Comment by RajT88

1 day ago

I'm waiting for IT departments worldwide to wake up to the threat that your browsers are leaking all of your URIs by default back to the manufacturers.

URIs leak company secrets. I'm sure there's some people at Google using Edge who are leaking company data to Microsoft. I'm sure there's some people at Microsoft using Chrome who are leaking data to Google.

Edge and Chrome both send back every URI you visit to "improve search results" or to "sync history across devices". It's not clear if this includes private mode traffic or not (they don't say).

Huge privacy hole to allow this, and nobody seems to be aware or care.

For that to be in any way useful for those companies (as a means to spy on their competitors), they'd have to be actively looking into the information to derive intelligence. Not really practical without some serious engineering, which would leave tons of evidence. It's not worth it. That's just not how these companies operate.

> there's some people at Google using Edge

I'd be surprised if it's more than a handful of people with explicit exceptions for work-related tasks. Chrome is the norm.

  • > For that to be in any way useful for those companies (as a means to spy on their competitors), they'd have to be actively looking into the information to derive intelligence. Not really practical without some serious engineering, which would leave tons of evidence. It's not worth it. That's just not how these companies operate.

    Was thinking about this as well. What evidence would it realistically leave? I mean - they are sending the URIs by default so no client side reverse engineering is needed. They say plainly they are doing this.

    Yes, it's a lot of traffic.

    IP spaces are well known. Easy to filter for corporate traffic. From there, it's a smorgasbord of internal URIs to dig through - anything with no domain name, or host.(companyname).com traffic. Also easy.

    Maybe this ends up in a big data lake queryable by certain groups, but not anyone likely to spill the beans. NDA covers you there. This is not New York Times level corporate subterfuge. It's almost certainly not legal - and this is the important thing - the regulators haven't had the gumption to prosecute anti-competitive behavior in earnest since the 70's or earlier. What Microsoft went through in the 90's in retrospect was antitrust litigation with kid gloves on.

    This armchair analyst sees no downside to such practices. Risk, but so little it doesn't matter.

    Sure, insiders could spill the beans and violate their NDAs, but who the fuck is going to do more than levy a slap on the wrist for something too difficult to explain to Congress in a way that gets them to care?

    Now, I think if you actually put your hands on the browsing history of congressmen harvested in this way, and put it into the public domain, you're going to get a bunch of regulators to all of a sudden care about antitrust enforcement again.

    • You're putting too much faith in NDAs. All it takes is one disgruntled employee with a sense of ethics.

      Also, evidence doesn't have to be externally visible. In a lawsuit, discovery will dig through design docs, server logs, emails, chats, everything.

  • I mean, realistically, yes. But you'd be surprised sometimes by pretty technical folks who just use whatever is installed when their work machine for whatever reason runs Windows.

Wait till you hear about how many companies willfully perform all their work in G Suite and Office 365/Teams.

  • Indeed. And they are trying to find sneaky ways to get you to back up more and more data there.

    They do have privacy policies which say they won't sell that data, or use it for advertising or anything other than delivering the service. But - who knows if that is true? There's no oversight. And if they get caught breaking that privacy policy, who has the appetite these days to do anything meaningful in terms of penalties? Nobody.

    • WHEN they get caught and the fine never outweighs the sale price of the data. It's not a coincidence. It's a clear factoring of the cost of doing that into business. There's no moral and ethical backbone here.

    • I believe the point of the above comment is "The trust model already trusts the recipient, so nobody cares that the recipient is seeing query params because they trust the recipient to ignore them."

      > who knows if that is true? There's no oversight

      The oversight is that those companies rely heavily on being trustworthy, and proving untrustworthy would be disastrous for their business models. Companies don't have to care right now because they have reason to believe Google, MS, et al. aren't sniffing that data. If they came to believe they were?

      Google alone is making $43 billion on Cloud and would prefer not to jeopardize that revenue stream.
