> In fact, we were able to circumvent the issue just by changing the name of the Chrome app on a Windows desktop. It seems that Microsoft threw up the roadblock specifically for Chrome, the main competitor to its Edge browser.
From the beginning of the article, I was led to believe Microsoft had changed an API around checking/setting the default browser to show Microsoft's dialog instead. Which doesn't seem great to change an API without warning, but maybe you can make an argument that it ensures a "neutral" choice rather than apps pushing the choice on users.
But this shows it's specifically against Chrome. Regardless of whether it's legal or not, it's unforgivably anti-competitive behavior. It's a truly shameful tactic.
Sorry, but I have had it with Microsoft. They produce an operating system. If I decide to use $browser treat me as an adult and actually let me use $browser.
Or you know, make it extra hard to change the default application and "forget" what I told you every now and then, bring that edge icon back to the task bar after every update etc.
It is not a platform that can be trusted. And maybe in 2023 there is value in a digital platform that can be trusted.
I have had it with both of them. I even moved my gaming computer over to Linux because I got tired of the constantly resetting defaults, I have been using Firefox and you.com (search engine) for a while.
Yes but in this specific case Google is more wrong. MS implemented a security feature where user applications aren't allowed to change the default browser. You can disagree with it and it's sketchy as hell but it's there and supposedly to prevent the bundled-with-java problem.
Breaking it is basically guaranteed to lead to plugging the hole and blacklisting the misbehaving app is easier than getting out the real fix. You can be all like "rebel chrome
is taking on big operating system" and that's fine and makes total sense but "how dare MS enforce their own rule" is a weird take. You can't be like "hey, they weren't supposed to do it back" when you intentionally abuse your elevated privs to bypass security measures.
This kind of sounds true in a vacuum. Unfortunately we're not talking about a security thing in a vacuum. We're talking about 2 browsers, both of which are just making the user experience horrible in slightly different ways. Therefore all users are losers in this pre-school food fight.
It doesn't hurt that (old) Edge had a worse UX than IE. The rendering was nicer, but I do not need a browser where back/forward/stop etc all just queue up and wait for the rendering engine to finish. The whole point is the page is taking too long to render and I want out.
No, technically the issue that was supposedly the straw that broke the camel's back was simply placing a transparent div on top of the video. That is not an entirely unreasonable thing to do on a video player that supports overlays captions and other features. The reality is it didn't really make any sense to develop a competing browser from scratch when they could simply fork Chrome instead.
YouTube frequently need to update their anti scraping and anti piracy tech. There could be valid reasons why they don't inform Microsoft of the changes.
Microsoft cannot market they OS as developer friendly and then take steps against a specific developer.
It's funny, every now and then (at least in gaming circles) there is always some fanboy yelling "but MS isn't the old evil company as they were, look, they did X or Y". But it's just same bullshit under new manager.
So, total rumor, but I've heard from a few sources on the grapevine that one of the reasons for their antitrust spat with the DoJ was actually as a proxy battle, and the main thing the DoJ cared about was Microsoft's unwillingness to play ball wrt data collection and "lawful intercept".
The sense I've gotten is that Microsoft of the time really did have a very libertarian core thought process that wasn't really into spying on it's users.
> The sense I've gotten is that Microsoft of the time really did have a very libertarian core thought process that wasn't really into spying on it's users.
I think this sense is mistaken. Microsoft has always been pretty hostile to users and not so keen on things like user rights. Their customers were (and still are) businesses.
The tech was there but there were much stronger objections to apps plucking random data from devices and send it to corporations for evaluations. And developers are as guilty here.
Yes, there can be benefits to diagnostics, but then you failed to acknowledge what this data collection is about.
What surprises me about this stuff is that no one has ever tried to get a definitive answer to this sort of question with the help of reverse engineering. It's always this guesswork for some reason. It does not have to be guesswork when the ground truth is right there inside your C:\Windows folder.
you act as if reverse engineering is easy. I guarantee you its not, especially something like edge is a rats nest of packages, assemblies, 3rd party components, config files, all neatly bundled in something unreadable for security reasons.
I specialized in reverse-engineering binaries for a few years (it's shockingly common for companies to lose the source code for their own products), and I second this.
Reverse-engineering is difficult and time-consuming. Reverse-engineering something as large and complex as a browser would be a huge project all by itself.
What about getting ahold of the binary or whatever raw version of Windows you can get (C++, assembly?), and look at the diff from before this change and after. Would that drastically narrow down what you should look at? Moreover, if there is a literal CONSTANT that says "Chrome", is it possible that it's not obfuscated and sitting in the code in plain sight?
So the opening of the dialog happens when user association hash verification fails if I recall correctly.
Shell32.dll has the code for it under QueryUserAssocAndVerifyHash I believe. Perhaps they've interfered with the hash interpretation for Chrome or Chrome is hooking into it in a different way - Firefox directly computes and writes a new hash to the registry.
Raw diffs of binaries may or may not help, depending, but it's not likely to help as much as you might think. If you can get the source code (C++, assembly, whatever), then there's no need to reverse engineer anything.
I would think it would be the Windows equivalent of `grep -a Chrome -R C:/Windows`, right? Then, when it finds the file, just hexdump and/or disassemble it to learn more. Maybe they're scrambling the executable somehow?
I suspect that it’s worse than that, it’s somewhere in windows. So you’d probably have to start by hunting for a task then find the binaries associated and hope it’s not too high up in the OS mess.
That, and Windows is *huge*. The best bet would probably be to reverse engineer the patch in question, but if it’s a typical combo patch then you’re probably looking at changes across a dozen system files. If you’re unlucky, the patch is just flipping a flag or something for a feature that already existed: it wouldn’t surprise me if Windows already had hacks specifically for “chrome.exe” (for compatibility or anti-compatibility reasons). In that case it becomes much more time consuming to isolate the one component that is responsible for the problem.
I posted this below, but I suspect the scoping for Chrome.exe was done because Chrome was misusing an API.
According to the article:
"the worst was reserved for users on the enterprise version of Windows. For weeks, every time an enterprise user opened Chrome, the Windows default settings page would pop up. There was no way to make it stop unless you uninstalled the operating system update. It forced Google to disable the setting, which had made Chrome more convenient."
Enterprise maybe didn't like settings getting changed that way (conflict with group policy?). If it was constantly opening new windows, it's probably because it was constantly calling an API (probably in the wrong or an undocumented way). So it would make sense to change how the API works based on a known bugged application. It wouldn't be the first time Windows changes how something works based on application name [0].
Keep in mind there's also more than just the documented Win32 API exposed to applications on Windows (and who knows if Chrome was misusing these undocumented ones) [1].
But it can lead to instability. There's a reason these are not documented.
Also, we know Chromium used some. There's a proprietary Chrome layer on top of it that might be using more under the hood. Unless someone decompiles there's no way of knowing (but considering how it broke Enterprise, wouldn't be surprised it was doing undocumented stuff under the hood).
I have not encountered any other browser that has a button like Chrome put in. Back in the day, a browser and email apps could set themselves as default, on their own. A long time ago.
This was bad. I don't want an app to be able to make itself default for something, and just magically trust that the app will ask me first. There is an OS control for that - I don't want apps to be able to do that on their own. So MS fixed it, and all was good, for a long time.
Chrome then somehow found a sneaky way to get that back. Truly a shameful tactic.
Well guess what "google" - you're not allowed to do that, and there's a reason the functionality was removed for all apps. You're just a browser app, I don't want you to screw with or even have access to screw my OS settings.
Microsoft fixed a security hole. Good on them. For now, they specifically fixed it for the malicious actor. Hopefully they'll fix it OS-wide eventually.
I don't. In a fight we all as end users lose. Competition is beneficial to the end user, fighting, where they sabotage each other or bar each other or their own apps from platforms is not.
Did end users benefit when YouTube was blocked from being used on Amazon Firesticks? Did they benefit when Roku and HBO were feuding and you couldn't use HBO Max on Roku devices?
In Dutch we have a saying "when two dogs fight over a bone, a third runs off with it". I support the fight if it will weaken both Microsoft and Google.
I thought about it. Carefully. If google and microsoft went bankrupt tomorrow i wouldn't miss a thing and would be feel abundance of joy. The world would be a much better place without then.
That's a combined 400,000 employees out off a job in one day. I wouldn't wish that hardship on those people all of a sudden, and that's before we consider the wider ramifications to the economy from those people being unemployed. Then there's all the people and companies, non-profits and NGOs that use theiur services which would run into major problems.
I would be be tempted to think perhaps you just glossed over that, because the alternative appears to be a complete lack of care for others, but as you've noted you've thought about it. Carefully.
giving people tools like Word/Docs, Excel/Sheets, etc that they can use to express themselves and calculate things? Providing email for people? Giving people "it just works" (albeit not as well as Apple's stuff) operating systems (Windows/ChromeOS/Android) that they can use without having to deal with the complications of getting Linux working (although you could argue in recent days Ubuntu does this as well)? VS Code? Creating widely used programming languages (C#, TypeScript, Golang, Dart)? Paying people to work on open source projects? Google search, which, while far from perfect, does still enable people across the world to easily access information that is useful to them?
Would the income currently going to Apple, Google, Amazon and Microsoft for various services be better off going to 10,000 businesses employing 100 people each? That would give more choice, equal number of jobs and a stronger middle class
I think you're missing the point, which is that to make such a change in a day would be chaotic and problematic. I'm not saying Microsoft and Google need to stay, I'm saying that it's not something that could change overnight without extreme hardship caused to many people. It's not just the change, it's how it happens. Many more people are able to work from home now than a few years ago, but I doubt most people think the cause of that was worth it. Do I think we'd all be better off with less mega corporations and more SMBs? Yes. Getting from here to there in a way that makes sense and doesn't cause major problems is important I think though.
Either the person I replied to above was being flippant and callous in their wording in a way they should have been aware of if they thought carefully about it, or they didn't think all that carefully.
Given that Chrome is aggressively pursuing privacy sandbox, which is roundly rejected by everybody in the web privacy community, is aggressively user hostile, and designed solely as a means to leverage chrome’s (current) dominance to support google ad business, it’s fair to start treating chrome as malware.
What part of this description of privacy sandbox doesn't apply to what Microsoft has been doing with Windows? I think it's time to treat Windows 11 as malware as well.
Honest question, why is the privacy sandbox user hostile? I assume it's because Google is using it to collect your information but blocking everyone else from collecting it?
At face value they claim it's designed to eliminate tracking techniques like fingerprinting, it's actually a system explicitly designed to collect the users' private information. From the horse's mouth.
"To provide this free resource without relying on intrusive tracking, publishers and developers need privacy-preserving alternatives for their key business needs, including serving relevant content and ads."
The proposals involve reducing UA data, ip tracking, etc.
But still allows for some amount of targeting. From my understanding instead of you being an identifiable individual via fingerprinting, the aim is to make you "probably one in [large group] of technology people".
I'm not saying I think it's a good thing, but on the surface it does appear _better_.
Does Privacy sandbox prevent fingerprinting completely (for example, canvas fingerprinting, WebGL fingerprinting, audio fingerprinting)? Or the advertisers would be able to use both fingerprinting and newly provided data?
I don't understand why we need to trade here. Just block figerprinting and do not provide any alternatives for advertisers. This is the best for users.
You can't block fingerprinting completely without breaking a ton of useful features. But the sandbox has a concept called the privacy budget which tries to determine if a site is collecting too much information. It should allow sites that actually use some of these features to continue to work.
The idea is that if sites that query fonts, engage canvas, read the user agent information, etc, they are likely trying to build a fingerprint, so the browser will start to return generic data.
Presumably - hopefully - it would allow users to set their own privacy budgets. Even better if it supports granular per-site control, which may be needed for certain specialized websites.
> You can't block fingerprinting completely without breaking a ton of useful features.
Many of those features are not so useful and their main use is fingerprinting, for example:
- WebGL is mostly used for fingerprinting
- enumerating installed fonts is mostly used for fingerprinting
They should be put behind a permission popup, so that only those sites that really need them (e.g. graphic editors, text editors) can use them. So nothing gets broken.
Put WebGL, enumerating installed fonts, web audio, etc. behind a permission. In rare cases when they are really needed not for fingerprinting, the user will grant a permission and nothing gets broken.
Have you been around for the past 10-15 years of Android? Manual permissions don't solve the problem. People will just say why yes, I do indeed want to read this clickbait article/use this flashlight app, go ahead and give the server my GPS location so it can follow me around. The only reason you don't get much of this anymore is the limits the app stores enforce these days.
> I assume it's because Google is using it to collect your information but blocking everyone else from collecting it?
It isn't so much a privacy sandbox, it's an anti competition sandbox.
Google is designing standards and practices under the auspices of user privacy but in reality these changes simply lock others out of accessing data while serving it up to Google.
* Not only are they locking out competition, but they're preventing the user from stopping or mitigating collection of data as well.
I think you can have a lot of debate on it, but for me personally it can be summoned down to the following: the privacy sandbox wants to block tracking on everything that isn’t of “high user interest”. But as a user I don’t want “any” privacy intrusion.
On one hand it’s better than what’s going on now, on the other hand it’s not going to give you privacy and it’s likely going to further Google’s advertisement monopoly on much of the internet. Which is where a lot of the debate can be had, but as a user, do you really want any company to track you? If not, then you most likely don’t want control of who gets to track you in the hands of the biggest advertisement company on earth.
That's true, but Edge is literally the same codebase and architecture, rebranded and with slightly tweaked UI, plus additional MS tracking. So Edge should get the exact same treatment.
Since people seemed to believing Google PR at face value here is the w3c position in rejecting the proposal:
The intention of the Topics API is to enable high level interests of web users to be shared with third parties in a privacy-preserving way in order to enable targeted advertising, while also protecting users from unwanted tracking and profiling. The TAG's initial view is that this API does not achieve these goals as specified.
The Topics API as proposed puts the browser in a position of sharing information about the user, derived from their browsing history, with any site that can call the API. This is done in such a way that the user has no fine-grained control over what is revealed, and in what context, or to which parties. It also seems likely that a user would struggle to understand what is even happening; data is gathered and sent behind the scenes, quite opaquely. This goes against the principle of enhancing the user's control, and we believe is not appropriate behaviour for any software purporting to be an agent of a web user.
The responses to the proposal from Webkit and Mozilla highlight the tradeoffs between serving a diverse global population, and adequately protecting the identities of individuals in a given population. Shortcomings on neither side of these tradeoffs are acceptable for web platform technologies.
It's also clear from the positions shared by Mozilla and Webkit that there is a lack of multi-stakeholder support. We remain concerned about fragmentation of the user experience if the Topics API is implemented in a limited number of browsers, and sites that wish to use it prevent access to users of browsers without it (a different scenario from the user having disabled it in settings).
We are particularly concerned by the opportunities for sites to use additional data gathered over time by the Topics API in conjunction with other data gathered about a site visitor, either via other APIs, via out of band means, and/or via existing tracking technologies in place at the same time, such as fingerprinting.
We appreciate the in-depth privacy analyses of the API that have been done so far by Google and by Mozilla. If work on this API is to proceed, it would benefit from further analysis by one or more independant (non-browser engine or adtech) parties.
Further, if the API were both effective and privacy-preserving, it could nonetheless be used to customise content in a discriminatory manner, using stereotypes, inferences or assumptions based on the topics revealed (eg. a topic could be used - accurately or not - to infer a protected characteristic, which is thereby used in selecting an advert to show). Relatedly, there is no binary assessment that can be made over whether a topic is "sensitive" or not. This can vary depending on context, the circumstances of the person it relates to, as well as change over time for the same person.
Giving the web user access to browser settings to configure which topics can be observed and sent, and from/to which parties, would be a necessary addition to an API such as this, and go some way towards restoring agency of the user, but is by no means sufficient. People can become vulnerable in ways they do not expect, and without notice. People cannot be expected to have a full understanding of every possible topic in the taxonomy as it relates to their personal circumstances, nor of the immediate or knock-on effects of sharing this data with sites and advertisers, and nor can they be expected to continually revise their browser settings as their personal or global circumstances change.
A portion of topics returned by the API are proposed to be randomised, in part to enable plausible deniability of the results. The usefulness of this mitigation may be limited in practice; an individual who wants to explain away an inappropriate ad served on a shared computer cannot be expected to understand the low level workings of a specific browser API in a contentious, dangerous or embarrassing situation (assuming a general cultural awareness of the idea of targeted ads being served based on your online activities or even being "listened to" by your devices, which does not exist everywhere, but is certainly pervasive in some places/communities).
While we appreciate the efforts that have gone into this proposal aiming to iteratively improve the privacy-preserving possibilities of targeted advertising, ultimately it falls short. In summary, the proposed API appears to maintain the status quo of inappropriate surveillence on the web, and we do not want to see it proceed further.
Because in reality, "meeting the needs of advertisers" is not a prerequisite to "protecting people's privacy." It's a false premise that Google constructed and which only exists because the dominant browser is created by an advertising company.
A browser that truly protected people's privacy would definitionally not meet the needs of advertisers, because those needs are in direct opposition to people's need for privacy.
Protecting people's privacy is not the sole job of a browser. The web in general needs to look at the needs of all of the stakeholders and come together to find a solution that all parties can find agreeable. A browser should care about not just the users, but also the rest of the people in the ecosystem. If Chrome shipped an update that blocked all ads it would kill many sites and would cause a disaster to the health of the web ecosystem. Chrome should try and improve the ecosystem.
> A browser should care about not just the users, but also the rest of the people in the ecosystem.
Hard disagree. A browser is supposed to be my user agent. It is supposed to work for me. It should not be engaging in compromises to my wishes in order to benefit others.
> Chrome should try and improve the ecosystem.
I think that there is much disagreement about what "improving the ecosystem" would look like.
>I think that there is much disagreement about what "improving the ecosystem" would look like.
Sure, but enabling sites to be financially viable to run is almost universally considered good. If something is not viable on the web either it will be built on another ecosystem or it won't be built at all. It ends up making the web a worse place to be and strengthens the competitors to the web.
If an industry in a very competitive market is polluting rivers we don't find a way to maintain its ability to pollute, we stop the pollution through rigorous action while trying to keep it competitive.
If collectively we decide that intrusive advertising has to go and we need to more directly pay for labour online, then so be it. It doesn't necessarily have to stay the old way forever.
> enabling sites to be financially viable to run is almost universally considered good.
That isn't what's on the table, though. This impacts the ability to target ads. Targeted ads are absolutely not required for a website to be financially viable.
> If something is not viable on the web either it will be built on another ecosystem or it won't be built at all.
The history of the web demonstrates that this isn't true. There's an excluded middle there.
> It ends up making the web a worse place to be and strengthens the competitors to the web.
What are the competitors to the web?
But aside from that, in my opinion, advertising has made the web a much worse place as it is. Advertising has made the web more like interactive cable TV, and limits the variety of activities because only the ones advertisers approve of are effectively allowed.
>Targeted ads are absolutely not required for a website to be financially viable.
There is a subset of sites where it is required. Or at least it is with how much resources they are investing into the site and free services they offer.
>What are the competitors to the web?
The biggest competitors are Google's Play store and Apple's App store.
>Advertising has made the web more like interactive cable TV, and limits the variety of activities because only the ones advertisers approve of are effectively allowed.
The existence of sites with advertising doesn't mean that sites without advertising can't exist.
The econmics don't work out for someone making a browser specifically for you and no one else. Products typically are designed to support the needs of many people instead of optimizing for a single person at the detriment of everyone else.
If that is the metric you want to go by, users outnumber advertisers by several orders of magnitude, so in this sense, anything that makes online ads easier is optimizing for the few at the expense of the many.
In any case, why in the world would I want to use a browser that is working against my interests and in favor of the interests of an industry that has done nothing but been abusive for a very long time?
> If Chrome shipped an update that blocked all ads it would kill many sites and would cause a disaster to the health of the web ecosystem.
I think this would be the best thing that could possibly happen for the health of the web, tbh. Imagine Google search results if every blogspam page plastered with ads no longer had a financial incentive to exist.
EDIT: It would kill some useful sites too, undoubtedly, but I think it would be worth the cost.
Blog spam sites are not expensive to host and they would just pivot to referral links. What it hurts are sites that generate user value and give it away for free by subsidizing it with ads.
Remember, the nickname "Browser" was invented after the fact, to describe the program that loads URLs and displays them to the user. The proper name of such a program is "User Agent". It is a program that acts as the agent, or the servant, of the user.
My "browser" runs on my computer, by me, for me. It is not beholden to "all of the stakeholders", or "the rest of the people in the ecosystem". If my agent acting in a manner that User Agents were originally intended to, only fetching the URLs that I - the user - want it to fetch, "would cause a disaster to the health of the web ecosystem", then maybe the current web ecosystem is bad and deserves to meet with disaster.
The web managed to explode in usefulness and popularity before surveillance capitalism became a thing, not because of it.
A web browser implements the web standards. The web standards are put together by organizations that do respect all stakeholders. If the web ignores stakeholders then people will migrate off the web. This is how you get into a world where you have to use mobile apps and the web is near barren.
Currently you often have the option to use either, but in theory the option to use the website could go away from many services if it's not worth it to have.
It doesn’t protect “privacy”, it at best limits a subset of reidentification attacks, and only in a vacuum where other fingerprinting vectors don’t exist.
If it’s so great it would be any easy opt-in for users. But it’s not.
It is definitely about meeting the needs of advertisers, by implementing new methods to violate user privacy. Every other browser has simply blocked advertisers from collecting this information, but Google is an ad company, and hence is anti-consumer at heart.
> In fact, we were able to circumvent the issue just by changing the name of the Chrome app on a Windows desktop. It seems that Microsoft threw up the roadblock specifically for Chrome, the main competitor to its Edge browser.
From the beginning of the article, I was led to believe Microsoft had changed an API around checking/setting the default browser to show Microsoft's dialog instead. Which doesn't seem great to change an API without warning, but maybe you can make an argument that it ensures a "neutral" choice rather than apps pushing the choice on users.
But this shows it's specifically against Chrome. Regardless of whether it's legal or not, it's unforgivably anti-competitive behavior. It's a truly shameful tactic.