When you tell Chrome to wipe private data about you, it spares two websites from the purge: Google.com, YouTube Google exempts its own websites from Chrome's automatic data-scrubbing feature, allowing the ads giant to potentially track you even when you've told it not to. Programmer Jeff Johnson noticed the unusual behavior, and this month documented the issue with screenshots. In his assessment of the situation, he noted that if you …
actually ... I tried this with "Ungoogled Chromium" and it also has the same behaviour: "clear all cookies and site data when you quit Chromium", and then I closed the window but it didn't clear the Google cookies and site data. Darn.
But then it dawned on me: did I actually, really, quit Chromium ? a killall chromium confirmed that no. So how do you quit Chromium ? In the right side the small button with ⋅⋅⋅ has the magical "Exit" function, and then Chromium really does suppress the cookies, even the Google ones. May-be ungoogled chromium changes that behaviour, who knows ?
They knew there would be no consequences when they were. Sure, there is talk about breaking them up in the EU and now the US, but talk is cheap.
I've seen claims that if Google were forced to spin off Chrome it couldn't survive on its own, Given that Google pays Apple billions to be the default search on Safari and Safari has far less browser market share than Chrome does, I would think that an independent Chrome would be quite a profitable business. But much less threatening to the future of the web once no longer part of Google.
Can I take a guess at the inevitable answer? Something along the lines of:
"It was test code that was never supposed to be released to the public. We have no idea why it was left in the released code, but we are looking into it in order to see that it never happens again."
Hey, it's worked for them all the other times!
Shun go ogle and everything else under Alphabet. They are a disastrous societal accident in progress.
Nope. Good guess though. After all, it's worked before. But the article has now been updated to say "it's a bug that will be corrected". Which is another favourite.
There's a story, I don't know if it's actually true mind, about Macy's department store in the 1920s. If a customer cut up really rough, and was a really entitled arse abot their complaint then the manager could summon a particular guy. Don't know what his day job was, but his side role was to be sacked. So said manager would listen to the complaint and then tell the customer that they'd deal with the person responsible. This guy would then be summoned, dressed-down in front of the customer and told that they were dismissed. Then it was back to wherever they came from an on with whatever they were doing. Unless Macy's had so may annoying customers that the guy was getting "sacked" every half hour...
Anyway I feel that it's time Google got themselves a nice sacrificial engineer - perhaps with a particularly fetching hat - that they can publicly wheel out and sack whenever they want to use this excuse. It can be the same one every time, its not like they don't know that we know that they're lying through their teeth. But at least it makes the pretence more interesting. Perhaps a trained actor, who can cry on cue and give us a better show...
It may very well *be* a bug. But if it is, it's only a bug because Google's sites are *intentionally* getting some *other* special handling.
Google needs to be forced to divest Chrome and anything related to it, and Google's pressure on browsers like Firefox needs some government monitoring, too.
"So said manager would listen to the complaint and then tell the customer that they'd deal with the person responsible. This guy would then be summoned, dressed-down in front of the customer and told that they were dismissed. "
When I was IT manager in our Japan office, we had a period of high instability with our trading platform. I used to employ a person on my team whose role was to be a professional apologizer. I would take him with me to the meetings at the banks and he could sincerely apologize with every ounce of his being. The sort of person that you could imagine was still apologizing half an hour after the meeting finished.
BleachBit works a treat for clearing out cookies, vaccuuming out SQLite databases and other PII from storage and is even in the Linux repositories.
You can also assign BleachBit to clear out custom folders or files within the preferences settings if what you want purged is not already listed.
I set up a bash alias to clear everything out using the command terminal after I'm done browsing the web.
https://www.bleachbit.org/
I'd probably be interested in installing something like what you mentioned, except I've already uninstalled Chrome entirely.
I noticed that Google & Youtube were *not* wiped even though I told it to wipe everything; I noticed that it kept banging on about JavaScript issues even though I had explicitly turned it off; and I had gotten beyond frustrated at it constantly rendering sites into indecipherable glop. Case in point: NewEgg.com has Edit fields for Price, but Chrome kept being unable to render the maximum value Edit field. I have no idea why, but load the exact same URL under IE11 & the site renders just fine.
I finally gave up & uninstalled Chrome. Imagine my (lack of) surprise when I found Chrome data splooged all over my system that the uninstall "accidentally" missed. I restored my system to the point prior to having installed it thus ensuring all such orphaned data got purged, & have given up on Chrome.
I don't know what/why sites won't render properly *except* under IE11, but it irks the piss out of me that sites (like Youtube) scream at me to use a "modern" browser (ignoring the fact that there's a copy of IE11 in Win10) because "older unsupported browsers will fail to render our site properly", yet I have to use said pseudo-outdated browser to get their sites to render in such a way as to be accessible.
I'll go back to using FireFox ESR for those few times I want to determine just how screwed up the web has become under a "modern" browser. =-\
Just for the record, although I test out most other browsers[0], I use Firefox ESR exclusively for actual web browsing. It's the only one that always works, every time, for the things I need a browser for.
Obviously advice is worth what you pay for it, and YMMV. Have a beer anyway.
[0] Can't convince a client that their marketing driven choice is a piece of crap unless you know exactly why it is a marketing driven piece of crap.
If you are using Windows, and you restore, there is no guarantee that some data structures are modified through the restore process; Restore does exactly that, restore pretty well, but Delete was never a great part of the program. RTM, Restore doesn't try to damage a lot of user data, of which Chrome is creating.
scream at me to use a "modern" browser ...
.
Seems to be a new united push to a monoculture: some sites just read from the same words issued by Google [ no doubt ] that only 5 browsers are acceptable, 4 of which happen to be Chrome-based.
.
The Twitter Version
We officially support versions of the following browsers from the past year on twitter.com:
Edge (https://microsoft.com/edge)
Safari (https://www.apple.com/safari)
Chrome (https://www.google.com/chrome)
Firefox (https://www.mozilla.org/firefox)
Any browser based on Webkit / Chromium engines (Opera, Samsung Internet, UCBrowser, etc.)
.
.
[ from my thread in the Pale Moon forum ]
.
And 15 minutes ago I looked up on Google Image a still of a charming 1940s actress, and though I think the identification was off, nearly all the results were from rotten tomatoes, and that foul site just refused to let me in at all
https://www.rottentomatoes.com/unsupported-browser?err=custom-elements,shadow-dom
To enjoy RottenTomatoes.com, try using a newer browser like Google Chrome, or Mozilla Firefox.
As ever, like with tracking insistence etc. etc. / American Media going mental over GDPR, if they put up barriers, one just leaves and lives without them.
And if they're too thick to work that one out, no wonder their dying marketing is crap.
For a start, this isn't something discovered recently. Just a mere google (heh) for google.com and local storage shows that someone asked this very question 6 years and 9 months ago ("Why does chrome never delete google.com localstorage?") so seeing this on El Reg over 6 years later is just baffling.
The article also seems to conflate cookies and local storage. Sure google could *potentially* store cookies in the local storage, in the same way they could *potentially* sell your browsing habits and IP address to any takers. The question is what is possible, but what are they actually doing or intending to do?
Given this has been happening for so long already, and no clue as to how far back this particular behaviour actually goes, it does sound like an attempt to make much of an issue than it really is - hence the article emphasising what google could do if they decided to put cookies in the local storage.
When much of the argument is based on a hypothetical premise to support its doomsaying, it merely highlights the severe lack of substance otherwise.
So google has been doing this for over 6 years at least. What have they hidden in the localstorage after all that time? If there is something to show for it, then that is where the article should be going.
Otherwise, if you want to decry google for hypothetical situations, you may as well pop down the pub and re-create Harry Enfield's Self Righteous brothers.
Google has enough skeletons in their closet already - no need to find another closet and postulate how many skeletons they could fit in there.
Good grief, so many words to say:
"I knew about this already, I found out six years ago.
They haven't stored cookies in local storage and they could have. You should investigate that."
Postulate my arse.
I never heard that there was anything kept in the browser except cookies and cache. What's even the point of having data that is not stored as a cookie? Isn't it functionally the same? Is information that you are logged in to a website part of "site data", or is it a cookie (which is what I assumed)?
Also called "local storage", was introduced with HTML5 as a W3C standard several years ago. Reasonable browsers allow you to select which sites (if any) may store site data on your machine. Others cheat, others again (like Adobe) use plugins (i.e. Flash) to secretly store stuff.
A cookie belongs to a domain and is always sent when a browser sends a request to that domain.
localStorage belongs to a domain but isn't sent when the browser sends a request. It is available to code served from the domain so gives a site a way of accumulating state without bulking up the http requests.
deadlockvictim,
It is cheesy. But in a good way. I wouldn't say that the special effects haven't aged well, but only because they weren't all that good in the first place... But the soundtrack is great, I particularly love the bit when the Wedding March starts up, and it's full-on Queen guitars-a-go-go.
It's good, leave-your-brain-at-the-door fun. And no worse for it. Even when future Blue Peter presenter Peter Duncan is failing to act and saying, "spare me the madness" before being killed off by future James Bond Timothy Dalton.
If I wasn't at work I'd crank up the speakers right now and chuck a bit of Queen on.
Flash still exists?
It's still lurking in the background, generally refusing to die. For me, not installing Flash was one of the best browser performance mods, as well as neatly denying all those fecking annoying Flash ads. I think last time I allowed it on a box was to try out the ITV Player. That was based on Flash, and did fun things like allowing ads to unmute speakers and maximise volume. As for local storage, it seemed demanding. Plugin had options to automatically increase it's local store, or set a size. I figured 100KB should be fine for cookies. Then error saying it'd run out of store. Then by the time it demanded >10MB, I'd given up on it and vowed to terminate with extreme prejudice.
Its a useful tool with a lot of potential for damage, often will be used to buffer images for uploading, or use it as a cache to resize in the background (on your device) the images so you send over the wire much smaller files, as one example, but thats a trivial hello world use. But its really a SQLLite DB createable on a per site basis, and not that easy (for the non dev minded) to inspect.
The real issue is that due to the law lagging behind the tech, as long as the tracking ID is stored in the local DB instead of as an actual cookie (a text file in browser cache folder) and programatically sent i.e.
var bollocks_to_dnt = localdb["sneeky_tracking_id"];
HTTPWrapper.SetCookie("data_hostage_id", bollocks_to_dnt);
Then my understanding of the current laws and regulations is that, its ok to do that because its "not" a cookie, as its something more ephemeral (pep pills vs speed). When used like that its actually much worse than a cookie, as a cookie is limited to being pretty small in size (off top of head 1kb plain text payload), where as using local storage like this, well you could dump the entire db (limited to 5mb unless you grant permissions which people do because they like getting alerts on cat videos) and send as a binary stream over a websocket, which is a LOT harder to pick apart for the average joe, as even if they can find the network tab in dev tools know to look at the websockets, they still would have to be able decode the binary protocol in use.
This is one of the things that scares the hell out of me with web assembly, as currently it should be possible (no matter how obfuscated the JS is) to set a break point and examine the data in the browsers JS debugger before it gets encoded and sent. Cant see that being easy to do with a strongly signed web assembly, especially one that implements a non text based protocol for comms, and does end to end crypto/mutual TLS. Assuming you can access your private key, and can decode the protocol then at best you will be able to view the response sent back to you, encoded with your public key, while what you send i.e. the data us privacy minded are probably most concerned about would remain opaque and unknowable without the co-operation of who ever is ingesting the sent data. All from little black boxes controlled by those who profit from our data, instead of now where they at least all have to use common web techs. Of course when people realise the problem it will be too late as they traded it for some free to use service or convenience.
Probably but until that scenario gets prosecuted i imagine it will be interpreted as "rule as written not rule as intended" by the data slurpers ambulance chasers and given the green light until a court says specifically no.
And even then GDPR will be harder to enforce with web assembly due to the potential of side stepping any of the web techs that covers, and drop down a level to be TCP/IP level legislation, and frankly the law would be too broad and unenforceable if it covered any potentially identifiable token sent over a network (i.e. **this is a massive stretch but...** ARP tables could be under that description, and how would you grant permission on a per device basis as your packets are routed), and even then i dont think that GDPR would be grounds enough to force a data slurper to publicly document or share private keys for a proprietary encrypted protocol for public scrutiny, and even if they did it would be trivial to code in a VW emission scandal test fudger to behave compliantly when being watched (they would just have to have examine the thumbprints of the private key in use, strip idents if using the scrutiny thumbprint, slurp away if using the real private key).
Hopefully it never gets that bad, but i have little faith in the unholy union of tech and politics
"We are aware of a bug in Chrome that is impacting how cookies are cleared on some first-party Google websites. We are investigating the issue, and plan to roll out a fix in the coming days."
Anyone here remember the early days of the BOFH excuse calendar? Because I'd be more inclined to believe "Solar flares!" or "Magnets!" right now...
Elves is my goto answer.
Non Tech Boss: "So how does this work?"
Me: "Do you want the technical answer which will raise more questions than answers, or the answer that will make you happy, but ignorant to how it works?"
Non Tech Boss: "Just because im marketing doesnt mean i cant understand technical answers"
### 40 mins later ###
Me: "...so once the feed from supplier b has been manipulated to this format, we can then start processing this batch as the data it refers to now is available via this api"
Non Tech Boss: "But what does that have to with the feature i asked about"
Me: "I call it ice berg dev, your concerned about the tiny percentage above the water, but the whole thing relies on whats under the water, if you dont understand that you will want to know why that icon changes in this scenario and i will have to explain it anyway, or do you want the other answer?"
Non Tech Boss: "OK whats the other answer?"
Me: "Elves, digital voodoo, reticulated splines and a sky hook covered in tartan paint"
I noticed this ages ago. It's why I use Chrome for my work stuff (the office has G Suite) and Firefox for everything else. The inconvenience is worth it for the peace of mind.
I haven't tested it lately, but I also remember that "incognito" allowed leakage of Google cookies across windows.
An important thing to be aware of about Incognito mode (and Private Browing in Firefox) is that it only isolates the Incognito windows from non-Incognito windows - all Incognito windows & tabs open at the same time share the same state.
So if you want to browse 2 different sites which both have google (or other) trackers, and try to avoid google making the connection - you need to do all your business in the 1st site, then close all Incognito windows, open a new Incognito window, then do your business in the 2nd site.
Firefox's Private Browsing works in the same way, which is why I use Firefox Temporary Containers instead of Private Browsing - much more powerful.
As Google is basically using Chromium as the basis for this, has there been any information about Chromium itself?
Might be a safer alternative without losing the benefits of Chrome - as yet, NONE of the other browsers come even close to its support for WebRTC. I have no idea why the rest are so rubbish at it, but it's a sad reality.
".. just like our wholesale grabbing of WiFi data when we were running Streetview. The fact that we had a complete back end ready to receive and process all that juicy data was a complete coincidence."
Face it folks, it's about money and it's a US company. The past decades with Microsoft ought to have give you an idea what that means regarding ethics, principles and respect for law, because Google is following the exact same playbook, also because fines normally tend to be minuscule compared to their income from such illegal activity. That was why the corridors of Brussels were filled to the rafters with Google (and others*) lobbyists when the EU were debating the levels of GDPR fines, thankfully to no avail.
* Oracle, for instance, which I found rather interesting.
Let me guess... they wanted to be able to test third party websites, needed the clear function, but couldn't be bothered to write an extension that cleared everything without logging them out of their corporate email and chat?
And I could just have about believed that if just google.com was involved. But YouTube? No, I don't think so. Back to the naughty step for you, Google.
Of course it was deliberately set up to work that way in Chrome. Its easy for Google to play ignorant and claim it was a bug or accidentally left in developer code once they get caught. That way they get to track millions of additional people they would have missed if site data had been removed when the implemented the wipe private data feature.
Just switch from Chome to another browser, Firefox would be my preferred choice but if you need one that runs the Chromium engine then Brave is another good choice
Back in the old days, dreadful programmers (and companies) used to say "It's not a bug, it's a feature" to excuse bad stuff.
Now, since whenever it was we passed through the looking glass and truth became lies and lies became truth, the excuse has been reversed too.
"It's not a feature, it's a bug".
Why is this even news? Chrome explicitly tells you that you won't be logged out of Google sites - so of course they can still track you, you're still logged in. Who cares if they forget to delete a couple more cookies or local storage than the ones they've already told you that they're not going to delete??!
Microsoft has used the same technique with some of its self-favoring changes to Windows 10, like how it would reset all of the privacy settings to their most blabby with each feature update. When people complained, it became a "bug" that they would fix in time, but it's the same peculiar type of bug that just happens to serve the interests of the makers of the software containing the alleged bug. It's a self-serving bit of code that becomes a bug if anyone raises a big enough stink about it (does that mean it became a stink bug?).
If you can call it a bug and be off the hook, why not include these kinds of things and see if they slip under the radar if you are a Google or a Microsoft?
Google this and Other Big Companies names that but never the person/s responsible for controversial many times criminal actions, Your bluster is as effective as making fun of a wall full of graffiti, as if the wall was a real being. I watch This Week In Tech, (TWIT) I’ve seen you and heard youses.clutching them pearls about giant companies yet always yielding to whatever drivel anonymous spokesperson (“don’t blame the messenger excuse has been thoroughly debunked by observing Trump’s interactions with the press) and wondering out loud what can be done,”oh so sad the state of tech” why don’t you begin by attaching more names responsible for the shite you report. From suspicious changes in code to the regular big bro stuff you report.I’ve heard that github can help with some of this, dunno, maybe it an urban legend. regardless you call yourself journalists be one or let someone who will,be.
More truthfully, the error was making it too easy to find.
In over 30 years of software development and development management I've never encountered a genuine bug that resulted in a benefit to either the user or the vendor. Goooooooogle must have some absolutely magical developers. Even their mistakes produce useful outcomes.
The developers integrated Google Account authentication with the browser and reused what was already there to track state (why wouldn't you?) for maintaining authorisation tokens. If someone clears every bit of data from their browser, then it would lose that state information and result in you needing to log back into your Google Account. As it's assumed that Chrome users would want their seamless Google Services integration by the very nature of the browser's design goals - protecting the data from deletion makes more sense than duplicating code when it comes to efficiency. Unlike Microsoft Edge, which has a dedicated set of system services that ship with Windows to act as a broker for authenticating to Microsoft Accounts (and/or Azure AD) to achieve a form of authorisation persistence, Google doesn't have that luxury.
Common sense shall always reign supreme. This isn't a deliberate act to benefit any form of privacy invasion. It is a user-first policy to make things work the way they're intended to, while minimising bloat.
Programming error? I'm rolling my eyes at that one. I don't do the cookie clearing anyway, but exempting themsleves and only themselves from it's not at all cool. Definitely not a programmer error either; but, at least (now that they've been caught red-handed...) at least they're fixing it instead of making some excuse about how it's not a problem or something.
More like fixing the programming error that made it so obvious what they were doing.
Trust and Google are so far apart they may as well just not bother trying to deny any of it. They should just say you bunch of sucker could not care less what we do with your data so just shut up and let us get on with taking over the world.
Now we are going to buy Oracle and make all that nonsense go away. Literary as we we pull support for Oracle DBs after 6 months just before we shut down the Stadia servers.
Just a bug? I wonder if it would have ever been fixed if it wasn't reported.
Isn't it time to escape Googles grip o our private data. I found the easyest way to delete my Google account and switch to /e/ from e foundation on my mobile, which is ungoogled android made for privacy. Because it doesn't share data with Google, I can still use android apps while being private.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
