Comment by d1zzy
6 years ago
TL;DR I think whoever posted that is trying to bury the UA anonymizing feature by derailing the discussion.
What I'm seeing is an RFC for anonymizing parts of User-Agent in order to reduce UA based fingerprinting, which improves everyone's privacy, that's a good thing!
Then I see someone comments how that could negatively impact existing websites or Chromium-derived browsers, comments which are totally fair and make an argument that it may not be a good idea to make this change because of that.
Then someone mentions the _existing_ x-client-data headers attached to requests that uniquely identify a Chrome installation. Then a lot of comments on that, including here on HN.
To me that's derailing the original issue. If we want to propose that Chrome remove those headers we should do so as a separate issue and have people comment/vote on that. By talking about it on the UA anonymizing proposal we are polluting that discussion and effectively stalling that proposal which, if approved, could improve privacy (especially since it will go into Chromium so then any non-Chrome builds can get the feature without having to worry about x-client-data that Chrome does).
I think the concern is that this disarms Google's competitors while keeping them fully-armed.
Ads are a business, and they are Google's business. They are how they make money. And like all businesses, they are competitive. Tracking is a way to make more money off online advertising. By removing tracking from their competitors while keeping it for themselves, Google stand to make a lot of money off this change.
Their motivations are not honest, but they're pushing them as if this is the high road. It isn't. It's the dirty low road of dominating the online ad business, made possible by their dominance in the browser market. And it's always been the end-goal of Chrome browser.
I think this is a common strategy of big players in any industry.
First, they do some dirty thing to gain a competitive edge when the industry is still new and unregulated. Later they develop an alternative way to achieve the same competitive edge, and then criticize other players for doing it the old way, saying they should be "mature and responsible".
See also first world countries industrializing/modernizing & becoming rich/lifting people out of poverty using industrial techniques that pollute heavily, then "going green" and criticizing other players (India, China) for doing the same thing, saying they should be "mature and responsible".
Just yesterday I had to disable anti fingerprinting I'd enabled in Firefox because despite having a solid IP and existing cookies to login to Google, its security system rejected me, even after answering security questions. Turn off fingerprinting and I could log in.
So, this is a roundabout way of agreeing with the hidden dark patterns that Google are bringing to the web. It must stop.
I have to log into Gmail just to pass captchas. Every time I do it I die a little inside.
All the more reason to keep bad actors in containers isolated from the rest of your web browsing. Google can fingerprint me all they want if that gets their rocks off, all they'd see is my gmail inbox that they see anyway.
Much of such discussions demonize the company, but we need to look broader. Google is a public company and its shareholders, since they share the company, are also to be pointed out. Discouraging such behaviour is better done by the shareholders by dumping shares since Google could very well argue that if it didn't work to maximize ad revenue, it would not be operating according to fiduciary responsibility principles. (IANAL .. just thinking out loud)
That is such short term thinking.
Doing unethical things because "We had to so the shareholders would make money" is such a cop-out. I see it just the opposite way. You have a duty to do things ethically so that in the long run customers continue to want to use your product. So that governments don't start going after you for the unethical things you do. So that other businesses will trust you and continue to work with you.
Here's an example: Huawei. They've reached out to me saying they'll pay me more than my employer and my commute will be shorter. No effing way. I'm sure I could make them a lot of money, but their history of unethical behaviour is an instant deal-breaker for me. Others will, sure, but in the market of labor they're going to have a reduced supply because I'm surely not alone in this attitude.
I'm with you on the shareholders being complicit in the behaviour (through ignorance or inaction in a lot of cases), but unfortunately I'd guess 90% of said shareholders wouldn't be aware of the scummy tactics Google have undertaken, similar to Microsoft I'd say, outside of the IT/HN realm.
It's unfortunate. Profit of their shares is the only thing a lot of people look at (and willfully ignore anything else unless it slaps them in the face/becomes a major mainstream media event).
"I think the concern is that this disarms Google's competitors while keeping them fully-armed."
Pretty sure that was their main reason for helping push https-everywhere. A good idea generally, but hurt every other entity trying to do tracking more than it hurt Google.
> while keeping them fully-armed.
That's sort of a fragile assumption though. I mean, yes, there's enough specificity in this number that it could be used (in combination with other fingerprinting techniques) to disambiguate a user. And yes, only Google would be capable of doing this. So it's abusable, in the same way that lots of software like this is abusable by the distributor. And that's worth pointing out and complaining about, sure.
But it's not tracking. It's not. It's a cookie that identifies the gross configuration of the browser. And Google claims that it's not being used for tracking.
So all the folks with the hyperbole about user tracking for advertising purposes need to come out with their evidence that Google is lying about this. Occam says that, no, it's probably just a misdesigned feature.
> Google claims that it's not being used for tracking
> Occam says that, no, it's probably just a misdesigned feature.
Allow me to introduce to you "mabbo's razor": If someone can make money by doing X and it's impossible for anyone to tell whether or not they are doing X, then they are probably doing X or else will as soon as you believe they won't.
While I agree with some of your comment, I feel like it’s harsh to paint the whole Chrome enterprise with that brush. Chrome was about freeing the world of a truly terrible web browser and a lot of devoted devs have spent a lot of time working on it. There’s an advertising aspect that it’s right to call out, but I think on the whole it was done to make the internet better, because the internet is Google’s business too.
EDIT I just wanted to point out that a load of people have poured their lives into making Google Chrome the amazing bit of software that it is and suggesting that the end-goal has been entirely about supplying ads does a great disservice to their personal contributions.
These aren't mutually exclusive things. The people working on Chrome were and are highly motivated, intelligent and passionate people, some of whom I call friends, who want to see the web become a better place. In that regard they have succeeded massively.
But by this point, Google has dropped billions of dollars on salaries for those developers to build Chrome (call it >500 devs, >$200k salaries, >10 years). Google is not a charity. They didn't build Chrome with the intent to lose money on it. Everything else Google made that wasn't profitable is gone now, and yet here Chrome stands. Because it is an indirect profit center.
And you've pointed out the real issue: Chrome was about freeing the world of a truly terrible web browser. 'Was'. But it did that! So what is it about now? Why would Google continue to pour money into it if they didn't expect to extract more money out of it in the future?
You can make the world better and make money while doing it. Ideally, that's what we all are doing.
It wasn’t some noble mission to free the world. Chrome was always about Google controlling the client side of the web to guarantee their advertising access to web users. The ability to extract additional data from the user was a nice bonus.
The way I see it, both of these can be (and most likely are) true. Intentions of the company aren't usually the same as intentions of individual contributors (or even whole teams). The Web is Google's business - the more stuff happens on the Web, the more money they can eventually make of it. Advertising is how they make most of that money, so this is what they're protecting. But beyond that, Chrome answered a real need and a lot of hard-working people made it into a best-in-class browser.
"Chrome was about freeing the world of a truly terrible web browser "
Chrome is about establishing more control over the web to further the business objectives of Google and Alphabet.
The problem with this belief of Google as some kind of 'benevolent actor' is a function of the new kind of branding they helped introduce, something that an entire generation of particularly young people are being duped by.
'Brand' used to be the image that companies presented - it was a decision, a marketing tactic, usually invented by agencies. Google was one of the first to change that, to effectively 'internalize' the brand so that they (staff, even leaders) really kind of believed their own kool-aid. There's an incredible aura of 'authenticity' to this; when leaders really believe their own schtick, it rings more powerfully. (This is an issue for another thread.)
But Google has proven that in the long run, they're just a regular company. I don't think they are bad actors, and in the big picture, they're better than most. But, they're just a self-interested entity: they will do whatever is in their power and which is also legal, to leverage their incumbency and stymie competition.
>which improves everyone's privacy, that's a good thing!
Except it does not affect Google, because Google has this install ID to use both for tracking and preventing ad-fraud.
Which means Google competitors are terribly disadvantaged, as they cannot use that.
Which not only reduces market diversity (contrary to TAG philosophy) but represents a significant conflict of interest for an organization proposing a major web standard change.
These issues are very relevant to the original proposal, especially in light of the fact that no one outside of Google is terribly interested in this change. Any time a dominant player is the strongest (or only) advocate for a change that would coincidentally and disproportionately benefit its corporate interests, the proposal should be viewed very skeptically.
> Except it does not affect Google, because Google has this install ID to use both for tracking and preventing ad-fraud.
So when Apple releases a privacy feature, that doesn't affect them as a business, we praise the feature or we say "except it doesn't affect Apple" and somehow try to argue how the feature is less valuable because of that?
Of course we'd say "except it doesn't affect Apple"...
If there's a privacy gap, (and Apple is actively exploiting that gap)
When Apple patches it, (while leaving it open for themselves)
They'll get called out.
Apple is not engaged in illegal data harvesting to gain a competitive advantage over other services in the same space. Google's collection of personal data with the x-client-data header without user consent is illegal under GDPR.
This is the equivalent of a protest, people are objecting to Google's illegal data harvesting practices in places that receive engagement, since that's the most effective way to get the word out and warn others.
Google's reasoning that this is not personal data is meaningless in the face of GDPR, which considers an IP address personal data. Google has access to the IP address when they receive the data, therefore they are transmitting personal information without user consent and control, which is illegal.
It could be argued that a similar violation is present (since March 2019) in Chromium for the Widevine CDM provisioning request, see https://github.com/bromite/bromite/issues/471
Basically all users opening the browser will contact www.googleapis.com to get a unique "Protected Media Identifier", without opening any web page and even before any ToS/EULA is accepted (and there is no user consent either).
I think the Widevine CDM request is needed for the service to function, though they could certainly delay it until a website requires DRM. GDPR allows the use of personal data without consent when it is required to provide a service for the user.
The personal data collected with the x-client-data header is not required for Google sites to function. Google uses the data to gain a technical advantage over other sites on the web, this is why the data collection in this case requires consent.
The poster is the author of Kiwi browser, which unfortunately is closed source [0], but I have reason to believe he is familiar - as I am for the Bromite project - with all the (sometimes shady) internals of the Chromium codebase; it is indeed off-topic to discuss the header issue there but I would say that there is no explicit intention to derail it (and no advantage), just incorrect netiquette.
[0]: https://github.com/kiwibrowser/android/issues/12#issuecommen...
The Google employee argues that through UA-CH Google wants to disincentivise "allow" and "block" lists.
After many years of testing HTTP headers, IMO this really is a non-issue. Most websites return text/html just fine without sending any UA header at all.
What is an issue are the various ways websites try to coax users to download, install and use a certain browser.
Another related issue with Google Chrome is users getting better integration and performance when using Chrome with Google websites than they would if they used other clients. ^1 Some make the analogy to Microsoft where it was common for Microsoft software to integrate and perform better on Microsoft Windows whereas third party software was noticeably worse to integrate and perform on that OS.
This leads to less user agent diversity. Users will choose what works best.
UA diversity is really a more important goal than privacy, or privacy in Chrome. The biggest privacy gains are not going to come from begging Google to make changes to Chrome. They could however come from making it easier for users to switch away from using Chrome and to use other clients. That requires some cooperation from websites as well as Google.
Those other clients could theoretically be written by anyone, not just large companies and organisations that are dependent on the online ad sales business. It would be relatively easy to achieve "privacy-by-design" in such clients. There is no rule that says users have to use a single UA to access every website. There needs to be choice.
For example, HN is a relatively simple website that does not require a large, complex browser like Chrome, Safari, Firefox, etc. to read. It generates a considerable amount of traffic and stands as proof that simpler websites can be popular. Varying the UA header does not result in drastic differences in the text/html returned by the server.
1. Recently we saw Google exclude use of certain clients to access Gmail.
https://cs.chromium.org/chromium/src/components/google/core/...
Just thinking out loud.
What happens, let's say, if someone malicious buys youtube.vg and puts an SSL certificate on it? Will they be able to collect the ID?
I guess so?
Yes, but they would also need a valid TLS certificate?
A country's government could also take over the TLD and grab its traffic overnight.
The original issue is supposedly fingerprinting and privacy related.
If that's true then Google should be called out for their poor behaviour.