If you're serious about browser privacy, you should probably pass on Edge or Yandex, claims Dublin professor

Microsoft Edge and Yandex are "much more worrisome" compared to Brave, Chrome, Firefox and Safari, according to a paper on browser privacy (PDF) published this week. Douglas J Leith, a comp sci professor at Trinity College Dublin, investigated the network activity of six browsers – Google Chrome, Mozilla Firefox, Apple Safari …

  1. alain williams Silver badge

    GDPR

    None of this is even hinted at when you first run one of these browsers, let alone freely given, specific, informed and unambiguous as required by the GDPR. Thus all of this is illegal.

    Let us hope that the EU takes this up with them. Oh, drat, post Brexit I am no longer protected by the EU, I cannot see the Boris government giving a toss.

    1. Wellyboot Silver badge

      Re: GDPR

      All current EU laws (GDPR included) will stay in effect in the UK and the UK regulator will still exist, GDPR will be required if there is to be any meaningful data transfers at any level between UK & EU. This will continue until parliament gets around to changing laws piecemeal, but with BoJo & co. pushing international trade one could (with rose tint specs) expect (hope?) that the UK GDPR regs keep their teeth.

      1. pakman

        Re: GDPR

        Hm, I think the script goes something like this:

        BoJo: User privacy? Harumph... Who gives a toss? PifflePaffleWiffleWaffle....

        EU: You still want to exchange data with us? Respect user/consumer privacy then!

        BoJo: Drat! Oh, OK then.

        Greek Chorus (Rees-Mogg, Francois et al.): Vassal State! Oh woe! Vassal State!

        1. mr-slappy

          Re: GDPR

          Um...

          'But the government would not accept any alignment with EU laws as the EU is demanding, with Mr Gove adding: "We will not trade away our sovereignty" ... there will be no jurisdiction for EU law or the European Court of Justice in the UK'

          GDPR will be one of the first things to go. It will be sold as dynamic Bojo getting rid of all those annoying EU cookie notices that preface every web access.

          https://www.bbc.co.uk/news/uk-politics-51650961

          1. Phil O'Sophical Silver badge

            Re: GDPR

            But the government would not accept any alignment with EU laws as the EU is demanding

            In other words, the government won't let the EU tell it what laws to make, it will make those which it deems necessary and appropriate. It wants a partnership of equals based on negotiation, not on "do what you're told, we know what's best for you" paternalism.

            Clearly data protection to GDPR is necessary and appropriate to maintain trade with the EU, and since UK data protection law has always been stronger than EU minimum requirements there's really no reason (except knee-jerk "Brexit, woe, woe, I hates it, waaaaaah") to assume it would change.

            1. Peter2 Silver badge

              Re: GDPR

              GDPR will be one of the first things to go.

              Technically speaking, the GDPR has never had any legal effect in the UK because it's a foreign law and the 1689 English Bill of Rights says that no foreign prince, person, prelate, state or potentate has any jurisdiction, power, superiority, preeminence or authority (ecclesiasticall or spiritual) within this Realme, so all EU legislation comes before parliament and gets signed off as a UK law to work around this.

              In the case of the GDPR, it was implemented as the Data Protection Act 2018, so it's actually a UK law that in many areas goes further than the minimum requirements in the GDPR.

              And in any case, I don't think there is any serious clamour to get it revoked. Business always wants certainty and stability, and doesn't want to deal with cost of implementing new rules so certainly lots of companies didn't want a bit of legislation that required everybody in the business receive training and that every company in the country had to put new stuff in place and argued against certain aspects of it. (for instance; allowing companies to ask people to contact a compliance department for a SAR rather than being able to ask anybody including the office junior who may not have understood the significance of the request)

              But once all of that is done then it's done and we'd really rather not change it at all, because having implemented it then any changes are additional costs which nobody actually wants.

              1. Mike 137 Silver badge

                Re: GDPR

                Thanks Peter2

                that's all in principle valid comment. But where things break down is that a behemoth corporation can do what it damn well likes in disrespecting personal privacy as the disparity of power between it and the individual is so great and (at least in the UK) it's almost impossible to get the regulator to take individual complaints seriously. Consequently it doesn't really matter what the law allows or disallows.

                1. Peter2 Silver badge

                  Re: GDPR

                  You obviously don't have anything to do with data protection in your line of work.

                  We've had the ICO make a decision against us on the basis of a client claiming that they'd given us a new address in an email on a particular day and we had failed in our duty to update our records as required. I promptly demonstrated that the client had only sent us one email that day, and that it hadn't contained a notification of a change of address in it.

                  The ICO's response was basically "whatever, we've already ruled against you and we aren't changing the ruling" despite the fact that they'd issued a ruling on the basis of a false premise on the sole basis of a client complaint without even asking us for our side of the story. If it'd have had any penalty attached we'd have fought it in court and they'd have lost horribly but as it is we've just carefully filed the details in case they try and reference that ruling in the future for anything.

                  But you think that it's impossible to get the regulator to take individual complaints seriously and that they protect businesses?

                  It's really not, and they *really* don't try and protect businesses.

                  1. Mike 137 Silver badge

                    Re: GDPR

                    Fair comment from your own position, but the key distinction is the relative scale and power of the two parties. A smaller business may be challenged over an individual complaint, but a behemoth is unlikely to be as it's harder to make it stick, particularly if it's an international behemoth. The law applies to all, but enforcement increasingly applies only where it's cost effective. The regulator doesn't protect businesses but it does exercise discretion about what it considers worth pursuing - just like the CPS - it acts when there's a reasonable prospect of success. I've been consulting in data protection for around 20 years, so I've seen this time and time again.

              2. Anonymous Coward

                1689 Bill of Rights ?

                Bill of Rights 1689 states “That all Grants and Promises of Fines and Forfeitures of particular persons before Conviction are illegal and void.”.

                But then it can't even get you off Road Traffic Fixed Penalty Fines.

            2. Roland6 Silver badge

              Re: GDPR

              But I'm sure the UK government and the EU will be happy if after closed-door discussions the UK proposes a UK law change that the EU can agree to and thus align EU law with UK law...

              The only question is whether THTB in the UK have the mental nous to work in such a mutually beneficial way...

      2. Sgt_Oddball Silver badge

        Re: GDPR

        expect (hope?) that the UK GDPR regs keep their teeth.

        Of course they'll keep them.... In the cup of water next to the bedside table in case they have to be woken from their sleep.

        Until we see a big player being worked over by GDPR enforcement, it all just looks like a distraction meant to keep the proles happy...

    2. JoeCool

      Re: GDPR

      Firefox policy & practices is pretty clear to me. I don't need a splash page every time I fire it up.

      The Settings menu | Privacy page is really nicely laid out.

  2. Diogenes

    What happens when you turn autocomplete off? Do the browsers still phone home as aggressively?

    1. cybershooters

      Yeah, I've just been through the settings in Edge, Yandex and Firefox and it's easy to turn it off, you just turn off search suggestions. Duh. As it says, it's a very narrow study, I wouldn't sweat it.

  3. Matthew 3

    Private browsing?

    Even with the lame 'buying a present for the wife' excuse there will be plenty who deliberately choose private browsing modes for, ahem, certain activities.

    Does that get sent with the same identifier? Hardware or otherwise?

    1. Anonymous Coward

      Re: Private browsing?

      Asking for a friend?

    2. Len Silver badge

      Re: Private browsing?

      Chrome's Incognito mode blocks some of your information from being shared with third parties (and not logged and stored on your machine). It does not prevent Google themselves from collecting data on what you were up to during the 'incognito' session.

      "The report confirms that Google is no respecter of the Chrome browser's "incognito mode" aka "porn mode", collecting Chrome data to add to your personal profile" Android data slurping measured and monitored

      Simply never use Chrome (with or without Incognito mode) for anything remotely private or personal.

    3. Wade Burchette Silver badge

      Re: Private browsing?

      Um ... I always search in private mode, no exception. Mostly because I don't want the sites I click on to track me. I am not trying to hide anything from other people, just from other companies.

      1. Greybearded old scrote

        Re: Private browsing?

        Sorry Wade, but it doesn't do that. Private mode stops the browser leaving your history behind on your computer, and that's all.

        1. Len Silver badge

          Re: Private browsing?

          I don't know how it works on other browsers but on Firefox a Private Window does not have read or write access to the cookies stored on the computer. That should make tracking by third parties harder. Not impossible, but harder.

          1. Anonymous Coward

            Re: Private browsing?

            Test with this.

  4. Anonymous Coward

    "Edge and Yandex both use hardware identifiers,"

    Nasty, Microsoft's project copy Google has exceeded all expectations.

    1. Anonymous Coward

      And phones home with the URLs you're browsing.

      and presumably the PC Retailer where you got your PC/Motherboard/Network card from has your credit card details linked to the unique hardware IDs of the kit they sold you.

      It's a Stasi Wet Dream.

      1. NetBlackOps Bronze badge

        "Everything is working by design."

  5. Aoyagi Aichou

    Is this relevant though?

    I'm not sure if any privacy-conscious person would leave their browser in default settings. I mean it's nice to know which of the most popular browsers are the most aggressive, but in practice the user express-installs whatever is offered as default by their self-imposed walled garden, or uses whatever is pre-installed.

    1. flokie

      Re: Is this relevant though?

      I kind of agree, what would be useful is to know what settings can be changed in these browsers, either through the main settings, or via advanced options.

      Can you have a separate search bar and disable search in the address bar? Disable search suggestions altogether? Is DuckDuckGo easily available as a default search engine or does it take manual steps? etc etc.

      1. Aristotles slow and dimwitted horse Silver badge

        Re: Is this relevant though?

        Yes, this was my thought on the article as well. My Firefox install has all of the "default" search engines removed (i.e. Google, Bing, Wikipedia etc.) with Startpage being the start-up homepage and only default search engine, with all of the autocomplete options etc etc turned off.

        Just wondering if any research had been carried out for those sorts of instances.

        Ta.

        1. JDPower

          Re: Is this relevant though?

          Startpage, now owned by an ad finger. Might wanna change that

  6. Richard 31

    Actual data transmissions.

    Does it matter how many requests are actually made?

    What really matters is how much information the third party collects at the end of the day. It doesn't matter if they send 1 or 100 requests if they send the information about the url or whatever.

    More requests may well influence your behaviour though.

    1. eldakka Silver badge

      Re: Actual data transmissions.

      In this case (mostly), 'more' requests == more granular data.

      For example, where they said Edge sent every keystroke typed into the address bar. Which means it gets even aborted (deleted/corrected) typed in data.

      e.g. pornhub^H^H^H^H^H^H^Htheregiser

      Since Edge sends every keystroke, Microsoft will know that you were at least considering going to pornhub, then changed your mind and decided to go to the register instead.

      Of course, they could have still sent all that information as a single 'bundle' of information, but the generality is that usually more frequent data transmission is more granular data.

      1. Richard 31

        Re: Actual data transmissions.

        I don't consider going to pornhub.... I always go to pornhub... :)

  7. Anonymous Coward

    Didn't test...

    Opera? My favourite for anonymous activities because VPN & Private mode.

    1. Aristotles slow and dimwitted horse Silver badge

      Re: Didn't test...

      Opera doesn't have a VPN, what they are shilling as a VPN is really just a data gobbling and very limited web proxy.

      1. Anonymous Coward

        Re: Didn't test...

        But it's a secure web proxy service, right? So not technically a VPN-LAN/WAN service, but then you'd not expect it to be. It's more of a VPB.

        Anyway, the question was more related to the degree with which the browser is associated with the browsing history. Hardware level, software level, user level, session level? I mean, one knows full well that they're gobbling the data... but how much of it can be pieced together?

        1. Anonymous Coward

          Re: Didn't test...

          But it's a secure web proxy service, right?

          One end is you, one end is Opera. All your data transits Opera, that well-known finance business.

        2. eldakka Silver badge

          Re: Didn't test...

          Since Opera are the proxy operators, Opera will still get all the data they want from the proxy server. So the browser sends unique ID, referer and user-agent strings to the proxy, which Opera can then pick up from the proxy before stripping off for forwarding onto the destination site. And, since it's Opera's proxy, they can customise it how they want, therefore any extra HTTP header information in Opera requests (the aforementioned unique IDs, referers, user-agent, etc.) might not get stripped by the proxy, they could still be forwarded to the eventual recipient, perhaps even conditionally based on contracts Opera could have with certain end-points. Just because you are using 'a' proxy, doesn't mean that it is stripping off everything you'd expect an impartial 3rd-party proxy provider using unmodified open source software (e.g. squid) to do.

          I'm not saying that Opera are doing this, I'm saying that relying on a proxy (or even VPN) operated by the browser vendor to prevent the browser vendor from getting this extra information from their own browser is, well, crazy.

  8. MJI Silver badge

    With Firefox

    A recent update removed the search box (now refitted).

    But I have the ominous text in the address bar of Search with xxxx or enter address

    Where xxxx is current search engine.

    How do I get rid of search with as I want separate boxes?

    1. Anonymous Coward

      Re: With Firefox

      Firefox has been painful for this sort of thing for years.

      I don't like autocomplete, and don't like having the url bar automatically send information to a search engine when an address is wrong. When I first started using Firefox, it did neither of these things. Over time, various updates introduced them. Over time, I went into about:config, and set various flags to try to switch them off.

      Over time, various updates re-introduced them as the flags were no longer relevant. So I set more flags. At one point, Firefox decided that it would re-introduce them in a way that about:config couldn't disable (version 66?). So I found out about userchrome.css and used that.

      On Monday I upgraded to version 73, and again spent half an hour setting flags, and adding lines to userchrome.css to try to get rid of them.

      I still use Firefox, but their developers do make it difficult to like.

      1. Len Silver badge

        Re: With Firefox

        Just put the separate search bar back into Firefox toolbar and set that to use DuckDuckGo by default. That's what I did years ago and very happy with it. I use the URL bar only for URLs, history and bookmarks, never for searches. Works a charm.

        1. Anonymous Coward

          use the URL bar only for URLs,

          And what happens if you accidentally mistype a URL, or enter a search term, in the URL bar? On my Firefox, I find it "helpfully" does a search anyway...

          1. Anonymous Coward

            Re: use the URL bar only for URLs,

            about:config, set keyword.enabled=false

            1. Anonymous Coward

              Re: use the URL bar only for URLs,

              Thanks! It doesn't get rid of the "Search with DuckDuckGo" text though, strange enough. Maybe they forgot to do that.

        2. This post has been deleted by its author

    2. Pascal Monett Silver badge

      You can configure that in Options under Search.

  9. Chris G Silver badge

    Off (with) the Edge

    Just updated my Win 10 to the newest incarnation, half an hour to regain a semblance of privacy. There are a lot of options to disable various apps that probably phone home, when I got to Edge the disable box is dimmed out, have to block outgoing Edge at the firewall.

    1. Hubert Cumberdale

      Re: Off (with) the Edge

      I find Winaero Tweaker helps with some of that.

  10. Zippy´s Sausage Factory

    I still use Pale Moon as my main browser, although DuckDuckGo has replaced StartPage as my search engine of choice (based on quality of the search results, weirdly).

    I do use Brave a lot, but I'd like to see how Pale Moon fared in that - sadly it isn't really popular enough, but I suspect it would do very well.

  11. mark l 2 Silver badge

    Surely the only information Edge gives to Microsoft is the number of people who only ever make one search on Bing and that to get the download URL for Chrome?

    1. Len Silver badge

      I know it's a joke and all that but I wouldn't rule Bing out entirely.

      My standard search pattern is DuckDuckGo first, if they can't find what I'm looking for I go to Google, if they can't find what I'm looking for I go to Bing. You'd be surprised how Bing sometimes works better for stuff that Google has pushed back to page 47.

      Also, if you are a website owner, I would make sure your site shows up on Bing searches too. Bing is one of the data sources for DuckDuckGo so if you want to appear in DDG searches you'd better show up on Bing first.

      1. adam 40 Bronze badge

        Duck duck off!

        What about Altavista, and the Wayback machine (for the best stuff that's been deleted)

        1. Anonymous Coward

          Re: Duck duck off!

          Altavista is dead, it just redirects to Yahoo now.

          Of course it's really been dead for a long time.. Ever since we all thought Google was going to be a respectable company ("Don't be evil" - LOL were we fooled then).

  12. Greybearded old scrote

    I think we need a browser plugin to repeatedly replace that browser identifier. Perhaps even a random number for every request.

    1. Len Silver badge

      I wonder what would be worse for them. A random ID for each search or an ID that stays the same for some random time between 60 and 90 hours. The latter might throw algorithms off more than the former.

      1. Roland6 Silver badge

        I think the side effects will depend on how unique the random IDs are, i.e. the likelihood of your random ID matching someone else's random ID within a reasonable timeframe.

        1. eldakka Silver badge

          Oh my god, how about a plugin that can share IDs with other random users? Therefore when an ID is created on a browser, it gets put into a central or shared ID pool, which the plugin can then randomly pull from. Therefore each request sends a different pre-existing random ID of another user.

          That'll pollute their tracking data.

    2. Barrie Shepherd

      Rather than a true random identifier just a set of ten.

      Then they would get so much conflicting data, from so many sources, their "experience improving" "targeted advertising" would effectively be hitting random audiences?

  13. BinkyTheMagicPaperclip Silver badge

    It might help if applications supported 'paste preview'

    Better still is the return of distinct search and browsing entryfields, and not automatically (hello, Windows 10), sending application/file searches to the Internet.

    However, it's not uncommon to paste things that ideally shouldn't be pasted into a search engine, and a paste preview could help this.

    I remember back in the days of OS/2, of a particularly decent utility that extended the number of clipboards and offered macro facilities - very useful. I'm sure similar programs exist today.

  14. adam 40 Bronze badge

    I've braved it...

    Just switched over to Brave.

    I have saved 4GB of real memory and 12GB of virtual memory (compared with Chrome)

    I didn't have to add adblock plus.

    Fairly painless so far.

    Win-win!

  15. Def Silver badge

    Hardware IDs

    Obtaining a hardware ID for user identification purposes is fairly par for the course for most software these days. I can pretty much guarantee *every* app you ever ran on your phone or tablet uses such an ID in some form or another.

    It wasn't so long ago that both iOS and Android returned a real hardware ID for any app that asked for it - albeit unique at the user level. These days though, each "hardware ID" is unique to the application and user that requested it. And this is no different on Windows - requesting a hardware ID returns you an application and user specific ID only.

    Not convinced the same can be said about Linux though. /etc/machine-id exists, and is discouraged from being used (by sternly worded documentation), but do you trust every application you run to follow the rules?

    1. Paul Crawford Silver badge

      Re: Hardware IDs

      Not convinced the same can be said about Linux though. /etc/machine-id exists, and is discouraged from being used (by sternly worded documentation), but do you trust every application you run to follow the rules?

      You can use strace on any program when started to observe attempts to open that as a file, but if they are really sneaky there is probably some way to obscure the access.

      1. Def Silver badge

        Re: One task done properly

        That won't help though. Because you're supposed to read it, and the machine ID should be hashed with a cryptographic, keyed hash function, using a fixed, application-specific key.

        It's that second part you need to be worried about.

        (Sorry, I should have clarified that in the first place. It's not to be *directly* used.)
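The keyed-hash derivation discussed in the Hardware IDs comments above, as an added example that is not part of the original thread and is not systemd's own code: it uses HMAC-SHA256 as the keyed hash and shows why an application that skips the step and reports the raw /etc/machine-id lets two vendors join their logs. The machine IDs, application keys and function names are constructed for illustration.

```python
"""Added illustration: per-application IDs derived from /etc/machine-id."""
import hashlib
import hmac
import re
import uuid

# machine-id(5) format: 32 lowercase hexadecimal characters, newline-terminated.
MACHINE_ID_RE = re.compile(r"[0-9a-f]{32}")

# Constructed sample values, not real machine IDs.
SAMPLE_MACHINES = {
    "laptop": "4c1f0e7a9b2d4e6f8a0b1c2d3e4f5a6b\n",
    "desktop": "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b\n",
}
# Hypothetical fixed keys, one compiled into each application.
APP_KEY_A = bytes.fromhex("00112233445566778899aabbccddeeff")
APP_KEY_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def parse_machine_id(text: str) -> bytes:
    """Validate the file contents and return the 16 raw ID bytes."""
    value = text.strip()
    if not MACHINE_ID_RE.fullmatch(value):
        raise ValueError("not a valid machine-id")
    return bytes.fromhex(value)


def app_specific_id(machine_id: bytes, app_key: bytes) -> uuid.UUID:
    """Keyed hash of the machine ID, truncated to 128 bits.

    The result is stable for one application on one machine, but cannot be
    matched against another application's value without that application's key.
    """
    digest = hmac.new(app_key, machine_id, hashlib.sha256).digest()
    return uuid.UUID(bytes=digest[:16], version=4)


def linkable(records_a, records_b):
    """Return the machines whose identifier appears in both vendors' logs."""
    seen = {ident for _, ident in records_a}
    return sorted(label for label, ident in records_b if ident in seen)


def report(raw: bool):
    """Simulate two applications phoning home from the same machines.

    raw=True  -> both send the machine ID unmodified (the discouraged use)
    raw=False -> each sends its own keyed-hash derivation
    """
    logs = {"A": [], "B": []}
    for label, text in SAMPLE_MACHINES.items():
        mid = parse_machine_id(text)
        for app, key in (("A", APP_KEY_A), ("B", APP_KEY_B)):
            ident = mid.hex() if raw else str(app_specific_id(mid, key))
            logs[app].append((label, ident))
    return linkable(logs["A"], logs["B"])


if __name__ == "__main__":
    print("raw IDs, machines linkable across vendors:    ", report(raw=True))
    print("derived IDs, machines linkable across vendors:", report(raw=False))
```

Nothing in the file's permissions enforces the derivation, so whether a given program sends the raw or the derived value can only be established by inspecting what it transmits.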

    2. eldakka Silver badge

      Re: Hardware IDs

      If you really want, you can set it up to create a new value on every reboot.

      Although, it seems it is only strictly necessary to reboot on changing the /etc/machine-id if you use D-Bus (if you use systemd, you are using d-bus) because d-bus uses it as a machine identifier (duh!) for the bus on the local machine for IPC (Inter-Process Communication).

      1. Def Silver badge

        Re: Hardware IDs

        But I thought one of the much lauded benefits of Linux was that you never had to reboot. ;)

  16. cybershooters

    Yandex

    I don't care, I'm still going to use the Yandex Browser. You can turn off search suggestions which should largely resolve this, although I admit I haven't Wiresharked it yet. It's just got so many useful doodads in it. Although I use various other browsers as well. And as for GDPR, don't give a stuff, don't live in the EU.


Biting the hand that feeds IT © 1998–2020