Hacker News new | past | comments | ask | show | jobs | submit login
Chrome exempts Google sites from user site data settings (lapcatsoftware.com)
1320 points by arm 9 months ago | hide | past | favorite | 492 comments

Along with sign-in-to-sync, AMP, URL hiding, upcoming manifest v3, Google is doing their best to benefit advertising and data collection. As the market leader in ads, it is textbook anti-competitive behavior, but the courts will have to decide if it is legally.

I'm kinda happy they are doing it more and more. Just waiting for the last straw that breaks the camel's back.

This isn't the highly visible anticompetitive behavior which might cause a backlash. Regular people, or even journalists or judges won't even understand what cookie clearing on exit means.

If there's antitrust sentiments towards Google, it needs to come from some where else.

On the other hand, a corporation cannot be allowed to continue its anti-competitive practice just because the subject is too complex for an average person to comprehend.

Techology isn't going away and is becoming ever more important. It seems obvious to me that we will need cross-domain specialists to handle cases such as this in the future -- someone with both a legal and computer science background.

From https://scienceandsociety.duke.edu/learn/ma/ & https://scienceandsociety.duke.edu/learn/ma/jdma-program/

> Many of the most important challenges confronting the legal profession lie at the intersection of science, technology, law, and policy. Emerging science and technologies, such as AI, big data, social media, genomics, and neuroscience, demand an interdisciplinary approach and visionary leadership. Students in the JD/MA in Bioethics and Science Policy program spend their three years at Duke focusing on these intersectional problems and preparing themselves for a seat at the table in these discussions for decades to come and earn an additional degree while doing so.

This is something I've often called a retreat into complexity. Classic example: food corpo gets flak for putting something nasty into their products. They then switch to using an alternative that's just as harmful, just with harder to spot effects.

> This is something I've often called a retreat into complexity.

Thanks, I'm using this from now on.

I disagree. This sort of double standard is a very clear-cut and easy to understand case of abusing a dominant market position.

I wager that Google will be very quick to declare this a bug and fix it ASAP.

Here's what Google said when this same "Clear all Cookies except Google Cookies" issue happened back in 2018:


This 2018 CNET article has more details:


Yep, though specifically because it’s harming Google’s competition rather than users.

People understand perfectly well when you abstract it by one level: Google's web browser ignore's some of the user's privacy settings on sites Google owns.

> Regular people, or even journalists or judges won't even understand what cookie clearing on exit means.

It's been almost 30 years since the Cypherpunks. When billions of dollars or existential business threats are at stake, regular people are motivated to find a technically-knowledgeable peer for advice. There have now been several generations of financially successful tech entrepreneurs, some of whom move in non-tech circles.

Chrome is one thing the DOJ is using to push its case against Google.


Although politicians and the court does not understand the cookie, That doesn't mean we won't have a backlash. It just doesn't guarantee the backlash is technologically sound. EU's cookie law, for example, is just stupid from the pure technical standpoint.

It's your computer that store a cookie to local storage. It's your computer that decide to send back previously stored cookie. And they're crying like they don't have a consent.

> It's your computer that store a cookie to local storage. It's your computer that decide to send back previously stored cookie. And they're crying like they don't have a consent.

Fortunately, EU regulators understand that non-technical users exist and need protection from abuse.

Except your computer doesn’t know what the purpose of a cookie is, in order to decide what to do with any particular cookie.

Neither does the user, not by themselves anyway. Only the website knows really.

Antitrust action against Google is much more likely to come from the EU than from the US.

Combined with the latest twitter bout of censorship, the hammer is going to hit tech soon... very hard. They are running out of friends on both the left and right.

What are some ways in which Twitter is anti-competitive or acting like a monopoly?

These types of social interactions aren’t fungible. There are a finite number of viable social interactions to be discovered. Once discovered, network effects push towards consolidation to one platform offering that experience.

If you consider “social media” as a market, it has healthy competitive landscape. If you consider different styles of social interaction as separate markets, they’ve cornered markets. I don’t see competition in these spaces. Facebook != Twitter, and I feel that is why both can exist. Behemoths in neighboring spaces opt to buy a social experience instead of trying to compete with their own.

The missing piece, IMO, isn’t regulation around “censorship” for these platforms. It’s regulation that results in a rich market of products around a single style of social interaction. Example: regulation around interoperability.

The social media companies are arguing that "social media" is not an industry by itself. They certainly aren't going to have to argue that they don't have a monopoly on a specific genre of social media.

This 100%, well put.

Within businesses, people have evolved far past market definitions where widget x¹ competes with widget x². Our political savvy as consumers would improve if we could see that as well.

For example, why would Google approve a product like Stadia? What does it compete with? Nintendo, yes but not really, since so many Stadia players have a Switch also... just like most of us have Facebook and Twitter accounts. But maybe they're true competition is Netflix? Social media? Users are giving Google their time = data = insights = further monopolistic advertising power.

I am not sure exclusively is a requirement for being considered competition. Netflix and Disney Plus are competitors but that doesn't stop me from subscribing to both.

Can you please elaborate a bit more on the fungible interactions part? I am not sure I understand that bit.

Suppose Tesla tomorrow becomes the sole manufacturer of battery powered cars. However, the good (dirty?) old petroleum based cars are still out there and on the road (not a lot but still). However, everyone wants an electric car in future - will that make Tesla a monopoly?

How will it be different or same in this case of Twitter or Facebook?

It has to do with interchangeable goods. Typically, only interchangeable goods are in competition. I.e. if I want paper towels, I can buy Brawny or I can buy the store brand. I may have a preference towards one or the other based on price or performance or something else, but if the store is out of one, I'll just buy the other and move on with life.

A petroleum based car is largely interchangeable with an electric car, assuming we're talking one that will probably comply with environmental regulations over it's lifetime. I might prefer an electric car because of the environment, or to support the movement, or whatever, but at the end of the day, a petroleum car still gets me where I'm going. Tesla is unlikely to become a monopoly because even in the electric vehicle space, there are interchangeable goods. I'm not intimately aware, but it sounds like there are a couple other companies that make competitive models.

Where that interchangeability can get weird and not so clear is on a more specific market, where users don't necessarily have a choice. Tesla is the only company (afaik) that makes a fully electric truck. You could possibly argue that Tesla has a monopoly on fully electric trucks; I think the question becomes, are other goods interchangeable? Is a petroleum truck interchangeable? Is a fully electric SUV interchangeable?

Applied to social media, each of the major social media networks offers or encourages a substantially different type of social interaction. Twitter is largely for piecemeal content, and is largely more public than other forms of interaction. It leads to really high levels of engagement, and lots of flame wars. Instagram is all about photos, people go for the glamour. Facebook attempts to make you engage with your network more, I find people share more personal information there. Reddit is more anonymous than the other two, and builds around the concept of communities, which are featured more prominently than the other platforms.

I think we all agree nobody has a monopoly on social media. The question is whether it's possible to have a monopoly on a particular form of social media. Are Reddit and Instagram interchangeable for you? They aren't for me, so I would say that they aren't in competition and as such, the existence of Reddit doesn't prevent Instagram having a monopoly any more than the existence of Chiquita does.

"Social media" is an incredibly diverse category of services. Deciding the monopoly status of a company based on the health of competition in social media is like deciding whether to break up Standard Oil based on the health of the entire raw materials goods sector. It's not a granular enough measure, because it contains several non-interchangeable goods. If Standard Oil jacks up the price of oil, I can't just go buy iron instead; I can't put steel in gas tank. Likewise, if I get pissed off at Facebook and decide to quit, I can't just go somewhere else. My 80 year old grandma is on Facebook, teaching her to use Twitter is going to be a problem, and I generally don't know if I want to expose my grandma to the cesspool that Twitter can sometimes be. The services are not interchangeable to me, so Facebook has a monopoly on that service. My choices are to play by their rules, or to just bow out of the experience entirely. Let's say we ignore the legal technicalities of a monopoly for a moment; doesn't the outcome look remarkably similar? If this doesn't count a monopoly, it seems to lead to the same place, and perhaps it's non-monopoly status is due to a flaw in the law, rather than being expected behavior.

"Being a monopoly" isn't illegal; abusing a monopoly position is what gets you in trouble. What does Twitter do that would be considered abuse of their monopoly position on Twitter-like social interaction?

I’m not suggesting they’ve violated laws. I’m suggesting new regulation targeting “censorship” might not be the best approach. They’ve cornered a medium of communication. People are upset by their moderation policies. By breaking the users out of the Facebook silo, through regulation, you can create a marketplace of experiences where there was once a monopoly. Each experience comes with its own moderation strategy.

Based on what I see people complain about in twitter the criticism is on a different axis: selective and inconsistent application of rules to appease whatever group they are worried at the moment.

In terms of regulations this is within reach of possible changes to how the notorious section 230 is applied.

I recommend https://www.youtube.com/watch?v=O1OhE4w0TAU for a competent commentary.

I don't think he understands the Streisand effect in this context. It was inevitable either way that the majority would hear about the fake Hunter Biden story the ideal case for both the truth and for Biden is that people hear about it in the context of it being fake crap being propagated by an unreliable source instead of having it laundered through a million and one personal contacts who can rightfully claim to be sharing a legit piece of news.

“A lie will go round the world while truth is pulling its boots on.”

C. H. Spurgeon,

Whereas a truth is may be amplified by ineffective blocking a lie may be irreparably damaged if the truth gets there first.

Regarding 230 the primary author of the statute disagrees with Thomas.


Justice Thomas is the Giligan of the supreme court.


>Why was this? It is because Thomas is not a conservative but, rather, a radical—one whose entire career on the Court has been devoted to undermining the rules of precedent in favor of his own idiosyncratic interpretation of the Constitution.

Personally this sounds like an intensely editorial decision on Twitter side then.

Anyway what I was referring to was how Twitter's moderators decided to restrict this news based on it being obtained through hacking, but few days ago had nothing against Trump tax story that was based on illegally obtained documents.

I had a problem with the Biden hard drive story because I believe its a lie. I have no reason to believe the tax story was anything but honest. Twitter's difficulty is not wanting to admit why they censored it.

> What are some ways in which Twitter is anti-competitive or acting like a monopoly?

You don’t have to be anti-competitive or abusing a monopoly to be the target of regulation.

twitter isn't doing those, they're losing friends through censorship. which they legally have every right to, but the powers that be are now campaigning to change that legal protection (exemption? sinve no one understands the second amendment)

You’re allowed to say whatever you want and I’m allowed to sue you if you tell lies about me. Twitter and other social media platforms are made exempt from this because they are hosting other people’s content and they’d be sued into oblivion if they could be held responsible for what everyone posts on their service. But as soon as they start censoring whatever they want, they aren’t a true public platform anymore, the content you see is what they want you to see. So they should also be liable to civil suits if the information they allow to disseminate is not true. This isn’t about the second amendment, IMO.

They were NEVER a public platform they were always a private company. Its a commonly repeated untruth that as soon as they start moderating they cease to be protected. Nothing could be further from the truth 230 specifically protects their right to moderate.

People advocating that position usually have a very specific idea about how they want sites to be moderated, but section 230 is about not treating platforms as if they're the speaker when one of their users posts illegal speech, regardless of moderation. Of course, politically biased speech is not illegal, so it's really about punishing platforms for moderation somebody doesn't like.

A more reasonable target for a 230 carve-out would be recommendation algorithms. Those aren't merely passively hosting user-generated content, but actively selecting what they think you should see to keep you engaged with the platform. Featuring content rather than showing it ordered by some simple criterion like time should be treated as editorializing rather than moderation. If a human editor decides to feature lies I tweet about you on their "best tweets of the week" page, you may be able to sue them for libel. If twitter's algorithm shows lies I tweet about you to a large audience, you currently can't.

Arguing that the recommendation algorithm is editorializing is an argument for the choice of algorithm being an instance of free speech which would be protected from such meddling.

I don't think current law and understanding of same allows any major changes to how we treat platforms. I tend to think that any major changes in the law are liable to be for the worse because even well meaning law makers seem to possess a mostly incompetent perspective on tech.

The algorithm would have free speech protections under such a scheme, and it's likely courts in the US would conclude that it does under current law. Those do not necessarily extend to repeating lies that I have published about you, which are not protected as free speech.

The company has a free speech interest in choosing the algorithm to make it clear. Lies might be protected speech but 230 makes it very clear whom you are allowed to sue regarding those lies. Wishing the law was different doesn't change the law.

What twitter is accused of is of applying its rules unfairly and with bias.

Section 230 protect the right to moderate within bounds.

To use the actual text, it indemnifies them from lawsuits arising from:

> any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected;

So long as their actions are in good faith, and the content can be lumped into "otherwise objectionable" (as I'm sure most anything could), they are well within Section 230 protection. Even if they have an implicit bias in their moderation. Even if they have an explicit bias in their moderation that they put in their ToS. It specifically says "that the provider or user considers obscene...", which explicitly states the bias of the provider is considered.

The only way Twitters moderation could remove their Section 230 protections is if they did it in bad faith. If they were doing it specifically to try to lose Trump the election, that might count as bad faith because it has nothing to do with limiting access. They are, however, free to remove everything he posts because they find him to be objectionable. Or to remove things they think they are objectionable. Or to only remove violations of their ToS when Trump does it, because they find him or his past patterns objectionable. Or because they find it more likely to lead to flamewars, etc on the site when he does it. Etc, etc, it's mostly a hypothetical because you have to prove bad faith, which is hard unless someone is dumb enough to write it in an email.

The following is my uninformed opinion, you can probably skip it; I recommend https://www.youtube.com/watch?v=O1OhE4w0TAU for a competent commentary.


Twitter violating its own ToS and/or promises to the users sounds like an example of bad faith. (This would not apply if Twitter's marketing was 'Fuck you! we do whatever we want', instead they promote themselves as a fair platform)

Moreover the entire exemption does not apply when the `provider` is not a provider but is actually a publisher using editorial discretion. (for example if twitter decided to ban false statements in tweets this would clearly put them outside of section 230 immunity)

I would recommend citing legal scholars instead of YouTube personalities. The person you are quoting its a Canadian lawyer of no meaningful repute who gave up his legal career of a paltry decade to become a YouTube influencer. He has never even been licensed to practice law in the United States.

His opinion is out of sync with what legal scholars and indeed an what an author of the law says the law means.

Just on a laymans reading of the text good faith isn't given in some universal context of fairness or fair play it is given in the sentence.

> any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected;

Good faith herein means actually because they found it objectionable not for some ulterior motive.

In order to assert that the removal wasn't protected under 230 you would be asked to prove the contents of the minds of the decision makers that the removal was NOT because they found it objectionable. They could literally argue that they found the effort to influence the election itself objectionable and suppressed it therefore and be safe within the boundaries of the law.

In fact good faith .... otherwise objectionable is so broad as to encompass virtually any removal for any reason

Furthermore finding that one removal wasn't protected under 230 wouldn't magically dispel all legal protection it would mean for the purpose of THAT removal someone could sue them if they had just legal grounds.

I don't believe your source provided one.

Personally* I have doubts[1] about this reasoning, in that it doesn't cover how this would not apply to the New York Times.

I can agree with your interpretation that where the protection of section 230 applies companies would be allowed to remove basically whatever they want.

But there need to be a criterion distinguishing why Twitter can claim this immunity while newspapers cannot. The rights granted need to have some kind of obligation.

From what I understand the people that are trying to attack this immunity have mostly given up with the argument "Twitter monopolized a space for discussions so it should be held to constitutional standards like telephone companies" or "social media platforms are clearly acting as publishers of their content" and are rather trying to push "social media companies falsely promised open forums to users and content creators only to hit them with draconian rules once a monopoly was established" (had facebook (or youtube) had the same ToS since its inception it would have never become a monopoly).

With this last argument the entire question of section 230 is sidestepped.

As far as I understand it will not actually accomplish anything soon; a lawsuit on these premises was successful against Patreon, but those were very special circumstances.

[1] https://slatestarcodex.com/2013/04/13/proving-too-much/

* I am even more remote from the US than a Canadian lawyer, but I do not see my role as telling the courts what they should do, but rather as someone that is trying to understand what is happening and trying to develop informed opinions.

You say you doubt my reasoning but substitute none of your own save for a stale youtube link to the diatribe of a non entity and a link introduced but then neither explained nor contexualized.

I honestly don't know entirely what it is trying to express. "Proving Too Much" seems to be a complete non sequitur I have no idea what you fallacy you are suggesting is expressed by the prior or any other post on this subject.

>But there need to be a criterion distinguishing why Twitter can claim this immunity while newspapers cannot. The rights granted need to have some kind of obligation.

You can institute new obligations as soon as you buy your own congress critter and get them to write new laws. If you believe such obligations are already expressed in law kindly cite the statute and section.

The distinction between the print copy published by the New York Times and say reddit/twitter/facebook is literally that this is the distinction the law makes. It doesn't have to make sense to you to be the law of the land. Particularly the short comprehensible section already the primary topic of discussion.

If you want to dig into why it seems relatively obvious. The finite first party content is dear and expensive and the act of curation is already inherently an expectation. Asking a publication to take legal responsibility for what they publish is a tolerable and reasonable burden.

Reddit/Twitter/Facebook solicit users to produce a veritable ocean of content for which they offer users a chance to communicate to their fellows and a small amount of server time which per unit is paid for by a slightly larger income from ads provided with that content.

Legal responsibility for content shared between you and I would be a herculean task, impractical, intractable, and expensive that would leave them with little choice but to cease operations.

Indeed few people actually want this what they want is 230 to be used like a club to keep people like twitter from shaping the conversation despite owning the property on which you expect discussion to take place and no law providing such a right to someone else's megaphone.

If you don't like it start your own website.

What I was trying to say is that there is a continuum between the New York Times kind of editorial control and Reddit/Twitter/Facebook moderation of content.

I am not saying that section 230 should not apply, I am saying that, to my knowledge, under current laws if a social media company decide to apply excessive editorial control (let's say twitter decides to only allow factually true tweets) they would lose the protections granted by section 230.

> The rights granted need to have some kind of obligation.

By "need" I meant that I believe these obligations already exist in laws.

> Proving too much

By proving too much I meant to say that since section 230 does not apply to newspapers the law must make a difference between them. To my understanding this difference is editorial control.

Finally I am not trying to have a debate over this, I am only trying to understand better the issue; I clearly have a side/bias, and I am trying to learn more about the many other facets of the issue.

> By proving too much I meant to say that since section 230 does not apply to newspapers the law must make a difference between them. To my understanding this difference is editorial control.

Instead of guessing what the difference is why not read the very short section 230? The difference is that 230 specifically deals with the web. The difference isn't editorial control its literally that the law directly speaks to the web. I would suggest in half the time required to watch the video one could read 230 twice over. This misunderstanding directly stems from concerning oneself with bad secondary sources.

>, I am saying that, to my knowledge, under current laws if a social media company decide to apply excessive editorial control (let's say twitter decides to only allow factually true tweets) they would lose the protections granted by section 230.

It's a short law read it.


There is no clause that specifies that a company even can in a blanket fashion "lose protection" in such a fashion.

First relevant section.

        (c) Protection for “Good Samaritan” blocking and screening of offensive material
        (1) Treatment of publisher or speaker

        No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.

This is completely without qualification.

Second relevant section

        (2) Civil liability

        No provider or user of an interactive computer service shall be held liable on account of—

        (A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected;


        (B) any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph (1).[1]

It says you can't be held liable for blocking something in "good faith" Nowhere on earth does it suggest that any action will cause you as an actor can lose protection under this act. It just says that no action taken in good faith can result in you being held liable for that particular act.

This means that in order for a party to sue they would have to prove both that they were blocked in bad faith AND completely aside from this title they possessed a legitimate cause to sue.

To be completely clear someone could post on reddit the libelous allegation that you ate babies causing you to lose your job at the day care a clearly obvious cause of action and then the ceo of reddit could personally block your profile to keep you from running against him for mayor of your little town. A judge could agree that your content was blocked in bad faith and you STILL wouldn't be able to sue reddit for the baby story.

If you don't like that reddit or facebook or twitter blocked your story your problem becomes finding a legal right to exercise your legitimate freedom of speech VIA their platform.

The DMCA has existed for 24 years longer than some readers here have been out of diapers and I can no platform has been censured yet for removing deplorables in a nation full of both deplorables and lawyers. It seems likely none ever will without a new law not a new interpretation.

Interesting :) in this context I still do not understand how this would not apply to the New York Times.

If I had to guess I might point at employer liability or contract laws, but it might be a discovery for another day

It applies to the New York Times comment page or indeed places where they offer people who don't work for the times a place to communicate. When someone who is paid by the times writes an article for publication they are responsible for that work.

It's DEFINITELY not about the second amendment.

I don't know, maybe content recommendations systems could be considered weapons...

They have every right to do it legally and you're right that the rules will probably change. People say "just go and make another platform" but Google literally tried and failed to make their own (Google+). If they cant do it who really can? Its not happening or it will take centuries/enormous resources to gain traction and compete. So we are left with an oligopoly that is censoring in lockstep and that's an issue for all sides because eventually its not them, its you, with time (amongst other issues). I think the platforms are a huge threat to democracy personally and I hope the new rules are meaningful and not just a knee jerk makeshift reaction.

Social media platforms are mature enough that half hearted efforts like Google’s won’t work.

But tiktok and Snapchat work. You know: real sustained efforts. Instagram launched 9 months before google plus. That should give you an idea of the landscape that google operated in. Instagram— with 13 employees at acquisition in 2012– works.

Google isn’t a determiner of what works. They’re one of the laziest implementers of new services/startups.. they literally throw something out there and try to coast off their name. In markets where the customers are mostly satisfied, lazy stuff like that doesn’t create a winning product.

Sometimes a narrow lane is found in social media in general, but I would argue the competition is still minimal or non existent for crossing lanes. For instance Twitter and snapchat and Tiktok are very different. I view the social media landscape as an oligopoly rather than monopolistic and they rarely cross into each others territory. Also the rate of new meaningful competitors just is not occurring fast enough when a democracy like the US has elections every 4 years. Theres a mismatch in competitor lane crossing and the rate at which democracy operates. Theres been what...2 or 3 major new social networks with limited scope that dont really compete with each other in 20 years on the western side? Its just not enough to make an impact and give people choice especially as we see them act in tandum.

Google+ just wasn't very good, the argument that no one else can do it doesn't sit right with me because google was half assing that from the beginning.

I think those are the optics because it never took off so it looked half-assed but they made an effort (Google+ was also launched a long time ago so it looks antiquated by todays standards). Maybe a better argument is that its been decades and nobody is meaningfully competing with facebook or Twitter in their respective categories even though there is tremendous economic incentive to do so. Network effects are very difficult to break. When the president is on Twitter nobody wants to be on Bob's basement network. Its locked in a feedback loop.

Follow up comment here because Ive apparently reached my limit for a while: I believe you. I still think a Google half-ass is going to be a stronger effort than another start ups full out stab at it. Facebook is the biggest "country" on earth almost by a factor of 2x with 2.7 billion people. Its just other worldy large and difficult to compete with especially today. But I get what you're saying.

I was following pretty heavy at the time, and unfortunately "made an effort" looked pretty poor to me. You are right network effects are difficult and if google wanted to throw it's full weight behind the problem instead of just dipping their toes they had the capital to shift opinion. I think this is far more likely google didn't have the will to make that a fully focused problem.

That argument of "just go and make another platform" is misled anyways: Even if I build another platform: Twitter is still the primary communication channel of the US President. Which means that all secondary users (interested citizens, journalists, ...) hang out there as well. Thus whoever they block there or not has an impact, even if my competitor has a few hundred million users.

A separate platform requires a compelling story. Google proves merely that money and dev talent aren't enough no matter how much you have of either or both.

I agree that the second amendment is often debated as to its intended (or proper) meaning, but I think you're talking about first amendment protections here.

The powers that wont be are complaining about censorship but as we all look back on the last 4 years and all the dead people the people running the government for the last 4 years are more apt to ask social media why they didn't do more.

This may not directly relate to monopolistic behaviour - but I remember once (pretty recently) when Jack/someone in his team revealed a screenshot of an interface in their backend that literally allows them to control public mood and opinion- such as trends, shadow banning, etc. To me, that is scarier than just being a monopoly. Imagine, you pull the right switches during an election campaign that could sway public opinions in the last minute (regardless of the political party you support). How they aren't under serious scrutiny after releasing such interfaces to the public is a grave concern to me.

I have even stronger concerns about Murdoch's media empire. Whatever Twitter might or might not be doing is child's play compared to what Murdoch is definitely doing.

Yikes—what are some examples?

Except Murdoch has significant competition.

Is competition enough to avoid that manipulation?

Twitter and Google are not the same... At all.

Congressmen may not realize this.

From watching the past several times they've been called before congress, it's abundantly clear that several congressmen (mostly from one party) do not.

That twitter “censorship” is them finally applying their user acceptance policy to even the most powerful.

Heh, way to make this a political issue and shoehorn in a completely unrelated topic.

And who even is "they"? The entire tech sector? FAANG? Or just whoever makes the rounds in the news at any given point?

In general, the issue of "Big tech companies have very large influence and are unchecked"

I'm afraid the lobby money will keep buying them extra straws.

As long as the political "contributions" still flowing into the right politicians, you can bet if there is any change, it will be adding more regulation that is too expensive for small players comply.

I'm, sadly, not so sure that straw will come any time soon. Major tech companies have been under fire for years now and nothing managed to break them. Not saying it'll never happen but monumental shifts like that can take decades to pass.

There were plenty of last straws. The missing piece is a powerful enough entity that has interest in regulating them. No, despite the GDPR the EU is not that.

This actually seems to me like a fairly blatant breach of multiple important aspects of GDPR on the part of google.com and youtube.com

Are there not serious fines for companies saying they opted you out of this kind of data collection and then not actually abiding by your requests?

France Sweden and the UK is already in on that action, Im sure others will follow.

Exactly, compared to what could be the maximum fine, there are no high profile cases. This is the point, GDPR is as useful as much as it is enforced, which is lackluster at best. We are not talking about a one off, for example Google has been continuously violating GDPR for years at this point.

GDPR entrenches big tech. Costly regulation always benefits the incumbents.

Not being able to set a "home" in maps unless I consent to be spied is another shitty behavior from Google.

And another shitty thing is that I can't tell them to omit certain websites from my search results, while at the same time they insist they need my information "to improve my experience".

This is exactly it. There's nothing personalised about Google search results. It doesn't show what I want to see, it shows what they want to show me.

I'd like a search engine where I have some input on the ranking of sites shown to me. Some sites are crap and I never want to see them, other sites are ranked low but often have info I'm interested in.

Even just let me vote my search results up or down on relevance. I can vote on everything else, why not this? (Though ideally, I'd love to be able to devise my own algorithm for these things.)

Does DuckDuckGo have this capability? If it doesn't, it should, and that would be awesome.

Filter out: Pinterest, YouTube, WikiHow, and all the other garbage SEO farms.

Duckduckgo doesn't have builtin. It wouldn't be easy without essentially tracking you, which is the opposite of their claims.

However there is a browser extension you can install. It's either endorsed or developed by duckduckgo.

I've found that I can do that in both DuckDuckGo and Google by adding, for instance: -pinterest -ebay -amazon -wikihow to my query.

My theory is that such a feature would take away too much power from Google being able to control the "sorting" of the search results and it would pull away the veil of what they really do (or don't do). I think the bulk of the common search queries and information on the web (that isn't exotic and super-unique) is accumulated at any one point by a handful of websites (think 100-1000-10000?).

It's highly conceivable that one could get a completely novel and diverse web and search experience if we were to exclude those concentrated websites entirely from search results. At that point, google can no longer slide on just showing the top results from a tiny subset of their index, and would be forced to always show results from the entire index. As opposed to now where 99.9% of the time, they mostly show you results from that smaller subset and 0.1% of the time show you the rest (that is of course only if you have a super-specific query or you force them with some of their remaining search modifiers).

You can do this with uBlock Origin filters, e.g.:


there used to be a google provided extension to do this, personal blocklist

they stopped providing it for some reason...

I liked it for blocking quora/pintrest/w3schools/...

Still there https://chrome.google.com/webstore/detail/personal-blocklist...

I just tried it for W3schools and it worked

that's some other random extension with a similar name whereas the original one was by Google themselves

personally I don't want some random third-party having the ability to exfiltrate my google cookie via an auto-updating extension

> personally I don't want some random third-party having the ability to exfiltrate my google cookie via an auto-updating extension

Driven by the same motivation, I've first adapted a userscript [1], but later replaced it with simple uBlock Origin filters:

[1] https://github.com/darekkay/config-files/blob/master/userscr...

You can do things like "brexit -express" in search or get an extension if you want that in all searches?

Or more specific -site:quora.com

I worked around that by briefly enabling history, setting the Home address and then immediately turning history back off. Obviously not ideal but it solved the problem for me.

> turning history back off

What does that achieve? They still receive your data, unless you are logged off and not using any google software.

What data? The location history feature in only on briefly while you are setting your Home location and once you turn it off again it stops collecting it. You also can go into your Google account and verify what information (if any) was collected in that window and delete it if you really feel that strongly about it.

This is really just Google using hostile UX to badger people into enabling location history and (in their eyes - hopefully) leaving it on.

Google collects Android users’ locations even when location services are disabled


That's distinctly different than the location/web history that Google pesters you to enable in order to set the Home location.

It might still be processed in aggregate, but they stop associating years of precise locations to your account.

I’d be surprised if they don’t follow that wish just for PR and legal reasons alone. The fewest people will actually opt out or if they do accidentally opt back in since the “enable web and location data” action appears anywhere from Maps to Google Home setup.

Just did this. Thanks

Why would you want to tell Google where you live anyway? Can you not just save your home as a regular starred place?

A better question is “why should Google be allowed to use your self-assigned home for purposes that you as a user haven’t consented to?”

> user haven’t consented to

User consented to "personalization of experience", and that's all it is. Personalised ads.

Those aren’t related things though?

Tongue in cheek

Google already knows anyways, using the map to set home is just for user convenience.

Yes. Imagine thinking you can hide your place of residence along with using google location services.

UnifiedNlp for the win :)


Do you think that solves the problem? What if 4G operators sell your information to data brokers, which then sell that information to Google?

Are 4G operators allowed to give away (or more likely sell) your data like that?


I want to tell Google where I live so I can say "ok Google, navigate home" and get directions home without having to touch my phone. If there's a phrase that gets hands-free directions for starred items without having to say the whole address, Google doesn't make that easy to figure out.

I know you said Hands Free.

My solution is a shortcut on my homescreen to my address, or somewhere close.

One click is worth it and for someone who pays more attention than most to the windscreen, safe enough for me.

Everyone who uses their phone while driving thinks they're one of the few who can do it safely, whether they're fully engrossed in a text conversation speeding down the freeway, or tapping an icon while stopped at a traffic light. Deep down, I think that too. That's why I can't give myself excuses to do it.

The location of the "Home" could be stored in the device locally.

Home and work are very "special" cases in that it's someplace most people regularly go to and from. So the app sends you personalized driving alerts/reminders, traffic updates, etc. There are definitely reasons for it, it's just not worth it to some. Others just have no idea that some of these nice goodies are helpful and not eerie and "privacy invading". So what if Google knows where I live and work? Frankly, that's something the government should know anyways, and it's failing abysmally judging by the amount of crime it's missing.

Apple Maps doesn’t do that thankfully.

I like declarativeNetRequest and think that the tradeoffs are reasonable, especially after the last revision[2]. Ad blocker extensions are a major security risk, and this fully eliminates the risk without breaking most of the functionality.

Adblocker extensions need full access to all network traffic and all it takes is a single person's account or machine to be compromised to get access to millions of browsers. Chrome extension compromises are a somewhat common occurrence - see [1] for a recent example.

I want ad blocking without giving the extension access to my cloud accounts, bank statements or company intranet.

My current solution is to use the ExtensionSettings[3] Chrome policy to blacklist extensions from particularly sensitive domains like accounts.google.com, my bank and the company intranet, but it's a clunky solution - I still want tracking and ad scripts blocked on those!

[1]: https://news.ycombinator.com/item?id=24803740

[2]: https://blog.chromium.org/2019/06/web-request-and-declarativ...

[3]: https://support.google.com/chrome/a/answer/9867568?hl=en

There's a lot of hyperbole and exaggeration thrown around the subject of manifest v3 and declarativeNetRequest, but everything we've seen so far suggests that it really is an attempt to restrict ad blockers to a level Google is comfortable with (the level of Google's existing partner, AdBlockPlus).

Some relevant points:

- Google still hasn't raised the rules count like it announced last year in the blog post you linked. The current API is still limited to 30k rules. (the dynamic rule count is ridiculously low too)

- Even if the rule count were unlimited, having a static list of rules handicaps more complex algorithms like those used in uBlock Origin, that aren't limited to "if URL in URL_LIST then block". For instance, a Levenshtein-distance-based algorithm can't be implemented with declarativeNetRequest.

- Manifest v3 doesn't seem to prevent extensions from examining traffic, just blocking it. So Google's stance that its API is against data mining, not ad blockers in particular seems hypocritical.

- Similarly, its stance that the proposed API is more efficient is extremely dubious. Modern WebAssembly has close-to-C++ performance, meanwhile ads and analytics are one of the biggest source of slowdowns of the modern net. The idea that restricting adblockers would improve performance in the general case is absurd.

Overall I have the same view of adblockers as I have of pirate sites: they're very convenient for me and I like to have them, but I don't begrudge corporations for doing everything they can to get rid of them. In a world where most of the internet is funded by ads, I understand why Google would want to find ways to make adblockers just a little less powerful.

But Google's insistence that it isn't doing exactly that, and that its API is technically motivated, reads as corporate nonsense. They haven't responded at all how I'd expect them to if the whole controversy was just a misunderstanding.

> Even if the rule count were unlimited, having a static list of rules handicaps more complex algorithms like those used in uBlock Origin, that aren't limited to "if URL in URL_LIST then block".

Google is deeply afraid of machine learning based ad blocking. You can only camouflage ads so much before they don't serve their purpose. Forcing ad blockers to use a primitive blocking method prevents smarter ad blockers from being built.

> - Google still hasn't raised the rules count like it announced last year in the blog post you linked. The current API is still limited to 30k rules. (the dynamic rule count is ridiculously low too)

Manifest v3 is still in development, so I'm assuming that this simply hasn't happened yet. It definitely needs to fit uBlock Origin's default rule set and I don't see them backtracking on the 150k announcement.

> - Even if the rule count were unlimited, having a static list of rules handicaps more complex algorithms like those used in uBlock Origin, that aren't limited to "if URL in URL_LIST then block". For instance, a Levenshtein-distance-based algorithm can't be implemented with declarativeNetRequest.

This is the explicit trade-off that is being made. I'll gladly accept this limitation in exchange for not having to trust the ad blocker extension.

> - Similarly, its stance that the proposed API is more efficient is extremely dubious. Modern WebAssembly has close-to-C++ performance, meanwhile ads and analytics are one of the biggest source of slowdowns of the modern net. The idea that restricting adblockers would improve performance in the general case is absurd.

The blog post explains this - the issue isn't the (in the case of uBlock, carefully written and very fast) extension code, but the IPC overhead in routing all requests through the extension. The Chromium teams loves metrics and they wouldn't make this claim without having substantial data to back it up - it's not a matter of opinion, but objectively quantifiable.

> - Manifest v3 doesn't seem to prevent extensions from examining traffic, just blocking it. So Google's stance that its API is against data mining, not ad blockers in particular seems hypocritical.

The blocking version sits in the critical path, the non-blocking one can be called asynchronously. This is consistent with their reasoning.

With Manifest v3, blanket host permissions are going away, which addresses data mining extensions and would make the existing blocking webRequest API impractical: https://twitter.com/justinschuh/status/1138889508512866304

One point, Google regularly makes false announcements about unpopular changes. When they changed search results to better hide which ones are ads they announced they’d backtrack on it, then didn’t. When they started hiding parts of the URL they backtracked on it, waited a few months, then re-implemented it. When they decided “don’t be evil” isn’t really appropriate for them any more they said it’d only apply to Alphabet not Google, then waited a few months, then applied it to Google.

> the IPC overhead in routing all requests through the extension

The case has never been made that this is the issue of why wesites take long to load nowadays, and rather the finding is that content blockers help significantly page load speed.[1]

You seem eager to uncritically accept Google claims while leaving out the views of the critics.[2]

* * *

[1] https://www.debugbear.com/blog/2020-chrome-extension-perform...

[2] https://www.eff.org/de/deeplinks/2019/07/googles-plans-chrom...

There's no good reason for us to not be able to have 150k (or unlimited) rules now. The fact that we have this completely arbitrary and far too low restriction clearly shows that Google is not making even a passing attempt to enable adblockers to do their job.

> Ad blocker extensions are a major security risk

This is only true in the sense that an all-purpose browser is "a major security risk". That is to say, it's not true in any coherent sense.

Yes, the ad blocker needs to be trustworthy, and there are a variety of approaches for furthering that goal.

> Adblocker extensions need full access to all network traffic and all it takes is a single person's account or machine to be compromised to get access to millions of browsers.

Again, you could say the same about the browser itself. Even if it were infeasible for extension developers to implement more security safeguards, that would be a flaw in the Chrome Web Store, not in the concept of web extensions.

A trivial "backspace to go back" extension needs access to all sites. Fraudsters buy semi-popular extensions and load them up with tracking and link rewriting malware, unhindered by Google.

Their continued "refinement" of the core ad blocker APIs while all these abuses and deficiencies go unaddressed is extremely suspicious.

> A trivial "backspace to go back" extension needs access to all sites.

Yes, this is bad and a big security risk. I don't use any extensions that request this permission. My company even pushes a Chrome policy that outright blocks them.

Manifest v3 fixes this by taking away blanket <all_urls> permissions. This would break ad blockers, so they add declarativeWebRequest and remove the blocking webRequest API that would be useless anyway.

Chrome is a security risk. Blocking extensions because "security" is just taking away control from the user. Why should Google be the arbiter of whether something I install is secure or not?

Almost any browser extension is a security risk, because it can inject JS code into web pages.

If the tradeoffs were reasonable, ad blocker developers would voluntarily use the new API without Google forcing them.

the other way to keep extensions away is to use chrome's profile feature

I have one for banking, for example, with zero extensions

As far as I can see, Manifest v3 addressed all the major concerns. It was a developmental spec and they adapted it based on feedback. What problems still remain that you take issue with?

> It was a developmental spec and they adapted it based on feedback.

I wonder what they've actually addressed. It looks like this was just lip service:

> Additionally, we are currently planning to change the rule limit from maximum of 30k rules per extension to a global maximum of 150k rules.

Source: https://blog.chromium.org/2019/06/web-request-and-declarativ...

16 months later the limit is still 30,000.

Source: https://developer.chrome.com/extensions/declarativeNetReques...

To give some context, it looks a clean installation of uBlock Origin would require nearly 80,000 rules.

> 79,972 network filters + 39,856 cosmetic filters

Where have you seen any source that isn't Google or Microsoft say that it "addressed all the major concerns"?

And what exactly has changed in the past year to do so?

My understanding is that webRequest blocking is deprecated and a limited size static list will replace it. No?

Edit: spec still shows ~35,000 total block entries, far too few. A medium sized marketing firm could, on their own, set up 70,000 distinct s3 bucket URLs, or a large one could easily justify that many distinct domains. Many existing block lists and uBlock's dynamic (uncountable) behavior far outstrip these limitations. This spec will break the back of ad blocking for good, and Chrome engineers and PMs know it.

Spec: https://developer.chrome.com/extensions/declarativeNetReques...

Google is the one that made the changes in response to feedback. If you're rejecting them as a source of those changes, then you're setting impossible goal posts.

The changes included greatly increasing the rule list size, allowing dynamic rules, not requiring the list be included in the manifest (for independent updates), and the ability to adjust some network headers.

As I said, they addressed all the major concerns that I saw raised.

How about the (fairly critical) ones raised by the authors of uBlock?

uBlock currently has ~75,000 rules. That list isn't getting smaller, so which 50% of the rules would you cut?

In a few years, which 2/3 of the rules would you cut?

How is this a win for consumers? How have they addressed those major concerns?

Edit: That was stock, I just added a few lists and passed 100,000 network filter rules. Please explain to me slowly, as if I were a child, how a static limit of 30,000 rules is a bigger number than 100,000, and why my computer with 128GB of RAM memory can't possibly support more than 30,000 rules?

If that's the case, why is Safari already worse than manifest v3, already hiding URLs, already promoting Apple News (more anticompetitive than AMP), and not even offering the ability to clear storage on exit?

Because Safari is a niche player. Anti competitive behavior matters a lot more when you have a stranglehold on a market than when you are just a bit player.

Safari is far from a niche player on mobile. The last few US projects I’ve done were over 50% iOS safari.

The question is why would Safari do those things if they help advertising giants?

That's not for me to answer, but for Apple I guess. Maybe someone who works there can shine a light on this. Speculation about the URL bit would probably center on Apple tending to put form over function. Promoting Apple News -> because it cost them a lot of money to get it in the first place and they are trying to recoup that money. Not that I would ever even look at it, I don't think a hardware manufacturer is the best place to get my news fix.

The URL hiding thing is probably because it looks pretty and they think it reduces phishing.

I doubt that there can be much of a legal angle: the defense would be to think of Chrome as a client software for Google services. That client software can additionally interact with many third party services if they follow open web standards, but why should that have legal implications on how it interacts with their own services? It's a very dissatisfying situation.

Would you like your car to follow some laws or anything goes? What if it’s nearly the only car you can buy in the US?

We’re talking about access to the internet, something that people are increasingly acknowledging as a primary need. Regulations will follow.

Web standards are not laws. Would I be outraged if a car's design language would follow some aesthetic conventions (another set of "rules" that are not laws) but not others?

I'm certainly not happy with how Google is using their position, but is it illegal? Should it be? Even a Pixel phone can install and use Firefox. You might perhaps make a case out of how all SDK WebViews end up being Chrome (-ish), but as long as a third party app embedding their own web view would not be rejected by Play, that's still more open than significant other parts of the smartphone market. Sure, Google is using a position of power and everybody who isn't a major shareholder shouldn't exactly be happy about it, but itvit abusing? In a way assailable on legal grounds?

Rather than ask “is it illegal” you can ask “is it anti-competitive” and it almost certainly is.

[Article author here] A few notes:

1. I tested with many different sites and configurations in order to narrow down the issue. The screenshots in the article are just a small sample of my tests, for illustration.

2. I'm not logged into Chrome or any Google services. I've gone through chrome://settings and disabled everything Google-related. Nonetheless, although I'm not using those Chrome features, this issue obviously could be related to the existence of those features in Chrome.

3. My goal in publishing the article was to get the issue fixed ASAP. I'm a browser extension developer, so I'm constantly testing with different browsers, including Chrome, Firefox, and Safari. It wasn't my intention to start a browser war.

4. I believe that Chrome is entirely open source, so I hope that someone familiar with the code base will take a look at this issue. The sheer size and complexity makes it a bit daunting for an outsider, but since Chromium has been adopted by other browsers such as Brave and Edge, there are outside developers already working on it.

4. Chromium is open-source, while Chrome is not.

Hmm. It seems to be mostly open source though? I found a document about differences on Linux, and I didn't see much. https://chromium.googlesource.com/chromium/src/+/master/docs...

Chromium is the open source bit, Chrome is Chromium plus a bunch of proprietary changes that google adds. You can run Chromium- it is a browser by itself- but it's not the same thing you'd download and run if you grab Chrome.

The "proprietary changes that google adds" are API keys[1], branding, and external plugins like Flash/Widevine. Other than those, the source code is identical.

[1]: https://www.chromium.org/developers/how-tos/api-keys

> Other than those, the source code is identical.

How do you know, and how can we prove it?

You could decompile, inspect, and debug chrome if you must, but doing something so easily viewable and auditable would be a huge blow to their reputation.

TIL. Are there any downsides to running Chromium instead of Chrome?

Chromium has no auto-updater on Windows and macOS. Unless you have a package manager that compiles updated versions for you, you're better off using Chrome.

I use Firefox. But, I'd be willing to install a version of Chrome if it came without all of the Google garbage pre-installed. I was hoping that maybe Chromium could fill this role.

There's a project that does exactly this. (I can't comment on the quality or the trustworthiness.)


I have used it in the past but now I use Chromium instead as a Chrome replacement since it is more stable than ungoogled-chromium.

I use Firefox as my primary browser and Chromium for testing things for Chrome. The only downside to Chromium is you have to update it manually by downloading the package and dragging it to your applications if you use Mac. Other than that, it works perfectly. I trust Chromium more than Chrome if I want to let it run in the background.

I was wondering about number 4. Does Chromium currently have the same behavior?

Yes, Chromium has this same behavior.

ungoogled-chromium is a project that removes Google integration from Chromium. Here is the patch they use to remove this special treatment of Google sites:


Eh, so doubleclick.net, ad network extraordinaire, gets special treatment as a "Google host" as well? Eww.

Google owns Doubleclick since 2007, shouldn't be a surprise.

Thanks! That's surprisingly short.

Now the question is how those IsGoogle functions are used in storage handling.

Thanks for addressing this - #2 would have been my guess.

Did you report it in the Chromium bug tracker? (https://bugs.chromium.org/p/chromium/issues/list)

From my experience, they tend to look at those sooner or later.

From my experience, they tend to ignore those forever, and then they use the fact that the bugs haven't been touched in a long time as an excuse to close them as WontFix.

> My goal in publishing the article was to get the issue fixed ASAP.

could be "by design"

Of course it is, and the naivety of webdevelopers that continue justifying a “chrome first” workflow is beyond irresponsible at this point.

Not that I agree with it, but I think the argument is that any workflow but Chrome-first is naïve. Hacker News' righteous fury won't do much to change the fact that 2 in 3 people use Chrome.

They never said naïve, they said irresponsible.

Of course something can be irresponsible for many reasons but I think there is a solid argument that making a website that works better in Chrome than other browsers is morally irresponsible because you are encouraging more users away from more open browsers. (Which I guess is mostly Firefox at this point? :'( )

Over the last few months I have had ~30,0000 visits to my website, almost entirely from HN, and I was disheartened to find that 52% of visitors were using Chrome[1].

Given the pro-open-web and anti-FAANG sentiments that's shared on HN I had expected slightly different results.

[1]: https://simpleanalytics.com/vishnu.tech?start=2019-10-18&end...

Worth remembering is that the commenters on the site are the minority. There are a lot or lurkers on HN (possibly orders of magnitude more lurkers than commenters), so "the pro-open-web and anti-FAANG sentiments that's shared on HN" may be a vocal minority.

The people commenting probably varies a lot depending on the topic, too. There are certain topics where you know what the comments are going to be like.

There's no reason to believe that lurkers have substantially different behavior than commenters. More likely is that those who use firefox are more passionate and informed about browser issues.

Commenters are extreme outliers. Only a tiny single-digit percentage of forum readers online ever comment. HN is also a highly regarded, particularly alienating site with a strict tone expected from commenters. I'd imagine the ratio of lurkers to commenters is 100:1.

I imagine the ratio is even smaller. HN is a often a particularly uninviting place to comment on.

No it isn't you are incorrect. I now present my essay on why you are incorrect. Now we argue for hours on semantic differences and then call it a draw. And then dang shows up and gets mad that the comments aren't following the rules shown on that really, really ugly and vague faq guidelines page.

Lurking is a substantially different behavior than posting.

Wow this comment is getting downvoted a lot. I think I wasn't clear with what I meant. What I meant is that there's no reason to believe that lurkers have big difference in which browser they use.

Commenters by definition have substantially different behavior than lurkers: they comment.

Furthermore, people tend to be louder about things they perceive as threats, such as corporations dominating the internet. Those who comment about those threats are likely to be the same ones taking active steps to mitigate them.

I'm surprised that it was so low. I work in tech and I don't know anyone who uses anything other than Chrome.

I'm using Safari by default simply because Chrome is a CPU hog on my machine and I can notice my PC heating up considerably faster when running it.

I considered Firefox and tried to switch for a month before but the recent reorg + the stuff about their top officer pay makes it seem like it's a cushy position some people entrenched themselves in and the org is completely lost - the browser experience was inferior and I don't have sympathy towards them so why bother.

Chrome has plenty of forks so I try to run those on other platforms.

Yeah I’m amazed how many Mac users use Chrome when it’s such a resource hog. Safari has better privacy and battery life as well. Maybe people use Chrome syncing or something and that’s why I don’t understand but it seems like they went out of their way to get a worse experience.

Chrome has such a myriad variety of extensions that using Safari is simply not feasible.

1. uBlock Origin - the content-based blockers on Safari are not nearly as good 2. Zotero connector - for my academic work 3. Session Buddy - for saving sessions 4. Proxy switcher - for selectively using my uni proxy for academic resources

and so on...

Do you really want to allow a myriad of extensions access to your web browser data? I can understand if you have a couple you like but personally I find extensions only make Chrome slower and I don’t trust most of them because of the deep access you need to grant. I’d just as rather turn my proxy on for a minute at the OS level and not have a permanent extension running in every single Chrome tab.

All of the extensions I use are open source (not that that counts for a lot, but I still tend to take a look at the repository before I install them).

I could see using Chrome on a desktop Mac maybe, but yeah it obliterates the battery on my MBPs so badly that it's impractical to use unless I'm alright with being tethered to the wall.

It's kind of exasperating how low of a priority efficiency is with both Chrome and Firefox.

I was trying to switch my wife to use safari on chrome (because battery usage), but her argument is that "safari does not display favicons near here bookmarks" and it's big no-go for her. Makes you think about reasons of regular users when choosing browsers.

That's so interesting. I'm very computer literate, and a huge reason I couldn't stand Safari is because it didn't show it didn't show favicons in the tab bar. I typically have dozens of tabs open, and really need some way to tell them apart quickly -- such as favicons showing up. (I did find a hack to do it, but didn't love it.)

You might ask her to try again. Safari 14 actually shows favicons, and that is such a welcome relief.

It shows favicons on tabs but not on bookmarks bar.

Chrome arguably is more secure with better sandboxing.

It goes back and forth. As of a couple years ago, Safari sandboxed the network process which Chrome did not do. Chrome also sends a significant amount of personal data and usage data to Google and potentially other parties which significantly harms the supposed security. Having an always on data feed of the users actions (to enhance your advertising business) is not good security practice.

A ton of sites work better with Chrome than Safari because engineers often don’t put in the 20 min it would take to fix minor issues with Safari and build only for Chrome on the Mac.

Lots of people can't test Safari because they don't have Macs.

They could test other WebKit browsers though.

It happens occasionally but “a ton” is probably overstating it. Any major website that doesn’t work on Safari for Mac and iOS is going to get bug reports pretty quickly unless it’s a Google product and they just don’t care

According to the article, its privacy is worse. Also, its implementation of ITP leaks more information when it is enabled (the default) than when it is disabled.


Your linked article is some Google researchers reporting some bugs in Safari which were mostly patched a year ago. It seems like they disagreed about whether some were patched initially.

That doesn’t mean Chrome is more secure. They literally install user tracking and tie you to your Google account so they can advertise to you and better sell things. There is nothing secure about a browser built to monetize your data and send it to the cloud for analysis and machine learning. Meanwhile they have their share of bugs as well. What do you think about this one which is more recent?


A vulnerability in Google’s Chromium-based browsers would allow attackers to bypass the Content Security Policy (CSP) on websites, in order to steal data and execute rogue code.

The bug (CVE-2020-6519) is found in Chrome, Opera and Edge, on Windows, Mac and Android – potentially affecting billions of web users

That Chromium bug has been fixed for monts. The Safari bugs in my article still haven't been fixed, causing users to leak more information in the default Safari setup than users who have disabled ITP and much more than users of other browsers, who have working tracking protection. As Justin Schuh pointed out, the changes that Apple made to Safari did nothing to address the issues discovered in the paper.

It’s one bug. Sure if it’s still open (the article was from January) then that’s not good but Chrome has thousands of open bugs as well and likely some that would give me pause. The fact that Google is the one giving Apple a hard time might indicate a bit of an agenda since it’s their competitor..

Google literally sends your browsing habits from pages visited to mouse movements to their servers where they link it with your other Google info like Gmail, Google Calendar, and Google Maps GPS tracking via your phone. Google products “leak” all the users data back to the mothership as a feature. And Chrome users tend to use a lot of random extensions which means the data usually leaks to a lot of unknown third parties as well (see DataSpii for one example which effected millions of Chrome and Firefox users)

So yes let’s expect higher standards from all browser developers. But realistically Apple likely fixed the bug or has a very good reason why it’s difficult to entirely patch yet. Google has had many extended data leaks as well but they actually build tools to gather your data up in the first place which makes it that much riskier should it get stolen or misused by Google or Google employees.

> It’s one bug.

It's a security bug that leaks information about the user. It reduces privacy for the user to any website they visit. Chrome and Firefox fix these security bugs immediately upon learning about them. Safari does not because it had hyped ITP and is more interested in security theater, which makes for great marketing, than actual security.

I don't know why you are trying to redirect the conversation to services that can be accessed from any browser. The topic of discussion is which browsers are more secure and offer better privacy.

Yeah Google would never sacrifice user privacy...

Guess what story popped up when I logged in today? https://www.tomsguide.com/news/chrome-google-site-data-speci...

“Chrome won't clear your Google and YouTube data — even if you tell it to

Browser retains site data in defiance of privacy settings”

Every week there is a new scandal with Chrome privacy and usually it’s Google to blame and not a bug. I’m sure they’ll tell us this was another honest mistake that tracked billions of people for ten years but NEXT time they’ll put our privacy first. Meanwhile we all know our data has been the goal since day one and Google Chrome is the Trojan Horse to get the tracking onto our computer

You realize that the article you linked to is about the exact same thing as TFA, right? Then you must also realize because I've already told you that Safari doesn't even give you the option to clear data on exit right? That makes it strictly worse for your privacy.

The particular issue mentioned here turned out to be a bug that affects more than YouTube and Google. https://bugs.chromium.org/p/chromium/issues/detail?id=127340

> Chrome has plenty of forks so I try to run those on other platforms.

Safari’s Webkit engine has plenty of browsers using it — in fact IIRC Chromium began as a fork of at least part of it — eg. GNOME Web/Epiphany, Luakit, Surf, et. al.

The only thing that annoys me about Safari is that there's no way to disable or configure alternate search engines for the omnibar. Sending mistyped intranet urls directly to Google (or DuckDuckGo) search is a huge privacy hole.

Lots of us do. Firefox is my browser on all my devices. I do use Chrome when visiting Google Docs which I assume is deliberately sabotaged on Firefox though.

I found Firefox to work fine on google docs tbh. It used to be slower, but haven’t had an issue in probably a year

It really depends on which part of google docs you're using. Trying to use the presentation system with Firefox is an awful experience for example.

On my 2015 Mac, both Docs and Maps perform significantly better on Chrome, and I keep it around for these 2 use cases.

Might just be that Google doesn't test on Firefox and also maybe are "to smart for their own good" coming up with out of the box solutions that can be more likely to fail to begin with. Maybe I'm being overly optimistic, but I kinda read myself as saying "they probably just don't give a sh!+."

It's not deliberate; it's lack of investment. Docs is complicated enough that the small deviations in browser implementation add up---to make something as complex as Docs not work in Firefox, all you have to do is be willing to publish without hating new features on FF end-to-end tests.

I have never used Chrome and use Safari with GDocs. It seems fairly functional to me. What is the sabotage scene you are talking about?

I have a different experience with that: on a current MBP, Google office suite software (docs, slides, agenda, mail etc) regularly uses 100% cpu in safari for no apparent reason, and clearly also has some memory leaks were single tabs bloat to 2-3 gig memory... Have to kill the the threads manually. I would say it’s fairly unoptimized / pushes you to chrome

I second the experience of the other commenters. Keep it open long enough and it sucks up all the resources in non-chrome browsers. I also include Google Slides in my experience btw. It is more severe with Slides than docs.

I strongly agree with you, most of the time I feel that non-Google browsers including Safari is somehow blocked or slowed down.

It's more lack of optimization. We could alternatively put the blame on Mozilla's doorstep for not optimizing FF's engine to run Docs better.

I work in tech, and people are very surprised to hear that I use IE. When they ask, I tell them it's because I do not like where "modern" browsers (and software in general, but that's another can of worms...) are going. IE11 is the latest browser to have things like user stylesheets and per-zone security configuration by default. It's a small rebellion, but nonetheless an act of opposition to the increasing corporate monopolisation and bloat of the web.

Almost everybody in my office of designers/developers uses Firefox.

One can be anti-Google and still use Google products. The browser is an exceedingly important piece of software. For some people, the cost of switching to something other than Chrome is too great. Maybe Firefox doesn't work well. Maybe they hate Safari. Maybe their favorite extensions aren't available. Whatever the reason, the cost of switching is greater than the price they put on their anti-Google stance. And that's okay.

Personally, I switched from Chrome to Firefox a long time ago. But I still use plenty of other Google products. I'm overall anti-Google, but I'm not a religious about it. I disconnect from Google where I can, and support products that match my views when I can.

If anything, I'm surprised the percentage of non-Chrome users your site encountered was as high was it was. Makes me kind of hopeful.

Aren't Opera, Edge and Brave pretty much drop-in de-googled replacements for Google Chrome?

From my figures on 100k visitors from a few days ago it is 21% for Firefox an 40% for Chrome, not bad

A lot of people likely use a work laptop and have to use Chrome at work - due to internal apps that only work on Chrome.

People say one thing and do another. That's the most consistent rule of human behavior prediction.

Firefox can be kind of annoying to use on HN, at least if you post often.

I use Firefox for most of my personal browsing other than Fastmail's webmail interface, and most of my general work browsing.

I use Chrome for a lot of testing and development at work and for dealing with PayPal. These things all get separate profiles, and Chrome handles multiple profiles better than Firefox. Yes, I know about Firefox containers, but I need separate bookmarks and history. Containers just deal with cookies and maybe cache.

I've been tempted to switch to Chrome for at least HN and Reddit because I tire of dealing with Firefox's spell checking. It regularly tells me things are spelled wrong that are not (such as "webmail" in this comment). It's not just that it is terrible that irks me--it is that it is inexplicably terrible.

What I mean by inexplicably terrible is that they are using Hunspell. That's the same open source spelling engine that is used by Chrome, and LibreOffice, and MacOS. Those all have great spell checking. I thus infer that Firefox's problem is not an engine problem. It's a dictionary problem. So why don't they they grab the ones LibreOffice uses?

Here are some words that came up in comments of mine either here or on Reddit that Firefox incorrectly told me were spelled wrong. Each one interrupted my writing flow as I had to stop and go look it up elsewhere to make sure that I had it right.

> all-nighter auditable automata blacksmithing bubonic cantina commenter conferenced epicycle ethicist fineable inductor initializer lifecycle micropayments mosquitos pre-programmed preprogrammed prosecutable responder solvability spectrogram splitter subparagraphs subtractive surveil tradable transactional tunable verifiability verifier

There's an issue in the Bugzilla for reporting misspelled words. I've reported all of those there so they should eventually be fixed. I'm not sure how long that takes.

Here's a bunch I indirectly reported earlier, that are now fixed:

> "ad infinitum" anonymized backlit bijection commoditization else's handwrite heliocentrism merchanting natively photosensor plaintext pre-fill preload prepend resizable scoresheet surjection unrequested

(Indirectly because I asked about them on /r/firefox, and someone responded telling me about the Bugzilla issue, which he had already added them to).

Here's my list of ones I have not yet reported:

> ballistically chewable counterintuitive exonerations mistyped phosphine programmability recertification shapeshifting tradeoffs webmail

I get 63% Chrome, 26% Safari, 5% Firefox, 2% Edge.

Safari is healthy 31%, nice

A tangent but, a lot of google's sites disobey browser standards and rules like for example sound autoplay on load. When you visit https://santatracker.google.com/ or youtube, it automatically plays sound without any user interaction, which is impossible for non Google sites to do

Google disobeys their own standards in MUCH worse ways. This year they are pushing a reduction in Cumulative Layout Shift (CLS). https://web.dev/cls/

But they purposefully use CLS in Search to increase clicks on Ads https://twitter.com/andyhattemer/status/1262564268890820609

> But they purposefully use CLS in Search to increase clicks on Ads

You present this as a fact, but it would be absurd that Google would use such a cheap and easily detected trick to increase CTR. It would be bordering on ad fraud and I'm sure that Google, of all companies, knows better than that.

Occam's Razor says that this is a stupid async content loading bug, which they subsequently fixed. I've never seen this happen and when I just tried it without adblocker with that exact search term, it didn't - the page loaded with the ad.

> You present this as a fact, but it would be absurd that Google would use such a cheap and easily detected trick to increase CTR.

3 years ago and I wouldn't believed it at all but around 2 years ago I saw it happen consistently with a colleague at the desk next to me.

I cannot say for sure that it wasn't an extension in his browser but I can say for sure that I think Google has been really busy tearing down the mountains of trust they had before 2007 - 2009.

Similarly, thanks to async ad loading, gmail replaces first two items in my email list with ads with such a convinient delay that I accidentaly click on the ads more often than I would like to. Occam's razor would say that if it can bring more money, it is not accident.

Accidental clicks are invalid clicks according to Google's own documentation[1][2].

For this to not be an accident, one would have to assume that Google actually makes more money from those invalid clicks, and that someone decided that yep, rendering ads asynchronously was a decent and legal approach at increasing advertising revenue, and requested the GMail team to implement it.

This kind of corporate misbehavior is not unheard of, but I just can't imagine it happening at Google.

It's much more likely that this is just unfortunate UX design to "improve" rendering performance without considering users on slow connections.

(I can reproduce this one just fine in desktop GMail - on the first render of the "Promotions" tab, the ads render asynchronously)

[1]: https://support.google.com/google-ads/answer/42995?hl=en

[2]: https://www.blog.google/products/ads/preventing-accidental-c...

"No you don't understand: invalid clicks are things that happen on other peoples properties. You definitely meant to click that ad in gmail. We know, we're google, you can definitely trust us about this"

'Unfortunate UX design to 'improve' rendering' is the plausible-deniability they can use to justify this.

> This kind of corporate misbehavior is not unheard of, but I just can't imagine it happening at Google.

I definitely can, I don't think anywhere is immune to this once you reach a certain scale. They have a profit-motive to make money, they will absolutely try and get away with as much as they possibly can.

For example, the scourge of "people also ask" at the top of search results, that appears synchronously where the top result was a second ago, and has a randomly-generated container ID to prevent easy blocking. Not an ad, but, equivalently, content that I didn't ask for but that Google, for some reason, clearly really wants me to click on.

Happens to me all the time, it's either complete UX heresy or ad fraud.

The android gmail app is horrible with this. They load a couple of your emails above ads so that the ads start on the second or third row.

And the re-ordering happens as your mails and the ads are loading! You might be about to tap your email, then the ads load in and you suddenly click on an ad. Or you want to tap the top row, but the app decides to put a different email above the ads and you end up tapping into the wrong mail because it was reordered just before the tap.

I've also never seen ads in the Gmail app. Maybe it's because of G Suite.

There are ads on the Gmail app??

> [...] which is impossible for non Google sites to do

No, they don't. This is false. It's a mechanism called Media Engagement Index, Google properties have zero advantage, and any site can get a high score.

Chrome ships with a preloaded MEI assembled from global telemetry data, which is then trained locally:


You are technically true. It just happens that Youtube is the dominant video platform and gets pre-loaded in the default seed.

Would they have made the same choice of preloading a default seed if they had no properties in the seed ? who knows

The whole point of Chrome is to push the web ecosystem forward such that Google can build better products on top of it.

This is part of the plan, but I find this angle to give too much credit to Google.

Once they reached a dominant ad network position their whole strategy has been “advancing the web is advancing our revenue”, and it bled into mobile to the point where building and maintaining a whole ecosystem for free makes sense as long as they stay the search and ad engine of choice (that’s the only thing they’ll fight to impose).

Chrome is built in the same optics: push forward the web and webapps as long as search is theirs.

The whole point of Chrome is to push the web ecosystem towards Google such that Google can exert more control over it.

Exactly. They were tired of Microsoft doing it badly and realized they couldn't build on someone else's platform.

When you visit a Netflix content URL it automatically plays sound and moving pictures without any user interaction! Evidence of Google owning Netflix?

I read somewhere - I believe on HN actually, some time ago - that a number of high profile sites were exempted from this restriction, Netflix among them. Really, wasn't this a thread right here on HN, saying that this was anti-competitive, oligopoly essentially, making any other sites of smaller competitors and upstarts automatically worse off? I'm sure someone will be able to provide a link...

There are other examples where only the large sites benefit while everybody else has to play by stricter rules: "EU Parliament bans geoblocking, exempts Netflix and other streaming services" -- https://www.dw.com/en/eu-parliament-bans-geoblocking-exempts...

EDIT: User teraflop posted a link to the list of "sites that are allowed to autoplay video even without any prior media engagement" right here in this thread https://news.ycombinator.com/item?id=24818178

This is not actually true. There are no shortage of random news sites that auto-play sound. Reddit does too. Does Google own all of them?

Reddit and Twitter starts video with muted sound on my browser (Edge).

My guess from someone who had to develop a web video player at work, many websites will attempt to autoplay the video with sound and if it fails, it's easy to catch the failure event, they will mute the video and try again.

I'm talking specifically about Chrome. There's no web standard that says what a browser must do about autoplay requests, and Chrome permits a large number of sites to autoplay with sound on.

Web browsers are also capable of determining that autoplay on technically-not-load-but-automatic counts as autoplay. (There's even text in the spec about it.) In particular, they can tell whether it is in response to a user action/gesture on the site or not.

Chrome has some special logic about autoplay. The following page describes them, but I feel like it's a bit more complicated in more recent versions of Chrome.


Wow, this is terrifying. I am a big supported of Google and dislike the recent attacks on FAANG, but this is shocking to me. If they are exempting themselves from this, what else could they be doing?!

The comment implies that this is somehow hardcoded just for Google sites, which is not true. Autoplay is allowed for sites with a high enough media engagement index. You can check chrome://media-engagement.

The media engagement index is based on a user's past activity on a site, but Chrome has a special list of "preloaded" sites that are allowed to autoplay video even without any prior media engagement.

The preloaded list is in the source code (https://github.com/chromium/chromium/blob/master/chrome/brow...) but it's encoded as a finite state automaton that makes it a bit difficult to enumerate the list of whitelisted domains.

I made a small Python script to unpack the DAFSA in preloaded_data.pb.

Here is the code: https://gist.github.com/NeatMonster/e9cdb01441a3cd842e6a20fd...

And here is the plain-text list: https://gist.github.com/NeatMonster/e9cdb01441a3cd842e6a20fd...

One has to wonder whether they intentionally obfuscate this list. It sounds like they “trained” a browser, and captured the resulting state. I’m sure you can argue this makes things more fair (we trained it using real world behavior!), but I really can’t give them the benefit of the doubt anymore.

It's generated by a Python script [0] from a list of URLs, but the input list doesn't seem to be included in the Chromium source (only the binary output of this tool).

[0] https://github.com/chromium/chromium/blob/615d5eed47c10d8890...

> The pre-seeded site list is generated based on the global percentage of site visitors who train Chrome to allow autoplay for that site; a site will be included on the list if a sizable majority of site visitors permit autoplay on it. The list is algorithmically generated, rather than manually curated, and with no minimum traffic requirement. With the implementation of the autoplay policy for Web Audio in M71, Web Audio playback is also included in calculating the MEI score for a given site.


Will this not have some kind of self-reinforcing behavior, as the measurements are biased towards sites that are currently unmuted by default?

According to the MEI it actively measures user behavior and one of the most important measures is that a video is unmuted. From the document:

“The MEI is meant to allow media heavy websites (e.g. YouTube, Netflix) that rely on autoplay for their core experience. It is a non-goal to allow websites with a “good media behaviour” to autoplay without restrictions”

It doesn’t sound too good, and still doesn’t really explain how everything is seeded.

If it's a FSA can someone at least convert it to a regular expression or some other more readable format?

Is there no way to decode it

neatmonster wrote a script to decode the list and then shared links the results here:


Take a list of top X websites and enter it in every one.

The preimage space is finite and easily enumerated.

And media engagement is based on an opaque set of factors that just so happen to give top authority to Google sites.

The source code is public.

That doesn't mean it's easy to parse.

Amazing. I once built a web app with autoplay, which worked for me, probably because I was using the app a lot which gave it high media engagement, but didn't work for others, and I never figured out the problem until now.

Well that's a nice way to say that its allowed for youtube and very few other sites... possibly none.

These are the kind of tricks a shady company would do. So disappointed what Google is doing to the web the last few years.

I'm not so sure of that. My top sites by media engagement are: Spotify Twitch clips Youtube Twitch Eurosport Netflix The Independent Discord

It isn't obvious to me from this that Google are privileging their own sites above others here

Not "very few other sites", it's around 700 sites: https://news.ycombinator.com/item?id=24819473

For what it's worth, Netflix has a higher score on my machine than YouTube.

I loaded the page and went through a few actions, but I cannot see anything in chrome://media-engagement about it

I do see Santa Tracker in mine, it gave it a score of 0.05, the same as the web of my high school and less than say knowyourmeme.com which sits at 0.1

they have always had whitelists for friends inside of chrome

outlook (via web) also seems to be able to play sounds, like meeting notification sounds in firefox.

That site doesnt even load in my browser... I only see the Google wave (Firefox mobile v6x)... but on the other hand, there are Firefox extensions that make websites load as if you were using Chrome.

Loads for me on Firefox 81.1.3 on Android. It did take a little bit to load, so might just be your internet connection.

It did load this time but no sound

Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact