I am less likely to accidentally give you permission over my computer to do shady shit if I am forced to install an app vs happen to click the wrong link on my browser.
The difference is intent. By installing Chrome I do not intend on giving up every last bit of privacy and control over my computer, they just want to trick me into doing so by stuffing functionality into web APIs that should never have been web APIs in the first place.
If you're questioning whether they're trustworthy, you should be going out of your way to avoid installing their native app, preferring a web-based solution instead.
> By installing Chrome I do not intend on giving up every last bit of privacy and control over my computer, they just want to trick me into doing so by stuffing functionality into web APIs that should never have been web APIs in the first place.
Is Chrome really so bad about accidentally granting privileges (webcam, say) to websites?
Perhaps there's a more privacy-oriented browser that lacks such functionality entirely? Sounds like a good idea, come to think of it.
That is just the point. I can avoid installing their native app, but it is much more difficult to opt out of these insidious and unnecessary web APIs. This is especially the case when the leading browser happens to be created by a data collection company.
Yes, Chrome is bad at managing privileges and leaking data back to Google and any other web site that is smart enough to know how to ask for it. Avoiding browsers that implement this and shaming sites that use the APIs is apparently the approach that will be necessary going forward.
> Aren't you in control over what you allow to access on the per-site basis?
You mean the same way you are in control over what data tracking you allow and what cookies can be set on a per-site basis? In theory perhaps, in practice no.
A native app, once installed, basically owns you. With a web app you have to explicitly grant permission for each and every API (of the kinds listed in TFA at least). Are you in the habit of accidentally clicking "accept" in a series of permission prompts? Even if the answer is yes, it's ok, as it's very easy to revoke the permissions in your browser.
There's no way you can argue that a single "grant all permissions" step is more privacy friendly than fine grained permissions.
I wouldn't have any problems giving these APIs access via the web, but one challenge with the websites is that I'm never 100% sure that when I "retract" a permission or say "stop tracking me" that it's done. I think that if access to these API's were wrapped in some sort of Privacy API that superseded each website's privacy and data collection polices I would be more comfortable with this. These changes just seem like something Google threw over the wall to get things working with Chrome and every other browser developer said "no thanks".
With app store apps I am told what permissions they need and I usually opt to not install them, but it's hard to get by without a web browser these days.
Well, first of all, there's a massive difference of threat scale between "the apps I have personally chosen to download and install" and "every website that I visit, even if only for a moment."
Second of all, there's no App Store review process for malicious websites. An app that wants to harvest your data will at least have to have some vaguely plausible useful purpose in order to even have a chance to try.
So I don't know about you, but personally, if you were to ask me, "Do you think a restriction that reduces the number of people able to harvest your data in this particular way by about 90%, or is it totally useless if it's not 100%?", I'd say go for the 90% solution rather than just throwing up my hands and saying it's hopeless.
Forcing someone to install a native app not only lets the maker of the app siphon the users web browsing data, it also allows them to siphon all data from their machine, including bank details, passwords etc, and often opens security vulnerabilities that allow people who aren’t the app maker to do the same.
At least on an iPhone, it's nearly impossible to get bank details and passwords with a native app unless you're using some incredibly sophisticated techniques.
Forcing them to install a native app also massively reduces the number of people who are going to actually let you in.
I am less likely to accidentally give you permission over my computer to do shady shit if I am forced to install an app vs happen to click the wrong link on my browser.
The difference is intent. By installing Chrome I do not intend on giving up every last bit of privacy and control over my computer, they just want to trick me into doing so by stuffing functionality into web APIs that should never have been web APIs in the first place.
I don't follow this line of thinking at all.
If you're questioning whether they're trustworthy, you should be going out of your way to avoid installing their native app, preferring a web-based solution instead.
> By installing Chrome I do not intend on giving up every last bit of privacy and control over my computer, they just want to trick me into doing so by stuffing functionality into web APIs that should never have been web APIs in the first place.
Is Chrome really so bad about accidentally granting privileges (webcam, say) to websites?
Perhaps there's a more privacy-oriented browser that lacks such functionality entirely? Sounds like a good idea, come to think of it.
That is just the point. I can avoid installing their native app, but it is much more difficult to opt out of these insidious and unnecessary web APIs. This is especially the case when the leading browser happens to be created by a data collection company.
Yes, Chrome is bad at managing privileges and leaking data back to Google and any other web site that is smart enough to know how to ask for it. Avoiding browsers that implement this and shaming sites that use the APIs is apparently the approach that will be necessary going forward.
3 replies →
> The difference is intent. By installing Chrome I do not intend on giving up every last bit of privacy and control over my computer
You make it sound as if Chrome will expose your private data and the control over your computer to everyone who cares to use it.
Aren't you in control over what you allow to access on the per-site basis?
> Aren't you in control over what you allow to access on the per-site basis?
You mean the same way you are in control over what data tracking you allow and what cookies can be set on a per-site basis? In theory perhaps, in practice no.
2 replies →
A native app, once installed, basically owns you. With a web app you have to explicitly grant permission for each and every API (of the kinds listed in TFA at least). Are you in the habit of accidentally clicking "accept" in a series of permission prompts? Even if the answer is yes, it's ok, as it's very easy to revoke the permissions in your browser.
There's no way you can argue that a single "grant all permissions" step is more privacy friendly than fine grained permissions.
I wouldn't have any problems giving these APIs access via the web, but one challenge with the websites is that I'm never 100% sure that when I "retract" a permission or say "stop tracking me" that it's done. I think that if access to these API's were wrapped in some sort of Privacy API that superseded each website's privacy and data collection polices I would be more comfortable with this. These changes just seem like something Google threw over the wall to get things working with Chrome and every other browser developer said "no thanks".
Creating these APIs doesn't just grant access to them to well-thought-out PWAs with a clear use case.
It grants access to every shady malware ad that wants to siphon your data and that of everyone around you.
To what degree is this true for App store apps too though? What with the Facebook (sign-in) SDK and all? Honest question.
With app store apps I am told what permissions they need and I usually opt to not install them, but it's hard to get by without a web browser these days.
1 reply →
> It grants access to every shady malware ad that wants to siphon your data and that of everyone around you.
Can't native apps do so as well?
Well, first of all, there's a massive difference of threat scale between "the apps I have personally chosen to download and install" and "every website that I visit, even if only for a moment."
Second of all, there's no App Store review process for malicious websites. An app that wants to harvest your data will at least have to have some vaguely plausible useful purpose in order to even have a chance to try.
So I don't know about you, but personally, if you were to ask me, "Do you think a restriction that reduces the number of people able to harvest your data in this particular way by about 90%, or is it totally useless if it's not 100%?", I'd say go for the 90% solution rather than just throwing up my hands and saying it's hopeless.
Forcing someone to install a native app not only lets the maker of the app siphon the users web browsing data, it also allows them to siphon all data from their machine, including bank details, passwords etc, and often opens security vulnerabilities that allow people who aren’t the app maker to do the same.
At least on an iPhone, it's nearly impossible to get bank details and passwords with a native app unless you're using some incredibly sophisticated techniques.
Forcing them to install a native app also massively reduces the number of people who are going to actually let you in.
From a tech point of view browsers are switching the roles of client and server. It's getting to be like X windows or something.