model. Not indicative of the actual product selection or annual revenue.

I think, anyway...?

Pretty much, yes.

It’s not so much that Microsoft or Apple’s business model is harmless—I certainly wouldn’t describe them that way—but their business models and their forms of influence are comprehended by most people.

> MS has a known motive: they want to sell you software and make money.

And the idea behind my comment was: They also want to sell you. Bing, linkedin, github, etc aren't selling you software. Also, windows OS has ads now.


> Because Apple sells you hardware, and Google sells You.

Apple also sells you. They sell you to music, movie, etc industry in order for the industry to support apple's platform.

> The glib terseness of the comment is a metaphor for the relative harmlessness of the business model.

Which I showed was wrong.

It's insane the amount of microsoft and apple support on a tech platform. I guess all the money that microsoft/gates spent on PR truly worked.

> I think, anyway...?

I don't think you thought things through too well... Your argument was basically google sells chromebook/hardware so everything else they do is fine.

> Apple also sells you.

By that logic, a shopping mall “sells you” to retail stores. A cinema “sells you” to movie studios. Etc.

Only those shopping malls and cinema chains that get you to sign up for something and get your info and have tracking capability. What do you think AMC Stubs A-List program is about?

Apple is worse than AMC or shopping malls since they have much more identifiable data on you ( even more than google in many respects ) and use that to sell you. Not just your data but recommendations/etc.

Apple sells you in the same way google/facebook/microsoft/etc sells you. Collectively and individually.

In the past shopping malls and cinemas used to sell you collectively to retail stores and movie studios. Now many of them can sell you individually to retail stores and movie studios. Something really has gone wrong when there is support for Apple on a tech forum. Usually apple just preys upon non-tech people who like overpriced shiny things. It's strange the amount of "support" apple and microsoft gets nowadays.

Oh, I didn't realise you're just spinning conspiracy theories. If any of that were true, we'd know about it. There would be leaks from employees of the companies who are receiving this data from Apple.

Wow, I was totally not being hyperbolic and I really did think Microsoft only made spreadsheets.

Thanks for that.

> Also, Microsoft has a much worse historical record than Google regarding protecting their users.

Google literally forces you into ad transactions. Their entire business model is based around coercing users into giving up their attention to businesses without your consent. This includes critical services such as youtube premium which is $15(!) to just remove the fucking ads. They don’t even offer this for their other services. So no, I can trust google as far as I can throw them.

Microsoft will make tons of money without spying on users and setting up "anonymous" profiles of people's personal tastes, behavior, buying patterns, and other personal information. Google will make significantly less money if they don't spy on users. It's not about Google, it's the domain itself. Advertising is a scummy business. Google brags about their advertising targeting capabilities, which simply cannot exist without spying on users. It beats me why anyone would think an advertising company would be pro-privacy. Their goal is to set up a toll booth on the internet by inserting themselves between the user and the content they want to actually get to. I'm waiting for Google to buy all the display companies and show a perma ad-box on the monitor itself. (haha.. I hope I didn't give them any ideas.. maybe I shouldn't even be making the joke.. :P )

>Microsoft will make tons of money without spying on users,

and they will make even more money by spying on users and selling that data. EvilCorp is not known for leaving money on the table. Google chooses to give away their products to lure people into using them. M$ has the luxury of having the users pay money for their products while also giving up the same data.

Actually there's been evidence that repeatedly hearing certain types of news makes people less sensitive to them. In other words, if people constantly hear about GOOG or MSFT being privacy concerns in the 21st century, those people will think of it as the new norm. Sad, but true.

that's definitely a valid concern, but i'm not sure we've reached that point. the constant pressure is certainly needed to get these companies to innovate away from products based on invasiveness and surveillance, or to have new companies pop up to out-compete them.

Maybe people want to get their sense of priorities first.

One of my guesses is security. The story behind the discovery of MS08-067 reads like a strong argument in favour of some telemetry. The TLDR is that someone at Microsoft noticed a strange crash in some telemetry bucket, and it turned out to be a wormable zero-day. There's a write up at https://docs.microsoft.com/en-us/archive/blogs/johnla/the-in..., for those interested, and even though that story is twelve years old by now the general premise still stands.

Yep. Every year the Windows security team catches 0days that are under development from the crash logs telemetry and is able to patch them before they're mass exploited.

Edge is nothing compared to defender ATP telemetry. For those with it, they also know every site you go to (outside of edge), every program you open, every file you interact with and much more.

They do a lot with it from a security perspective but I reckon they have plenty other uses for it as well.

It's nice to hear this mentioned. Just Windows by itself is a privacy nightmare. It's always amazed me that it isn't talked about alongside other companies and software with privacy issues.

and they own linkedin and github...

Microsoft doesn't have eyeballs like Google and Facebook do. Even if they have the data, they aren't a central point of the internet (search) or the prevailing social network (Facebook). The monetization to serve ads isn't there.

It's very likely that they sell that data to the US intelligence community.

One good example is Skype which they bought two years after rumors surfaced [1] that the NSA offered billions for solutions that can wiretap Skype calls. After they've bought it, they removed end to end encryption as well as the peer to peer system, sending all content over Microsoft servers.

It's a bit better if it's "only" shared with the US intelligence community instead of anyone who names a price for it, but obviously still not really good for privacy.

[1]: https://www.theregister.co.uk/2009/02/12/nsa_offers_billions...

No major video conferencing setup has peer to peer video because that is an ‘innovation’ patented by VirnetX.

I'm pretty sure Whatsapp/Facetime is P2P for video calling. But I'm not sure about a video conferencing solution i.e. a multi-party/group call. I have a service that sniffs packets going in/out of my home network which maps the remote IP to a registered ASN and the Lat/Lon coordinates. All of my Whatsapp sessions have been tagged with the name of the ISP at the other end and the right position coordinates. Not Facebook's/Apple's.

Follow-up: Was on a group call today on WhatsApp. All packets were being routed through Facebook. So, group calls are indeed not E2E.

Prior art on peer to peer video conferencing from 1992: https://en.m.wikipedia.org/wiki/CU-SeeMe

I doubt Virnetx’s patent is particularly strong.

> Apple responded by petitioning the PTO to invalidate these four patents. Through these various proceedings (and others initiated by additional interested parties), the PTO has invalidated every patent claim VirnetX has asserted against Apple, finding all either anticipated or obvious.


The four patents in question:

* https://patents.google.com/patent/US7418504B2/en

* https://patents.google.com/patent/US7921211B2/en

* https://patents.google.com/patent/US6502135B1/en

* https://patents.google.com/patent/US7490151B2/en

Sadly though, that decision by the PTO was partially reversed by the courts:


What? So my self-hosted P2P WebRTC is in violation of a patent? And the companies I set these services up for too? Are all the others (zoom, go-to, uberconf, jitsi, etc) just not doing P2P?

IIRC P2P doesn't scale beyond a few participants because all the streams are going to all participants. Centralized can reduce bandwidth and number of data exchanges

Maybe, I've had 10 in a room w/o much issue - but my team is all on good pipes. It's not a webinar.

But scale is a different (easier?) problem/risk than patent troll.

Centralize on the peer who hosted/called the meeting?

I think Skype P2P relied on super nodes which had the best bandwidth and processing

Their patent is BS. It's obvious, and probably has prior art too.

Tell that to Apple who just had to pay them about $500 million in a final judgement.

Aren’t software patents unenforceable in Europe?

Microsoft operates Bing and Bing Ads. Nowadays they are also serving ads in Windows 10 itself.

Market share is irrelevant, the incentive is there.

I haven't seen any ads in Windows 10. Is that a special version?

They exist in the free version of Windows 10 (without a serial key). They're embedded in all sorts of places, including Solitaire.

Not only in the free version.

I have a licensed Windows 10 at home installed from scratch, ISO downloaded from Microsoft. Before configuring it, yes, it had ads in it.

You have never seen the messages on the lockscreen or the preinstalled windows store apps in the start menu?

I've never seen ads on the lockscreen, and pre-installed crapware has been with us forever. I'm on home edition; it came with the laptop (toshiba satellite, for completeness)

To be clear if your lockscreen is the changing pictures there are messages on those that are "ads" in the sense that they can take you to promoted sites. Same with the built in Windows search. If web search is not disabled anything not found on your computer launches a bing search which like google search has results as ads.

Oh the text that when I click it searches for something like "grand teton national park wyoming".

I guess that's technically an ad, but my goodness is that the least intrusive ad I've ever seen. Wish all ads were like that.

It is nothing like the pop ups and pop unders of yore but still, you pay a license to use the operating system. There should be zero ads.

Agreed. I guess I just never clicked anything so didn't notice.

The crapware installation was never built into the OS before. That makes a difference.

MS does run at the heart of most businesses though. No ads, but potential for other sources.

> Microsoft doesn't have eyeballs like Google and Facebook do

[Citation needed]

The sentence you cite seems unrelated to "Worse than Chrome?". Google's web services have lots of tracking, but Chrome itself (like Firefox and Safari), according to this article, doesn't send a persistent tracking UUID, while Edge and Yandex browser do.

> Chrome itself (like Firefox and Safari), according to this article, doesn't send a persistent tracking UUID

According to the article:

> Edge also sends the hardware UUID of the device to Microsoft and Yandex similarly transmits a hashed hardware identifier to back end servers.

But Chrome also sends Chrome installation ID in X-Client-Data [0], which looks pretty much like hardware UUID.

[0] https://news.ycombinator.com/item?id=22236106

I recommend brave to all my non technical friends and family. Of all the options it has the best out-of-the-box privacy settings. If Firefox's rise in the late 2000s taught us anything it's that being the recommended choice of technical people can spur on pretty big growth.

You can't really grow any more from >90% share currently. Chrome has won and you are effectively just helping it to cement its monopoly by promoting Chrome-Pretending-To-Be-Not-Chrome. I understand that you do it with good intentions but the end would be zero privacy Googlenet. The only question is not "if" but "when".

I'm worried that is only true in the absence of a competing marketing budget. When nobody was pushing browsers, we had a voice. Now, it's hard to compete with the indoctrination of pervasive advertising of other browsers.

There is something much more concerning that nobody is mentioning:

Microsoft Edge removed encrypted sync. This sync data can include all of your browser history, which is arguably a much more serious privacy violation.

Chrome allows you to set a separate encryption passphrase for syncing your preferences & history to Google's servers. Edge does not allow this.

This feature (end-to-end encrypted sync) is huge for privacy, and nobody knows about it. It's never mentioned when people talk about privacy issues in browsers. It seems like people don't actually care to do slightly inconvenient things that will improve their privacy, they just like to be outraged about it on the internet.

> Chrome, Safari, and Firefox, meanwhile, tag requests with identifiers, but that information is reset when the browser is re-installed. All send details of the webpages visited to the backend via auto-complete, but with verifying identifiers. Chrome is, in this case, are persistent, while Safari’s are ephemeral and Mozilla doesn’t have identifiers at all.

First it says, Firefox tags with identifiers, then it says, Mozilla [Firefox] doesn’t have identifiers at all. What explains this apparent contradiction?

I think what they meant to say is Firefox has identifiers but they do not have persistent identifiers.

to me it seems they may think firefox and mozilla are two different things.

Or perhaps Brave was supposed to be one of those items?

Clearly, the article needed editorial proof reading in a few spots.

The paper is here: https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf. Should we change the URL to it above?

The comments are pretty tied to the claims of the current article at this point.

Note there's Microsoft's reply here: https://winbuzzer.com/2020/03/20/microsoft-responds-to-resea...

Apparently this hardware identifier is used to be able to comply with gdpr data deletion requests.

Nonsense. You have to track people in order to know that you are not tracking some people?

I don't understand Microsoft's angle with all of their telemetry in products like Windows, VS Code, Edge, etc.

Microsoft's biggest businesses are:

* Azure

* Software licensing fees (Windows/Office/etc)

* Gaming stuff (XBox, etc)

None of these benefit from having tons of data on their customers. Some of them might even lose sales because of it (do enterprises want their data sucked up into the cloud when using Office or Windows?).

Bing Ads make up such a small amount of Microsoft's income that they're pretty much irrelevant.

It seems to me that the rational thing would be to take the Apple approach. Use privacy as a feature that Google can't copy. Take advantage of the fact that one of their biggest competitors is mostly funded by targeted advertising and go where they cannot.

Since Microsoft is not doing that, and they're not stupid, I must assume that I am missing something.

What a world we could live in if Microsoft was a privacy champion. It would make a massive amount of fans.

Title is not ideal - suggest change to "Researchers say MS Edge's telemetry has worst privacy among major browsers"

We've changed it above.

I'm guessing you want to point out the top comment?

Reddit user CobraCabana wrote:

> This article isn’t about the telemetry data it’s about the identifiers.

> Edge sends over a unique identifier for the hardware

> Chrome and safari send one based on installation instance. Chrome persists the identifier safari doesn’t

> Firefox doesn’t send any identifier.

Site posts article about browser privacy while asking if they can send you notifications.

At least they ask.

Thanks, OneSignal.

It just makes up for their lack of a major search engine. I'm pretty sure it's safe to say Google knows more about you than Microsoft.

I'm starting to think Google PR's favorite channel is the editorial content advertisement.

In Microsoft's defense - this could simply be due to the authors' inability to address the multitude of different data exfiltration surfaces in FF and Chrome

Am I missing something or the paper is not linked? Or are my ad-blockers blocking something on the page.

Also, how are the virtualized tabs tracked?

the company behind the ad and spyware infested Windows 10 continued that abuse with their new browser?

I'm surprised, I really am

And I need to remind you that we’re talking about Out the Box here, not with add ins and extensions. Brave is capable of installing any extension found in the Chrome web apps page so you probably could tweak it further.

Why does this article keep resurfacing everywhere? I've seen it on /r/technology multiple times. I refuse to believe it. Chrome has to have the most telemetry: it is produced by an ad company after all. Of all organizations maintaining major browsers, Google is the most incentivized to collect data. Follow the money.

I don't necessarily agree with your argument - I think it's a perfectly reasonable conclusion that either Microsoft or Google could have worse telemetry in their browser.

That said, I noticed the strange behavior around this article as well. I've seen it pop up multiple times in various content aggregators, and the /r/technology mods even removed the post that I happened to notice and comment in.

I'm not sure why, it seemed like a completely reasonable article on its face. But maybe there's something underhanded going on behind the scenes?

Google's primary business is telemetry: I'd be shocked if they were worse at it than Microsoft. But I'm willing to accept you might disagree with this point.

Regarding the second point: And I think we agree here, the article is odd. It definitely seems like there's an anti-Edge narrative trying to achieve mindshare.

I should have decoupled my original comment, and only discussed the circulation of the article, as that's more concerning.

Google’s primary business is telemetry? Explain!

A means to an end for serving relevant ads, their bread and butter.

Their bread and butter is search ads, my dude. They don't need telemetry for that. They have search keywords. Almost all of their revenue comes from there and the margin there is huge.

What source suggests Google’s AdWords ads distributed across the entire web (all the AdWords sites that aren’t SERPs) don’t leverage telemetry and don’t drive meaningful revenue?

My guess: Everyone uses their services anyways, so they have no need to put as much telemetry in the browser.

Google also only needs to put enough telemetry in their browser to correlate your browsing with the other data they already have.

For pages visited, they likely get this for free for a good chunk of users who opt in to sync. What other interesting telemetry data is there?

I think chrome is a good browser as long as you're careful about which settings you toggle and you can live with the vendor having a mild incentive for adding new settings with bad (from a privacy pov) defaults. In return, you arguably get the most secure browser.

Which is basically zero. They do that just fine without telemetry. GA is ubiquitous.

The worst telemetry of any major browser so far, son.

Since most researchers are unable to see the future, it's generally accepted that such studies are done on the present and/or past.

Because it's not possible to see that every version of Windows has invaded your privacy more than every previous version, nor is it possible to extrapolate that they're going to continue down this path unless something stops them.
