Edge privacy worse than Chrome

A Dublin professor has released a paper on web browser privacy. Edge is singled out for using hardware identifiers in requests and unnecessarily sharing entered URLs with Microsoft:

“From a privacy perspective Microsoft Edge and Yandex are qualitatively different from the other browsers studied. Both send persistent identifiers that can be used to link requests (and associated IP address/location) to back end servers. Edge also sends the hardware UUID of the device to Microsoft and Yandex similarly transmits a hashed hardware identifier to back end servers. As far as we can tell this behaviour cannot be disabled by users. In addition to the search auto-complete functionality that shares details of web pages visited, both transmit web page information to servers that appear unrelated to search auto-complete”

Conversation 47 comments

  • wp7mango

    28 February, 2020 - 8:05 pm

    <p>Sending the device hardware UUID isn't really a privacy issue. </p>

    • j5

      Premium Member
      28 February, 2020 - 9:12 pm

      <blockquote><em><a href="#524100">In reply to WP7Mango:</a></em></blockquote><blockquote><em>Why not? I'm curious because having your hardware ID could tell a lot about your device, where, what when, and matched up with other metadata scraped that's a lot of information now on the user.</em></blockquote><p><br></p>

      • wp7mango

        29 February, 2020 - 3:37 am

        <blockquote><em><a href="#524103">In reply to j5:</a></em></blockquote><p>It's still not a privacy issue if the data being transmitted doesn't contain any personal information.</p>

      • sherlockholmes

        Premium Member
        29 February, 2020 - 4:30 am

        <blockquote><em><a href="#524103">In reply to j5:</a></em></blockquote><p>Every unnecessary sending of data to a company is a privacy issue.</p>

        • Paul Thurrott

          Premium Member
          29 February, 2020 - 9:06 am

          Yes, but I’d add … “especially when you are not given the option to turn it off completely and/or have no idea that it is happening.”

    • wright_is

      Premium Member
      02 March, 2020 - 2:41 am

      <blockquote><em><a href="#524100">In reply to WP7Mango:</a></em></blockquote><p>UUIDs are considered personal information, as is the IP address under GDPR.</p>

      • wp7mango

        02 March, 2020 - 10:22 am

        <blockquote><em><a href="#525015">In reply to wright_is:</a></em></blockquote><p>I don't think so. When I was implementing GDPR compliance for several companies I work for, the principal test is whether the data being transmitted can on its own or with other data make it identifiable with a real person. If the user is using Edge standalone, but is not using any Microsoft account, then I don't see how this can be used to identify a real person. If they do use a Microsoft account, the UUID is probably used throughout the OS services anyway, so sending it from Edge makes no difference. Furthermore, GDPR compliance must give the user the ability to request that any personal data held is to be deleted. Ironically, on certain systems, verification/proof of deletion requires the UUID to remain on record with all personal data deleted, so the user can use the UUID to check whether the data has in fact been deleted, i.e. the UUID essentially works as a transaction/audit ID for GDPR compliance. </p>

        • wright_is

          Premium Member
          03 March, 2020 - 12:53 am

          <blockquote><em><a href="#525108">In reply to WP7Mango:</a></em></blockquote><p>UUIDs and IP addresses are most definitely considered personally identifiable information.</p><p>Yes, an IP address could be another server, but it could be a private residence occupied by a single person, or it could be a single-user mobile device. Therefore it is treated as PII – the same as a physical address, it could be a company address, a block of flats or the address of a single-occupancy residence, therefore it is PII.</p><p>Even web server log files should be anonymised, for example. The last 2 octets should be zeroed in log files, for example, when they are rotated. It is allowed to keep the full IP address in the case of a security breach to aid in tracking down the culprit, for the duration of the incident and the subsequent investigation – once the case has been closed and the evidence passed to the police, the original logs would need to be anonymised or deleted, unless the whole server had been handed over.</p><p>https://www.groundlabs.com/what-is-pii-for-gdpr/</p><p>search for IP address.</p>
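
The log anonymisation rule described in the comment above (zero the last two octets at rotation, keep full addresses only while an incident is open), as an added example that is not part of the thread. The IPv6 cut-off at 48 bits and replacing a non-IP client field with `-` are assumptions, and the sample log lines are constructed.

```python
import ipaddress

V4_KEEP_BITS = 16  # "last 2 octets zeroed": keep only the first two octets
V6_KEEP_BITS = 48  # assumption: the comment only talks about IPv4

def anonymise_ip(text):
    """Zero the host part of an address; return '-' if text is not an IP."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return "-"  # fail closed: a resolved hostname can identify a user too
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is really an IPv4 client
    keep = V4_KEEP_BITS if ip.version == 4 else V6_KEEP_BITS
    mask = ((1 << keep) - 1) << (ip.max_prefixlen - keep)
    return str(type(ip)(int(ip) & mask))

def anonymise_line(line):
    """Rewrite the client field (first token) of a common-log-format line."""
    client, sep, rest = line.partition(" ")
    return anonymise_ip(client) + sep + rest

def anonymise_log(lines, open_incident=False):
    """Run at rotation; full addresses survive only while an incident is open."""
    if open_incident:
        return list(lines)
    return [anonymise_line(line) for line in lines]

# Constructed sample lines using documentation address ranges
SAMPLE = [
    '203.0.113.77 - - [02/Mar/2020:10:15:01 +0000] "GET /forums HTTP/1.1" 200 5120',
    '2001:db8:abcd:12::7 - - [02/Mar/2020:10:15:02 +0000] "GET / HTTP/1.1" 200 912',
    '::ffff:198.51.100.9 - - [02/Mar/2020:10:15:03 +0000] "GET / HTTP/1.1" 200 912',
    'dsl-77.isp.example - - [02/Mar/2020:10:15:04 +0000] "GET / HTTP/1.1" 200 912',
]

if __name__ == "__main__":
    for line in anonymise_log(SAMPLE):
        print(line)
```
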

          • wp7mango

            03 March, 2020 - 4:33 am

            <blockquote><em><a href="#525327">In reply to wright_is:</a></em></blockquote><p>The definitions vary between jurisdictions. PII data sensitivity also varies on a case by case basis. That's why every case needs to be looked at individually.</p><p><br></p><p>Sending the UUID itself is not a breach of privacy per se. It's what you do with that UUID that makes the difference.</p>

  • sherlockholmes

    Premium Member
    29 February, 2020 - 3:43 am

    <p>Guys, when you are concerned about Edge and/or Chrome, there is a simple way out: Use Firefox. </p>

    • Paul Thurrott

      Premium Member
      01 March, 2020 - 8:39 am

      <blockquote><em><a href="#524195">In reply to SherlockHolmes:</a></em></blockquote><p>Or Brave, which is probably even more privacy-friendly. But yes, there are obviously alternatives. </p>

      • sherlockholmes

        Premium Member
        01 March, 2020 - 11:00 am

        <blockquote><em><a href="#524707">In reply to paul-thurrott:</a></em></blockquote><p>I like helping the underdog 😉 </p>

        • james_b

          02 March, 2020 - 11:21 am

          <blockquote><a href="#524710"><em>In reply to SherlockHolmes:</em></a><em> Brave or Vivaldi but NOT Firefox. What the Mozilla Corp. did to Brendan Eich is beyond the pale. I will not allow anything from Mozilla on my devices.</em></blockquote><p><br></p>

      • justme

        Premium Member
        01 March, 2020 - 3:07 pm

        <blockquote><em><a href="#524707">In reply to paul-thurrott:</a></em></blockquote><p><br></p><p>Indeed. I tend to use both Brave and Firefox.</p>

  • madthinus

    Premium Member
    29 February, 2020 - 8:16 am

    <p>Newsflash, telemetry is not tracking! Also, telemetry is not bad per se! All browser makers have telemetry going back to them. Some are just more transparent about it. I have turned on telemetry in Firefox, because I trust the folks at Mozilla. Plus I understand what they use the information for. Browsers are complicated beasts. They rely on hardware acceleration for fast rendering and are prone to be vulnerable to issues caused by drivers. Having the telemetry and crash data going back to the vendors ensures that they can build a better browser. We need to get past this telemetry is an invasion of privacy nonsense and understand what it is being used for. Also know that both Mozilla and Microsoft anonymise the data before it goes into the telemetry database.</p>

    • sherlockholmes

      Premium Member
      29 February, 2020 - 8:22 am

      <blockquote><em><a href="#524202">In reply to madthinus:</a></em></blockquote><p>Nothing you said is new to readers on thurrott.com. But it should be up to the user for what data they want to send to the company. And when someone doesn't want to send anything or at least just the absolute minimum, that should be fine too. </p>

    • Paul Thurrott

      Premium Member
      29 February, 2020 - 9:04 am

      Exactly.

    • anderb

      Premium Member
      29 February, 2020 - 7:28 pm

      <blockquote><em><a href="#524202">In reply to madthinus:</a></em></blockquote><p>Newsflash, Edge is sending entered URLs to multiple Microsoft servers and they can be linked back to a specific PC. That IS tracking.</p>

      • Paul Thurrott

        Premium Member
        01 March, 2020 - 8:39 am

        <blockquote><em><a href="#524331">In reply to anderb:</a></em></blockquote><p>"Can be" is different than "is." If we take this academic paper at face value—that is, just accept what it says as truth—then what we're left with are the most important unknowns: Why Microsoft is doing this and what, if anything, it is doing with this data.</p><p><br></p><p>If you seriously believe that Edge, or any mainstream browser, is worse for your privacy than Chrome, you're just nuts. Chrome is an ad-dealing, privacy-stealing engine. It exists only for those purposes. </p>

        • anderb

          Premium Member
          01 March, 2020 - 5:01 pm

          <blockquote><em><a href="#524706">In reply to paul-thurrott:</a></em></blockquote><p>"Chrome is an ad-dealing, privacy-stealing engine. It exists only for those purposes."</p><p><br></p><p>As the paper states, towards the end of the startup process Edge is already talking to a Microsoft ad-server. The advent of Edge is hardly a philanthropic endeavor. Both companies are out to make money from your browsing habits. What is becoming increasingly apparent is that Microsoft's interpretation of 'privacy' has shifted the boundary beyond the physical device. Your data is 'private' in the sense that 'only' Microsoft and its partners know about it. The continuing integration of Windows 10 desktop search functionality with Bing is proof of this.</p>

          • Paul Thurrott

            Premium Member
            02 March, 2020 - 7:39 am

            Google makes most of its revenues from ads. Microsoft makes almost none. The potential for abuse is far greater from Google and is negligible from Microsoft, even if they were so inclined. And they’re not.

            You’re a bit over the top in your distrust of Microsoft. And a bit silent about how freaking evil Google is. These two things are not comparable.

            • proesterchen

              03 March, 2020 - 7:46 am

              <blockquote><em><a href="#525062">In reply to paul-thurrott:</a></em></blockquote><p>I don't know what the basis is for judging Google guilty unless proven innocent while presuming Microsoft innocent until proven guilty, especially in the face of the findings of this paper.</p><p><br></p><p>I'd rather measure them both against the same stick, and frankly, they both collect more data than I would choose to supply them with, given proper user controls.</p>

              • Paul Thurrott

                Premium Member
                03 March, 2020 - 8:22 am

                It’s not about guilty vs. innocent in this particular case, which is very limited in scope. I’m talking about the broader behavior of both companies, which is well-understood.

                • sherlockholmes

                  Premium Member
                  03 March, 2020 - 9:18 am

                  <blockquote><em><a href="#525392">In reply to paul-thurrott:</a></em></blockquote><p>Paul, I have a question. When you really think that Google is an evil company, why do you still use Chrome and G Suite? And don't tell me it's about convenience. </p>

                • Paul Thurrott

                  Premium Member
                  04 March, 2020 - 7:33 am

                  Every decision we make is a calculation between risk and benefit. Every one.

                  I don’t use Chrome, I use Edge. I use G Suite because the company uses it, and I don’t have a choice. I’ve been trying to get them off it since I signed on.

                  But I do use Google Maps, because it’s the best solution and when I’m driving 5 hours to Boston or whatever that information matters. I use Google Photos because it is the best photo service by far, but I also put everything in OneDrive (and locally on a NAS) just in case. I use Google Play Music because it’s one of the only services that lets me combine my own music (for free) with a service that’s not Apple and I trust Apple even less than I trust Google.

                • yoshi

                  Premium Member
                  04 March, 2020 - 12:49 pm

                  <blockquote><em><a href="#525742">In reply to paul-thurrott:</a></em></blockquote><p>Paul, just out of curiosity – why do you trust Apple even less than Google? I prefer Android overall, but I'm always thinking maybe I should switch to iOS for privacy reasons. But maybe the grass isn't greener?</p>

                • Paul Thurrott

                  Premium Member
                  05 March, 2020 - 7:47 am

                  Apple are control freaks that think they know better than their own users. Google for all their issues let you do whatever you want. Including removing access to their own apps and services. I just don’t like Apple’s parentalism.

                • sherlockholmes

                  Premium Member
                  05 March, 2020 - 12:00 pm

                  <blockquote><em><a href="#525742">In reply to paul-thurrott:</a></em></blockquote><p>Thanks for sharing. </p>

                • proesterchen

                  03 March, 2020 - 12:28 pm

                  <blockquote><em><a href="#525392">In reply to paul-thurrott:</a></em></blockquote><p>I guess I just don't see (or don't know, giving them the benefit of the doubt) the actions Microsoft has taken to warrant an inordinate amount of trust.</p><p><br></p><p>There are however at least a few decisions I'm aware of that definitely decrease their users' privacy.</p><p><br></p><p>So I don't know how Microsoft would overcome a default attitude of 'trust no one'.</p>

                • Paul Thurrott

                  Premium Member
                  04 March, 2020 - 7:17 am

                  Microsoft and Google are on completely different planets when it comes to trust. A few … decisions? Google is violating your privacy all day long, every single day. We gotta stop pretending that these companies are in any way comparable when it comes to trust or in their respective ability and desire to do wrong by their customers to pursue revenues.

                • proesterchen

                  05 March, 2020 - 7:24 am

                  <blockquote><em><a href="#525725">In reply to paul-thurrott:</a></em></blockquote><p>Your contention appears to be that Microsoft is less bad than Google. My contention is that they are both not good enough to warrant trusting either by default.</p>

    • justme

      Premium Member
      01 March, 2020 - 3:04 pm

      <blockquote><em><a href="#524202">In reply to madthinus:</a></em></blockquote><p>"We need to get past this telemetry is an invasion of privacy nonsense and understand what it is being used for."</p><p><br></p><p>Respectfully, no, I disagree. What we need to get past is the idea that it is OK for a company to make software and track what the user does with it or how it is being used without the express informed consent of the user. GDPR came about precisely because of a lack of informed consent regarding data companies collect. I fully understand what you are saying. The problem is the majority of users do not – and will not unless and until Microsoft and other tech companies are more forthright and transparent about what they are doing. All I would ask for is Microsoft be up front about the data it collects, be up front about WHY it collects the data, be up front about how the data is (and isn't) being used, and give me the option to turn off that data collection. Microsoft has an Insider program – why can't they limit telemetry just to those participants? </p>

      • Paul Thurrott

        Premium Member
        02 March, 2020 - 7:43 am

        So. I kind of agree with both sides here.

        Microsoft isn’t doing anything evil with telemetry data, in my opinion, but it’s a fact that it’s literally the primary way they improve product quality now, and that is the reason they’re so weird about it.

        But … Yes. Anyone who wants to turn this off, completely, for whatever reason should be able to do so.

  • bnyklue

    29 February, 2020 - 9:34 am

    <p>Does this really surprise anyone? Despite what people seem content to believe, Microsoft under Nadella has become an incredibly unethical company. The notion that they actually care about privacy is just another scam that should be easy to see through. Edge is designed from the top down to collect telemetry and mine data for advertisers. That’s the only reason it exists. </p>

    • ghostrider

      02 March, 2020 - 8:00 am

      <blockquote><em><a href="#524217">In reply to bnyklue:</a></em></blockquote><p>100% true. MS are more unethical now than they've ever been.</p>

      • bnyklue

        02 March, 2020 - 10:03 am

        <blockquote><em><a href="#525067">In reply to ghostrider:</a></em></blockquote><p>They really are. The "New Microsoft" con Nadella has pulled on the press is incredible. </p>

  • simard57

    29 February, 2020 - 9:08 pm

    <p>new edge or legacy edge?</p><p><br></p>

    • Paul Thurrott

      Premium Member
      01 March, 2020 - 8:20 am

      <blockquote><em><a href="#524339">In reply to Simard57:</a></em></blockquote><p>New Edge, according to the paper.</p>

  • wright_is

    Premium Member
    02 March, 2020 - 2:30 am

    <p>If you actually read what they are doing Chrome is worse, but it doesn't use a UUID, if you aren't logged into Chrome. If you have used your Google account to log onto Chrome, it is a lot worse than Edge. Google also follows you around the web from the other side. The research is interesting, but probably irrelevant for most Chrome or Edge users, as they will probably have "logged in" to the browser for the convenience it brings.</p><p>(Note: I'm not a user of Chrome or Edge, so no hidden agenda on which is better)</p>

  • minke

    03 March, 2020 - 10:47 am

    <p>99.9% of people using the Internet don't care, especially younger folks who grew up with the Internet always available. They understand this isn't really about "privacy" but about financing the functioning of services that are used every day. I would be fine with switches that could turn off all the tracking, but there would then have to be a fee for those that want to do so. It is a trade off. You provide useful information to these services and they provide useful services to you. Personally, I just ignore most of the ads I see. What's the big deal? Are you such sheep that you are afraid you won't be able to resist the advertising they are trying to target you with?</p>

    • Paul Thurrott

      Premium Member
      04 March, 2020 - 7:22 am

      This is such a dangerous and — sorry — stupid attitude. We need to wake up to this stuff, people. Ignoring an ad is like the Titanic ignoring the iceberg because what they can see, the tip, is so small and can’t possibly be dangerous.

      • minke

        04 March, 2020 - 12:12 pm

        <blockquote><em><a href="#525731">In reply to paul-thurrott:</a></em></blockquote><p>Maybe you think it is stupid, but it is realistic. Most people simply do not care. Get out a bit and talk to real people in the real world. The folks commenting here are not at all representative of the vast majority of users.</p>

        • james_b

          04 March, 2020 - 1:12 pm

          <blockquote><br></blockquote><p>How would you know what is representative of the vast majority of users? Where is the proof of this claim?</p>

          • Greg Green

            05 March, 2020 - 8:25 am

            <blockquote><em><a href="#525821">In reply to James_B:</a></em></blockquote><p>The massive number of people using these services. If people cared about privacy they wouldn’t be using all the social apps as much as they do.</p>

  • madthinus

    Premium Member
    04 March, 2020 - 3:00 am

    <p>Also, Smartfilter screening needs a back end to prevent you from using / downloading malware infested sites / files. Firefox and the Google browsers used Google's safe browsing tech. All of that needs URLs going to the cloud and back. I prefer mine to go to Microsoft or Firefox. </p>

    • proesterchen

      04 March, 2020 - 6:53 am

      <blockquote><em><a href="#525715">In reply to madthinus:</a></em></blockquote><p>That's certainly one way to do it, but not necessarily the only, and most definitely not the most privacy-focused.</p><p><br></p><p>Along the lines of anti-virus software, browser vendors could just as easily deploy a set of signatures to a local instance checking for flagged sites, which would completely eliminate the need to send any information back. (though the vendors may want to ask users to contribute information back on an opt-in basis)</p>

    • anderb

      Premium Member
      04 March, 2020 - 11:50 pm

      <blockquote><em><a href="#525715">In reply to madthinus:</a></em></blockquote><p><em>"Also, Smartfilter screening needs a back end to prevent you from using / downloading malware infested sites / files. Firefox and the Google browsers used Google's safe browsing tech. All of that needs URLs going to the cloud and back."</em></p><p><br></p><p>It absolutely does not need URLs going to the cloud and back and they don't. Google's safe browsing works by downloading a database of malicious URL hash codes. When the user enters a URL, the browser computes the hash code for it and checks if that hash is in the database – the entered URL does not need to be sent to Google. Unlike Microsoft's less private approach.</p>
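
The local hash lookup described in the comment above, as an added example that is not part of the thread or of any browser's code. It goes one step beyond the comment by following the design of the Safe Browsing Update API, where the local list holds short SHA-256 prefixes and a prefix hit triggers a full-hash request that carries only the prefix. The URL canonicalisation is simplified, and `fake_server`, the `.example` hosts and the list contents are constructed.

```python
import hashlib
import ipaddress
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 digest kept in the local list

def expressions(url):
    """Simplified host-suffix/path-prefix expressions for one URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    hosts = [host]
    try:
        ipaddress.ip_address(host)          # IP literals get no suffixes
    except ValueError:
        labels = host.split(".")
        hosts += [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    path = parts.path or "/"
    paths = [path + "?" + parts.query] if parts.query else []
    paths.append(path)
    segs = [s for s in path.split("/") if s]
    paths += ["/" + "".join(s + "/" for s in segs[:i]) for i in range(len(segs))]
    paths = list(dict.fromkeys(paths))      # drop duplicates, keep order
    return [h + p for h in hosts for p in paths]

def digest(expr):
    return hashlib.sha256(expr.encode("utf-8")).digest()

def check_url(url, local_prefixes, fetch_full_hashes):
    """Return (verdict, sent); sent holds everything disclosed to the server."""
    sent = []
    for expr in expressions(url):
        full = digest(expr)
        prefix = full[:PREFIX_LEN]
        if prefix not in local_prefixes:
            continue                         # decided on the device
        sent.append(prefix)                  # a prefix leaves, never the URL
        if full in fetch_full_hashes(prefix):
            return "blocked", sent
    return "ok", sent

# Constructed data: one listed expression, plus a prefix standing in for a collision
LISTED = {digest("malware.example/dropper/")}
LOCAL_PREFIXES = {d[:PREFIX_LEN] for d in LISTED} | {digest("news.example/")[:PREFIX_LEN]}

def fake_server(prefix):
    """Hypothetical stand-in for the vendor's full-hash lookup."""
    return {d for d in LISTED if d.startswith(prefix)}

if __name__ == "__main__":
    for u in ("http://cdn.malware.example/dropper/x.exe?id=1",
              "https://news.example/", "https://forum.example/thread/42"):
        verdict, sent = check_url(u, LOCAL_PREFIXES, fake_server)
        print(u, verdict, [p.hex() for p in sent])
```

The `sent` list is the part to look at when comparing designs: it is empty for the unlisted URL, and holds a single 4-byte prefix for the other two.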
