1. Chrome is the only major browser not to support the Do Not Track header. Google is also the browser vendor whose bottom line would be most impacted if users could easily opt out of tracking. Coincidence?
While I welcome folks from the Chrome team to weigh in on the reasons for this, my own understanding is that adoption of this feature is being blocked by Google's Mountain View based policy team, and is not a decision that is in the hands of engineers.
Compare this to Chrome's absolutely spectacular record in the area of security, where folks like Adam Langley and Chris Evans have been able to ship innovative features that haven't worked their way through the standards process. Examples include HTTPS certificate pinning (that recently led to the discovery of MiTM attacks against Iranian users using the DigiNotar certs).
In the area of security, Chrome's engineers deploy whatever they think will help users. In the area of privacy, Google's lawyers and lobbyists are calling the shots.
(Also, there still isn't a working API to let others support DNT in Chrome. An API exists, I think, but it is quite buggy, AFAIK)
2. Blocking 3rd party cookies by default. Apple defaults to blocking 3rd party cookies, Chrome does not. Both are derived the same webkit core (yes, I know there is different code now), but when Google decided to create Chrome, they went with a different default than the one that Apple had already used -- one that hasn't led to websites breaking for Apple users.
Again, which browser vendors' bottom line would suffer if Chrome users could not easily be tracked? Google.
Let me be clear - I don't think that Chrome is engaging in any sneaky shenanigans to directly track users. No, that would be too obvious. Instead, Chrome just makes it easy for Google's other services to track users, when they stick with the deaults.
The Chrome team has already addressed this issue. The problem with Do Not Track is that it isn't clear what it blocks and what it does not. It is also pretty useless as most websites that survive using ads will never support the Do Not Track headers, so it's a faux solution to the problem. Google already offers a browser extension (Firefox, Chrome and IE) to block Google Analytics. Last but not least, there is a dashboard on Google to know what Google ads know about you and the possibility to delete this information.
I think what's really bad is that DNT headers offer a false sense of privacy when in fact no websites respect the headers. Google's alternative solutions have the upside of being very clear about what they accomplish for your privacy.
Instead of supporting a header that millions of consumers are already sending, you instead offer a browser add-on for analytics, and "keep my opt outs" for ad network opt out cookies.
The signal sent by a consumer setting the DNT flag in their browser is just as clear as a consumer installing your analytics opt out plugin, or obtaining the doubleclick opt out cookie.
You could, right now, respect the DNT header as you currently respect your own opt out mechanisms, but you don't.
I get that Google is not a charity. I get that Do Not Track (or any other mechanism that makes it easy for consumers to avoid tracking) threatens your bottom line. What I would prefer though, is honesty.
Please just admit that you want to make it difficult for consumers to opt out, and that a single, easy to use mechanism built into the browser is something you want to avoid at all costs, even if that means you are ignoring millions of consumers' intent.
2. Google's participating openly in http://www.w3.org/2011/tracking-protection/ to work out what DNT means in a detailed sense, so that when users send a header, either via a checkbox or via an extension, there's agreement about what the practical impact is. I'm not sure it's reasonable to expect much more than that right now.
Keep My Opt Outs is largely political propaganda, or if you will, privacy theater. It gives your DC people something to talk about when they testify before Congress or the FTC. It allows them to say, "look, we do offer users the ability to opt out", while knowing that few users will seek it out and turn it on.
Compare, for example, the 5% of Firefox users who have enabled DNT, vs. the 62k users of KMOO. That number of users is pathetic, given how many people use Chrome.
2. Since when does something need to have gone through the standards process for Google to ship it in Chrome?
Consider, for example, what Adam Langley wrote when he added support for DNSSEC certificates to Chrome:
"I'm also going to see how it goes for a while. The most likely outcome is that nobody uses [this feature] and I pull the code out in another year's time." See: http://www.imperialviolet.org/2011/06/16/dnssecchrome.html
Google's approach to security (and in many other areas) is to iterate, quickly, see what works, and if it doesn't, kill it off.
Likewise, Chrome supports an early draft of WebSockets. The spec isn't finalized yet though. Google added support to a draft spec, and then will update Chrome to the final spec once it is done. See: http://blog.chromium.org/2010/06/websocket-protocol-updated....).
It seems to only be in the area of privacy where Google wants to wait until technologies have gone through the slow standardization process. In the mean time, while you wait for things to work their way through the W3C, Google's ad business continues to build detailed behavioral profiles on Internet users.
The longer the W3C takes, from Google's perspective, the better.
Look - I get that it must be frustrating to be a privacy engineer working on Chrome, when upper management won't let you deploy serious privacy enhancing features to users. I get that it must be embarrassing to work on the only browser that doesn't support Do Not Track (usually, IE is last to the party). What I don't get, is why you tout features like KMOO and Google's involvement in the W3C process as though you expect them to be taken seriously.
Google is not committed to enabling users to easily protect themselves from Google's widespread collection of their private data. To argue otherwise is foolish.
On my home network, Google, Facebook, and Twitter compete for the most web tracking next to my ISP's own capabilities. Traffic weighted, Facebook is now the leader in my household.
"So what about the rest? Two advertising companies took overt steps to respect the Do Not Track headers sent by browsers like Firefox, Internet Explorer, and Safari, which we just learned is actually a step beyond NAI's baseline requirement. Another 10 companies went even further by stopping the tracking and removing the cookies altogether (and just for interest's sake, it's worth noting that Google falls into this category)."
When a consumer visits Google's opt out page (where you obtain a doubleclick.net opt out cookie), or gets one via the NAI, the doubleclick.net tracking ID is deleted.
Google does not support the DNT header.
Chrome's cookie code isn't derived from other code in WebCore; it's implemented in the platform layer. And it's intended to be as compatible as possible with the majority of the web. As for the privacy implications of third-party cookies, I think Michal covered the reality of the situation extremely well: http://lcamtuf.blogspot.com/2010/08/cookies-v-people.html
As a Firefox user who disables 3rd party cookies, this actually does break some sites. Signing in with your Google account to various blogs becomes impossible. Buying tickets online to the local puppet theater becomes impossible. That sort of thing.
Firefox takes a totally different approach to blocking cookies than IE/Chrome/Safari.
Firefox blocks the setting and transmission of cookies by/to 3rd parties.
The other browsers just block the setting of new cookies by 3rd parties.
An example of what this means:
A Safari or Chrome/IE user who has turned on 3rd party cookie blocking visits facebook.com in a 1st party manner (by visiting the facebook home page). He/she then visits CNN, where facebook is present as a 3rd party (via the like button). Even though that user has opted to block 3rd party cookies, their stored facebook cookies will be transmitted to facebook when it acts as a 3rd party, because the cookies were first set as a 1st party.
In comparison, when a Firefox user who has turned on 3rd party cookie blocking visits CNN, facebook has no idea who they are.
No one is visiting doubleclick.net as a 1st party, which means if Google turned on the Chrome/Safari style 3rd party cookie blocking, it wouldn't be able to track users for behavioral advertising (interestingly, Facebook could still do so). Were this to happen, I guess Google could always move away from using doubleclick.net and put everything under the google.com domain, which would get around this.
Mozilla's method of 3rd party cookie blocking does indeed cause collateral damage, which AFAIK, is why Mozilla hasn't turned it on.
Google doesn't have the same excuse for allowing 3rd party cookies, since Apple users don't suffer broken sites when they browse. (If the Flash fiasco has shown us anything, it is that websites will bend to Apple's will, and change whatever breaks in order to allow Apple users to visit their sites).
Regulating the technology is, and always will be, a waste of time. If people don't want the tracking done, they need to outlaw it, regardless of technology implementation.
Well, sure, but that's not relevant for purposes of this discussion. ;) The fact that I use the browser and turn off third-party cookies is the relevant part.
> The other browsers just block the setting of new cookies
> by 3rd parties.
Ah, interesting. That significantly reduces the value of that setting, as you point out.
I suppose we could look into blocking the setting of such cookies by default and only the sending when the pref is flipped. I'll file a bug, thanks!
Simple as that.
In the area of security, Google recognizes the importance of setting safe defaults. See: "99.99% of Chrome users would never change the default settings. (The percentage is not an exaggeration.)"
Having an option to block 3rd party cookies, but then hiding it in the chrome://flags/ menu is essentially worthless for most users.
Privacy enhancing technologies need to be easy to use, preferably, enabled by default.
I agree on the cookies issue, though. Things like "Allow local data to be set (recommended)" make me kind of sad.
Notice that "allow local data to be set" and "block third party cookies" are not mutually exclusive settings in preferences...which is good, because they can be and tend to be used for very different purposes.
If you want to block all data from being stored, that's fine (and web APIs are great in that they are designed to be individually denied and let a page detect that they have been), but I definitely disagree that first party storage enabled by default (and even "recommended") is lamentable.
Did someone make a detailed analysis of what info gets sent to google on a default install of chrome?
It is also the reason why I have Chrome updates permanently disabled - I don't trust Chrome enough to let it run anything in a background.
I'm pretty sure all the browser bugtrackers require an account to file a bug.
Do enlighten me how can I file a bug report against Chrome if I don't have and don't want to create a Google ID.
The behavior you expect out of Chrome is just simply not what its actual behavior is.
Asa Dotzler from Mozilla corrects some of your misconceptions here: http://news.ycombinator.com/item?id=3034450.
This is hooking the application so you don't have issues with sniffing SSL.
It effectively helps you to man-in-the-middle-yourself.
Edit: in Chrome 15 (beta) just found an option "Encrypt all synced data". Yay!
Filed a bug report: http://crbug.com/97939
BTW anyone in Mike's position still may not be privy to everything that is done with the data, as some data collection and sharing may be subject to national security orders that that most employees are not allowed to know about. So any statement his team makes about this should be couched with "to the best of our knowledge."
The data collected is available for you to peruse at chrome://histograms/
All the data that Google collects is subject to the privacy policies at http://www.google.com/intl/en/privacy/, and Google of course complies with SafeHarbor regulations (http://en.wikipedia.org/wiki/International_Safe_Harbor_Priva...)
OR if you don't opt in to anything and you simply type some things into your Chrome Omnibox which get sent to Google for suggestions, or if you don't opt in to anything and you simply mistype a URL and that send data to Google for more helpful error pages, or if you don't opt in to anything and Google's phishing and malware service collects sites you're visiting. Oh, and where you don't opt in to RLZ, but you get it anyway.
As I said on Twitter, I'm not really bothered by these things, but it's disingenuous to pretend they don't exist or to respond to peoples' privacy concerns by insisting that aggregate usage stats is the only information Google collects.
> As I said on Twitter, I'm not really bothered by these things
Well I hope not, considering if you replaced parts of your comment:
"if you don't opt in to anything and you simply type some things into your [Firefox search bar] which get sent to Google for suggestions, or if you don't opt in to anything and you simply [type a malformed] URL [into the AwesomeBar} and that sends data to Google for [a search page], or if you don't opt in to anything and [Firefox queries of] Google's phishing and malware service collects sites you're visiting"
it still applies. and Mozilla essentially sells that information by selecting a third party default based on some non-transparent bid process :P
Personally, I'm just sick of the FUD, especially in comments on an article asking to stop the insinuations and actually list problems so they can be fixed. There are and probably always will be defaults some people disagree with (and feel are doing users a disservice since users rarely change defaults), but there is a world of difference between that and "I don't need to give evidence, I can just feel it. We all know Chrome is etc etc"
This is why the search engine is different in different locales; for example Yandex has way better Russian search results than Google, and hence is the default search engine in the Russian localization of Firefox.
At least they no longer solicit donations, but for them to pretend they're viable without that omg privacy violating teat to suckle at is just gauche.
So while Mozilla does make money from those, it would do that no matter which of the major search engines it defaulted to, no?
And note that there is a reason the search field is not merged with the url bar in Firefox. Precisely because it would be a privacy violation.
Can Google do anything to help make browsers appear to be less unique, and thus less trackable?
I'm talking about http://panopticlick.eff.org/
I'd much rather find a technical solution to that than a political non-solution.
Take a look at https://trac.webkit.org/wiki/Fingerprinting for some discussion around what would be required. It's very, very nontrivial.
So even if there might be a browser-signature based solution for CSRF protection, there is a very solid alternative, which I think is the best practice anyway.
As for the larger question, I really don't think there's any way of preventing sites from uniquely fingerprinting a given browser installation. There are just so many places where fingerprints leak through (and the behavior is relied on) that I'd expect it would take a massive overhaul of the web as we know it. Although, I'm a security guy not a privacy guy, so maybe I'm just too pessimistic.
I already do click-to-play for plugins in Chrome, and it doesn't seem to help much. According to Panopticlick, there are 19.75 bits of data in my Browser Plugin Details, and for the "value" it describes all the plugins I have enabled.
Also with click-to-play enabled, Panopticlick can see my system fonts (20.75+ bits of data, one in 1,769,122 browsers has this value). Apparently Panopticlick is not using one of my plugins to get that data... I haven't whitelisted eff.org or otherwise enabled plugins there.
Somehow my Chrome had lost its click-to-play setting. I don't remember unsetting that... hrm.
Anyway, with click-to-play enabled you are correct: Panopticlick cannot see my fonts. Sorry about the confusion.
However, with click-to-play definitely enabled, Panopticlick can still see my Browser Plugin Details.
This is just a thing Chrome has to live with, it's a browser developed by a company that makes money selling user behavior to advertisers. You'd have to be stupid not to think this is a possibility.
Must be frustrating to the developers who know what it does and doesn't do though.
In this case, that "whoever has the data" has been publicly dismissive of fundamental privacy concerns up to and including CEO level, and has a business model built around extracting as much value as possible from that private data without regard for the privacy concerns of any individual.
This is a very tough cookie to crumble. The counter-argument to "we are open source" is that the binaries can potentially be assembled from an altered source code. Ideally, the binaries should be assembled by multiple independent "build points" and compared against vendor's version. There was a secure smartphone OS vendor (the name escapes me ATM, it was several years ago) and they did just that - an open source project with audited build system - and it was a major hassle by the looks of it.
The only sure way to deal with the trust issue is to not have a conflict of interest to the first place, which is something that seems to be neigh impossible with Chrome.
We have to take Google's word for it that Chrome is identical to Chromium as regards privacy, and as others stated, Google's business interest is clearly to track user information, not to respect their privacy.
So, go ahead and check out a release branch, set the "Official" build flag yourself, wait anywhere from 2-8 hours for the binaries to get built, and verify it against the bits we ship.
So one can build Chromium with "Official", then add some DLLs (Flash, etc.), and get something 100% identical to Chrome?
Edit: And is there an official statement of this somewhere?
"As Chrome's resource blocking API is not yet comprehensive, some elements may execute." - http://www.ghostery.com/download
Look at the progress on privacy-related APIs over the last year: WebRequest is coming along nicely, WebNavigation and ContentSettings are feature complete and in the final stages of polish, and Proxy went out to stable in Chrome 13. Privacy and Clear just landed in experimental, and we're iterating on them rapidly.
(Details on the state of each are available at http://code.google.com/chrome/extensions/trunk/experimental....)
The API in experimental now, so download a dev release of Chrome/Chromium, enable experimental APIs via `about:flags`, and start filing bug reports. :)
I really don't understand the extreme sentiment that your info via cookies is the worst form of privacy breach there is. Why would you not be more concerned with the companies that charge $.50 per call to access an API that can fetch information on anyone that fills out a form ("Oh I never knew my neighbor only makes $48k a year")? I guarantee you these companies know more about you than Google, Twitter and Facebook (unless you post every thought ever, of course). Case in point, they knew my coworker's wife at the time was 4 months pregnant. Unless you can derive such information from searches (doubtful and completely not worth the effort) then this information obviously came from elsewhere. Perhaps, for instance, like the doctor's office.
Google is the largest ad network on the Web.
Look at the implementation of SafeBrowsing, for instance, which does some clever work with hashes to ensure that Google never knows exactly what URL you visited that triggered the warning. It would have been _much_ simpler to just send the URLs, I assure you.
On one, we have source. On the other, we just have the quote "We go out of our way to avoid doing that, actually." What other evidence?
I mean both Chrome and Chromium. The source is there, we develop in the open, and I'm not sure what additional evidence I can provide to you to prove a negative. Wireshark?
* Public referrer logs created a backlink
* Somebody (else) published the URL
* Somebody (else) shared the URL
* You pinged the URL to search engines or other services.
* The URL appeared in your RSS feed
* The URL appeared in your sitemap
* Your pages URL ranges are easily guessable (/item.php?id=1007, /item.php?id=1008) and traversed by a search engine.
And more recently, something less innocuous: You simply added a Google +1 button to your pages.
When you add the +1 button to a page, Google assumes that
you want that page to be publicly available and visible
in Google Search results. As a result, we may fetch and
show that page even if it is disallowed in robots.txt.
> When you type URLs or queries in the address bar, the letters you type are sent to your default search engine so the Suggest feature can automatically recommend terms or URLs you may be looking for. If you choose Google as your search engine, Google Chrome will contact Google when it starts so as to determine the best local address to send search queries. If you choose to share usage statistics with Google and you accept a suggested query or URL, Google Chrome will send that information to Google as well. You can disable this feature as explained here.
> If you navigate to a URL that does not exist, Google Chrome may send the URL to Google so we can help you find the URL you were looking for. You can disable this feature as explained here.
> If you enable the optional AutoFill feature, which automatically completes web forms for you, Google Chrome will send Google limited information about the structure of pages that have web forms and information such as the arrangement of the form so that we can improve our AutoFill service for that page.
Could you give us more information about the AutoFill feature? Does it send the URL along with the listed information? Does it do this for every URL that contains a web form?
Disclosure: I use Chrome (default) and IE9 (whenever Chrome fails).
That leaves five other places where data is sent back to Google for things like search suggestions and malware detection. You can find an explanation of those features and instructions on disabling them here: http://www.google.com/support/chrome/bin/answer.py?answer=11...