[HN Gopher] Google tracks individual users per Chrome installati...
___________________________________________________________________

Google tracks individual users per Chrome installation ID

Author : rvnx
Score  : 1659 points
Date   : 2020-02-04 14:50 UTC (8 hours ago)

(HTM) web link (github.com)
(TXT) w3m dump (github.com)

| everdrive wrote:
| Is this Chrome the browser, ChromeOS, or both? And if so, will it be in Chromium?
|
| olliej wrote:
| Am I getting this right?
|
| Irrespective of whether you use any other google products, if you use chrome google can now track you over any property that uses google ads, recaptcha, etc.
|
| The header is inserted by the browser after any extensions run, and google pins google properties so you can have an intermediate proxy that strips the header, so they gain persistent tracking of all users across most of the web?
|
| If it wasn't a tracking vector why do they limit it to just google ads, etc? Why not other ad providers as well?
|
| owaislone wrote:
| I visited my family a couple of weeks ago and was shocked when my father told me that his phone 'received' some of our photos. I checked and a huge chunk of whatsapp photos that were backed up by my wife's phone had ended up in my dad's Google Photos account. I discounted it as my wife accidentally sharing the whatsapp folder with my dad but now I'm not so sure.
|
| Cthulhu_ wrote:
| Yup, that's one of the issues you'll get with interlinked accounts; in this case, Whatsapp backs up / stores photos automatically to your phone's photo gallery, and said photo gallery is automatically synchronized with the cloud.
|
| I don't know exactly what's going on with your wife's / your father-in-law's accounts though, are they sharing Google accounts, photo albums, or were the photos shared in the same whatsapp group?
|
| marriedWpt wrote:
| Ahh the good ol HN "stop using Google and start using Firefox" advertisement.
|
| It's a bit odd to see this in every Google thread.
|
| Btw, Firefox is too slow.
|
| Blaiz0r wrote:
| Firefox isn't too slow, but you might be talking about how Google optimise their sites for Chrome at the expense of Firefox's performance through browser sniffing.
|
| basscomm wrote:
| > Btw, Firefox is too slow.
|
| Ahh, the good ol' "Firefox is too slow for me to consider it" statement. Is there any evidence that Firefox is slower than Chrome other than old lingering memories of Firefox being slow ten years ago?
|
| I have used both Firefox and Chrome and I can't subjectively tell that one is significantly faster or slower than the other. To be fair, I only have a handful of extensions and rarely have more than ten tabs open at a time, so my use case may be atypical.
|
| rryan wrote:
| I _love_ that Firefox exists and Quantum is an amazing step forward, but Firefox still regularly runs away with gigabytes of RAM and hung worker processes. I have no problem with long-lived Chrome sessions but I need to restart Firefox ~daily. It's not bad memories of 10-years ago.
|
| pier25 wrote:
| Same for me.
|
| I've been using FF for a couple of months and I get huge random CPU spikes on my MBP that go away once I restart it. It works fine on my iMac and Windows tower though albeit JS execution seems slower (I mostly work on front end stuff).
|
| It also seems to consume more battery on Android than Chrome although I admit I've never made any serious testing.
|
| Monotonic wrote:
| I've been using Firefox as my daily browser at work, home, and on my mobile devices, and I've literally never had issues with Firefox taking up too much RAM. Chrome on the other hand was always one of the main culprits when my computer(s) would start to slow down.
|
| This is the problem with anecdotal evidence; everybody's subjective experiences are slightly different and further colored with their own biases, so you can never get hard facts out of it.
|
| mrguyorama wrote:
| And yet Chrome consuming huge amounts of RAM is an actual meme
|
| marriedWpt wrote:
| The difference is extremely noticeable. So yes.
|
| I can open up 2 tabs and Firefox is still loading the page.
|
| DangerousPie wrote:
| Could it be because people who like their browser tend to tell others about it? I have absolutely nothing to do with Mozilla but I think the internet would be a better place if more people used Firefox.
|
| dang wrote:
| We detached this subthread from https://news.ycombinator.com/item?id=22236328.
|
| fortran77 wrote:
| It's not odd at all. It's what the folks at Mozilla do. They jump in to every thread to push Firefox and Rust and make people think it's more widely used/better than it is.
|
| falcolas wrote:
| Not everything is a conspiracy. I'm not a Mozilla employee, have never been one (probably never will be one). Firefox is awesome, fast, and extensible. It's my daily driver for all of my machines.
|
| bonestamp2 wrote:
| Side question: I've been trying to switch to firefox as my main browser but one thing is holding me up. When I'm using a private window, cookies are not shared between private tabs. I can see the advantage to that behavior, but is there a way to share them so that I can be logged into the same site in multiple private tabs? Unironically, I haven't had any luck googling this problem.
|
| lordnacho wrote:
| You can make as many separate containers as you like, where each tab shares the cookies with all the other tabs in that container. For example, I have a Facebook container that only shares with Messenger and none of the other tabs. I can see it works because sites that are logged in on one container are not logged in on others.
| It's easy to right-click and reopen a tab in one of your other containers.
|
| falcolas wrote:
| If you open a new tab from an existing tab, your session persists across tabs. So, for example, middle clicking on the Hacker News logo will preserve your HN session across tabs.
|
| bonestamp2 wrote:
| Huh, this is how I expected it to work and it does work for hacker news but it doesn't work for one site I want it to work for. I'll have to dig deeper, thanks.
|
| SamPatt wrote:
| Same. It works great and uses less RAM than Chrome.
|
| fortyseven wrote:
| People who push conspiracies without solid evidence should be jailed. Or at least publicly ridiculed.
|
| dropdrive wrote:
| And then? I use it and judge it based on its merits. Surely they know this (and hence decided it's worth the time?)
|
| detritus wrote:
| I work for Mozilla?
|
| Huh. I should ask for a pay rise...
|
| jeltz wrote:
| I think most people who advocate Firefox are not Mozilla employees. I am for sure not one, I do not even like Mozilla, but they are a much lesser evil compared to Google. And I think having multiple competing browsers is vital for preventing the internet from becoming a walled garden owned by some big corporation.
|
| Ohn0 wrote:
| Isn't moz pretty much funded by google?
|
| VWWHFSfQ wrote:
| as a defense against antitrust accusations. microsoft once funded apple too
|
| throwawa66 wrote:
| You must be a google toolhead employee not to see how evil they've become
|
| swiley wrote:
| Google consumer software is almost universally an active full frontal attack on you. Stop using it.
|
| a_wild_dandan wrote:
| This sounded harder to do than it was in my experience. I figured the alternatives to their products would be less polished. But I switched to Firefox and honestly prefer it to Chrome. (They allow extensions on Android, meaning adblock, which is a game changer for me.) DDG for search is great. Protonmail for email is fine, etc.
| There isn't much in the Google ecosystem that I miss tbh.
|
| Scarbutt wrote:
| For me is google docs and maps.
|
| dleslie wrote:
| If you need online office and maps then there's Microsoft Office and Bing Maps. Office is an excellent product, well worth the few bucks a month.
|
| AFAIK, Office is fairly good about privacy.
|
| acollins1331 wrote:
| The only thing I have problems finding something that works is Google maps. As an Android user there are a few different options but Google did make a damn good maps app.
|
| sutro wrote:
| Bypassing CORS checks by "hiding" X-Client-Data:
| https://chromium.googlesource.com/chromium/src/+/f3ceca9d0fd...
|
| haecceity wrote:
| What does freezing mean here?
|
| sergiotapia wrote:
| I dropped chrome a long time ago and switched to Brave. Does Brave have these same issues, considering it uses webkit for its rendering engine? Am I just being paranoid?
|
| What a tumor google has become.
|
| dmtroyer wrote:
| I must be dense but I never see the `x-client-data` header in the request headers of the network tab in developer tools.
|
| outworlder wrote:
| Try a packet capture. You wouldn't trust the browser to let you know all shady emails it is sending, right? :)
|
| dmtroyer wrote:
| This did come to mind, hah.
|
| calibas wrote:
| I just checked, I see it on Chrome when fetching resources from google.com, youtube.com, gstatic.com, and googlesyndication.com.
|
| throwawaylolx wrote:
| I just tried it now on google.com, and it sent it in 6 requests. You can ctrl+f in developer tools in Chrome.
|
| dessant wrote:
| I think extensions can filter out the x-client-data header, though Google should definitely make this data collection opt-in.
|
| GDPR is very clear about this data being personal information [1], since Google has access to the IP address on the receiving end, which has been repeatedly tested in courts as being personal data.
|
| Google is engaging in personal data harvesting without user consent and control, and no amount of mental gymnastics presented in their privacy whitepaper [2] will save them in courts.
|
| [1] https://ec.europa.eu/info/law/law-topic/data-protection/refo...
|
| [2] https://www.google.com/chrome/privacy/whitepaper.html#variat...
|
| dmtroyer wrote:
| Oh interesting, it must be an extension that is filtering it out for me (Ghostery, DDG Privacy Essentials or Adblock Plus in my case)
|
| GrayShade wrote:
| Can you also test under the incognito mode?
|
| sunnyque wrote:
| i've checked this already, chrome doesn't send this header in incognito mode, and this is really good
|
| 3xblah wrote:
| Right-click in the Name column, select "Save all as HAR with content". Then grep for the headers, e.g.,
|
|     sed -n '/headers\":/,/\]/p' example.com.har
|
| While running Chrome, try
|
|     ps ax | grep -o 'field-trial-handle[^ ]*[0-9]'
|
| Handle to the shared memory segment containing field trial state that is to be shared between processes. The argument to this switch is the handle id (pointer on Windows) as a string, followed by a comma, then the size of the shared memory segment as a string.
|
| Also, can try typing "chrome://versions" in the address bar
|
| https://superuser.com/questions/541466/what-is-the-variation...
|
| https://www.ghacks.net/2013/04/05/field-trials-in-chrome-how...
|
| Further reading:
|
| https://chromium.googlesource.com/chromium/src/+/master/comp...
|
| https://chromium.googlesource.com/chromium/src/+/master/comp...
|
| kohtatsu wrote:
| It's limited to Google properties.
|
| reader_1000 wrote:
| It seems that it does not send "x-client-data" header in private mode, but it sends it when browsing regular mode.
|
| pbhjpbhj wrote:
| But unless you changed IP, and other machine characteristics they'll be able to link the machine-id with an alternative fingerprint (cf amiunique/panopticlick).
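
The HAR-export check from 3xblah's comment above, as an added example that is not part of the thread: rather than grepping the raw file, it parses the HAR JSON and reports which hosts received an `x-client-data` request header and whether one value was sent to all of them. The function names, the sample capture and its placeholder header value are constructed for illustration.

```python
import json
import sys
from collections import defaultdict
from urllib.parse import urlsplit

HEADER = "x-client-data"  # request header discussed in the thread

# Constructed sample capture (not real traffic); header values are placeholders.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://www.youtube.com/", "headers": [
        {"name": "user-agent", "value": "constructed-agent"},
        {"name": "x-client-data", "value": "CONSTRUCTED-VALUE-0001"}]}},
    {"request": {"url": "https://ad.doubleclick.net/abc", "headers": [
        {"name": "X-Client-Data", "value": "CONSTRUCTED-VALUE-0001"}]}},
    {"request": {"url": "https://www.youtube.com/watch", "headers": [
        {"name": "x-client-data", "value": "CONSTRUCTED-VALUE-0001"}]}},
    {"request": {"url": "https://example.org/", "headers": [
        {"name": "user-agent", "value": "constructed-agent"}]}},
]}}


def audit_har(har, header=HEADER):
    """Group the requests of a HAR capture by host and record header presence.

    Returns {host: {"requests": int, "with_header": int, "values": set}}.
    """
    report = defaultdict(lambda: {"requests": 0, "with_header": 0, "values": set()})
    for entry in har.get("log", {}).get("entries", []):
        request = entry.get("request", {})
        host = (urlsplit(request.get("url", "")).hostname or "").lower()
        if not host:
            continue  # skip data: URLs and malformed entries
        row = report[host]
        row["requests"] += 1
        # Header names are case-insensitive; HTTP/2 captures show them lowercased.
        values = [h.get("value", "") for h in request.get("headers", [])
                  if h.get("name", "").lower() == header]
        if values:
            row["with_header"] += 1
            row["values"].update(values)
    return dict(report)


def hosts_receiving(report):
    """Sorted list of hosts that received the header at least once."""
    return sorted(host for host, row in report.items() if row["with_header"])


def same_value_everywhere(report):
    """True when every request carrying the header carried one identical value,
    i.e. the value is stable across the hosts in this capture."""
    seen = set()
    for row in report.values():
        seen |= row["values"]
    return len(seen) == 1


if __name__ == "__main__":
    # Usage: python har_audit.py exported.har   (no argument: constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            capture = json.load(fh)
    else:
        capture = SAMPLE_HAR
    result = audit_har(capture)
    for host in sorted(result):
        row = result[host]
        print(f"{host:30} requests={row['requests']:3} with_header={row['with_header']:3}")
    print("hosts receiving header:", hosts_receiving(result))
    print("single stable value   :", same_value_everywhere(result))
```
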
|
| NotSammyHagar wrote:
| That would mean they are actually not tracking you (via that method at least) in private mode. I was just about to investigate how or if they were tracking in porn mode.
|
| swalsh wrote:
| I BELIEVE it is related to this section:
| https://github.com/chromium/chromium/blob/2e452bbf1fa092a742...
|
| outside1234 wrote:
| Does this apply to Edge installations? (If not, another great reason to move to Edge.)
|
| pier25 wrote:
| Chromium too?
|
| Cthulhu_ wrote:
| As another commenter pointed out, the list of domains the header is sent to is part of the Chromium codebase:
| https://chromium.googlesource.com/chromium/src/+/master/comp...
|
| gempir wrote:
| this is just a test case. It could very well be a much bigger list.
|
| gruez wrote:
| Actual list: https://cs.chromium.org/chromium/src/components/google/core/...
|
| via: https://news.ycombinator.com/item?id=22237768
|
| macinjosh wrote:
| Doesn't look like it from my testing of version 81.0.4036.0. But in normal Chrome I do see it.
|
| olah_1 wrote:
| Can you test it in Microsoft's new Edge browser based on Chromium? I'm very curious about that. (I don't know how to test such a thing myself, sorry :S)
|
| ryneandal wrote:
| I didn't see the x-client-header in the Edge insider browser when accessing YouTube.
|
| pier25 wrote:
| I don't see it in Brave either
|
| AlphaWeaver wrote:
| According to this source code [0], it looks like this is in Chromium as well. Does that mean this affects Electron applications?
|
| [0]: https://chromium.googlesource.com/chromium/src/+/master/comp...
|
| currysausage wrote:
| Edge ("Edgium") doesn't appear to send this header. Neither does Chrome in Private or Guest Mode.
|
| Ndymium wrote:
| Checked that Vivaldi doesn't seem to be sending this header.
|
| nornagon wrote:
| Electron maintainer here. Electron does not send this header.
|
| croh wrote:
| Thanks for clarification.
|
| csagan5 wrote:
| Credits to the ungoogled-chromium project [0] for the patch [1] which is also used in Bromite since 15 February 2018 to prevent this type of leaks; see also my reply here: [2]
|
| [0]: https://github.com/Eloston/ungoogled-chromium
|
| [1]: https://github.com/bromite/bromite/blob/79.0.3945.139/build/...
|
| [2]: https://github.com/bromite/bromite/issues/480#issuecomment-5...
|
| gcb0 wrote:
| Which is not the right way to solve this problem.
|
| This is the reverse ad blocker problem.
|
| Just use firefox, where we can at least pretend that the full time paid contributors are not trying to shove Advertising and Tracking on us.
|
| janpot wrote:
| Not endorsing this, but according to https://www.google.com/chrome/privacy/whitepaper.html#variat...
|
| > We want to build features that users want, so a subset of users may get a sneak peek at new functionality being tested before it's launched to the world at large. A list of field trials that are currently active on your installation of Chrome will be included in all requests sent to Google. This Chrome-Variations header (X-Client-Data) will not contain any personally identifiable information, and will only describe the state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation.
|
| > The variations active for a given installation are determined by a seed number which is randomly selected on first run. If usage statistics and crash reports are disabled, this number is chosen between 0 and 7999 (13 bits of entropy). If you would like to reset your variations seed, run Chrome with the command line flag "--reset-variation-state". Experiments may be further limited by country (determined by your IP address), operating system, Chrome version and other parameters.
|
| flukus wrote:
| So they're tracking people and using them as guinea pigs, the lack of respect for users is astounding.
|
| pdkl95 wrote:
| This is impressive doublespeak.
|
| > This ... header ... will not contain any personally identifiable information
|
| > a seed number which is randomly selected on first run ... chosen between 0 and 7999 (13 bits of entropy)
|
| They are not including any PII... while creating a new identifier for each installation. 13 bits of entropy _probably_ isn't a unique identifier iff you only look at that header in isolation. Combined with _at least_ 24 additional bits[1] of entropy from the IPv4 Source Address field Google receives >=37 bits of entropy, which is almost certainly a unique ID for the browser. Linking that browser ID to a personal account is trivial as soon as someone logs in to any Google service.
|
| > Experiments may be further limited by country (determined by your IP address)
|
| They even admit to inspecting the IP address...
|
| > operating system, Chrome version and other parameters.
|
| ...and many additional sources of entropy.
|
| [1] why 24 bits instead of 32? The LSB of the address might be zeroed if the packet is affected by Google's faux-"anonymization" feature ( https://news.ycombinator.com/item?id=15167059 )
|
| clSTophEjUdRanu wrote:
| >Linking that browser ID to a personal account is trivial as soon as someone logs in to any Google service.
|
| Wat? You mean to tell me they can identify you if you log into their service?
|
| Am I missing something here? Who cares?
|
| poxrud wrote:
| Yes you are missing something important. Once they've tied the browser ID to your personal account they can track you across all google properties, even the ones that you didn't log into.
|
| asdfasgasdgasdg wrote:
| I still don't understand. When I log into gmail, it logs me into all Google services. If I am worried about being tracked, surely my first mistake is logging in in the first place? Or visiting in the first place?
| After all, even if I click "log out," I'm only trusting Google that they unlinked the browser state from the account. If I trust them to do that, I don't see why I shouldn't trust them to ignore this experiment flag from Chrome, or at least not use it for tracking. If I don't trust them to avoid using the experiment state, I don't really see how you can trust them for anything.
|
| Anyway, if you're not building Chrome from source, then you have to trust that they aren't putting anything bad in it. And if you are building chrome from source, you can observe that they only send this experiment ID to certain domains, and they already know who you are on those domains anyway.
|
| judge2020 wrote:
| Unless you're running some extension that emulates FF's container tabs or something, it logs you into all G services. It would matter, though, if this header is still sent in incognito sessions.
|
| sildur wrote:
| I care. I care that even if I log off, even if I use a vpn, even if I go into incognito mode, they still can associate my requests with the account I initially logged in.
|
| admax88q wrote:
| I mean, if you don't want Google to track you, then you probably shouldn't use their browser...
|
| foota wrote:
| I believe someone else in the thread stated it's cleared for incognito, don't remember if they meant it's not sent or that it's a new value.
|
| meowface wrote:
| The problem is any website can do that. Incognito-bypassing fingerprinting is difficult to prevent, unless you use something like uMatrix to disallow JavaScript from everything but a few select domains.
|
| This is a collection of random-ish unique-ish attributes. Any collection of such things can be used to track you, like installed fonts, installed extensions, etc. If this were just a set of meaningless encoded random numbers, then it's essentially a kind of cookie, but that's not what it is.
| This is (claimed to be) a collection of information that's useful and possibly needed by some backends when testing new Chrome features. It tells servers what your Chrome browser supports. The information is probably similar to "optimizeytvids=1,betajsparser=1".
|
| So, the only question is if Google is actually using this to help fingerprint users in addition to the pragmatic use case. It certainly could be used that way, and it's possible they are, but they have so many other ways of doing that with much higher fidelity / entropy if they want to. If this were intended as a sneaky undisclosed fingerprinting technique, I think they would've ensured it was actually 100% unique per installation, with a state space in the trillions, rather than 8000.
|
| Yes, this could be so sneaky that they took this into consideration and made it low-entropy to create plausible deniability while still being able to increase entropy when doing composite fingerprinting, but I think it's pretty unlikely. Also, 99% of the time they could probably just use Google Analytics and Google login cookies to do this anyway.
|
| rvnx wrote:
| Maybe one actually useful non-advertising usage could be reCAPTCHA ? If you read carefully, it says nowhere that there is the limit to 8000. There is this limit of 8000 only if you disable usage statistics / crash reports.
|
| [deleted]
|
| make3 wrote:
| he means they can continue to identify you after you log off
|
| pests wrote:
| I think the argument is they have other methods like cookies they could also use. The fact you trust them not to use those methods extends to this form of tracking.
|
| mdiesel wrote:
| If you browse the internet, they could know what websites are visited by the same person, but not who they are exactly.
|
| If you visit a load of websites, then also log into google, they connect the two and they know what websites were visited by you specifically.
|
| kag0 wrote:
| Normally you would only expect to be identified and tracked when using Google services when logged in. The significance of this post is that they would be able to identify and track you across all your usage of that browser installation regardless of if you've logged out, or say in an incognito window.
|
| clSTophEjUdRanu wrote:
| Ah. So I was missing something. Thanks for clarifying. That is alarming.
|
| adriantam wrote:
| > They are not including any PII... while creating a new identifier for each installation. 13 bits of entropy probably isn't a unique identifier iff you only look at that header in isolation. Combined with at least 24 additional bits[1] of entropy from the IPv4 Source Address field Google receives >=37 bits of entropy, which is almost certainly a unique ID for the browser. Linking that browser ID to a personal account is trivial as soon as someone logs in to any Google service.
|
| Now this is interesting. If without that 13 bits of entropy, what will Google lose? Is it because of this 13 bits then Google suddenly able to track what they were not? If the IPv4 address, user-agent string, or some other behavior is sufficient to reveal a great deal of stuff, we have a more serious problem than that 13 bits. I agree that 13-bit seed is a concern. But I am wondering if it is a concern per se, or its orchestration with something else. Of course, how/whether Google keeps those data also matters.
|
| gruez wrote:
| >Now this is interesting. If without that 13 bits of entropy, what will Google lose? Is it because of this 13 bits then Google suddenly able to track what they were not?
|
| At the very least, having those 13 bits of entropy along with a /24 subnet allows you to have device-level granularity, whereas a /24 subnet may be shared by hundreds of households.
|
| rvnx wrote:
| They have more than 13 bits of entropy
|
| https://cs.chromium.org/chromium/src/components/metrics/entr...
|
| Look how the function is called, high-entropy source :)
|
| AsyncAwait wrote:
| But if you disable telemetry, they'll only have 13?
|
| [deleted]
|
| rvnx wrote:
| One clarification:
|
| - By default it's much more than 13 bits of entropy
|
| - If you disable usage statistics then you are limited to 13 bits of entropy
|
| skybrian wrote:
| Yes, if you have enough bits you can come up with a fingerprint, but that's not what PII means.
|
| tjoff wrote:
| It becomes PII the instant you can correlate that fingerprint with any PII.
|
| mega_dingus wrote:
| This.
|
| A bank account number is considered PII. Knowing the bank name & account number will uniquely identify the account holder's name, which is PII.
|
| fmajid wrote:
| IP addresses are considered PII under both GDPR and CCPA.
|
| shadowgovt wrote:
| ... which is crazy unrealistic, since it's "PII" that can only stay "private" by collective agreement of every node in the network, but no accounting for the reality of network architecture in passing law, I guess.
|
| Maybe a deep expectation of anonymity while accessing a worldwide network of cooperative machines is something people should stop telling the public they should expect?
|
| labawi wrote:
| Under GDPR you can use all the PII you reasonably need to provide expected services, you don't even need separate consent. But, if you have PII, the moment you use it for other purposes, or obtain/retain/share without proper cause, you are breaking the law.
|
| IMHO, that is very reasonable.
|
| Real world example - giving your phone number and information to your car mechanic / doctor / bank teller / plumber is reasonable. Using that information to score girls or ask donation for a puppy shelter would be considered improper.
|
| outworlder wrote:
| Or they can stay 'private' by not being stored or correlated with other user data. GDPR doesn't apply to the network itself, it applies to whoever is using it.
|
| shadowgovt wrote:
| "Stored" is definitely the purpose of a router. "Correlated" can be necessary for debugging routing issues (or client-server connection issues that are tied to the intermediary fabric near the client doing something weird; hard to determine if an entire subnet is acting up if you aren't allowed to maintain state on errors correlated to IP address).
|
| gcb0 wrote:
| > IP addresses are considered PII under both GDPR and CCPA.
|
| That's why Google do that little obfuscation dance. All the trackings of cookie/ip, none of the gdpr annoyances.
|
| The var is called "kMetricsLowEntropySource" in case anyone is wondering
|
| https://github.com/chromium/chromium/blob/dc70013d5a70434fae...
|
| forgotmypw38 wrote:
| Don't forget that just about any registration requires recaptcha these days
|
| asdfasgasdgasdg wrote:
| > > Experiments may be further limited by country (determined by your IP address)
|
| > They even admit to inspecting the IP address...
|
| I don't think that sentence admits what you say? Chrome could be determining which experiments to run client-side.
|
| Of course, when you visit a Google property, they needs must inspect your IP address to send a response to you, at a minimum. That goes for any site you might choose to visit. The existence of sufficient entropy to personally identify a site visitor is not a state secret. They do not need this chrome experiment seed to identify you, if that's a goal.
|
| calibas wrote:
| Yeah, it's not a "state secret" but it's not common knowledge either. Their privacy policy says that specific header can't be used to identify you, but fails to mention it can be combined with other information to make browser fingerprinting trivial.
|
| If you don't know how all this works, which is true for most human beings, their privacy policy might give you the wrong impression.
|
| asdfasgasdgasdg wrote:
| > says that specific header can't be used to identify you
|
| That's not what it says. It says the header won't contain PII, which is true. It can be linked to PII, but so can literally every bit of information you send to Google while logged into or otherwise using their services. A disclaimer to this effect would not have any purpose.
|
| GrayShade wrote:
| If I log in to my Google account once, they can associate that browser id with my account. Even if I log out, clear my cookies (and probably use the incognito mode), Google will be able to identify and follow me all over the Web.
|
| I don't know about your PII thing, but it's personal data under the GDPR.
|
| asdfasgasdgasdg wrote:
| AIUI GDPR restricts the handling and use of PII, not its existence. So it's PII under GDPR. Is Google misusing it? If so, that's an issue. If not, then it's kinda pointless to observe that it's PII under some possibly distinct legal definition than the one Google is using in its privacy policy.
|
| calibas wrote:
| That's the whole point. Using any Google service means they can easily personally identify you, that's what the privacy policy should explain.
|
| That's their policy towards privacy, you don't have any. For some reason I can't fathom, you claim mentioning this in their privacy policy "would not have any purpose". Instead of honesty, their privacy policy is a wonder of public relations where it seems like they care deeply about protecting your privacy.
|
| asdfasgasdgasdg wrote:
| We disagree about the purpose of privacy policies. I believe that privacy policies should describe how data _will_ be used, not how it _could_ be used. I just don't think a policy describing how data could be used is very useful, because it's going to be the same for all services.
|
| Under this formulation, Google's policy is (presumably, lacking any data to the contrary) honest with respect to this value.
|
| shuckles wrote:
| This is a fair distinction, though it does not include the option of discussing how the data _won't_ be used.
|
| asdfasgasdgasdg wrote:
| Per your observation, I would argue that the intent of the privacy policy as quoted above is pretty clear. When the policy says that the identifier doesn't contain PII, I believe that is meant to convey that it will not be used to identify you. But it's true that that use is not explicitly excluded. I'm not a lawyer so I couldn't tell you if being weasely in this way would count as fraud or not. Otoh, I suspect that Google is actually abiding by the spirit of the policy they wrote because honestly they have little to gain and much to lose by violating it.
|
| emmelaich wrote:
| > _I believe that privacy policies should describe how data will be used, not how it could be used._
|
| This is key. If you subscribe to the "how it could be used" version, then even say _possessing_ an android phone would be a violation of the privacy policy. Which is absurd.
|
| coliveira wrote:
| > This ... header ... will not contain any personally identifiable information
|
| Except for everything you do on your browser. I'm so glad I haven't used Chrome for almost three years.
|
| [deleted]
|
| rvnx wrote:
| The key in the wording is: "If usage statistics and crash reports are disabled, this number is chosen between 0 and 7999 (13 bits of entropy)."
|
| "If, statistics are disabled."
|
| In chrome://version you can see the active variations. It seems to be pretty big numbers to be significant, and so far haven't observed duplicates.
|
| Since this header is generated server-side, you have only to believe I guess ? Plus why Doubleclick would need it :)
|
| JMTQp8lwXL wrote:
| Is there a reason for only sending this header to Google web properties and not all domains?
|
| Cthulhu_ wrote:
| Is it because Google's webapps will have their own a/b tests which use experimental features only available in Chrome perhaps?
|
| I mean personally I think they should do client-side feature detection and be back to being standards compliant and not creepy. The only reason why I'd consider such a flag is because they optimize the payload server-side to return a certain a/b test, but even with that they could do the default version first, do feature detection, and then set a session cookie for that domain only that loads the a/b test.
|
| My other Thought was that they test a feature that is implemented across Google's properties, e.g. something having to do with their account management.
|
| CommanderData wrote:
| I can think of a hundred reasons why they do this. It doesn't make it right in any of those.
|
| masswerk wrote:
| Isn't this what cookies are for?
|
| rvnx wrote:
| Cross-site cookies are soon getting blocked by Chrome starting Chrome 80 if I'm right (whereas this header isn't)
|
| CaveTech wrote:
| So they build a personal back door to a feature that they've chosen to remove for everyone else? Because of its potential for abuse, yet the very same company is somehow abusing it in a way more sinister way. Antitrust can't come soon enough.
|
| cpeterso wrote:
| Chrome will only block cross-site cookies that don't use HTTPS and the SameSite=Lax flag. It's easy for trackers to use HTTPS and SameSite=Lax. This Chrome change is mostly intended to protect against Cross Site Request Forgery (CSRF) attacks, not to block trackers.
|
| macinjosh wrote:
| It is an abuse of Chrome's position in the marketplace. Google is using their powerful position to give themselves tracking capabilities that other online players can't access. It is a major competitive advantage for Google.
|
| IshKebab wrote:
| Err yeah, because it adds loads of data that can be used to track you.
| some_random wrote: | How many people will actually run chrome with a cli flag? It | would be pretty impressive if every single person reading this | thread did, but it probably won't even be that. Most people | don't even touch their settings. | | 13 bits of entropy is far from a uuid (but to get it to that | you need to disable some more settings, which again very few | people do), but it's still plenty good enough to disambiguate | individuals over time. | Yeroc wrote: | And Google is certainly in a position to disambiguate that | uuid to an individual as soon as they login to gmail or any | other Google property! | ravedave5 wrote: | It appears that chrome based Edge does not send this header. I've | switched to firefox for everything I can switch, perhaps it's time | to use Edgeium over chrome for anything else. | pbhjpbhj wrote: | MS Windows probably used the Skype to fingerprint you already, | and don't need the browser to do it explicitly? | Tepix wrote: | According to | https://www.google.com/chrome/privacy/whitepaper.html | | " _We want to build features that users want, so a subset of | users may get a sneak peek at new functionality being tested | before it's launched to the world at large. A list of field | trials that are currently active on your installation of Chrome | will be included in all requests sent to Google. This Chrome- | Variations header (X-Client-Data) will not contain any personally | identifiable information, and will only describe the state of the | installation of Chrome itself, including active variations, as | well as server-side experiments that may affect the | installation._ " | | While this header may not contain personally identifiable | information, its presence will make every request by this user | far more unique and thus easier to track. I do not see Google | saying they won't use it to improve their tracking of people. 
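The "13 bits of entropy" figure discussed in the comments above, worked through as an added example (not part of any commenter's post and not Chrome's code): it estimates what share of users a value drawn from 0 to 7999 singles out once requests are already grouped by other coarse signals. The grouping into "buckets" and the bucket sizes are assumptions made for the illustration.

```python
"""Added illustration: how far a 13-bit value goes toward singling out a browser.

Assumption (not from the thread): the server can already sort requests into
"buckets" of users who look alike on coarse signals. The bucket sizes below
are constructed sample values.
"""
import math
import random
from collections import Counter

SEED_VALUES = 8000  # "chosen between 0 and 7999", as quoted in the thread


def entropy_bits(values=SEED_VALUES):
    """Bits of information carried by one uniformly chosen value."""
    return math.log2(values)


def expected_unique_fraction(bucket_size, values=SEED_VALUES):
    """Chance that a user's value is shared by nobody else in their bucket."""
    if bucket_size < 1:
        raise ValueError("bucket_size must be at least 1")
    return (1.0 - 1.0 / values) ** (bucket_size - 1)


def largest_bucket_for(target_fraction, values=SEED_VALUES):
    """Largest bucket in which at least target_fraction of users stay unique."""
    if not 0.0 < target_fraction <= 1.0:
        raise ValueError("target_fraction must be in (0, 1]")
    others = math.floor(math.log(target_fraction) / math.log(1.0 - 1.0 / values))
    return others + 1


def simulate_unique_fraction(bucket_size, values=SEED_VALUES, trials=200, seed=0):
    """Monte Carlo check of expected_unique_fraction with a fixed RNG seed."""
    rng = random.Random(seed)
    unique = 0
    for _ in range(trials):
        counts = Counter(rng.randrange(values) for _ in range(bucket_size))
        unique += sum(1 for c in counts.values() if c == 1)
    return unique / (trials * bucket_size)


def report(bucket_sizes=(50, 500, 5000, 50000)):
    """Rows of (bucket size, expected unique share, bits needed to split it fully)."""
    return [(n, expected_unique_fraction(n), math.log2(n)) for n in bucket_sizes]


if __name__ == "__main__":
    print(f"value carries {entropy_bits():.2f} bits")
    for n, frac, needed in report():
        print(f"bucket of {n:>6} users: {frac:6.1%} unique, "
              f"{needed:.1f} bits needed to separate them all")
    print("half of users still unique up to bucket size", largest_bucket_for(0.5))
```

The takeaway for a privacy review is that a low-entropy value cannot be judged in isolation: its identifying power depends on how small the group sharing the remaining request attributes already is.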
| goatinaboat wrote: | One click while logged into any Google property will be enough | for them to permanently associate this GUID with your (shadow) | account, they know it, and they know you know it too | balls187 wrote: | This is why I use firefox for personal browsing, and edge for | work. | | Now that Edge / Chromium is out of beta, even better. | cs702 wrote: | Doubtlessly, this will be rationalized and justified as being | necessary for, and in the best interest of, consumers... | | ...but inevitably, it _will_ be used for tracking -- regardless | of intent. | | It might also get Google in trouble. Copying and pasting from | a comment in the OP's URL: | | _> Example: https://www.youtube.com - in network headers, look | for x-client-data | | > Now, go to https://ad.doubleclick.net/abc - and your browser | also sends this magic x-client-data. | | > It's a unique ID to track a specific Chrome instance across all | Google properties. | | > Really curious about your opinion, especially after the GDPR | explicitly forbidding such tracking. Moreover, it doesn't make | sense to anonymise user-agent if you have such backdoor._ | floatingatoll wrote: | Can Chrome extensions on the new proposed v3 standard remove | that outbound request header? | floatingatoll wrote: | This comment is unreadable on mobile. | https://i.imgur.com/jFusqw0.png | | Could you please remove the four-space indent? You can wrap | each paragraph in * ... * if you want to italic them. | cs702 wrote: | Fixed. Sorry about that. Thank you for letting me know! | floatingatoll wrote: | No worries :) | metahost wrote: | You may give https://hackerweb.app a try! Aside: It is read | only though. | floatingatoll wrote: | I don't appreciate your link to a third-party reader here, | because you're implying that the contradiction of HN's | style guidelines (code formatting is for code) is somehow | made acceptable by the existence of an app that reformats | it for only a few readers. 
| | If I switch to an app rather than ask the person to stop, | the other HN mobile users who use a browser rather than app | will continue to suffer. "Use an app" is not an acceptable | choice. | cs702 wrote: | It seems my comment may have been misinterpreted. | | I meant that this will be rationalized and justified BY GOOGLE. | mojuba wrote: | > Now, go to https://ad.doubleclick.net/abc - and | | It's funny that the doubleclick URL was removed by my adblocker | and I didn't get what the original message was about. Now I can | see it, thanks :) | reaperducer wrote: | I don't understand why Google and some other tech companies use | their users as involuntary, unpaid guinea pigs. No consent. No | opt-out. | | What's the motivation? Is it simple laziness because they don't | want to deal with wetware? Is it afraid that if people knew what | was happening they wouldn't be happy? Google has eighty | brazillion employees it can test new features on. | basch wrote: | Microsoft Vista was a Windows 7 beta, and was "necessary" to | basically experiment on the entire Home market, to make the | product stable enough for enterprise. | | Although Windows 7 may have been one of the most complex | software deployments in history, needing to support decades of | poorly written drivers, while making the system both stable and | compatible. | gruez wrote: | >Microsoft Vista was a Windows 7 beta, and was "necessary" to | basically experiment on the entire Home market, to make the | product stable enough for enterprise. | | That claim is directly contradicted by the fact that there's | Windows Vista enterprise edition[1]. Vista is also supported | for a full 10 years just like 7, which would be strange for | something that was supposed to be an "experiment". | | [1] https://en.wikipedia.org/wiki/Windows_Vista_editions | basch wrote: | most enterprises skipped it. | munificent wrote: | Bias up front: I work at Google but am not speaking for Google. 
| | _> involuntary, unpaid guinea pigs._ | | I don't see how this is involuntary. You are choosing to use | the product. If you choose to use the product, yes, you may be | exposed to features that the product has. If you don't want to | be exposed to those features, the way to opt out is to not use | the product. | | _> What's the motivation?_ | | It lets the company incrementally roll out and test features in | real-world network configurations at scale. As far as I know, | almost all tech companies do this. | | Let's say you're Fapplebooglezon and you have an idea to put | kitten emojis on the "Buy Now" button. Before you ship that, | you want to make sure that: | | 1. The feature works correctly. It doesn't crash or have | significant performance problems. | | 2. Users, in aggregate, like the change. No one wants to ship a | "New Coke" debacle. It's bad for the company (they lose money) | and bad for users (they don't like the product). | | 3. Your servers and network can handle the consequences of that | change. Maybe users will be so excited that they all click "Buy | Now" twice as much. You need to make sure your servers don't | crumble under the increased load. | | These are reasonable things that benefit both the company and | users. So the way features and changes are usually shipped is | like: | | 1. The feature is implemented behind some kind of flag. [0] | | 2. "Fishfooding" [1]: The team developing the feature starts | using it. This gives you some feedback on "does the feature | work correctly" but that's about it. The team owns the feature, | so they are biased in terms of its usability. And they are on a | privileged network and not a large enough population to verify | how this affects the distributed system. | | 3. "Dogfooding": The entire company starts using it. This | starts to give you some usability feedback because now people | who don't have a stake in the feature are being exposed to it. 
| But it's still skewed since employees are likely not a | representative user population. | | 4. "Canary": The feature is enabled for a randomly selected | small population of external users. Now you start getting | feedback on how the feature performs in the wild on real-world | machines and networks. The percent of users is kept small | enough to not crush the servers in case anything goes awry, but | you can start getting some performance data too. | | 5. "A/B testing": Now you start collecting data to see how | behavior of users with the feature compares to users without | it. You can actually start to get data on whether the feature | is good or not. | | 6. Assuming everything looks OK, you start incrementally | rolling it out to a larger and larger fraction of users. All | the while, you watch the servers to make sure the load is | within expected bounds. | | 7. Once you get to 100% of users and things look good, you | remove the flag and the feature is now permanently enabled. | | _> Is it simple laziness because they don't want to deal with | wetware?_ | | Google, like most other companies, also does lots of user | testing and user surveys too. But that doesn't give you insight | into the technical side of the question -- how the feature | impacts the behavior of your distributed system. | | You may not be aware of this, but this kind of in-the-wild | product testing is something almost all businesses do, all the | time. Food companies test new products in grocery stores in | selected cities [2]. Car manufacturers drive camouflaged | prototypes on the road [3]. Restaurant chains tinker with | recipes to see how sales are affected. There is absolutely no | guarantee that the Coke you're drinking today has the same | ingredients as the one you had yesterday. | | You seem to think this is some nefarious scheme, but it's just | basic marketing. You want to make a thing people like, so you | make two things and measure which one people like more. 
People | "opt in" and "consent" by using the product. If you don't want | to be a "guinea pig" when McDonald's changes their French fry | recipe, don't buy the fries. If you don't want to test out new | Chrome features, don't use Chrome. | | [0]: https://martinfowler.com/articles/feature-toggles.html | | [1]: | https://www.reddit.com/r/google/comments/3qpdnn/anyone_knows... | | [2]: https://smallbusiness.com/product-development/best-u-s- | citie... | | [3]: https://www.cnbc.com/2017/01/20/camouflage-the-incognito- | way... | reaperducer wrote: | _I don't see how this is involuntary. You are choosing to | use the product_ | | It's involuntary because it's not informed consent. Google | doesn't tell people up front or in any meaningful way that | this is happening. | | That's like saying "Oh, that steak was covered in the chef's | experimental hot sauce that we didn't list on the menu? Well, | too bad, you chose to come to this restaurant." | munificent wrote: | _> It's involuntary because it's not informed consent. _ | | I think you're making an analogy that doesn't logically | apply. "Informed consent" is a property of _healthcare_ | administration. When you're putting drugs into someone's | blood stream or cutting them open while anaesthetized, | yeah, you need to make damn sure you're doing the right | thing for them. | | _> the chef's experimental hot sauce that we didn't list | on the menu?_ | | Likewise, when you're serving food that someone will ingest | and which may cause allergic reactions or food poisoning, | again the bar is pretty high to make sure you are treating | people safely. | | But we're talking about using a free piece of software. If | Chrome changes the color of their tab bar, no one is going | into anaphylactic shock. When Facebook adds a new button on | the sidebar, there is little risk of that inadvertently | severing someone's carotid artery. | zerkten wrote: | > No consent. No opt-out. | | Do you understand what licensing is? 
That's one of the | underlying aspects that's important with software and why you | can't treat it like other things you buy. I'd add it's also why | things that adopt software-style licencing models are bad too. | | A company creates a licence with terms and you agree to use the | licence under those terms by using the software. The terms are | difficult to change unless you have leverage. The only party | other than the company is often the regulatory authority. | Regulation is limited in the US at best when compared to the | EU. If you are from the EU then you probably assume the US | works similarly, but most Americans don't recognize issues like | this one. When they do, it's hard to fight the incumbents and | make something opt-in, or ban it outright. | | > What's the motivation? Is it simple laziness because they | don't want to deal with wetware? (the start of your first | paragraph applies here too) | | It's fairly simple. The motivation is making correct decisions | based on the gold standards of decision-making that some people | aspire to. The model is not dissimilar to clinical trials where | a treatment is given to some individuals and not to others. The | hope is that this form of experimentation removes bias and | lets the product manager make the best decisions. | | Based on this thinking it is not possible to test with just | Google's employees. For many decisions, the bias will be | significant, and ultimately the belief is that worse decisions | will be made for users. | | I'm trying to convey that in as neutral a way as possible. I | think this can be a useful technique, but I think that there is | little discipline and accountability in the wider software | world compared to medicine. You have PMs who'll routinely just | run an A/B test longer to collect more data (that's better, | right?), but invalidate their results, just to please | management. 
| | If anyone is going to implement this approach then I'd trust | Google to implement it effectively to meet their needs. They do | it on a large scale across their products and have many layers | of people to ensure it's effectively meeting their needs. As | stated in the previous paragraph, this doesn't mean that other | people do it right, or that everyone in Google does it right | every time. I'm sure they've had a fair share of failed | experiments. | lmkg wrote: | > Do you understand what licensing is? | | Nope, no one understands licensing. Which means that | arguments grounded on "The user accepted the terms!" has a | shaky ethical foundation. Not necessarily a shaky legal | foundation, although that wheel seems to be turning. | gowld wrote: | Do you get the consent to observe everyone you interact with? | duxup wrote: | Isn't that what most A/B testing is? | reaperducer wrote: | No, it's what unethical A/B testing is. | duxup wrote: | " involuntary, unpaid guinea pigs. No consent. No opt-out" | | That sounds like all A/B testing... | csallen wrote: | "Scientists run tests on guinea pigs. A/B testers run | tests on me. Therefore I am a guinea pig. Guinea pigs | have no rights. Therefore A/B testers are taking away my | rights." | | I've never been a fan of this particular type of logic | and reasoning (or lack thereof). | duxup wrote: | Yeah I agree. A/B testing is generally ... innocuous. | | The idea that such a pattern is as severe / bad as | described I don't think makes sense. | reaperducer wrote: | _That sounds like all A /B testing..._ | | In the tech world, maybe. But not in the real world. | | For example, one of the colleges I went to was in an area | with a lot of pharmaceutical companies. My friends would | A/B test drugs for the companies. They made enough money | to pay for college. But it was all completely consensual, | with contracts and disclosures, etc... 
| | Companies in the increasingly morally bankrupt SV bubble | just test on people without letting them know about it. | That's the problem. | duxup wrote: | In the tech world changing the background color on a | webpage to see what I do and ... medicine are pretty | darned different. | zerkten wrote: | Like it, or not, these companies believe the terms of | service at the bottom of the page suffice for your | consent. We really need this problem to be tackled on | many levels (legal precedents that terms don't matter, | education, encouragement of good alternatives, etc.) | | Until that time, folks in the SV bubble will just keep | doing this. Companies that can operate only from the US | are effectively untouchable when it comes to regulation. | Big companies like Facebook get caught a bit because they | have offices, but many no name companies acting as data | brokers, etc. don't have a presence and are hard to deal | with. | bayindirh wrote: | Firefox's testing (aka studies) are opt-in, not opt-out. | gowld wrote: | Firefox telemetry is opt-out, however. | | https://support.mozilla.org/en-US/kb/share-data-mozilla- | help... | w0m wrote: | ... what? | | If you aren't paying for it; you are the product. Simple. | dawnerd wrote: | But what about people like me that are paying google (quite a | lot actually)? | wolco wrote: | I don't understand your group. The company that offers | everything for free for the price of privacy and you also | give them money? | | If I was paying for a service that didn't respect my | privacy I wouldn't give them my identifying payment info as | well. Your fingerprint is connected to all of the credit | data providers. If you didn't pay they had to guess or | connect you another way. | dawnerd wrote: | Same reason people use amazon/aws or microsoft/azure. | shawnz wrote: | This is a meaningless cliche. 
Just because users of Google | products don't pay in cash to use them doesn't change the | fact that Google has to attract the users to their platform | in the first place, and keep them there. | zepto wrote: | No, Google has paid to be the default in most cases. | shawnz wrote: | Anticompetitive behavior is a different and unrelated | problem from monetizing your products using advertising | and personal data | Iolaum wrote: | Nowadays you are the product even if you pay. (E.g. | Subscription news sites including trackers on subscribed | users, smartTVs siphoning data etc) | simias wrote: | I agree completely, that's what's so messed up with this | "freemium" model that's so popular these days. If companies | need to develop the ad-ridden version with tons of tracking | to monetize free users anyway, what's the incentive for | them to turn it off for paying users? | | It's not like 99% of them are going to care and/or notice | anyway, and if anything it would be more work to test and | maintain a different version of the code without trackers. | | Just pay for the things you use people, and block | everything you can with browser plugins. This model needs | to die. | Agenttin wrote: | Thing is the TV's you're only half the customer. That's why | the TV's have gotten so cheap, the extra revenue stream | from selling data. You can't even buy a dumb TV any more. | deathanatos wrote: | My gas pump feeds me ads while I pump gas that I paid | for. | | T-mobile sends me ads over SMS that I paid for. | | JetBlue serves ads to paying passengers on the seat-back | displays. | | I hear Windows has ads now, but I got off that ship a | while back. | | Being the customer is no longer sufficient; companies | have figured out that they can make more money by | charging you _and_ serving you ads. | chewz wrote: | > If you aren't paying for it; you are the product. Simple. 
| | This nonsense should belong into Ron Swanson Pyramid of | Greatness along with: Capitalism - God's way of determining | who is smart, and who is poor. | arkitaip wrote: | 1. It's about the money. | | 2. See 1. | scarejunba wrote: | It's because most people don't care and if it means that they | have a better product at the end of it, they'll take the trade. | thu2111 wrote: | Google employees are not a random sample of their user base, so | such experiments would be meaningless. | | See the fiasco where they broke Terminal Services last year as | an example of what can go wrong even when doing experiments on | the whole user base. | | Also consider how to measure the usage of web features Google's | own websites don't use, but are popular on e.g. intranets in | Korea. | | A/B testing isn't bad, it's a good thing. People are | notoriously not very good at giving feedback. Experiments and | usage statistics let you get the ground truth about what they | really value, and what's really working. | reaperducer wrote: | _Google employees are not a random sample of their user base, | so such experiments would be meaningless._ | | This is a lazy argument. Google isn't some scrappy tech | startup where 90% of the employees are programmers. Google | has legions of lawyers, mailroom clerks, accountants, travel | coordinators, janitors, cafeteria workers, middle managers of | all stripes, and so much more. Thousands and thousands of | people it can test on without violating the privacy of the | general public. | salawat wrote: | A/B testing as implemented in industry is -evokes emotional | responses eerily similar to those evoked when gaslighting is | noticed -uncompensated -inconsistent with any semblance of | established research ethics -generally non-consensual | -completely undermines trust | | I'm not normally one to make a big deal about this sort of | thing, but there is a reason research ethics exist. 
If one | can't be trusted to even attempt to follow ethical research | protocols, one damn well shouldn't be trusted with anything | important. | | Your user's time and information is not yours to share. | Whether you bury it in the fine print or not. | at-fates-hands wrote: | > I don't understand why Google and some other tech companies | use their users as involuntary, unpaid guinea pigs. No consent. | No opt-out. | | It's crazy to me to think about when I was in college (in the | mid aughts), I was doing a lot of research into Native American | cultures. The amount of releases, paperwork, and other hoops | you had to jump through in order to just interview subjects was | pretty daunting. | | The fact we have become involuntary research subjects without | any protections as a research subject or easy way to opt out of | these companies data collection (which itself is an ongoing | form of research) is staggering to think about. | mam2 wrote: | I still don't understand how people ask these questions when | it's been it since 30 years. | orthecreedence wrote: | I hate to say this, but duh. It's a closed-source browser made by | an ad company. What the hell do people expect? | dazbe wrote: | Wow, I didn't think sensationalist headlines were allowed on HN. | I'm guessing mods are asleep or just don't care anymore. | | Edit: If the mods are listening, I've come up with an alternative | title for you: | | "The Evil GOOGLE Has Installed a MALICIOUS BACKDOOR On All Chrome | Users Machines To Sell PERSONAL DATA to RUSSIAN HACKERS on the | DARK WEB". | | This will surely get the clicks now. You can thank me later. | dang wrote: | The mods were asleep. That happens sometimes. | | If you really want to help, suggesting an accurate and neutral | title, preferably using representative language from the | article itself, is a great way to do that. We don't know enough | to get it right in every case, even when awake. | nacho2sweet wrote: | Break this company up. 
| _jal wrote: | I was fooled by Google for a while, thinking it was less evil | than FB. They're just a little smarter about their shittiness. | CommanderData wrote: | We need the GDPR equivalent in the US. | a3n wrote: | "It's only metadata." | https://en.wikipedia.org/wiki/PRISM_(surveillance_program)#R... | dathinab wrote: | >It's a unique ID to track a specific Chrome instance across all | Google properties. | | >Really curious about your opinion, especially after the GDPR | explicitly forbidding such tracking. | | >Moreover, it doesn't make sense to anonymise user-agent if you | have such backdoor | | Oh, but it does make sense because with this everyone _but_ | google will have a harder time tracking people :\ | d1zzy wrote: | TL;DR I think whoever posted that is trying to bury the UA | anonymizing feature by derailing the discussion. | | What I'm seeing is an RFC for anonymizing parts of User-Agent in | order to reduce UA based fingerprinting, which improves | everyone's privacy, that's a good thing! | | Then I see someone comments how that could negatively impact | existing websites or Chromium-derived browsers, comments which | are totally fair and make an argument that may not be a good idea | doing this change because of that. | | Then someone mentions the _existing_ x-client-data headers | attached to requests that uniquely identify a Chrome | installation. Then a lot of comments on that, including here on | HN. | | To me that's derailing the original issue. If we want to propose | that Chrome remove those headers we should do so as a separate | issue and have people comment/vote on that. By talking about it | on the UA anonymizing proposal we are polluting that discussion | and effectively stalling that proposal which, if approved, could | improve privacy (especially since it will go into Chromium so | then any non-Chrome builds can get the feature without having to | worry about x-client-data that Chrome does). 
| dessant wrote: | This is the equivalent of a protest, people are objecting to | Google's illegal data harvesting practices in places that | receive engagement, since that's the most effective way to get | the word out and warn others. | | Google's reasoning that this is not personal data is | meaningless in the face of GDPR, which considers an IP address | personal data. Google has access to the IP address when they | receive the data, therefore they are transmitting personal | information without user consent and control, which is illegal. | csagan5 wrote: | It could be argued that a similar violation is present (since | March 2019) in Chromium for the Widevine CDM provisioning | request, see https://github.com/bromite/bromite/issues/471 | | Basically all users opening the browser will contact | www.googleapis.com to get a unique "Protected Media | Identifier", without opening any web page and even before any | ToS/EULA is accepted (and there is no user consent either). | dessant wrote: | I think the Widevine CDM request is needed for the service | to function, though they could certainly delay it until a | website requires DRM. GDPR allows the use of personal data | without consent when it is required to provide a service | for the user. | | The personal data collected with the x-client-data header | is not required for Google sites to function. Google uses | the data to gain a technical advantage over other sites on | the web, this is why the data collection in this case | requires consent. | mokus wrote: | Whether consent is legally required or not, as a user I | want that service, whatever it is, to not work until I | consent to the exposure of my personal data. Given that | it apparently has something to do with DRM, I would be | disabling the service anyway. | baybal2 wrote: | > Whether consent is legally required or not | | Let's not guess it, let's file a complaint, and see if we | can get Google sued for n billions of euros. 
| csagan5 wrote: | The poster is the author of Kiwi browser, which unfortunately | is closed source [0], but I have reason to believe he is | familiar - as I am for the Bromite project - with all the | (sometimes shady) internals of the Chromium codebase; it is | indeed off-topic to discuss the header issue there but I would | say that there is no explicit intention to derail it (and no | advantage), just incorrect netiquette. | | [0]: | https://github.com/kiwibrowser/android/issues/12#issuecommen... | rvnx wrote: | https://cs.chromium.org/chromium/src/components/google/core/... | | Just thinking out loud. | | What happens, let's say, if someone malicious buys youtube.vg | and puts an SSL certificate on it ? Will they be able to collect | the ID ? | | I guess so ? | gdm85 wrote: | Yes, but they would also need a valid TLS certificate? | | A country's government could also take over the TLD and grab | its traffic overnight. | 3xblah wrote: | The Google employee argues that through UA-CH Google wants to | disincentivise "allow" and "block" lists. | | After many years of testing HTTP headers, IMO this really is a | non-issue. Most websites return text/html just fine _without | sending any UA header at all_. | | What is an issue are the various ways websites try to coax | users to download, install and use a certain browser. | | Another related issue with Google Chrome is users getting | better integration and performance when using Chrome with | Google websites than they would if they used other clients. ^1 | Some make the analogy to Microsoft where it was common for | Microsoft software to integrate and perform better on Microsoft | Windows whereas third party software was noticeably worse to | integrate and perform on that OS. | | This leads to less user agent diversity. Users will choose what | works best. | | UA diversity is really a more important goal than privacy, or | privacy in Chrome. 
The biggest privacy gains are not going to | come from begging Google to make changes to Chrome. They could | however come from making it easier for users to switch away | from using Chrome and to _use other clients_. That requires | some cooperation from websites as well as Google. | | Those other clients could theoretically be written by anyone, | not just large companies and organisations that are dependent | on the online ad sales business. It would be relatively easy to | achieve "privacy-by-design" in such clients. There is no rule | that says users have to use a single UA to access every | website. There needs to be choice. | | For example, HN is a relatively simple website that does not | require a large, complex browser like Chrome, Safari, Firefox, | etc. to read. It generates a considerable amount of traffic and | stands as proof that simpler websites can be popular. Varying | the UA header does not result in drastic differences in the | text/html returned by the server. | | 1. Recently we saw Google exclude use of certain clients to | access Gmail. | unapologetic wrote: | The original issue is supposedly fingerprinting and privacy | related. | | If that's true then Google should be called out for their poor | behaviour. | lordlimecat wrote: | >which improves everyone's privacy, that's a good thing! | | Except it does not affect Google, because Google has this | install ID to use both for tracking and preventing ad-fraud. | | Which means Google competitors are terribly disadvantaged, as | they cannot use that. | | Which not only reduces market diversity (contrary to TAG | philosophy) but represents a significant conflict of interest | for an organization proposing a major web standard change. | | These issues are very relevant to the original proposal, | especially in light of the fact that no one outside of Google is | terribly interested in this change. 
Any time a dominant player | is the strongest (or only) advocate for a change that would | coincidentally and disproportionately benefit its corporate | interests, the proposal should be viewed very skeptically. | d1zzy wrote: | > Except it does not affect Google, because Google has this | install ID to use both for tracking and preventing ad-fraud. | | So when Apple releases a privacy feature, that doesn't affect | them as a business, we praise the feature or we say "except | it doesn't affect Apple" and somehow try to argue how the | feature is less valuable because of that? | dessant wrote: | Apple is not engaged in illegal data harvesting to gain a | competitive advantage over other services in the same | space. Google's collection of personal data with the | x-client-data header without user consent is illegal under | GDPR. | joshuamorton wrote: | This relies on the (unfounded) assumption that this | pseudonymous ID is being used for tracking purposes and | that Google is actively lying about it. | dessant wrote: | GDPR treats an IP address as personal data. The data is | not transmitted through an anonymizing network, so Google | has access to the user's IP address when they receive the | data. | | Anything that is associated with personal data also | becomes personal information, therefore Google is | transmitting personal data without user consent, which is | illegal. | | Asking for consent is not required under GDPR when the | data collection is needed for a service to function. This | is not the case here, Google services function without | receiving that header, the data is used by Google to gain | a technical advantage over other web services. | joshuamorton wrote: | > GDPR treats an IP address as personal data. | | No it doesn't. GDPR only treats IP address as personal | data if it is associated with actual identifying | information (like name or address). 
Collecting IP address | alone, and not associating it with anything else, is | completely fine (otherwise nginx and apache's default | configs would violate GDPR), and through them basically | every website would violate GDPR. | | Edit: and furthermore, even if it did (I see conflicting | reports), if you collect IP Address and another | pseudonymous ID and _don't_ join them, the ID isn't | personal data. | | IOW, the theoretical capability to make changes to a | system to use info in a non-GDPR compliant way doesn't | make the information or system noncompliant. You actually | have to do the noncompliant things. | dessant wrote: | An IP address is itself personal data, it does not have | to be associated with other personal data. | | https://ec.europa.eu/info/law/law-topic/data-protection/refo... | | > Collecting IP address alone, and not associating it | with anything else, is completely fine (otherwise nginx | and apache's default configs would violate GDPR), and | through them basically every website would violate GDPR. | | See my comment about consent not being required when the | data is needed to provide a service. Logging is | reasonably required to provide a service. | | > and furthermore, even if it did (I see conflicting | reports), if you collect IP Address and another | pseudonymous ID and don't join them, the ID isn't | personal data. | | The transmission of data is already covered by GDPR, you | don't have to store the data to be bound by the law. | acqq wrote: | To help other readers: | | "The European Commission maintains this website to | enhance public access to information about its | initiatives and European Union policies in general." | | https://ec.europa.eu/info/law/law-topic/data-protection/refo... | | "Home > Law > Law by topic > Data protection > Reform > | What is personal data?" | | "Examples of personal data | | ... | | - an Internet Protocol (IP) address;" | joshuamorton wrote: | See my edit.
There's conflicting information on this. A | dynamic IP, for example, isn't directly related to or | relatable to a specific natural person without other | context. | | But even if that's the case, if you don't tie the | pseudonymous ID to the IP, it isn't personal data. As far | as I can tell, the transfer rules you reference are about | transferring data out of the EU, and can be summarized as | "you can't transfer data to a non-EU country and then | process it in a way that violates the GDPR". Article 46 | notes that transferring data is fine as long as | appropriate safeguards are in place[1], and article 47[2] | defines what constitutes those safeguards (in general, | contractually/legally binding agreements with appropriate | enforcement policies). | | This goes back to what I said before: The theoretical | capability to do noncompliant things doesn't make a | system GDPR-noncompliant. You have to actually do | noncompliant things to not comply. | | [1]: https://gdpr-info.eu/art-46-gdpr/ | | [2]: https://gdpr-info.eu/art-47-gdpr/ | 0xfffafaCrash wrote: | There has been an EU court ruling on this exact question | of whether dynamic IP addresses count as personal data | even in contexts where the website operator in question | does not have the means to associate it with an | individual but another party (such as an ISP) does. The | Court of Justice of the European Union has ruled on this | and it does count as personal data. [1] | | Furthermore, GDPR itself specifically refers to online | identifiers in Article 4 as falling under the definition | of personal data[2] and then clarifies in Recital 30[3] | that IP addresses count as online identifiers in this | context. There seems to be no legal ambiguity in the EU | on this topic at this point, but I would not be surprised | to see parties who are not GDPR compliant pretend | otherwise indefinitely. | | [1] https://curia.europa.eu/jcms/upload/docs/application/pdf/201...
| | [2] https://gdpr-info.eu/art-4-gdpr/ | | [3] https://gdpr-info.eu/recitals/no-30/ | [deleted] | mabbo wrote: | I think the concern is that this disarms Google's competitors | while keeping them fully-armed. | | Ads are a business, and they are Google's business. They are | how they make money. And like all businesses, they are | competitive. Tracking is a way to make more money off online | advertising. By removing tracking from their competitors while | keeping it for themselves, Google stand to make a lot of money | off this change. | | Their motivations are not honest, but they're pushing them as | if this is the high road. It isn't. It's the dirty low road of | dominating the online ad business, made possible by their | dominance in the browser market. And it's always been the end- | goal of Chrome browser. | aidos wrote: | While I agree with some of your comment, I feel like it's | harsh to paint the whole chrome enterprise with that brush. | Chrome was about freeing the world of a truly terrible web | browser and a lot of devoted devs have spent a lot of time | working on it. There's an advertising aspect that it's right | to call out, but I think on the whole it was done to make the | internet better, because the internet is google's business | too. | TeMPOraL wrote: | The way I see it, both of these can be (and most likely | are) true. Intentions of the company aren't usually the | same as intentions of individual contributors (or even | whole teams). The Web is Google's business - the more stuff | happens on the Web, the more money they can eventually make | of it. Advertising is how they make most of that money, so | this is what they're protecting. But beyond that, Chrome | answered a real need and a lot of hard-working people made | it into a best-in-class browser. | taneq wrote: | It wasn't some noble mission to free the world. 
Chrome was | always about Google controlling the client side of the web | to guarantee their advertising access to web users. The | ability to extract additional data from the user was a nice | bonus. | euske wrote: | I think this is a common strategy of big players at any | industry. | | First, they do some dirty thing to gain a competitive edge | when the industry is still new and unregulated. Later they | develop an alternative way to achieve the same competitive | edge, and then criticize other players for doing an old way, | saying they should be "mature and responsible". | EastSmith wrote: | Downvote me how many times you want, but Mozilla needs to fork | Chromium, degoogle it and fix the web. | | Mozilla is the only internet entity I can say I trust, I am | donating to it, and yet I am using Chrome and Brave on both | Desktop and mobile. | | Just follow the users and fork it! | jrockway wrote: | Mozilla makes a web browser called Firefox. You should try it! | EastSmith wrote: | I've used it for many years, then switched to chrome and | since then I've tried it more times than I want to admit. I | am also donating to it. | lucasverra wrote: | Switch to Edgium then - FF user | ivm wrote: | Microsoft kind of did it with the new Edge: | | https://www.theverge.com/2019/4/8/18300772/microsoft-google-... | EastSmith wrote: | I am using it, but Microsoft, as Brave and Google is a | commercial entity I do not trust. | pbhjpbhj wrote: | Well Mozilla burnt my trust in them over the last couple of | years ... maybe Brave? | | Some don't like their model to tip content providers but they | seem - and I've not made rigorous enquiries here (please | inform!) - to be a relatively trustworthy mod of Chromium!? | EastSmith wrote: | Brave is commercial entity, same as Google. | chrshawkes wrote: | I noticed this when doing work with Puppeteer lately. I thought | about reporting it but didn't exactly know what I was looking at.
| KenanSulayman wrote: | Don't forget that even if the number is varying only in an | interval of 0 and 7999, this means without cookies a unique | chrome installation can be identified if multiple users are using | the same IP, like residential houses with families, etc. -- that | way it is possible to determine the unique amount of devices | inside a house. | _pmf_ wrote: | Just ask: why does an advertising company make a browser? | Keloo wrote: | so that you don't have to pay royalties to other browsers for | being the main search engine. I mean you have to pay one less. | And if you have the most used browser, you save a lot. | josefx wrote: | In the good old days everyone and their grandmother just | sideloaded their malware toolbars with freeware crap like | picasa or maps or outright bundled their bloatware with the | system like Google still does for Android. | d1zzy wrote: | Quite a lot of reasons. I assume you asked that because you're | thinking it's used to gather information on its users. That | could be one of the many reasons. At least initially it was | because Mozilla/Firefox didn't want to adopt a multi-process | architecture. | | In terms of strategic reasons, as a company that depends on | people browsing on their websites other reasons are obvious: | avoid lock in that could be pushed by third-party browser | makers/competitors (say IE becomes the most popular and it | implements proprietary extensions that work only on their | websites[1]), ensure there exists a fast secure browser so that | people can keep browsing even if everyone else stops making | good browsers out there. | | [1] Now before you go ahead and point out how Google proposes | HTML/HTTP features that get implemented in their browsers and | on the server side, all such features have public specification | and source code, so anyone else could implement them too. This | is very different from the IE days of yore, where MS was | extending IE through ActiveX. 
ActiveX was developed in house | and they were releasing binary plugins/SDKs to develop ActiveX | plugins, effectively maintaining full control over it (one | would have to develop ActiveX compatible technology from | scratch if they wanted it open source, with Chrome all they | have to do is fork the source code). | eternalban wrote: | Google is a total-spectrum surveillance company. Advertising is | a product they offer to their clients. (No, that is not you and | me.) | Dirlewanger wrote: | A better question is to ask why people continue to let | themselves be confounded by a browser made by an advertising | company. | macinjosh wrote: | Not sure why this is being downvoted. It hits the nail on the | head. If you are concerned about privacy around advertising | then using a browser from the biggest online ad company is | short sighted. | Cthulhu_ wrote: | When Chrome was first developed, browsers and the web were | relatively slow, and slowing down due to the popularization of | Javascript and heavier websites. | | Google's worked on a number of technologies to make the web | faster; Chrome (and V8), their own DNS, image and video | compression technologies, AMP, HTTP/2 (SPDY), HTTP/3 (QUIC), | webserver plugins (mod_pagespeed), benchmark tooling | (Lighthouse), and extensive guides on website speed | optimization. | | The reason is simple; faster internet = faster browsing = more | page views = more ad impressions + more behaviour tracking data | points. And it's a win-win for Google as well, because it earns | them goodwill (well, except for AMP); especially at the time | Chrome was a breath of fresh air compared to Firefox, and it's | taken a lot of time and effort just to keep up, with mixed | results (to the point where a number of manufacturers have just | given up and adopted Chrome's renderer). 
| TheRealPomax wrote: | So, an extremely unique identifier for tracking purposes, that | effectively no one knows exists, and no one knows can be changed | at all? | | With an obscure white paper that allows Google to claim they | comply with the law because "they totally offer a way to change | that and they even published that information to the web for | anyone to find"? | | Gotcha. | vkou wrote: | Your comment is factually incorrect. | | 13 bits of entropy is not an extremely unique identifier. | | The first three letters of your first name have more bits of | entropy than that. It would be quite a trick to uniquely | identify you by the first three letters of your first name. | TheRealPomax wrote: | I fear the factual incorrectness isn't mine: the random | string used is 13 bits of entropy _only if usage statistics is | disabled_, which isn't the case by default. By default, it | uses an unspecified entropy (and you can bet real dollars | that it'll be more than 13 bits worth). | x0x0 wrote: | Are you talking about the same thing? Because the identifier | above is claimed to have 13b of entropy. Is there another high | entropy identifier? | rvnx wrote: | 13b, if usage statistics are disabled (not the default). | Otherwise, unspecified amount of entropy. | x0x0 wrote: | thanks. and ugh. | rvnx wrote: | Just referred as High Entropy: https://cs.chromium.org/chromium/src/components/metrics/entr... | clarry wrote: | 13b plus IP is already huge, but browsers leak so much more | than that. | rvnx wrote: | By default it's much more than 13b. Seems to be 13b only if | you disable analytics/crash reports. | reddit_clone wrote: | Reminds me of this. | | "There's no point acting all surprised about it.
All the | planning charts and demolition orders have been on display in | your local planning department in Alpha Centauri for fifty of | your Earth years, so you've had plenty of time to lodge any | formal complaint and it's far too late to start making a fuss | about it now" | Lio wrote: | Beware of the leopard! | [deleted] | winternett wrote: | Don't be evil... | | Until we are deployed enough that users don't have a choice... | | Now that Google has cornered the market for Internet browsing, | they're using that foothold to change how it works to suit | their dominance. This is why they are not concerned about per- | site tracking that Google Analytics does, as long as THEY as a | company have direct browser-based tracking, they no longer need | to provide tracking services to other private companies to know | what is trending everywhere. This is also probably why they're | trying to kill ad blockers and certain browser privacy | extensions.... But they won't really matter to Google if | everything is done at the browser level to begin with from now | on. :/ | | If they make moves to scale back [free] Google Analytics, which | they probably will at some point, it will only highlight this | ideal... They may turn to selling their privately collected | metrics and qualitative studies to companies after Google | Analytics is rendered useless, and then that's unadulterated | monopolistic profit for them and shareholders... | | Diabolical. | tigroferoce wrote: | True. But luckily you actually have a choice. Many opt for | DuckDuckGo on Firefox, for instance. | LinuxBender wrote: | You are right, but they also know most people won't switch. | They have an entire generation of folks that don't even | think about privacy. | K0SM0S wrote: | There's also the subset of all of us who must use Chrome | because <solution X> needed for work requires said | browser. Google's dominance through Chrome extends to the | whole ecosystem. 
Same thing with Apple inside their own | (which is nowhere near a monopoly at 10-15% market share | worldwide, thus totally fair game by comparison). | Ygg2 wrote: | On the other hand, people hate ads, so going to Firefox | might actually be better option for new users. | TheRealPomax wrote: | They might and I used to be one of them, but now I use | Google on Firefox instead, because DuckDuckGo no longer | yields useful results. The number of times I don't go "oh | ffs, fine, !g" has been in steady decline over the last | year, and at this point I've given up. | klipt wrote: | You can probably be identified on Firefox too: | https://amiunique.org | TheRealPomax wrote: | Why do people still dredge up Google's historical "don't be | evil"? It's not been applicable for half a decade now, and | even in 2015 when it was officially removed from the last | company documents, it was already a dead phrase. | | Google had already cornered the market back in 2012, when it | surpassed every other browser, with an absolute majority | dominance (>50% market share) achieved way back in 2015. | | Google has been in control for a _long_ time now. | gowld wrote: | Please don't post blatantly false statements that are | trivial to refute. | | wikipedia.org/wiki/Don't_be_evil | Zenbit_UX wrote: | Because of the deep irony? If you have a motto that binary | and later decide to remove it, what is the world to infer? | darkarmani wrote: | > Why do people still dredge up Google's historical "don't | be evil"? | | Historical? It's not like it was 50 years ago. | deeblering4 wrote: | I see people recommending Firefox, but I'll say that for mac | users Safari is a very usable browser too. It's quite fast, and | to my knowledge is not collecting/sharing my personal data with | apple. https://www.apple.com/privacy/ | | These days I only use chrome for the g-suite tools that seem to | require it to avoid mid-meeting crashes. | throwawa66 wrote: | Safari as well. Almost anything but Chrome.
Both Safari and FF | are good. I'm only using these 2 myself | Kiro wrote: | Safari is horrible for HTML5 games. Dealing with all sorts of | issues to the point where I've more or less given up and just | tell my Safari players to use something else. | ainar-g wrote: | Some of my front-end colleagues like to tell me that Safari | is the new IE 6. Not in terms of the market domination | (that's Chrome for you), but in terms of dragging the front- | end back with unimplemented features, quirks, and bugs. The | amount of hacks they have to add _just_ to support Safari is | uncomfortable. | yohannparis wrote: | No, they are confusing developing for Chromium first and not | testing on all browsers. | | Safari is behind in terms of W3C features. But implementing | unsupported features does not mean you are hacking to | support Safari. They should look into the progressive | enhancement principle and CSS @support feature. | Kiro wrote: | I'm strictly talking about the canvas and audio | implementations, forcing me to use all kind of different | hacks just to get a reasonable FPS in Safari. Audio I've | given up on long time ago and don't get me started on | Mobile Safari. | chatmasta wrote: | Safari on iOS is great. Safari on Mac is underwhelming and | sucks. | | My biggest gripe is I can't update it without updating the | entire OS. Also, dev tooling is really bad. God help you if you | ever need to unregister a service worker. | pb7 wrote: | For non-developers, which is most people, those are non- | issues. Safari is excellent for the things that matter: | speed, power usage, and integration with the rest of the | Apple ecosystem. | chatmasta wrote: | Agreed. Although Firefox is probably better for general | purpose browsing if you are a non-dev power user, | especially one who cares about ad blocking. | | The integration is a good point. | arh68 wrote: | Have you tried Safari Developer Previews? It's been a while | since I've used them myself.
| | [0] https://developer.apple.com/safari/download/ | pb7 wrote: | +1. Safari is great. Super fast, great on battery life, and has | most, if not all, of the extensions you would look for. | izacus wrote: | Safari has the same kind of AdBlock limits that Chrome team | wants to implement. Also it's kinda behind the curve on iOS | when it comes to features. | | Not to mention the fact that iOS users are forbidden from using | any competitive browser, including Firefox. | deeblering4 wrote: | I'm not sure what you mean by forbidden? Chrome and Firefox | (and other browsers too) are readily available through the | iOS app store. | MichaelApproved wrote: | Those iOS browsers you see in the app store are just | wrappers for the same Safari browser engine. | | They all use Safari to display the page, they just wrap the | Safari browser engine with their own toolbars and other | features. | sneak wrote: | WebKit is not Safari. | sneak wrote: | And they don't open when you click links on the device, | only MobileSafari does. | MrZongle2 wrote: | I am Jack's complete lack of surprise. | | Firefox and DuckDuckGo, folks. Today's Google is no more | benevolent than yesterday's Microsoft. | dragonsh wrote: | This is another instance that google doesn't care about users' | privacy and track without their consent by using chrome | installation Id. This probably might be against GDPR, so Chrome | installed base in Europe multiplied by per day fine, hopefully | runs into a year's revenue of google. | | Another lesson don't trust for profit companies with privacy | protection especially advertising technology company like google | with motto like don't be evil or organize world's information | designed to mislead. | mateo1 wrote: | Honestly, it's 2020, even if your technical understanding is so | low that you have no idea what a "browser" is, you _know_ that | Google will do anything in its impressive power to track down | everything you do with legal or illegal means.
Thanks to | Snowden, this is no longer a conspiracy theory. It's a fact. | | Google should be fined for this but they probably won't be. | Havoc wrote: | I've taken to using FF for browsing with noscript etc and chrome | for when I need something to work well and can accept some | tracking | [deleted] | woho wrote: | I use (sometimes/often) mitmproxy and remove or change suspect | headers. It is also nice to remove all the fb, google and more | crap from the html. And much more. It is a lot of work not to | break a website. I don't know whether I am more trackable or not | - this is the 'only browser' without x-client-data header. | cft wrote: | Just in time for their announcement that they plan to abolish | third party cookies by 2021. Talk about monopoly. | Ohn0 wrote: | What a mess | jkepler wrote: | Am I correct to understand that this backdoor tracking of | individual users applies to the standard Chromium browser (i.e., | the non Eloston ungoogled-chromium) as well as the Chrome | browser? | | If so, it's incredibly consistent with Google's surveillance | capitalist business model.[1] Wow. I'm thankful for Firefox. | | -- | | [1] "The Age of Surveillance Capitalism", by Shoshana Zuboff, | reviewed here: https://www.theguardian.com/books/2019/feb/02/age-of-surveil... | fnord77 wrote: | Can browser plugins control what headers go out? If so then a | simple browser plugin could put a stop to this. | 8ivek wrote: | Got this from google white paper: "run Chrome with the command | line flag "--reset-variation-state" to reset the value." | | I tried this and my "x-client-data" header changed. | StevePerkins wrote: | Is this at the "Chrome" level, or baked in at the "Chromuim" | level? And therefore also an issue for Brave, Opera, Vivaldi, | new-Edge, and anything else jumping on the browser engine | monoculture? | [deleted] | robin_reala wrote: | Seems to be Chromium judging by some issue comments: | https://github.com/chromium/chromium/blob/ccd149af47315e4c6f...
| pier25 wrote: | I don't see it in Brave | 98codes wrote: | I just checked Microsoft's Chromium-based Edge, and it isn't | sending the headers. | jakoblorz wrote: | Don't forget Electron! Like Atom, VS Code etc | nornagon wrote: | Electron maintainer here. Electron doesn't send this header. | NotSammyHagar wrote: | Thank you for that. | aloknnikhil wrote: | This is specifically on Chrome, it seems. | jlgaddis wrote: | FWIW, running Chromium 79.0.3945.130 through mitmproxy (on | Debian sid), I don't see this in the headers when visiting | gmail.com or youtube.com. | gunn wrote: | To give them some credit: it's not sent when in incognito mode. | macinjosh wrote: | How thoughtful of them! | drderidder wrote: | New motto: "Don't get caught being evil". | nurettin wrote: | Please do not destroy vital testing apparatus. | BLO716 wrote: | With that said, one can simply filter out these analytics with a | c:\Windows\Systems32\Drivers\etc\hosts -> pointing to 0.0.0.0 or | PiHole solution (https://pi-hole.net/), yes? | | I mean, this is probably not the holistic solution, but this is | why we have a firewall, vpn, antivirus, filters to just keep DNS | in check, yes? | GrayShade wrote: | So are you suggesting people should DNS block google.com and | gmail.com? | janvidar wrote: | Yes, you can if you are willing to block google.com, | android.com and youtube.com. | | doubleclick.com might not be terrible for most, though. | | Interesting enough, it does not add headers when accessing a | country specific google domain in the EU - such as google.de or | google.fr. Is that GDPR kicking in - with a nod to the | brexiteers given that google.co.uk gets these headers... ? | ins0 wrote: | Not sure, but my chrome will send the additional `x-client-data` | header even when I'm on eg. `google.de` | krick wrote: | Lol, is it news?
I mean, it worked like this as long as I can | remember, privacy conscious users were complaining for years, | helplessly watching as Chrome market share grows, but nobody | really cared, so... And now, suddenly, people act like this is | big news and they are outraged by such blatant and unexpected(!) | intrusion into their privacy. | | Wow. I don't even know how I feel about it anymore. | jgon wrote: | U S E F I R E F O X | | That is all. | DangerousPie wrote: | If you haven't used Firefox in a while you should really give it | another chance. It has vastly improved in terms of CPU and | battery usage. It also has a lot of great privacy-enhancing | features like tracking protection enabled by default and | extensions like Facebook Container make it trivial to prevent | tracking even further. | [deleted] | dheera wrote: | The one thing that keeps bugging me is the widgets in Firefox | (Ubuntu 18.04) look super-dated -- reminds me of NCSA Mosaic | and makes me want to close it. Can they please update their | widget library? | | https://imgur.com/a/JYWKhpu | pier25 wrote: | I used FF for a couple of months. Its heart is noble but it's | just not as polished as other options. | | Edit: | | I didn't want to expand because I've already banged that drum | too many times on HN. | | See these other comments of mine: | | https://news.ycombinator.com/item?id=22177747 | | https://news.ycombinator.com/item?id=22059567 | sgsvnk wrote: | Thank you! Someone said that finally. I really tried hard to | like Firefox. But it just really doesn't replace Chrome for | me. Maybe it's the ecosystem, extensions, user experience, | I'm not sure but the browsing experience is never really the | same on FF. | ritchiea wrote: | Has Firefox fixed the bug that made it eat up resources, crank | the fans and go nuts on retina MacBook Pros? | ThePowerOfFuet wrote: | Long ago. | dropdrive wrote: | As a firefox user, they are spending more money on PR and less | on quality. 
Their UI has gotten progressively worse. And I'm | not talking about xul deprecation. Please Mozilla come back to | your strengths. SIMPLE: Provide a great alternative. | shadowgovt wrote: | Given the purpose of the x-client-data header, I'll be shocked | if Mozilla doesn't have a similar header for feature-enable- | identification to do its own tracking of bugs at scale. | | ... and if it doesn't, they're developing their browser with | one hand tied behind their back on quality assurance relative | to alternatives. | wayneftw wrote: | The days of Firefox are over. Every site I work on has less | than a few percent of Firefox users. We don't even test with | Firefox, because fuck 'em - I never liked the way Mozilla did | anything anyway and their painfully obviously false, preachy | holier-than-thou brainwashing campaign that they're constantly | running in order to keep getting daddy Google's money has | always been annoying. | | I'd rather use MS Edge. It's actually even faster and lighter | than Chrome. So, I've already started using it on my Windows | and Mac machines and I'm just waiting for it to be released on | Linux so I can use it on my main workstations. | | I bet Edge exceeds Firefox market share any day now. Maybe | Google should start giving Microsoft money too! But even if | Edge market share doesn't grow I'll be quite comfortable since | it's the WebKit/Chrome/Blink lineage and compatibility that I | care about. | | Fuck that piece of shit Gecko. I'm tired of hearing about it | from the extremely tiny but loud minority of Mozillatroids. Now | do your duty and fade my comment in your petty attempt at | censoring my words. You can't change the truth. | f1refly wrote: | I think Mozilla is a horrible leadership spending money on | all the wrong things and I'd rather lose my job than donate | to them. But, in all fairness, they're still way better than | both Microsoft and Google.
At least Mozilla isn't actively | trying to make my life worse every single day. | eternalny1 wrote: | > We don't even test with Firefox, because fuck 'em | | You are the types of people who are slowly destroying the | internet, nice work. | wayneftw wrote: | Incorrect. Mozilla is responsible for their shitty market | share, not me. | | I don't test with the Opera, QQ, Yandex or Sogou Explorer | browsers either - just to name a few other tiny niche | browsers... Do you?? | Shaaaaaaare wrote: | Wow, you seem very upset. I suggest going for a walk. Take a | couple deep breaths. Calm down. It's just a browser. | | By the way, what sites do you work on? I'd like to make sure | to avoid them. | dang wrote: | Please don't respond to a bad comment with another one. | That just makes the thread worse. Doubly so for personal | attacks, which are a bannable offence on HN. | wayneftw wrote: | What was so bad about my comment? Saying that I don't | support Mozilla/Firefox or just not being anti-Google | enough? | | Also, the guy that you're responding to simply said that | I seemed angry. How is that a personal attack? Somebody | else responded that I'm ruining the Internet and somehow | that's not flagged? | wayneftw wrote: | I enjoy ranting against Mozvillains though :) They're not a | browser, they're just very annoying preachy people who need | to be refuted and since I have no problem doing it, I feel | that I am doing God's work. | tapoxi wrote: | Or just use Ungoogled Chromium, and get the performance | advantage of Chrome without the tracking. | Diederich wrote: | Is there a quick summary of what major site/features that | will be unavailable in Chromium vs. Chrome? I assume, for | example, that 'netflix' will be prominently on that list. | Thanks. | deathanatos wrote: | I use Chromium; you can still Netflix. It does, however, | require installation of "WideVine", which is an opaque, | closed, binary blob. (But you're getting that with Chrome, | too, I believe.) 
| | You can also do Netflix in Firefox, through exactly the | same mechanism. | gruez wrote: | >You can also do Netflix in Firefox, through exactly the | same mechanism. | | It's somewhat better on Firefox because they run the | binary blobs in a sandbox. | Dirlewanger wrote: | Is there definitive proof that all of the Google stuff is | really out of a naked Chromium install? I remember reading | stuff about it being impossible to wholly untangle Google's | stuff from it. | ColanR wrote: | This is my question as well. Additionally, I've wondered if | there are non-explicit behaviors of the browser that are | used for fingerprinting. | prophesi wrote: | https://github.com/Eloston/ungoogled- | chromium/blob/master/do... | | "those binaries that cannot be removed do not contain | machine code." | | I'm not sure what's meant by them not containing machine | code, but it does seem like some of the binary blobs are | retained that can't be built from source or substituted. | | Honestly, I'd just switch to Firefox to be safe, though | Ungoogled-Chromium does automatically set a lot of sane | pro-privacy defaults that you'd have to manually change | in Chromium/Firefox. | DangerousPie wrote: | Is there actually still a performance advantage these days? | Would be curious to see some benchmarks. | | I will say that Gmail/Hangouts feels faster in Chrome but | that's obviously not a fair comparison. | autonomuzw wrote: | Yes, there is definitely a performance advantage especially | on mobile. see for example some benchmarks for brave | browser, and also a couple of recent tests for desktop | browsers. | | [0] https://brave.com/brave-one-dot-zero-performance- | methodology... | | [1] https://brave.com/brave-saves-batteries/ | | [2] https://venturebeat.com/2020/01/15/browser-benchmark- | battle-... | | [3] https://linuxreviews.org/Web_Browser_Showdown:_Six_Brow | sers_... 
| cdubzzz wrote: | The conclusion of the linuxreviews article doesn't really | make a strong case for any major difference between the | browsers -- | | _It is hard to declare an absolute winner. Brave and | Chromium, seem to be the overall winners but Pale Moon, | SeaMonkey and Firefox are not bad choices if you never | visit pages with fancy WebGL or WebAssembly ever. | Chromium may be the best choice if you watch a lot of | video on a laptop if your distributions Chromium package | has the hardware video acceleration patches._ | | Lots of "ifs" in there for all conclusions. | nkcmr wrote: | As someone who had repeatedly tried to make the jump to | Firefox, it _finally_ stuck after quite a few attempts. (CPU | and laptop heat issues were problems for a while, now they | aren't!) | | I second this; keep trying even if it isn't for you after a few | times, it was worth it to keep trying, officially Firefoxer :) | mooreed wrote: | It seems like a reasonable time to bring up the reformer project | 'ungoogled-chrome' [1]. I have used it and new versions of | Firefox for over 3 years and have seldom had to jump back to | `Googlified Chrome.` Do know that installing via `brew` [2] means | no - standard browser auto-update. Which in this case, makes | sense to me. | | Aside: It seems to me the realist punk / anti-the-man software | one can work on is a user respecting browser. I don't work on | these, but I am very grateful for those out there who do. | | ------- | | - [1]: https://github.com/Eloston/ungoogled-chromium#downloads | | - [2]: Brew install via: `brew cask fetch eloston-chromium && | brew cask install eloston-chromium` | | Enjoy old school browsing with new school development benefits. | bprasanna wrote: | Obviously! What else to expect from Google! In the user | personalization... | kick wrote: | "Backdoor" this, "backdoor" that. Proprietary software company | releases proprietary software that allows them to spy on you, how | shocking. 
| | In which they sacrifice privacy to allow their ad network to | target you better. | https://www.blog.google/products/chrome/building-a-more-priv... | | In which they explicitly track you more under the guise of | protecting your privacy. https://github.com/jkarlin/floc | | For every single claim Google makes about being pro-privacy, | their definition of privacy ("data shared between you and Google | and no one more") is implicit. | | It's a surveillance company that makes proprietary software to | sell you ads. As soon as you get that into your head, you'll be | much less shocked. | | "We personally get to track you" is not a unique stance, and it's | far from a backdoor. It's just another vile move from a | surveillance company that's pretty explicit that that's their | goal. | JadeNB wrote: | Sure, the general pattern of behaviour is familiar, but I | didn't know about this specific manifestation, and now I do. | What's the use of being so dismissive about specific | information on which one can act? | kick wrote: | It's not a backdoor! Calling random anti-consumer behavior a | backdoor is the privacy-equivalent of Godwin's law. | sub7 wrote: | The sad part is that most times Google violates your privacy, | it's just some PM who thinks having some data will be super | important and in most cases they're wrong. | | Caveat here is that in 99.99999% cases it's also the case that | nobody ever looks at your individual file but the fact that they | could is bad enough. | masterfooo wrote: | How about Electron apps? | scoutt wrote: | PII concept is not the same for everyone/everywhere. 
For GDPR we | have: | | > Article 4(1): 'personal data' means any information relating to | an identified or identifiable natural person ('data subject'); an | identifiable natural person is one who can be identified, | _directly or indirectly_, in particular by reference to an | identifier such as a name, an identification number, location | data, an online identifier or to one or more factors specific to | the physical, physiological, genetic, mental, economic, cultural | or social identity of that natural person; | | If this chrome browser ID is matched against a (for example) | google account, then they can track every single person. And that | is just a couple of IDs, let alone all the quantity of data they | have. | | It's against GDPR to not be clear about this kind of ID. If my | browser has a unique ID that is transmitted, then this ID can be | coupled with other information to retrieve my identity and | behavior, so it should be informed (in the EU). | | EDIT: TL;DR, hiding behind "there is no PII in that ID" is not | enough. | shadowgovt wrote: | This is why I consider the GDPR to be unrealistically broad in | its definition of PII; it denies even innocuous feature-mode-distinguishing | headers intended to allow for bug-identification | of massively-distributed software installs. | | If I'm given a forced choice between "more privacy" and "better | software quality" I'm going to lean towards "better software | quality." | scoutt wrote: | Me too. Then a breach happens and someone with a straight | face tells you: "we take your privacy very seriously", asking | apologies, because the breach used some of your data to push | some political campaign or to bother you with spam/extortions | because that night you were watching some porn. | | Programmers should stop pushing buggy or incomplete software | as is, and start releasing software that works. 
Otherwise | upper levels have an excuse to do all this "experience" | telemetry, and we all are smart enough to see the | consequences of a data breach. | shadowgovt wrote: | > Programmers should stop pushing buggy or incomplete | software as is, and start releasing software that works | | If you demand a perfection-of-function guarantee from | something as complicated as a web browser, you'll never get | a web browser with more features than the ones released in | the '90s (and I'm not even sure we'd be that far along by | now). | | If I'm given a forced choice between "more privacy" and | "the software ever having the features I want to use" I'm | also going to lean towards "the software ever having the | features I want to use." And we know this is true for users | in general because of the number of users who had Flash | installed back-in-the-day in spite of the fact that it | allowed a total bypass of the browser security model, | because it had features that the browser lacked otherwise. | scoutt wrote: | Instead of giving my privacy away, I prefer software like | anything that you have installed from a CD-ROM back in | the 90's and didn't needed a weekly update. Games, | 3D-Studio, Autocad (to name a few) were more complex than | a web-browser ( _a today 's web-browser_) and didn't | needed a weekly update or the hunger for _user-requested_ | features, let alone dialing home _because_. The world | worked relatively fine without the _up-to-date_ wankery | we see today. | shadowgovt wrote: | I remember them. | | They were also buggy and could crash their resident OSs | all the way to a stuck state, and if they did, the | solution was "Try not to trigger that bug again." | | Software quality has significantly improved in the era of | easy patch access and auto-patching. | scarejunba wrote: | Holy Jesus. Those things were chock full of security | holes. If you used a web browser that arrived on a CD ROM | you'd be advertising massive pwnability. 
| | In fact, you could easily simulate this by using last | year's Firefox. | labawi wrote: | Firefox, chrome, linux ... all are full of unnecessary | complexity. The point being - we need daily patches to | keep it from falling apart. | | I have links (or lynx) on an old SuSE, maybe even a | Mandriva CD. Would they be massively pwnable? | shadowgovt wrote: | Hard to say, but not necessarily a great example; | exploits on software are a function both of attack | surface / complexity and installed userbase (i.e. nobody | bothers to see if lynx is pwnable because a zero-day | against that browser will be worth, what, twenty bucks to | gain access to the five people who use it?). | labawi wrote: | Perhaps. Perhaps not. As a thought experiment: | | How long would it be safe to go without browser updates | with a browser of complexity/capabilities of links, if 50% | of people used it? | | With many people combing through it, would it become | effectively unexploitable? | JohnFen wrote: | > you'll never get a web browser with more features than | the ones released in the '90s | | I would actively prefer a web browser that lacks the | features added since the '90s. | shadowgovt wrote: | That's understandable, but it isn't what most people want---developers | or users alike. | | Browsers aren't just thin-clients to support HTTP | protocol and HTML rendering. They've grown to adopt a new | distributed computing paradigm, not unlike UNIX and its | descendants grew to support a new multi-user-cum-multi-process | paradigm. The things web development offers---location | agnosticism, platform agnosticism, combined | multimedia interaction, a workable security model for | multi-source aggregate-component content---are eating | software development, and the browser is becoming the OS | of the modern era. We know users want this because users | were willing to use Flash (even though Flash broke out of | the security model of the old browser). 
| | There'll always be a place for small text-based pages | much as modern computing will always have a place for | command-line tools, but the genie is out of the bottle | and it won't be put back in. | flukus wrote: | The mozilla suite in 1998 included a browser, an | email/newsgroup client, an IRC client, an address book | and an html editor. | | Modern browsers for all their bloat actually have less | features. | JohnFen wrote: | > This is why I consider the GDPR to be unrealistically broad | in its definition of PII | | And I consider it far too narrow. | | > If I'm given a forced choice between "more privacy" and | "better software quality" I'm going to lean towards "better | software quality." | | Fair enough. I would go for "more privacy", personally. There | is no technical reason why both of our preferences couldn't | be honored. | Mirioron wrote: | Who's going to raise this issue though? And what if they put | this in the browser's T&C? | pbhjpbhj wrote: | I thought they needed explicit consent. T&Cs ain't that. | scoutt wrote: | > Who's going to raise this issue though? | | I'm sure there is someone out there who takes these kind of | things seriously. Not me. I use firefox for that matter. | | > And what if they put this in the browser's T&C? | | Then the rest of GDPR applies: a clear message about the | browser sending this info has to be shown, explaining why, | with who they'll share it, the time they will keep this info, | plus no auto opt-ins, the possibility of asking Google (or | whatever) all the info relative to this ID and the option to | cancel all the data, etc. | bamboozled wrote: | You should also donate to Mozilla because it's an insanely good | piece of software for the price! | kick wrote: | Firefox should definitely be used, but donating to Mozilla is a | mistake. 
They waste a lot of it, their executive compensation | rates are way too high (especially given that MoCo just laid | off employees), and Mozilla still hasn't kept up with promises | they gave years ago (that Pocket is still proprietary being a | notable and depressing example). | | Donate to smaller developers of software you use, it'll go a | lot further, and they'll probably put it to better use! | alharith wrote: | Better yet, donate to Brave who doesn't share the same | conflict of interest as Mozilla does with Google, as Google | is Mozilla's #1 source of income. Best of all you get a | browser just as fast, if not faster than Chrome because it's | Chrome without all the junk. | asymptotically2 wrote: | But I don't want to participate in dodgy cryptocurrency | scams. | kick wrote: | While Brave not taking the "Search deal with Google" route | is commendable, you shouldn't donate to it, either. | | Venture-funded for-profit startups don't need donations, | and again, donations will be more heavily felt by the | people maintaining the software you use every day that _isn't_ | created by behemoths. | driverdan wrote: | > their executive compensation rates are way too high | | Just because they're a non-profit doesn't mean execs should | be paid far below market rates. | [deleted] | Spooks wrote: | I agree, I never understood that argument. We have a fairly | large and wonderful kids hospital that looks for donations | and some of my friends said they wouldn't donate because | their CEO makes 500k and he should donate his money | instead. | | I had to explain you want to recruit great talent, and that | 500k is less than he could make some place else. | coldpie wrote: | Right. What people actually want is some form of income | equality, which would bring executive level salaries in | line with their actual worth. You're not going to achieve | that by starving non-profits of executive talent in the | meantime. 
| mywittyname wrote: | I bet a non-profit like that could find many qualified | executives for much less money. There's an amazing amount | of talent in the middle of most org structures that never | make much past $100k/yr. I'm certain that a handful of | these people would excel if given a chance and promoted | to the top. | | This doesn't happen because most boards are a good ol' | boys club where networking matters, not because of a lack | of available talent at a price point. | kick wrote: | I respect you a lot, but how is what Mozilla's doing in | regards to that at all respectable? It's not "starving | them of talent" to not increase Baker's pay as Mozilla is | laying off employees? She's been there since (almost) the | beginning, and the performance of Mozilla has gotten | worse over the last decade. | coldpie wrote: | I'm responding to the general complaint that executives | at large non-profits are paid too much, and therefore the | non-profit is not using money wisely, and so should not | be donated to. There's a certain pool of people who are | qualified to run companies of these sizes, and in order | to attract that talent, you need to pay a competitive | wage. The non-profit-ness of the company can be a factor, | but like it or not, money is a major motivator, and will | affect what kind of talent you can recruit. The problem | isn't that a given non-profit executive is overpaid, the | problem is that all executives are overpaid. | | This isn't a Mozilla problem, it's an income equality | problem. Punishing Mozilla by restricting the size of the | pool from which they can recruit won't solve the problem. | | I can't speak to the current Mozilla executives' | performance. I'm not qualified to judge that. I will say | that browser market share seems a poor metric, especially | given the reach and pocketbook of Mozilla's primary | competitor. | kick wrote: | In general I definitely agree with you, certainly. 
| kick wrote: | The Mozilla Corporation laid off like 70 employees the | other day, and Baker's compensation has been inversely | tied to the performance of Mozilla. | ddalex wrote: | I doubt it has been tied, as in a contractual goal. | | The word you're looking for is "correlated". | Spooky23 wrote: | You're assuming the $500k guy is great talent. | | Our local YMCA pays the Executive Director $400k/year. | The child care workers make $11.50/hr + free membership. | (ie. minimum wage) The Y is great, but I'm not donating | anything to them. | sstangl wrote: | Mozilla engineers typically accept a salary that is below | market rates. | | Recently they have been increasing salaries to be more | competitive. | frozenlettuce wrote: | Also, Mozilla made donations to political entities in the | past | kevlarr wrote: | Which ones? Eich donated like $1000 to a political group | that (I would hope) most of us disagree with, but Eich != | Mozilla, and he was removed because of the backlash | frozenlettuce wrote: | RiseUp, from their about-us page: | https://riseup.net/pl/about-us Riseup's Purpose. | | The Riseup Collective is an autonomous body based in | Seattle with collective members world wide. Our purpose | is to aid in the creation of a free society, a world with | freedom from want and freedom of expression, a world | without oppression or hierarchy, where power is shared | equally. We do this by providing communication and | computer resources to allies engaged in struggles against | capitalism and other forms of oppression | | >> We do this by providing communication and computer | resources to allies engaged in struggles against | capitalism and other forms of oppression | kevlarr wrote: | That's... interesting. | | Does being a "trending project in-network" mean they | received money from Mozilla? | frozenlettuce wrote: | 100k to improve security in an email client | https://blog.mozilla.org/blog/2017/10/03/mozilla-awards- | half... 
| arexxbifs wrote: | I'm a Firefox user but I'm doubtful about donating to the | Mozilla Foundation. | | They at least endorse some really far-out organizations | on the Mozilla Foundation homepage[0], such as Riseup | Networks. | | [0] https://foundation.mozilla.org/en/?utm_source=www.moz | illa.or... | kick wrote: | Riseup is absolutely with Mozilla's mission statement, | though, and all things considered pretty good: | | "Riseup provides online communication tools for people | and groups working on liberatory social change. We are a | project to create democratic alternatives and practice | self-determination by controlling our own secure means of | communications." | arexxbifs wrote: | They have an actual anarcho-communist star in their logo | and their website features revolutionary imagery and | policy statements like "all labor is valued equally" and | "the means of production should be placed in the hands of | the people".[0] | | I'm sure it's a fine organization if you subscribe to | their views. I do not, and I'd rather not fund them, | directly or indirectly. | | [0] https://riseup.net/en/about-us/politics | jupp0r wrote: | I did not know about riseup (or Mozilla funding them) and | parent provided insightful information about them. Given | the funding structure of Mozilla, I could see this being | a red flag for donations for some | organizations/individuals. | Matticus_Rex wrote: | I don't share their views, but I'm thrilled that their | project exists and very happy with Mozilla donating to | help improve their email client security, since it's a | major player in the pro-privacy ecosystem. If I had to | agree with the philosophical beliefs of everyone I gave | money to, I'd starve. | arexxbifs wrote: | If I donate to a FOSS project, I want the money to go | into the development of their software and not turn into | some proxy funding of other projects and organizations - | especially not ones I disagree with. 
In fact, I think | that's a pretty reasonable expectation. | kevlarr wrote: | Donations go to Mozilla "the non-profit organization" rather | than Mozilla "the corporation". | | Mozilla (the corporation) has the typical/bad corporate | structures and ridiculous executive compensations. Mozilla | (the corporation) had the layoffs. Mozilla (the corporation) | bought Pocket with money that comes from deals with search | engines. | | That being said, though... | | > Donate to smaller developers of software you use, it'll go | a lot further, and they'll probably put it to better use! | | ... is still a great point. | | (Updated this because "Mozilla, Org" and "Mozilla, Inc" were | inaccurate) | marcinzm wrote: | That still doesn't answer why should I donate to Mozilla | the non-profit? What do they do with my donations? | According to another post they don't use them to fund | Firefox or presumably any project run by the corporation | side. | | As I see it if I wanted my donations to go to political or | other activism there's more direct and better organizations | to donate to with less middle management involved. | coldpie wrote: | > According to another post | | Respectfully, HN comments aren't a great primary source. | Here are some places to start your research: | | https://donate.mozilla.org/en-US/faq/ | | https://foundation.mozilla.org/en/about/public-records/ | | https://assets.mozilla.net/annualreport/2018/mozilla- | fdn-201... 
| | https://foundation.mozilla.org/en/ | marcinzm wrote: | According to https://foundation.mozilla.org/en/ the | donations go to: | | * supporting a diverse group of fellows working on key | internet issues [looking at them they all focus on | advocacy and social issues rather than working on things | like Firefox] | | * connecting open Internet leaders at events like MozFest | | * publishing critical research in the Internet Health | Report | | * rallying citizens around advocacy issues that connect | the wellbeing of the Internet directly to everyday life. | | Or in other words, exactly as the HN comment said, none | of it goes to corporation projects but rather privacy and | social advocacy. | | edit: I'm guessing the Foundation actually takes money | from the Corporation to fund itself since the financial | statement seems to cover both, anyone know if that's the | case? | [deleted] | kick wrote: | The Mozilla Foundation controls and owns the Mozilla | Corporation, and the executive structure looks more or less | the same. Baker's compensation has been inversely tied with | performance, and she runs both. | frandroid wrote: | > Baker's compensation has been inversely tied with | performance | | You've mentioned this twice in the thread now. "Inversely | tied" is quite a strong and unusual claim for | compensation. Care to prove it? | throwaway2048 wrote: | Their salary has gone up, and firefox market share has | gone down, neither is a controversial statement | kick wrote: | Happily! | | 2.5 million, 2018: | | https://assets.mozilla.net/annualreport/2018/mozilla-2018-fo... | | 2.3 million, 2017: | | https://assets.mozilla.net/annualreport/2017/mozilla-2017-fo... | | 1 million, 2016: | | https://assets.mozilla.net/annualreport/2016/2016_Mozilla_Fo... | | <1 million, 2015: | | https://static.mozilla.com/moco/en-US/pdf/2015_Mozilla_Found... 
| | Firefox market share has been in decline (30% to <5%) for | over a decade now: | | https://upload.wikimedia.org/wikipedia/commons/6/61/StatC | oun... | frandroid wrote: | That's not "tied", which would imply a contractual | relationship... | oarsinsync wrote: | inverse correlation between executive pay and browser | market share, if semantics are necessary. | eganist wrote: | 'Tied' in relational contexts is generally used to | describe a correlation, relation, connection, or a | consistency between events in the English language. It | can--but does not have to--describe a contractual | relationship, and it does not generally describe one | except in very specific and obvious cases, e.g. what one | _would_ expect to be true: "bonuses are tied to | performance milestones." | | https://www.dictionary.com/browse/tied?s=ts | | https://www.thesaurus.com/browse/correlated?s=t | | But in this context: | | > Baker's compensation has been inversely tied with | performance | | No reasonable person would assume that a person's comp | structure from Company would be contractually bound to | _increase_ as Company 's performance _decreases._ At | which point, the interpretation of "tied" would swing | towards generally accepted usage, i.e. "there's a | potential relationship between these two things." | | ameister14 suggested "associated with" would've worked | better, and that's true. But "tied" isn't technically | wrong. | kick wrote: | That's malarkey. Tied is _not_ exclusively used to imply | a "contractual relationship," and that's (if anything) a | minority-usage of the idiom of tied to/with. | ameister14 wrote: | I think you probably should have used 'associated with' | instead of 'tied to' as when discussing remuneration | contractual ties is not a minority usage of the idiom. 
| eganist wrote: | I'm not Kick, but while you're correct that "associated | with" would've been better for clarity, no reasonable | person would assume that "inversely tied" describes a | contractually mandated drop in performance for an | increase in pay (my other comment here links to | dictionary.com and thesaurus.com, both good references | for this discussion). Couple that with the generally | accepted usage of 'tied' and the usage by Kick was | correct, if perhaps ambiguous to a narrow population. | ameister14 wrote: | Kick's usage is correct except within the business world | and especially financial and executive populations, | which, while admittedly narrow, are what we were | discussing. When you say that an executive's pay is tied | to the company's performance, within these communities | it's generally understood that this is a contractual | relationship. | | ex. "John's salary is tied to performance - if the | company is valued at over 100 billion, he'll get another | 5% stock" etc. | | or "bonuses are tied to performance milestones" | | If you are simply observing that an executive's pay rises | while performance falls, associated is a clearer term. | poxrud wrote: | https://twitter.com/BrendanEich/status/1217517703914643456 | kevlarr wrote: | Owns, yes. That is radically different from "funds", | though. | | Not going to dispute anything about executive structure | or Baker's compensation and (mis)management, but a lot of | people here are acting like donations either go directly | to the corporation or funnel to it through the _actual_ | recipient of the donations, but there isn't really any | evidence being presented. | arexxbifs wrote: | I think the Mozilla Foundation is starting to look a lot | like a sinecure employer for friends of friends in the non-profit | biz. 
| | Here are a few seemingly similar titles listed on their | leadership page[0]: | | VP, Advocacy | Director, Digital Engagement | Director, Communications | VP, Global Programs | Director, Partnerships | Director, Events and Training | Interim Director, Leadership Programs | | [0] https://foundation.mozilla.org/en/about/leadership/ | zapdrive wrote: | Do you care how Apple pays its executives when you shell out | 3-4k on their laptops or 1-2k on their phones? The OP just | said that Firefox is a great piece of software available for | free, and they deserve to be compensated (in form of | donation). Now, I'm totally on board with you that they waste | money, that's not even debatable. | coldpie wrote: | > Firefox should definitely be used, but donating to Mozilla | is a mistake. | | These seem at odds with each other. If you want Firefox to be | used, how do you suggest its development be paid for? | kick wrote: | They're already getting more than enough to fund | development with the Google deal, which they've shown no | willingness to let up on, despite it seriously compromising | user privacy. Donating to Mozilla at this point is just | encouraging organizational bloat. | coldpie wrote: | I guess we'll have to agree to disagree (which is fine!). | I'd rather continue donating to them to show there are | funding sources outside of advertising, which is a | business model I despise. | eitland wrote: | I thought like you. | | There seems to be a huge problem though: for some reason | it seems they aren't allowed to use donated funds for | what I thought was the main reason for Mozilla's | existence: development of the Firefox web browser. | | Instead donated funds seem to go to outreach etc. | | I have nothing against outreach but if this is the case | I'd rather donate to such organizations directly (or | rather increase my monthly donation to Amnesty | International). | coldpie wrote: | Sure. I guess to me that feels like an implementation | detail. 
I like Mozilla and I want them to exist so I give | them money. If they stopped making Firefox, I would | probably stop giving them money. But whether my money | goes to Firefox development is up to them, they know | their financial arrangements better than I do. I | understand if you don't agree with that policy. | dblohm7 wrote: | Donations are not used for Firefox development -- they go | to the Foundation, not the Corporation. | chopin wrote: | As long as they keep Firefox available they can waste my | money as much as they want. Why should they owe me anything? | I am taking their browser. | dang wrote: | We detached this subthread from | https://news.ycombinator.com/item?id=22236328. | Engineering-MD wrote: | So I pay for Pocket Premium as it is wholly owned by Mozilla as | a way of diversifying their income away from search and | donations. I like and use pocket and get something in exchange | for my money (which makes me more likely to keep a rolling | payment going on). I know it's not open source, but tbh that | doesn't hugely bother me given that Firefox itself is. | | Does anyone object to this indirect way of funding Firefox? | Does it cause indirect harm by making them prioritise pocket | over Firefox? | nerdponx wrote: | I don't object. Personally I'd be happy to pay for Firefox | Send, or better still for tech support in self-hosting | Firefox Sync and Send. | newspheasant wrote: | I've spent a lot of time considering Pocket Premium but the | price point is just too high. Maybe if they roll in features | from feedly and have a really nice RSS reader. | | I also hate spending money on news that isn't going to | journalists. | Engineering-MD wrote: | Well that's why I factor it in as a donation to Firefox | instead of paying for the features (which I agree with you | the price point is way too high for what you get). | 45ure wrote: | I agree with the endorsement as a FF/TB user. 
However, I would | stop at charity shaming, as there is always a different side to | the story. | | https://news.ycombinator.com/item?id=22057737 | AnIdiotOnTheNet wrote: | Sorry, I can't bring myself to trust them after pocket, mr. | robot, and of course the time they fired that guy for having a | fetish. I might use their browser product if it ever seems like | it'll be better for my needs but I'm certainly not giving them | money. | dgudkov wrote: | Mozilla Corporation which makes the browser doesn't accept | donations. | throwawa66 wrote: | Do you know why that is? | tsukurimashou wrote: | because otherwise users would have a saying in the | direction web browsers evolve and Google would be sad | | Half kidding there | throwawa66 wrote: | So they're accepting donations after all? | maeln wrote: | Mozilla Corporation is a for-profit company. Depending on | the legislation it is sometimes forbidden to take donation, | or at least very difficult/limited for company. | | Mozilla Foundation is the non-profit organization (and they | do take donation). | Mountain_Skies wrote: | They probably can take donations just fine but there is | no tax deduction for the donor. | throwawa66 wrote: | I'm going to start donating to Mozilla every month. | zozbot234 wrote: | I assume they do get quite a bit of money from Mozilla | Foundation, which does. | dblohm7 wrote: | The Foundation does not provide money to the Corporation. | Look at the annual financial statements. | dgudkov wrote: | I asked the Mozilla Foundation if anything from the | donations goes to the browser, they said no, not a single | penny. | [deleted] | troseph wrote: | No Facebook Firefox PiHole is my Live Love Laugh | bilekas wrote: | Jesus.. It gets better and better.. | eitland wrote: | I haven't read this carefully enough to decide exactly how bad it | is, but one thing seems clear to me: | | From what I see many techies are now aware and upset, and hardly | anyone seems to want to defend Google anymore. 
| | I consider it more likely than not that Google will take some | real beatings in the years to come. Kind of like Microsoft was | fined by the US and EU, forced to advertise for competing | browsers and ridiculed by Apple ads. On a case by case basis I | think some of this will be well deserved, some less so, but few | outside of employees and shareholders will cry. | | I also _guess_ a lot of people, including certain owners and many | in management haven't deciphered the writing on the wall yet, and | in that case whatever comes next will be surprising. | morley wrote: | > From what I see many techies are now aware and upset, and | hardly anyone seems to want to defend Google anymore. | | To me, the explanation is simpler: people don't want to defend | Google on HN because they'll get downvoted or shouted down | because of it. | simias wrote: | >From what I see many techies are now aware and upset, and | hardly anyone seems to want to defend Google anymore. | | Be careful, most of us on HN are part of a very small echo | chamber. "What you see" is a small, non-representative portion | of "techies". If it wasn't, Firefox wouldn't be at sub-5% in | general usage surveys and AMP would've died years ago. | skybrian wrote: | There is little point trying to correct misinformation about | Google on Hacker News anymore, because people will just make up | more tomorrow, and it will get hundreds of upvotes if it looks | vaguely plausible. | | So, people who want to dislike Google will find everything they | need to confirm their biases here. | eitland wrote: | IIRC it's not that long ago that trying to criticize Google | here on HN was an exercise in futility. | | I won't say that the current situation is perfect but I can | see why. 
In my view Google had earned the current criticism | by hard work: | | - mismanagement of services people loved to the point where | Google always running 3 different more or less incompatible | message services, while closing services east and west has | become a meme, | | - shoving other ideas down people's throats (hi identity and | real name part of Google+) | | - etc | throwawa66 wrote: | More and more people are blocking ads. Google's business model | is under threat. They will turn into hyenas in order to | survive. | eitland wrote: | Good point. Although I feel their hyena nature has been | visible for a while now and what we are now seeing is hungry | hyena :-) | throwawa66 wrote: | Oh it will get worse. Youtube will be riddled with ads | every 5 minutes or so. Will take the cable tv path soon. | The good news is that their greed will eventually crash | themselves. | | Hey, I don't mind a little ad here and there even though I | give 0 fucks about any product being advertised. But the | quantity is becoming hard to process without adblockers. | Had they not taken the full evil mode path I'd have | considered paying for youtube. | | I think I'm better off weaning myself off almost completely. | Or alternatives... | kmlx wrote: | I think their business model is just fine: https://www.google | .co.uk/amp/s/9to5google.com/2020/02/03/alp... | falcolas wrote: | There's a certain irony of linking to an amp site on | Google's domain as part of a larger discussion about their | business ethics. | [deleted] | lern_too_spel wrote: | Is this better? https://search.yahoo.co.jp/amp/s/9to5goog | le.com/2020/02/03/a... | falcolas wrote: | How about just https://9to5google.com/2020/02/03/alphabet | -q4-2019-earnings/ ? | | No amp required, under 1 second to display content. I | will say that it's a bit beefy at 5mb total, though the | AMP site loads the same amount. | lern_too_spel wrote: | You complained that it was hosted on Google specifically. 
| I tested that Chrome specifically copies the canonical | URL and not the location bar URL when I share that AMP | page, which doesn't fit your narrative. | | Also, the reason the AMP page is faster is that it | prerenders above the fold from a SERP, not due to total | page weight. | falcolas wrote: | AMP is, hosting aside, a problematic project when it | comes to Google's business ethics. | | And the differences in rendering speed were negligible, | to my eyes. IIRC from the dev tools, it was about 1/10th | of a second difference to get readable content. | throwawa66 wrote: | AMP is basically gobbling up other contributor's content | and shamelessly profits at the expense of the content | owner. As an end user I also don't like amp. Im on | duckduckgo now | lern_too_spel wrote: | > And the differences in rendering speed were negligible, | to my eyes | | Reread my previous post. You didn't load it from a SERP. | That's what AMP is useful for, instant loading from link | aggregators. | | > AMP is, hosting aside, a problematic project when it | comes to Google's business ethics. | | How, especially considering that Google's browser does | not share AMP URLs? Is RSS a problematic project? How | about GTFS or microdata? All three give the user a better | experience at the expense of the publisher. | falcolas wrote: | > instant loading from link aggregators | | Per research tests which look at load times and | abandonment, under 1 second has the same retention as | instant. So, AMP provides no practical benefits here. | | > How [is AMP problematic]? | | A large number of electrons have been spilled on this | topic. I recommend reading one of those. It really comes | across as an attempt to argue in bad faith by ignoring | these well-distributed (especially on HN) concerns; even | worse to try and paint RSS and similar as harmful. | | Thank you for the conversation, good luck! 
| lern_too_spel wrote: | > Per research tests which look at load times and | abandonment, under 1 second has the same retention as | instant. | | Citation needed. | | > A large number of electrons have been spilled on this | topic. | | Most of those electrons have been spilled by people who | do not understand what AMP does, which included you until | you had read the GP post. Those arguments are | nonsensical to somebody who does understand what AMP | does. | | > even worse to try and paint RSS and similar as harmful. | | I do not think RSS is harmful, but your stated reasons | for claiming that AMP is harmful apply equally well to | RSS. Your argument is therefore inconsistent with itself. | glyxbaer wrote: | When I moved into IT almost 10-15 years ago, Google was one of | the companies that I adored (in a kind of naive way, but | nevertheless..). Working at that company has always been a | dream of mine. They had the reputation for hiring the best of | the best engineers, with great benefits and work culture. | | Meanwhile I'd hate to apply for them. Everything they do in | terms of tracking, etc. has become so vile and almost evil that | even Microsoft has a better standing among my peers.. | | Would love to hear some insight from ex employees on what | changed on the inside of that company, but from the outside it | doesn't even seem to be the same any more. Maybe they're just | worse at hiding it.. | dleslie wrote: | We thought Microsoft was evil because of how they treated | their partners and competitors. | | We didn't consider that a greater evil would arise, and all | it would take was a disregard of the sanctity of personal | privacy. | raxxorrax wrote: | To my knowledge Google still hasn't done anything | comparable to the worst offenses of Microsoft in its prime. | These "tests" don't really help though. | eitland wrote: | Eh. 
One of the things Microsoft was actually punished for | was bundling IE, and it didn't help that they were | actually hostile to other browsers as proven by the fact | that their documentation pages would work if Opera faked | the IE headers. | | Google's pushing of Chrome and disregard for other | browsers across their web properties comes dangerously | close in my opinion. | Kovah wrote: | I think that Google's push is even worse. Just think | about how many possible devices Microsoft could target | back in the days. 300-500 million devices maybe? Google | not only invaded desktops in the past decades, but | completely owns the Android platform, which comes bundled | with Chrome and Google as the primary search engine. | Desktops with Chrome plus the Android platform must be | far more than 2-3 billion devices. | dleslie wrote: | > > and all it would take was a disregard of the sanctity | of personal privacy | | ;) | | I would have been aghast if you had told me 30 years ago | that by now our movements, purchases, letters, phone | calls, photos, rolodex, walkman, television, and more | would all be connected to a central database and used to | produce models to coerce us into changing our behaviour. | thu2111 wrote: | Well, I'm an ex employee. Actually nothing has changed inside | the company. "Tracking" as you put it isn't perceived as | evil, it never has been, and for good reasons. The only thing | that's changed is people's perception of the company and - | very recent post 2016 political issues aside - that was | mostly driven by a sustained campaign by an angry media | industry that wanted money (see: link taxes). | | Firstly, if tracking usage statistics or activity was | actually evil then everyone would hate it, desperately try to | stop it and have tons of stories about the horrors of it. | | In fact what Google sees is: | | 1. 
Web apps are extremely popular although they all keep | server side logs that reveal every button click, every | message you type, every email you send, every search you do. | Users routinely migrate from thick client apps that give | great privacy to web apps that give none whatsoever without | batting an eye. | | Hacker News readers in particular should understand this. | It's overrun with Silicon Valley types who build their entire | livelihoods around "let me run this program for you as a | service". There's nothing special about Google in this | regard. The entire software industry has moved away from | privacy in the last 20 years because ... | | 2. Users rarely if ever use privacy features when they're | provided, even when they're heavily promoted. In fact, | despite all the noise, hardly anyone cares. For the vast | majority convenience wins over privacy every time. But not | just convenience, also ... | | 3. Security trumps privacy. People say they like privacy, but | they _hate_ getting hacked and tend to blame the service | provider if it happens. They have very little patience for | explanations of the form "yes this attacker was obviously | not you and yes we had enough data to know that, but we | didn't use any of it ... for your own good!" | | 4. Users can't and won't give accurate feedback about what | they value or what their actual experience of using an app is | like. This means A/B testing is critical to avoid making bad | business decisions. The heavy reliance on experiments and | data driven decision making is one reason tech firms tend to | steamroller their legacy competitors. | | Google hasn't become evil over time. It's been doing A/B | tests, keeping server logs and writing unused privacy | features since the company first began. All that's changed is | it got big and rich, so people - rightly - started to think | about its power more. But the hypocrisy is strong. 
The world | is full of companies collecting and using data for the | benefit of their customers. It's really only Google and | Facebook that get the vitriol. | emmelaich wrote: | You have good points. | | You have to be diligent in your efforts to show that Google | is actually doing wrong before accusing them. | | If you don't -- you're playing into the hands of their | rivals, especially "old" media companies. | Proziam wrote: | So, Google (And others) _are_ evil, but because customers | don't value privacy until it's too late, it's _okay_ to | abuse them for profit? | | You aren't ethical if you only act ethically when you are | forced to. | Yhippa wrote: | > 1. Web apps are extremely popular although they all keep | server side logs that reveal every button click, every | message you type, every email you send, every search you | do. Users routinely migrate from thick client apps that | give great privacy to web apps that give none whatsoever | without batting an eye. | | I think people here might be shocked at the amount of | surveillance going on in the most basic web apps. Lots of | telemetry like you describe and other ambient data is being | captured all as part of the terms and agreements you | probably clicked through with the website. Google is not | alone in this. | throwaway41968 wrote: | Your points are sound, but I'm puzzled by your last line: | | >It's really only Google and Facebook that get the vitriol. | | The way I read it, it seems as though it's unfair that they | get away with doing questionable stuff when "others do | worse". Why yes, if you have nefarious intentions but no | power to act them out, people are going to throw less | "vitriol" at you than if you _do_ act them out. | tartoran wrote: | That's right. Is google the most evil? Well, no, I really | don't think so. But they exert a lot of evil to the world | because of their size, power and ubiquity more than | others. Same with Facebook and Amazon. 
| | I always keep in mind the motto Google carried when they | stepped in: "Do no evil". I used to love Google back | then, but they were something else. | | They killed good products that people loved, they abused | their trust, they are what they are not because they keep | on innovating but because of their current size. They | killed a lot of small fries who in aggregate could have | given us a lot more value. | throwaway5752 wrote: | I think it's key that I never see any kind of comparative | behavior. Does Amazon do this, does Facebook do this, do | private platforms do this? How does this compare to | tracking done by apps? Based on my experience and | knowledge, Google falls on the ethical side of the spectrum | among its peers. | | I get ads from Microsoft now (in app in some cases, other | free services). I know this is a Mac/Linux heavy forum, but | I would also love to see how this tracks with Windows | telemetry (to the point made about security). I am sure | that every Windows 10 install has higher fidelity | fingerprinting sent with telemetry. | | What has changed is how easily people can be manipulated on | social media and how they can be programmatically | orchestrated with much less effort than before 2000-2005. | mafuy wrote: | Most people use default settings and have no idea about the | software they are using at all. "everyone would hate it" | assumes people know about these things, but they do not. | Don't use this as a point. | | ad 3), you make it sound as if it was one xor the other. | This is sometimes the case to some degree (like checking | urls for phishing sites), but far from always. | | ad 4), it is not my problem as a user that you have trouble | doing tests. If you need information for your business, | then spend the money and effort to acquire it. Do not abuse | your users without care. Your business case is not more | important than people's privacy. 
And if others do this to | gain an advantage over your business, don't whine, sue | them. | | When I was involved in user tests we had a lot of trouble | due to our ethical concerns, but we did not consider | dropping these concerns. | | edit: I may add that I'm German. We were taught about the | value of privacy in our history. "boring statistics about | religion" led to the murder of hundreds of thousands of | Jews. Disregard for privacy led to the atrocious human | rights violations in Eastern Germany. I cannot understand | why Americans, who explained this to us Germans after WW2, | apparently forgot all about the _reason_ for privacy. | pb7 wrote: | >hundreds of thousands | | Millions. | alleyshack wrote: | As an Xoogler, my experience is that one thing changed, and | one thing didn't. | | The thing which changed is that Google operates on a much, | much larger scale than anything imaginable back in the late | 90s when they first started. In 1999, nobody had any inkling | about the cloud and SaaS revolution that was about to come. | Nobody knew that everything was about to move into web apps | and cloud services, which permit and require(?) tracking in | ways, and on a scale, no one had thought possible. (Require | with a question mark because - ad tracking aside - what | little I know of frontend development includes that they need | to be able to see certain information, like your browser | type, in order to provide effective services.) | | The thing which didn't change is the mindset of the engineers | building the services. On average, Googlers tend to be much | less concerned with personal privacy than an equally educated | consumer, and much more interested in the features and | services they can build for themselves and others which | happen to require huge amounts of personal information to | function. In other words, a typical Googler is more likely to | think, "Oooh, having a personal digital assistant is great! 
| If I give Google access to my email inbox, it can suggest | tasks, automatically add calendar invites, and do other cool | things." | | The problems we're seeing now come when the engineers working | on advertising products have that mindset and access to | Google-scale information. They don't consider it a problem or | a violation because _they_ don't mind targeted ads, _they_ | don't mind giving up their data in exchange for services, | and _they_ don't (want to) understand why people who aren't | them might object. | | It's a lot more complicated than that because Google, while | the largest and arguably most effective, is not the only | player in this game. There are a lot of other corporate and | social influences at play. This is just to answer the | question about what changed at Google. | dleslie wrote: | > They don't consider it a problem or a violation because | they don't mind targeted ads, they don't mind giving up | their data in exchange for services, and they don't (want | to) understand why people who aren't them might object. | | And worse, they never thought to ask. Most users never | really had the opportunity to provide informed consent. | alleyshack wrote: | Yep. "I think this way, therefore everyone else thinks | this way," is an incredibly common human fallacy. | dontblink wrote: | Seems to equally apply here though. Many people are | perfectly fine with targeted ads in exchange for free | useful services. I would even propose the majority | (otherwise these services wouldn't be popular in the | first place!). | oarsinsync wrote: | > > > Most users never really had the opportunity to | provide informed consent. | | > Many people are perfectly fine with targeted ads in | exchange for free useful services. I would even propose | the majority | | I feel like these two remarks should be taken together, | and not in isolation. 
My straw poll of a few non- | technical folk in a highly-technical firm is that they're | broadly unaware of these kinds of things (but everyone | has anecdotes...) | | Speaking for my own perspective, I was perfectly fine | with Gmail when it first launched (1GB of free email | storage in exchange for a computer scanning my mail and | showing me text adverts on the side? DEAL!), mostly | because in 2003 I had no idea what my data was worth | (individually, very little. in aggregate along with | everyone else's? $GOOG indicates it's in the ~trillion | range). Facebook? For sure! Have my favourite books, | albums, movies, tv shows, all my photos, why not? | | It took many years before the implications of that | decision that we (collectively) made came through. Not | everyone has the bandwidth to focus on this, and so it | just becomes background noise. | JMTQp8lwXL wrote: | There's been more than a few departures at Google recently. You | have the profile departures of C-level execs; You've had | prominent open source folks leaving projects like Angular. | While some attrition is personal circumstance, you have to | wonder how much is attributable to the changing identity of | Google itself. | clarry wrote: | > From what I see many techies are now aware and upset, and | hardly anyone seems to want to defend Google anymore. | | From what I've seen is it's like it's always been: people are | upset for a day or two and then continue to not care, and | continue to (directly or indirectly) support the evil they were | upset about. It's incredibly difficult to get even geeks to | support a cause if it requires more than pressing a like button | or posting a comment. | | Also, it's not like Google's wrongdoings are recent news. Anyone | remember Google Watch (the site)? People have been warning and | predicting things since very long ago, yet the geek crowd never | seems to hesitate to embrace the next soon-to-be evil company | and their proprietary offering. 
| c16 wrote: | Chrome explicitly having a line [1] of code to not send the | `x-client-data` header to Yahoo made me laugh. | | [1] | https://chromium.googlesource.com/chromium/src/+/master/comp... | jcl wrote: | FWIW, it looks like that's a test case -- it is not part of | Chrome itself. They most likely just wanted an example of a | third-party website, and could have used any non-Google site | there. | c16 wrote: | Yes, But they tested Yahoo of all websites to make sure they | don't send tracking data, and not an unrelated website like | wikipedia or archive.org. The only non-google test case too I | might add. | robbrown451 wrote: | I've long seen it almost as a tradition to use yahoo for | things like testing if the internet is working, e.g. "ping | yahoo.com". I suspect this isn't much more than that. | gruez wrote: | It's a test case I wouldn't read too much into it. Maybe | it's evidence of a massive anti-trust conspiracy at google, | but it could very well be because it's the first domain | that came to the programmer's mind at the time. | jmccorm wrote: | I wasn't aware of this, but it still seems like a thread | worth pulling on. You're assuming, right? The reason I | ask is that using any third-party company seems | inappropriate. Even more so when Google has plenty of | domains of its own to test against. Even more so when it | is against a media/advertising company. And again, even | more so against a company that changed from Google to | Bing to power their search function. It seems to be an | inappropriate or poor choice, doesn't it? | | There's no smoking gun here, but I don't think that | concern might be dismissed out of hand. It might be good | to see what Yahoo's take on this. This could even evolve | into participation by the US Attorney General. I'd like | to know more, either way. Like if Yahoo was independently | added to the list at a later date, or if it was there | from the start? 
| zerocrates wrote: | The functionality is the functionality: it targets the | header to Google sites. If there's a legal issue it | really stands or falls there, not on the presence of | another company's domain in the tests. There's nothing | Yahoo-specific about what Chrome is actually doing. | quotemstr wrote: | It's an arbitrary test string, not evidence of evil intent. | A sufficiently uncharitable interpretation can make | anyone's writing look evil. It's not so. | jacobwilliamroy wrote: | Is this also true for all the standalone binaries that embed | chromium? | carlsborg wrote: | If you strace chrome on linux it also picks up /etc/machine-id | (or it did back when I looked), which is a 32 byte randomly | generated string which uniquely identifies you and on some | systems is used as the DHCP ID across reboots. | throwaway8941 wrote: | Which (among many other things) can be faked with firejail, if | you absolutely have to run Chromium (e.g. for testing): | --machine-id Spoof id number in /etc/machine-id | file - a new random id is generated inside the sandbox. | Example: $ firejail --machine-id | GrayShade wrote: | Chromium doesn't seem to read that file. | xfs wrote: | First I thought reading /etc/machine-id would be expected if | Chrome uses D-bus or pulseaudio libraries which depend on | D-bus, and /etc/machine-id is part of D-bus. But no, they | really use it for tracking purposes. | | And in a sick twist they have this comment for it: | std::string BrowserDMTokenStorageLinux::InitClientId() { | // The client ID is derived from /etc/machine-id // | (https://www.freedesktop.org/software/systemd/man/machine- | id.html). As per // guidelines, this ID must not be | transmitted outside of the machine, which // is why we | hash it first and then encode it in base64 before transmitting | // it. | jabedude wrote: | That really is a cynical comment. It almost bothers me more | than this header. 
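Added example (not part of the thread, and not Chromium or systemd code): the Chromium comment quoted above describes hashing /etc/machine-id and base64-encoding the result, while the machine-id documentation it links asks for a keyed hash with a fixed, application-specific key. The Python sketch below contrasts the two derivations and shows which one lets two applications correlate the same host; the sample machine ID, the two application keys and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample; a real value is the single line in /etc/machine-id.
SAMPLE_MACHINE_ID = "0123456789abcdef0123456789abcdef\n"

# Hypothetical fixed, application-specific keys (any fixed random bytes).
APP_KEY_A = bytes.fromhex("a3f1c2d4e5b60718293a4b5c6d7e8f90")
APP_KEY_B = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

_MACHINE_ID_RE = re.compile(r"[0-9a-f]{32}")


def parse_machine_id(text: str) -> bytes:
    """Validate the file content: 32 lowercase hex characters, not all zeros."""
    value = text.strip()
    if not _MACHINE_ID_RE.fullmatch(value):
        raise ValueError("machine-id must be 32 lowercase hex characters")
    if value == "0" * 32:
        raise ValueError("machine-id must not be all zeros")
    return bytes.fromhex(value)


def unkeyed_id(machine_id: bytes) -> str:
    """Plain SHA-256 then base64. Every application that does this
    obtains the same identifier for the same host."""
    return base64.b64encode(hashlib.sha256(machine_id).digest()).decode("ascii")


def keyed_id(machine_id: bytes, app_key: bytes) -> str:
    """HMAC-SHA256 under a fixed per-application key, then base64.
    Stable per (host, application), different across applications."""
    digest = hmac.new(app_key, machine_id, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def linkable(id_a: str, id_b: str) -> bool:
    """True when two reported identifiers can be joined on equality."""
    return hmac.compare_digest(id_a, id_b)


def compare_schemes(machine_id: bytes) -> dict:
    """Derive identifiers as two unrelated applications would and report
    whether a party seeing both could tell they come from one host."""
    return {
        # Both applications hash the raw machine ID without a key.
        "unkeyed_linkable": linkable(unkeyed_id(machine_id),
                                     unkeyed_id(machine_id)),
        # Each application uses its own fixed key.
        "keyed_linkable": linkable(keyed_id(machine_id, APP_KEY_A),
                                   keyed_id(machine_id, APP_KEY_B)),
    }


if __name__ == "__main__":
    mid = parse_machine_id(SAMPLE_MACHINE_ID)
    print("unkeyed      :", unkeyed_id(mid))
    print("keyed (app A):", keyed_id(mid, APP_KEY_A))
    print("keyed (app B):", keyed_id(mid, APP_KEY_B))
    print(compare_schemes(mid))
```

Either derivation still yields a stable identifier for the installation inside one application; the key only prevents the value from being matched against identifiers that other software derived from the same file.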
| mc3 wrote: | > which is why we hash it first and then encode it in base64 | before transmitting it. | | This made me chuckle. "As per the rules, we'll put on a | boxing glove before we punch your lights out". You won't get | privacy, but at least there is some security! | chias wrote: | In fairness, the guidelines they reference suggest you do | exactly what the comment says they're doing (assuming they're | keying the hash). The guidelines seem explicitly written with | the idea that unique identifiers _derived from_ this value | are not similarly quarantined, provided that you cannot take | the derived value and "reverse" it back to the original | identifier. | | Quoting from | https://www.freedesktop.org/software/systemd/man/machine- | id....: | | This ID uniquely identifies the host. It should be considered | "confidential", and must not be exposed in untrusted | environments, in particular on the network. If a stable | unique identifier that is tied to the machine is needed for | some application, the machine ID or any part of it must not | be used directly. Instead the machine ID should be hashed | with a cryptographic, keyed hash function, using a fixed, | application-specific key. That way the ID will be properly | unique, and derived in a constant way from the machine ID but | there will be no way to retrieve the original machine ID from | the application-specific one. | pbhjpbhj wrote: | What else is going to break if one randomises that ID (per | boot or per hour, say)? | mc3 wrote: | What about running Chrome inside a container? | Tijdreiziger wrote: | What about not running Chrome? | chatmasta wrote: | When puppeteer first came out I was nervous to use it for | scraping because I could totally see Chrome pulling tricks like | this to help recaptcha in identifying the bots. I'm still not | convinced they aren't. | commotionfever wrote: | firefox / tor also read this file | pbhjpbhj wrote: | What does tor do with it? 
Maybe pass it along in packet | timing intervals, or something ... ;o) | augustk wrote: | And this is a legal thing to do? | raxxorrax wrote: | This is outrageous. Browsers are user-agents, not advertising | accelerators. They should hide as much personal identifiable | information as possible. This is exactly why using a browser from | an advertising company is not a good idea. They use it to improve | their service... The lie gets old... | | This comment was sadly written in Chrome, since I need it for | testing... | | edit: pretty much exactly 10 years ago they already tried their | shit with a unique id. We should have learned from that | experience. | jaywalk wrote: | Well when the browser is created by an advertising company... | ec109685 wrote: | You can see all the domains they add the header to here: | https://chromium.googlesource.com/chromium/src/+/master/comp... | | Previous discussion: | https://news.ycombinator.com/item?id=21034849 | tbodt wrote: | Actual list: | https://cs.chromium.org/chromium/src/components/google/core/... | [deleted] | robocat wrote: | Security flaw? Surely some entity is squatting youtube on | some TLD?! | | If there is a country TLD of X where Google owns google.X but | entity Y owns youtube.X then entity Y gets the X-CLIENT-DATA | header information. See usage of IsValidHostName() in code. | rvnx wrote: | like youtube.vg that is available ? | robocat wrote: | Note this would be a privacy flaw which is not covered by | the Chrome Rewards program (it only covers security flaws) | so I haven't bothered logging it as a bug since I don't | want to waste my time verifying it for nothing! | | https://chromium.googlesource.com/chromium/src/+/master/doc | s... | chatmasta wrote: | This seems like a cut-and-dry case of getting caught in | monopolistic behavior. The code is right there. The Chrome | codebase has special features for Google's own web | properties. | | I hope all these AGs suing google have some good tech | advisors. 
It's hard to keep track of all the nefarious things | google has been up to over the past decade. | c0restraint wrote: | Perhaps you can send a summary to them, including the | evidence? | [deleted] | fnord77 wrote: | Can scripts from non-google sites making XHR requests to google | domains see the outgoing request headers? | bsharitt wrote: | Everybody imagine going back 15 years and tell yourself that | you're using a web browser made by the parent company of | DoubleClick. Your 15 year ago self would think you're a moron | (assuming that 15 years ago you were old enough to know what | DoubleClick was). | antisthenes wrote: | Doubleclick ads were, originally, what prompted me to seek an | adblock extension. | | I think it was around 2006 that I got the extension for | Firefox; Google bought them about a year later. | comboy wrote: | Well, it depends. Do I get a funny animation following my | cursor if I do it? | Andrex wrote: | I can only speak for myself, but myself from 15 years ago would | not have cared so strongly about the choice of browser. I | believe I was using the newly-ad-less Opera at the time, and | new/cared little about the company making it. | kokey wrote: | My 15 year ago self would have taken a double helping of | DoubleClick if my only choices were that or Internet Explorer | 6. | rplnt wrote: | I always believed that tech-savvy people using Google Chrome | are morons. It's the perfect blend of Google being evil trying | to force it to everyone, the browser being dumbed down to | masses so much it's missing the most basic features, and I | guess privacy concerns too when using browser from advertising | company. ___________________________________________________________________ (page generated 2020-02-04 23:00 UTC)