Edge privacy worse than Chrome

Avatar
38

A Dublin professor has released a paper on web browser privacy. Edge is singled out for using hardware identifiers in requests and unnecessarily sharing entered URLs with Microsoft:

“From a privacy perspective Microsoft Edge and Yandex are qualitatively different from the other browsers studied. Both send persistent identifiers than can be used to link requests (and associated IP address/location) to back end servers. Edge also sends the hardware UUID of the device to Microsoft and Yandex similarly transmits a hashed hardware identifier to back end servers. As far as we can tell this behaviour cannot be disabled by users. In addition to the search auto-complete functionality that shares details of web pages visited, both transmit web page information to servers that appear unrelated to search auto-complete”

Comments (47)

47 responses to “Edge privacy worse than Chrome”

  1. Avatar

    wp7mango

    Sending the device hardware UUID isn't really a privacy issue.

    • Avatar

      j5

      In reply to WP7Mango:
      Why not? I'm curious because having your hardware ID could tell a lot about your device, where, what when, and matched up with other metadata scraped that's a lot of information now on the user.


    • Avatar

      wright_is

      In reply to WP7Mango:

      UUIDs are considered personal information, as is the IP address under GDPR.

      • Avatar

        wp7mango

        In reply to wright_is:

        I don't think so. When I was implementing GDPR compliance for several companies I work for, the principal test is whether the data being transmitted can on its own or with other data make it identifiable with a real person. If the user is using Edge standalone, but is not using any Microsoft account, then I don't see how this can be used to identify a real person. If they do use a Microsoft account, the UUID is probably used throughout the OS services anyway, so sending it from Edge makes no difference. Furthermore, GDPR compliance must give the user the ability to request that any personal data held is to be deleted. Ironically, on certain systems, verification/proof of deletion requires the UUID to remain on record with all personal data deleted, so the user can use the UUID to check whether the data has in fact been deleted, i.e. The UUID essentially works as a transaction/audit ID for GDPR compliance.

        • Avatar

          wright_is

          In reply to WP7Mango:

          UUIDs and IP addresses are most definitely considered personally identifiable information.

          Yes, an IP address could be another server, but it could be a private residence occupied by a single person, or it could be a single-user mobile device. Therefore it is treated as PII - the same as a physical address, it could be a company address, a block of flats or the address of a single-occupancy residence, therefore it is PII.

          Even web server log files should be anonymised, for example. The last 2 octets should be zeroed in log files, for example, when they are rotated. It is allowed to keep the full IP address in the case of a security breach to aid in tracking down the culprit, for the duration of the incident and the subsequent investigation - once the case has been closed and the evidence passed to the police, the original logs would need to be anonymised or deleted, unless the whole server had been handed over.

          https://www.groundlabs.com/what-is-pii-for-gdpr/

          search for IP address.

          • Avatar

            wp7mango

            In reply to wright_is:

            The definitions vary between jurisdictions. PII data sensitivity also varies on a case by case basis. That's why every case needs to be looked at individually.


            Sending the UUID itself is not a breach of privacy per say. It's what you do with that UUID that makes the difference.

  2. Avatar

    bnyklue

    Does this really surprise anyone? Despite what people seem content to believe, Microsoft under Nadella has become an incredibly unethical company. The notion that they actually care about privacy is just another scam that should be easy to see through. Edge is designed from the top down to collect telemetry and mine data for advertisers. That’s the only reason it exists.

  3. Avatar

    simard57

    new edge or legacy edge?


  4. Avatar

    wright_is

    If you actually read what they are doing Chrome is worse, but it doesn't use a UUID, if you aren't logged into Chrome. If you have used your Google account to log onto Chrome, it is a lot worse than Edge. Google also follows you around the web from the other side. The research is interesting, but probably irrelevant for most Chrome or Edge users, as they will probably have "logged in" to the browser for the convenience it brings.

    (Note: I'm not a user of Chrome or Edge, so no hidden agenda on which is better)

  5. Avatar

    minke

    99.9% of people using the Internet don't care, especially younger folks who grew up with the Internet always available. The understand this isn't really about "privacy" but about financing the functioning of services that are used everyday. I would be fine with switches that could turn off all the tracking, but there would then have to be a fee for those that want to do so. It is a trade off. You provide useful information to these services and they provide useful services to you. Personally, I just ignore most of the ads I see. What's the big deal? Are you such sheep that you are afraid you won't be able to resist the advertising they are trying to target you with?

  6. Avatar

    madthinus

    Also, Smartfilter screening needs a back end to prevent you from using / downloading malware invested sites / files. Firefox and the google browsers used Google's safe browsing tech. All of that needs urls going to the cloud and back. I prefer mine to go to Microsoft or Firefox.

    • Avatar

      proesterchen

      In reply to madthinus:

      That's certainly one way to do it, but not necessarily the only, and most definitely not the most privacy-focused.


      Along the lines of anti-virus software, browser vendors could just as easily deploy a set of signatures to a local instance checking for flagged sites, which would completely eliminate the need to send any information back. (though the vendors may want to ask users to contribute information back on an opt-in basis)

    • Avatar

      anderb

      In reply to madthinus:

      "Also, Smartfilter screening needs a back end to prevent you from using / downloading malware invested sites / files. Firefox and the google browsers used Google's safe browsing tech. All of that needs urls going to the cloud and back."


      It absolutely does not need URLs going to the cloud and back and they don't. Google's safe browsing works by downloading a database of malicious URL hash codes. When the user enters a URL, the browser computes the hash code for it and checks if that hash is in the database - the entered URL does not need to be sent to Google. Unlike Microsoft's less private approach.

  7. Avatar

    sherlockholmes

    Guys, when you are concerned about Edge and/or Chrome, there is a simple way out: Use Firefox.

  8. Avatar

    madthinus

    Newsflash, telemetry is not tracking! Also, telemetry is not bad per se! All browser makers have telemetry going back to them. Some is just more transparent about it. I have turned on telemetry in Firefox, because I trust the folks at Mozilla. Plus I understand what they use the information for. Bowsers are complicated beasts. They relay on hardware acceleration for fast rendering and prone to be vulnerable to issues caused by drivers. Having the telemetry and crash data going back to the vendors ensure that they can build a better browser. We need to get past this telemetry is an invasion of privacy nonsense and understand what it it being used for. Also know that both Mozilla and Microsoft anonymise the data before it goes into the telemetry database.

    • Avatar

      justme

      In reply to madthinus:

      "We need to get past this telemetry is an invasion of privacy nonsense and understand what it it being used for."


      Respectfully, no, I disagree. What we need to get past is the idea that it is OK for a company to make software and track what the user does with it or how it is being used without the express informed consent of the user. GDPR came about precisely because of a lack of informed consent regarding data companies collect. I fully understand what you are saying. The problem is the majority of users do not - and will not unless and until Microsoft and other tech companies are more forthright and transparent about what they are doing. All I would ask for is Microsoft be up front about the data it collects, be up front about WHY it is collects the data, be up front about how the data is (and isnt) being used, and give me the option to turn off that data collection. Microsoft has an Insider program - why cant they limit telemtry just to those participants?

      • Avatar

        Paul Thurrott

        So. I kind of agree with both sides here. Microsoft isn't doing anything evil with telemetry data, in my opinion, but it's a fact that it's literally the primary way they improve product quality now, and that is the reason they're so weird about it. But ... Yes. Anyone who wants to turn this off, completely, for whatever reason should be able to do so.
    • Avatar

      sherlockholmes

      In reply to madthinus:

      Nothing you said is new to readers on thurrott.com. But it should be up to the user for what data they want to send to the company. And when someone doesnt want to send anything or at least just the absolute minimum, that should be fine too.

    • Avatar

      anderb

      In reply to madthinus:

      Newsflash, Edge is sending entered URLs to multiple Microsoft servers and they can be linked back to a specific PC. That IS tracking.

      • Avatar

        Paul Thurrott

        In reply to anderb:

        "Can be" is different than "is." If we take this academic paper at face value---that is, just accept what it says as truth---than what we're left with are the most important unknowns: Why Microsoft is doing this and what, if anything, it is doing with this data.


        If you seriously believe that Edge, or any mainstream browser, is worse for your privacy than Chrome, you're just nuts. Chrome is an ad-dealing, privacy-stealing engine. It exists only for those purposes.

        • Avatar

          anderb

          In reply to paul-thurrott:

          "Chrome is an ad-dealing, privacy-stealing engine. It exists only for those purposes."


          As the paper states, towards the end of the startup process Edge is already talking to a Microsoft ad-server. The advent of Edge is hardly a philanthropic endevor. Both companies are out to make money from your browsing habits. What is becoming increasing apparent is that Microsoft's interpretation of 'privacy' has shifted the boundary beyond the physical device. Your data is 'private' in the sense that 'only' Microsoft and its partners know about it. The continuing integration of Windows 10 desktop search functionality with Bing is proof of this.

          • Avatar

            Paul Thurrott

            Google makes most of its revenues from ads. Microsoft makes almost none. The potential for abuse is far greater from Google and is negligible from Microsoft, even if they were so inclined. And they're not. You're a bit over the top in your distrust of Microsoft. And a bit silent about how freaking evil Google is. These tw things are not comparable.
            • Avatar

              proesterchen

              In reply to paul-thurrott:

              I don't know what the basis is for judging Google guilty unless proven innocent while presuming Microsoft's innocent until proven guilty, especially in the face of the findings of this paper.


              I'd rather measure them both against the same stick, and frankly, they both collect more data than I would choose to supply them with, given proper user controls.

              • Avatar

                Paul Thurrott

                It's not about guilty vs. innocent in this particular case, which is very limited in scope. I'm talking about the broader behavior of both companies, which is well-understood.
                • Avatar

                  proesterchen

                  In reply to paul-thurrott:

                  I guess I just don't see (or don't know, giving them the benefit of the doubt) the actions Microsoft has taken to warrant an inordinate amount of trust.


                  There are however at least a few decisions I'm aware of that definitely decrease their users' privacy.


                  So I don't know how Microsoft would overcome a default attitude of 'trust no one'.

                • Avatar

                  Paul Thurrott

                  Microsoft and Google are on completely different planets when it comes to trust. A few ... decisions? Google is violating your privacy all day long, every single day. We gotta stop pretending that these companies are in any way comparable when it comes to trust or in their respective ability and desire to do wrong by their customers to pursue revenues.
                • Avatar

                  proesterchen

                  In reply to paul-thurrott:

                  Your contention appears to be that Microsoft is less bad than Google. My contention is that they are both not good enough to warrant trusting either by default.

                • Avatar

                  sherlockholmes

                  In reply to paul-thurrott:

                  Paul, I have a question. When you really think that Google is an evil company, why do you still use Chrome and G Suite? And dont tell me its about convenience.

                • Avatar

                  Paul Thurrott

                  Every decision we make is a calculation between risk and benefit. Every one. I don't use Chrome, I use Edge. I use G Suite because the company uses it, and I don't have a choice. I've been trying to get them off it since I signed on. But I do use Google Maps, because it's the best solution and when I'm driving 5 hours to Boston or whatever that information matters. I use Google Photos because it is the best photo service by far, but I also put everything in OneDrive (and locally on a NAS) just in case. I use Google Play Music because it's one of the only services that lets me combine my own music (for free) with a service that's not Apple and I trust Apple even less than I trust Google.
                • Avatar

                  yoshi

                  In reply to paul-thurrott:

                  Paul, just out of curiosity - why do you trust Apple even less than Google? I prefer Android overall, but I'm always thinking maybe I should switch to iOS for privacy reasons. But maybe the grass isn't greener?

                • Avatar

                  Paul Thurrott

                  Apple are control freaks that think they know better than their own users. Google for all their issues let you do whatever you want. Including removing access to their own apps and services. I just don't like Apple's parentalism.

Leave a Reply