Is Chrome really secretly stalking you across Google sites using per-install ID numbers? We reveal the truth Google is potentially facing a massive privacy and GDPR row over Chrome sending per-installation ID numbers to the mothership. On Tuesday, Arnaud Granal, a software developer involved with a Chromium-based browser called Kiwi, challenged a Google engineer in a GitHub Issues post about the privacy implications of request header …
I don’t think anyone will be, but it is staggering. You’d think that in the current climate they’d be keen to be seen to be operating without a “special advantage”. Yet here we are. If the 48 state attorneys and the federal government wanted some evidence that Google have been abusing their near-monopoly position, it’s right there. Advertising on Google web services works curiously better than in other places? Well, guess why.
The data privacy violation inherent in this is less surprising, frankly. Google have seemed repeatedly uncaring about that kind of thing despite the billions in fines they’ve copped already.
It's not that Google doesn't care, it's that none of them do. The bigger picture leads to Windows 10 and Android as they are the largest pieces of spyware that exist on Earth. So while calling out Chrome is rightful, it's also like changing a sail on a sunken ship. No web browser or website can spy better than an entire OS, if only it could have remained that simple.
What would you break out?
If the Chrome browser no longer enabled targeted ads, it would no longer have a reason to exist.
Open-source browsers exist. Use them. I do.
Fingerprints that are only available to Google are automatically available to government agencies when requested.
"What would you break out?"
Separate Android and Search. And may-be YouTube. Let search be search with some added satellite services (Maps...), let YouTube be like any other broadcaster, and Android like Nokia or Samsung were/are.
It's like Microsoft repeat: they should have separated OS and Office. And like Facebook: separate Facebook and WhatsApp and Instagram. Let's break up monopolies and have competition again. What does society as a whole gain by these untouchable giants (like banks, the same).
Wish I could upvote you more.
It's amazing that anyone is surprised by yet another sneaky googlies attempt to stalk everyone on the internet. And it seems that nothing they do seems to (a) discourage anyone from using their services or browser or (b) make the law makers wake up and stomp on them.
WHY anyone uses Chrome is completely beyond my comprehension - it was always intended to be a stalking and data-gathering tool. And the people that work on it must have exceedingly low morals.
>Regardless of any of its other characteristics, the fact that it spies makes it a terrible browser.
In your opinion. In many peoples' not so much. They care how well it can run FaceBook and Amazon and iPlayer as their top priority.
This post has been deleted by its author
'Because as a side-effect of stealing your information, it is the best web-browser out there'
Utter rubbish. That's like saying "apart from me stabbing you in the stomach, I'm the best friend you have". There is nothing Chrome can do other browsers can't. Firefox, for me is a much better browser. F**k Chrome.
I could re-phrase: people use Chrome because it WAS by far the best browser and they haven't had the motivation to switch.
People use X, it's crap
Y comes along and is much better, people switch to Y
X catches up with Y, people don't switch back
Of course for the people here who prefer to turn most of the browser off, it's different. But you really need to get this into your heads: you are not the target user. Your mum is.
I could re-phrase: people use Chrome because it WAS by far the best browser and they haven't had the motivation to switch.
This could also be it's undoing. Pretty soon most new installs of Windows will come with the new version of Edge. I wonder how many people will simply stick with that now it's good enough?
Thanks Chris G
You've made a very important point. Please submit it to the CMA Online platforms and digital advertising market study before the deadline of 12th Feb.
What is surprising is that do it on youtube.com in http headers. Thats lazy. And may get them busted.
They have other ids, when you install chrome it looks around the network for printers bluetooth devices wifi etc and builds a fingerprint of your computer (rather that the browser install) so it can detect reinstalls and sends it all of to google. It uses that cookie for "user metrics" such as its monitoring of which sites you use. How much porn etc.
All this is in Chromium source if you want to look. I tried to remove user metric calls from chrome. But if you do google maps crashes. Suspect.
There is rumored to be more tracking in closed source Chrome.
There is rumored to be more tracking in closed source Chrome.
Surprised and saddened by what you mention in Chromium (though I tend to use Waterfox).
Pretty sure Chrome will have as much tracking/gathering as they can get away with (and then some).
Ugh.. Times like these I kinda wish 'hell' was real...
> According to Granal, this identifier is sent to youtube.com, google.com, doubleclick.net, googleadservices.com...
The code[1] shows the X-CLIENT-DATA is sent for any google.X domain where google owns the TLD, but if there were any youtube.X domain owned by a squatter then the PII would be leaked to that squatter. I haven’t looked if there are youtube domain squatters that match that restriction...
[1] https://cs.chromium.org/chromium/src/components/google/core/common/google_util.cc?q=IsGoogleAssociatedDomainUrl
This post has been deleted by its author
"it has Google Analytics, DoubleClick, Adsense, reCaptcha and other code on pretty much every site that matters"
Yep, and NoScript is set to block all of that on my browser, so no data that way. I have no doubt Google can still find ways to track me, but I'm not holding the double doors wide open for it.
And that's the problem, isn't it? Techies can complain about this all they like, strip-out googlies and faecesbook, etc etc from their lives, but the other 99.999% of internet-using peeps out there won't have a clue about any of this.
It's why these abhorrent companies carry on as they are - the (undoubtedly enormous) flack they get from the tech world makes no difference to them; it's still a tiny tiny drop in a very large ocean. You can block them all you like (as I do) and they don't care. Because they don't need YOUR or MY data; they have a few billion other people they can stalk instead.
When I first set up my Pi-Hole, my daughter came to visit and logged into my Wi-Fi. A few minutes later, she said "your Internet doesn't work!"
I quickly checked with my phone, nope, everything working fine.
She then said, "but Instagram isn't working." Ah, that would be because all of Facebook is blocked (over 2,000 domains and counting). "But this is Instagram, not Facebook!" Quick lecture of who owns Instagram and WhatsApp and she logged back out of the Wi-Fi to check her Instagram account.
One thing I have always wondered: does (the excellent) NoScript actually stop your browser from even fetching the request for the script (or web font, CSS, pixel bug, etc) listed on the web page, or only prevent the script from running?
If your browser still makes the request in the first place, then that presumably still results in some request header data ending up in Google's logs, even if they can't do further JavaScript evil about your interaction with the site that you are actually visiting?
RTA. If you were running Chrome noscript wouldn't make any difference to this. It's not "google domains serve tracking code" it's "Google browser sends magic id to Google domains". JavaScript is not needed, this is a browser function.
All my browsers were too slow (too many ad-blocking addons) to access a certain (non-ad-ridden) site. So I installed chrome:
1. 10 minutes in search of an offline installer (google search)
2. exe found at last, installed, opens the site, success, but...
3. laptop fans in overdrive like I hit a mine coining script, WTF?! - back to google search
4. appears that chrome installed "software reporter" component that scans my hdd for soft "interfering with the normal functioning of the browser" WTF?!
5. back to google search, deleting reporter no good, re-installs, etc. Some registry fiddles, etc, et. WTF, why should I bother with this (...)?!
6. uninstall, leave a "love you too" message on the usual page that google didn't ask my permission to open (in firefox though).
Total: 20 minutes wasted. But at least it confirmed my google paranoia & phobia are not totally groundless :)
Why do you need an offline installer for software that needs a network connection? I get it for software that need never contact the internet. For something that contacts the internet, whatever nasty you think might be in the installer could be in the main app also.
Tip for the future: use VirtualBox to test out untrusted software. Reset VM back to previous state after the test.
A little too parochial, I wot.
You're not going to save the world from global laziness and/or stupidity (cf. Donald Trump). But it makes a difference to me, at least, and those other commentards of a like bent, to protect themselves (and associated loved ones, family members, close friends, people with curiosity or a willingness to listen, etc.) from the likes of Google.
Ad brokers get paid no matter what, and adding in truly random data to their training data will just increase their signal-to-noise ratio, but they'll easily filter it.
"All it takes for evil to succeed..."
YOU are the reason we have this, you and the lazy defeatist people like you. Because too many have the attitude of bending over and taking it at the first suggestion, regardless of what you want or think, just because "they don't care what I want so I might as well cave in", we have these people who think they can make their demands, act outside the law, and people will do what they want and hand over money and worse their privacy without further question.
It doesn't take many people standing up to bullies for the bullies to cower back into the holes they belong in. But it does take people standing up, and any decent person will not bother to look if they have support or not, any decent man will take up the fight regardless of support. True, it works better if you have a well-organised team behind/beside you, and you can make your first step a look to see if anyone is at your side, but if you're alone that doesn't make this cowardice acceptable.
And that's really what this defeatist attitude is, cowardice. Man up, stand up, step up, and even if you punch like a newborn kitten do your best to give them a bloody nose and send them packing. They may not notice the first 10,000 of us, but if people actually start fighting eventually they will notice.
[El Reg, can we get a "raised fist"/"Power to the people" icon?]
That's fine, but that won't change anything.
What will make a difference to Google are things like:
For info: I've been avoiding Google and counselling against use of any of their products for more than a decade, but local solutions don't scale.
For info: I've been avoiding Google and counselling against use of any of their products for more than a decade, but local solutions don't scale.
So.. You're not one of those locked away in mom's basement furiously bashing out blog posts (read only by you and Mr Kitty) thinking you're something.. You're one who is doing something and something of value.
For that you have my thanks :)
(FTR : Mom died years back and basements aren't common for residential houses in NZ)
"Strategy." "What about it?" "Need some."
It's not so much the strategy we're lacking as the "suitable numbers of people with the will and ability to carry it out" :(
Sometimes you can't win, but you can still hold to principles and do what you can. You may only be able to do a small amount, but if you're doing it you can hold your head high. Most people don't do anything of value.
Not surprised, not particuarly bothered, get the feeling that all the privacy hee haw getting main stream press attention following cambridge analytica is just the sound of the door closing after the horse bolted, meh :(
On the plus side, decided to see what X- headers el reg sends back with requests and well the server bods have managed to put a smile on my face with x-reg-bofh and x-clacks-overhead, well done guys, have a pint or 10 on me!
I found this hex filled code being served up from akamai which uses elaborate figerprinting techniques and posted it to PasteBin:
https://pastebin.com/2tW06app
Doing a web search of one the the deobfuscated variables brought me to a persons GitHub gist where they also created a tool to deobfuscate the same:
https://gist.github.com/ttilberg/c23f39318f5efacdd3ec45f3e1b19ad4
I'd assumed Chrome was part of Google/Alphabet's spyware suite. Replacing the need for Wardriving on Streetview.
It baffles me why they have such a big market share, except Firefox lost the plot on GUI, plugins and more, becoming a poor copy of Chrome. I use Waterfox + uMatrix + Classic Theme Restorer and other stuff on Desktop. I don't want desktop programs that look like badly ported mobile apps.
Chrome got the market share through a few things.
1. massive online advertising
2. sneaky backdoor installs (lots of other software came with a hidden chrome install)
3. Chrome was significantly faster / more advanced than the then leader Internet Explorer (which at the time had only got it's market share by being included as part of the operating system)
Don't forget they and apple copied ms and put it into oses, it's chrome on mobile and tablet which really has the market share.
Chrome on desktop is only because Firefox shat the bed when they focused on service on top to try and replace the income lost by Google no longer paying them for default homepage and a really annoying download button. On the search homepage.
Well I went back to Firefox after Opera decided each new version needed to mess with the GUI and menus, add a load of annoying bugs and the developer team routinely ignore user complaints. The Firefox GUI isn't all that bad and I tend not to run many potential security risk browser plugins, just a few add/spyware plugins. Best thing, as far as I'm aware, each new Firefox version doesn't break things, unlike Opera.
What about Chromium and Chromium-based browsers,like Falcon ? Is there a way to check ?
"users logged into a variety of services like Chrome, Gmail, Google Maps, Google Docs"
I'm not even registered in these "services", even less online logged in. May-be that's why YouTube always tells me to log-in to improve my user experience. Yeah, sure
This is not true. Chrome (also) exists because it was in Google's interests to make the web-browsing experience better for computer users, so they would use it more and therefore see more ads in a more polished way.
Getting everyone to do everything on the web gets ads more visibility.
Well from personal experience over the past 35 years since I was emailing via JANET, they've a fuck of a long way to go. I'd say 80% of companies - no matter where they advertise - seem to be welded to the fucking phone. On the odd occasion you can find an email address, it goes unanswered.
Your information is out of date. Edge Stable has been available for several weeks (both v79 and v80 are in stable, and those map closely to Chromium versions with the same inflated numbers). While there are Dev and Canary channels (and I run in Dev) it's definitely wide release as of Jan 15.
And as far as I can see, Edgium doesn't send the X-Client-Data header (nor did it seem to have an equivalent for Microsoft properties so it seems to be MORE privacy conscious than Chrome).
I don't get the continued FUD about Microsoft hoovering up info - unlike Google where you don't pay for stuff (which supposedly means you're "the product", right) you do pay MS. And regardless of all the noise about it, I've never actually seen anyone show any data suggesting that MS really is copying everyone's hard disks to the cloud. Even when all the "privacy invasions" are left on.
And regardless of all the noise about it, I've never actually seen anyone show any data suggesting that MS really is copying everyone's hard disks to the cloud. Even when all the "privacy invasions" are left on.
There's this site that has LOTS on articles on that you might wish to peruse. I hear they have a somewhat functional search system even that could help you find the articles on MS slurpage - tinfoil-hatter, suspected, logical and actually proven.
It's called "theregister.co.uk". An article about some winslurp borkage that meant local data/software search would not work because Bing was not reachable is a good place to start. If MS aren't slurping everything, why is the local search tied to Bing?
Some companies that get all of their revenue by tracking you and spewing ads at you should not be allowed to produce the tools (OS and browsers). It's as simple as that. Just like some companies https://www.trustpilot.com/users/5d6f4b4be97c312a5dc07e63 shouldn't be allowed to employ people.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
