Web Browser Privacy – Academic Paper

Topic

New Reply

A recently-published academic paper from Prof. Douglas J. Leith, School of Computer Science & Statistics, Trinity College Dublin, Ireland
February 24, 2020

 
Web Browser Privacy: What Do Browsers Say When They Phone Home?

Abstract—We measure the connections to backend servers made by six browsers: Google Chrome, Mozilla Firefox, Apple Safari, Brave Browser, Microsoft Edge and Yandex Browser, during normal web browsing. Our aim is to assess the privacy risks associated with this back-end data exchange. We find that the browsers split into three distinct groups from this privacy perspective. In the first (most private) group lies Brave, in the second Chrome, Firefox and Safari and in the third (least private) group lie Edge and Yandex.

 
From the report’s conclusion:
We study six browsers: Google Chrome, Mozilla Firefox, Apple Safari, Brave Browser, Microsoft Edge and Yandex Browser. For Brave with its default settings we did not find any use of identifiers allowing tracking of IP address over time, and no sharing of the details of web pages visited with backend servers. Chrome, Firefox and Safari all share details of web pages visited with backend servers. For all three this happens via the search autocomplete feature, which sends web addresses to backend servers in realtime as they are typed. In addition, Firefox includes identifiers in its telemetry transmissions that can potentially be used to link these over time. Telemetry can be disabled, but again is silently enabled by default. Firefox also maintains an open websocket for push notifications that is linked to a unique identifier and so potentially can also be used for tracking and which cannot be easily disabled. Safari defaults to a poor choice of start page that leaks information to multiple third parties and allows them to set cookies without any user consent. Safari otherwise made no extraneous network connections and transmitted no persistent identifiers, but allied iCloud processes did make connections containing identifiers.

From a privacy perspective Microsoft Edge and Yandex are qualitatively different from the other browsers studied. Both send persistent identifiers than can be used to link requests (and associated IP address/location) to back end servers. Edge also sends the hardware UUID of the device to Microsoft and Yandex similarly transmits a hashed hardware identifier to back end servers. As far as we can tell this behaviour cannot be disabled by users. In addition to the search autocomplete functionality that shares details of web pages visited, both transmit web page information to servers that appear unrelated to search autocomplete.

 
To download the PDF report, click here

7 users thanked author for this post.

lmacri, grahamperrin, Steve, woody, samak, satrow, Bluetrix

Reply | Quote

Replies

[Ascaris]

“Kirsty wrote,” in context, means citing the original author of the paper.  She is not the source of these quotes.

Kirsty wrote:

Chrome, Firefox and Safari all share details of web pages visited with backend servers. For all three this happens via the search autocomplete feature, which sends web addresses to backend servers in realtime as they are typed.

All three do this because it is a feature most people want.  Of course it comes from a server!  It’s a little disingenuous to suggest it’s “details of web pages visited,” though.  It’s details of web search terms typed, not URLs.  If you visit a site via a bookmark or link, there’s no web search going on.  If there IS a web search going on, it’s a lot more important to think about the search provider than autocomplete queries… if it’s Google, that’s a huge privacy issue, particularly if you have a static IP or if you don’t clear out the cookies regularly.

The “leaked” info with search suggestions is nothing but the keypresses before the search text was fully typed; if you are searching for “funny cat videos,” the “leaked” data would consist of “funny” and “funny cat.”  The search engine already knows the final search term that the user submitted, which in this example would be “funny cat videos.”

As far as I know, search suggestions are forwarded to the search provider in question, not to some centralized server owned by the browser’s developer.  That being the case, I’m not all that worried about them having “funny” and “funny cat” in addition to the search term “funny cat videos” that I actually submitted (and is therefore not leaked, but is sent deliberately)… it’s kind of self-evident.

If you’re referring to the search suggestions submitted when entering items into the URL bar, which can include typed or pasted URLs (which will then be submitted as search suggestions), the solution is simple: Don’t use the URL bar for searches.  This was yet another UI blunder that Google made into the “standard,” which of course prompted Mozilla to copy it… but with Firefox, you have the option of enabling the search bar, whereas in Chrome, you do not.  It takes an addon to do that, and it’s still not as good as being there in the first place.

Kirsty wrote:

Telemetry can be disabled, but again is silently enabled by default.

“Silently”

Here’s a tab that automatically opens when you first run Firefox 73, or when you create a new profile:

Right there, in bold, enlarged text… “Firefox by default shares data to…”

“Silently”

Kirsty wrote:

Telemetry can be disabled, but again is silently enabled by default. Firefox also maintains an open websocket for push notifications that is linked to a unique identifier and so potentially can also be used for tracking and which cannot be easily disabled.

“can be used for tracking”

Don’t tell me what it “can be” used for.  Tell me what it “is” used for. The entire browser “can be” used for spying.  We’re not talking about what it “can be” used for, though, right?  We’re talking about the actual behavior, not some theoretical worst-case if the browser developer was a secret bad actor (hard to do with open-source, though!).  Do you have any evidence that Firefox’s push notifications system has been used nefariously?  Push notifications is a legitimate feature that some people want, and it has to be accomplished somehow.  If you don’t want it (as I don’t), don’t use it.

“cannot be easily disabled”

Open about:config.  Paste this into the search box:

dom.webnotifications.enabled

Double click it to toggle the value from yes to no.

I’d call that ‘easily.’  You’ll never be harassed about enabling web site push notifications again.

This “study” should be an embarrassment to its author, who is probably just trying to raise his profile as a college professor as a career move.  Publish or perish, so they say.  He obviously has very little actual understanding of the issues at hand, or how actual privacy threats across the web manifest themselves.  I’d hope for better from a CS professor, but knowing how to write programs doesn’t necessarily translate to understanding the business model of the likes of Google, and how they use various tools to slurp up vast amounts of private data.  To equate Firefox’s push notification and search suggestion functions with anything Google (even the same features– unlike Mozilla, Google has a business model that includes slurping up data from all sources) is just ridiculous.

As for telemetry, the user is informed of it the first time the browser is run and each time a new profile is first used, and it can be turned off if desired.  I actually left mine on deliberately when I used Firefox proper as my main browser, as I wanted to help them improve it as much as possible.  They left it to me to make that choice, and that’s what I chose; if they had attempted to force it the way Microsoft does, I would have used unsupported means to block it.  Ask me and the answer may be yes; tell me I can’t turn it off and the answer will be “no way.”

This report shows how it is possible to report (mostly) factual information to support a flawed assertion, missing the point completely in the process.  All of the data Firefox “leaks” is for legitimate features that many users expect and want, and they can all be turned off.  Even if they’re not, Mozilla is not in the business of amassing huge data profiles on anyone, or in profiting from advertisements in any way.

The excerpted bit from the report also makes no mention of the anti-tracking and fingerprinting features of Firefox, and it doesn’t make mention of how Chrome once tied signing into Google on a web page into signing in at the browser level, instantly recreating any Google cookies even if the user had an addon to delete them.  This behavior was obviously intended to subvert any attempts by users to clear all of the cookies (one could whitelist Google cookies to not be cleared if that was the desired behavior of the addon).  People raised a big stink about it, and as such I think the “feature” was reverted, but Google will never stop trying to sneak things like that by.  Microsoft does the same thing with Windows, and if they were called on it, they’d issue what Woody called an “aw, shucks” statement and try again next time.

Microsoft, FWIW, hasn’t been shown to be collecting data for advertising purposes, but they are now in the ad biz, with ads in multiple places in Windows 10, not to mention Bing.  A small, specific set of details is useful for monitoring how things are working and for product improvement… for advertising, all data collected, no matter how trivial or irrelevant it may seem, may be useful, so it is all collected if possible.  There’s no evidence of that with MS, but vigilance is warranted.

 

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

• This reply was modified 5 years, 2 months ago by Ascaris.
• This reply was modified 5 years, 2 months ago by Ascaris.

3 users thanked author for this post.

Steve, AlexEiffel, woody

Reply | Quote

You actually appear to be the one who missed the point. If you’re going to do a proper report on privacy issues, you can’t leave things out simply because most people are okay with them. You have to include everything, along with the explanation of why it is there, so that the user can decide for themselves whether they find it acceptable.

Second, the issue with autocomplete is not that you might leak a search. It’s that it leaks everything that is typed in the address bar–including “web addresses” (URLs) that people type in.  Not using address bar for searches does not in any way prevent this, since the search will still be enabled whether you use actually use it or not.

Third, you complain about them revealing potential issues, instead of verified issues. Again, this is a report on privacy. Of course a privacy report is about how things could be used, not how they are actually used. It’s like telling someone who is finding bugs that they should only report on them if the bug is actually being used. No, you report on what is there, and let the user decide.

Fourth, as pointed out, an esoteric setting hidden away in the options that normal users are not supposed to mess with (ala the Windows Registry) is not easily disabled. And what is being disabled is not just notifications, but the entire API. This can actually break things–I remember when Twitter wouldn’t work because I enabled that option. There is no reason for  a supposedly user-focused browser to hidden.

Fifth, you condemned the article while ignoring the important parts. You ignored the reason why Firefox’s telemetry is bad–it leaks information that uniquely identifies a particular user. And you ignored the part about how Yandex and Edge are in a class of their own, actually deliberately including hardware identifying information–likely in part for the advertising issue you complain about.

The only part of your post that I thought was reasonable was the claim that Firefox does inform the user of telemetry. However, I will point out that it does so in a place that most users are going to ignore. It previously did better in this regard, including a popup when you started the browser which you had to specifically dismiss, and included a link to the options where you could change this.

As for Firefox’s other privacy-focused features: those are likely part of the reason that the actual report cites Firefox (along with Brave) as one of the most privacy-friendly browsers. Just because it reports negatives about the browser’s privacy handling doesn’t mean they were attacking the browser.

And, if I may share my opinion, that seems to be how you interpreted it. Your post reads like you’re defending Firefox from attacks. But that is not what a privacy report is about. It is about potential leaks of information that people might want to keep private.

1 user thanked author for this post.

grahamperrin

Reply | Quote

“Open about:config. Paste this into the search box: dom.webnotifications.enabled
Double click it to toggle the value from yes to no. I’d call that ‘easily.’ ”

IMO that comes nowhere near close to ‘easily’. Why not just include the option to disable it on the same screen in your screenshot? That would be easy.

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

Reply | Quote

That’s a separate question.  I’d love for Mozilla to put more options for things into the UI, but they’re going the opposite way, removing options (and features) and dumbing everything down.  The point of my criticism, though, is to address the idea that the author of the original paper wrote, giving the impression that it’s difficult, if not impossible, to disable the feature.  If he’d written that the method to disable the feature requires a typing “about:config”, performing a copy-paste, and a double click, taking a grand total of about ten seconds, the impression the reader would have had would be a lot different than saying “there’s no easy way to disable it.”  I would not call the procedure to turn the feature off difficult… inconvenient, perhaps, but something that pretty much anyone can handle.  That’s not the impression the article gives.

Lots of features that Mozilla considers unimportant have no UI… if you’re not the type of person that just uses whatever is handed to you, it’s best to get used to such things, because the minimalism fad has infected nearly all corners of the software world.  Prior to Mozilla’s quest to have Firefox become Chrome, they had what I consider to be the best browser UI ever seen in a desktop setting, and now their UI is essentially a copy of Chrome’s (which I consider to be the worst browser UI around).

Time and time again, I’ve started a new version of Firefox only to find that some bit is behaving differently than it used to, and I’d follow the trail back to the bug tracker where they were discussing the change, and I’d find that “Chrome does it that way” was the only actual reason for the change.  Those few people still using Firefox are presumably using it because it’s not Chrome, yet Mozilla tries to remove every bit of Firefox that differs from Chrome, and has been for many years. The removal of the large library of powerful XUL addons in favor of Chrome’s weaker addons is just one of many examples of this kind of thing.

How’s that supposed to work?  People who want Chrome already have a browser with maximum Chrominess, and people who do not want Chrome are increasingly finding that if they choose Firefox, they’re going to get Chrome anyway, at least in terms of the user experience.  The privacy benefits (which are real, despite what this ridiculous paper suggests) are real and are worth having, but you don’t have to move out of the Chromium world to get them– there are plenty of Chrome variants with the Google removed if that’s your thing.

Brave, the “winner” in the aforementioned article, is one of these variants, but there are others, with varying degrees of change from the base Chromium browser upon which they’re all based.  Ungoogled Chromium is a dead ringer for Chrome, but Vivaldi has a ton of changes, including several UI setups that are vastly superior, IMO, to that of the base Chromium.  It still has a few rough spots that are inherited from the base Chrome, but it keeps getting better.  Firefox, at least in terms of the user experience, keeps getting worse.

It seems to me that the biggest reason to use Firefox now is for people who have an aversion to anything Google (or who don’t trust the likes of Brave to truly remove all of the spying bits), or who want to keep Google from having a monopoly on web rendering engines (which would allow them to single-handedly dictate web standards, much as Microsoft was able to during the height of the IE6 days).  That is a very worthy goal, but not something that’s likely to catch fire with the masses.  Most people don’t know what a rendering engine is, and a surprising number think that a browser is “the internet”.  “It doesn’t use Blink” is not going to mean a thing to those users.

Without a feature set that’s better than Chrome, most people are simply not going to be bothered to switch, and Mozilla just keeps chopping things that Chrome can’t do off of Firefox, in the hopes that someday it will somehow be Chrome-like enough to start getting some interest.  It hasn’t happened in the nearly a decade they’ve been trying this (all the while losing market share), but they just keep at it… I keep hoping someday they will wake up, but after this much time, it’s pretty obvious that they’re not listening.  They’re going to keep following the same strategy they’ve been using for the entire time their market share has been in freefall.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

4 users thanked author for this post.

RockE, Steve, AlexEiffel, Cybertooth

Reply | Quote

@ascaris, I agree with the general thrust of what you wrote up there, but I have one observation about the author’s claim that disabling the push notifications is difficult: While it’s easy to make the change, the difficulty lies in that the user needs to become aware, somehow, that he/she can make this change. Because the UI doesn’t display this option, there is no evident way for the user to discover this possibility.

Like you, I prefer a rich interface that shows me all of the options available, or that at least gives me a self-evident way to find them. I remember years ago reading up on some issue with Windows and someone in a help forum writing about “right-clicking” on an option. Huh? I’d been using Windows for years at that point and had no idea that one could right-click with the mouse on anything, as nothing Windows showed onscreen had ever suggested to me that I could do that.

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

1 user thanked author for this post.

Steve

Reply | Quote

The browser variable dom.webnotifications.enabled in Firefox v73.01 is already there.

But you do have to toggle it from true to false.

Thank you very much.

Important links you can use, without the monetization pitch = https://pqrs-ltd.xyz/bookmark4.html

Reply | Quote

Re: the abstract (also quoted in Reddit), I might take this as a key phrase:

… normal web browsing …

From twenty-something years of providing hands-on IT support, I can say with confidence that:

• end users’ normal browsing habits very often include not paying due attention to the first thing that’s on screen

– or the second thing, and so on; and this is particularly true wherever a person is rushed, or overworked, or simply on a mission to find something – one thing. A fleeting mission that does not involve any thought of privacy or potential risk.

Yes, a first run of Firefox will present relevant information. Yes, the user might see it (in the moment) as irrelevant, in which case the tab or window will be closed and forgotten. And so on …

… however this is not to criticise Firefox, or any other browser that takes a reasonable approach to gradually, methodically, educating end users about privacy and security.

I have not yet read the tech paper in its entirety (I might do in due course – it’s not long), in the meantime: from what I see of the abstract and conclusion, I reckon that it was suitably focused.

User habits etc. were probably out of scope.

HTH

Reply | Quote