Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chrome, Safari and Opera Criticised For Removing Privacy Setting (sophos.com)

Posted by msmash on from the closer-look dept.

It's a browser feature few users will have heard of, but forthcoming versions of Chrome, Safari and Opera are in the process of removing the ability to disable a long-ignored tracking feature called hyperlink auditing pings. From a report: This is a long-established HTML feature that's set as an attribute -- the ping variable -- which turns a link into a URL that can be tracked by website owners or advertisers to monitor what users are clicking on. When a user follows a link set up to work like this, an HTTP POST ping is sent to a second URL which records this interaction without revealing to the user that this has happened. It's only one of several ways users can be tracked, of course, but it's long bothered privacy experts, which is why third-party adblockers often include it on their block list by default.

Until now, an even simpler way to block these pings has been through the browser itself, which in the case of Chrome, Safari and Opera is done by setting a flag (in Chrome you type chrome://flags and set hyperlink auditing to 'disabled'). Notice, however, that these browsers still allow hyperlink auditing by default, which means users would need to know about this setting to change that. It seems that very few do.

33 of 130 comments (clear)

  1. Chrome was good for a while ... by Anonymous Coward · · Score: 3, Insightful

    ... and made Firefox lift its game out of complacency, but it is long past the time to return to FF.

    1. Re:Chrome was good for a while ... by flippy · · Score: 4, Insightful

      I've LONG since returned to FF. The best out there, IMO.

    2. Re:Chrome was good for a while ... by flippy · · Score: 1

      Interesting. Not a whole lot of info about it on its site, though.

    3. Re:Chrome was good for a while ... by bhcompy · · Score: 1

      Never left.

    4. Re:Chrome was good for a while ... by houghi · · Score: 1

      The webspage is https://www.waterfoxproject.or... and the link to the Android one does not work and nothing on the Google store. :-/

      --
      Don't fight for your country, if your country does not fight for you.
    5. Re:Chrome was good for a while ... by Darinbob · · Score: 1

      These browsers all work for the ad industry, directly or indirectly. They want the business from web sites that make their money from ads. They won't do anything to hurt that golden goose.

      We don't use adblock and noscript and turn on privacy settings because we want all those web site developers to lose money or their jobs. We use these tools in self defense! To reduce that wasted bandwidth that ads take up, to block against the primary vector of malware, and to stop tracking and other privacy intrusions.

    6. Re:Chrome was good for a while ... by Rockoon · · Score: 1

      and made Firefox lift its game out of complacency

      Firefox went far more complacent once the Google money started rolling in.

      --
      "His name was James Damore."
  2. Can't this be fixed with extensions? by SurenEnfiajyan · · Score: 1

    Can't this be fixed with extensions? Currently Ublock doesn't let the browser to ping even though the feature is enabled. Also ping attribute is trivial to detect and remove compared to obfuscated JS code.

    1. Re:Can't this be fixed with extensions? by xack · · Score: 2

      Modern webExtentions are neutered by design by the advertising industry funding Chrome and its puppet Mozilla. Even Pale Moon is neutered by blacklisting of extensions.

    2. Re:Can't this be fixed with extensions? by Anonymous Coward · · Score: 1

      Why is there not false feedback options. If advertisers discover 5-80% of their leads are worthless, they will be mad. So rather than block, how about sending the IP address of a spammer/bulk emailer etc. Mash these uniqueish fingerfrints - mac address, battery hardware id etc. Make them pay for all those unique leads. Misdirection and disinformation is YOUR right.

    3. Re:Can't this be fixed with extensions? by The+MAZZTer · · Score: 2

      Yes, it is trivial to fix, though you have to write an extension with the scary "can look at all web pages you visit" permission since it has to muck with all pages.

      There's a standard mechanism to inject a script into every page that loads. You would set it to inject on every page and frame. The script should look for any a tags with the ping attribute, and remove the attribute. Then you want to set up a MutationObserver (or whatever the newer API is now?) to detect any changes to the page which could add in ping attributes to a tags or new a tags. When the event fires, you run your code again to scan for a tags with ping attributes and remove the attributes.

      That's the basic functionality and it would not take long to make. You'd probably want to make it fancy by adding things like a pings blocked counter or whatever which would take longer. Such extensions probably already exist.

    4. Re:Can't this be fixed with extensions? by hairyfeet · · Score: 2

      The one Pale Moon "blacklisted" refused to fix serious issues with getting it running on PM so the PM team simply replaced it with uBlock Origin, they even have a handy updater that contacts Github and grabs the latest uBlock version compatible with PM so you don't need to deal with keeping up with versions.

      Considering uBlock actually works with PM and does the same job while the later versions of NS was crashy AF on PM? I really see blacklisting an extension that wouldn't work properly as a non issue as uBlock does the same job and is compatible. BTW feel free to contact the NoScript dev and ask him to support the latest version of PM but don't be surprised if he tells you which bridge to jump off of as I've heard the dev is rather..."surly" and doesn't take criticisms or suggestions very well. A shame really but...well "not very sociable" developers aren't exactly a new thing are they?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    5. Re:Can't this be fixed with extensions? by mrbester · · Score: 1

      Don't forget to send such data as pings blocked back to the mother ship with navigator.sendBeacon so you can aggregate the block count and show it on your site in a flashy box: "this really works! 2,046,732,755 pings blocked and counting!"

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    6. Re:Can't this be fixed with extensions? by AHuxley · · Score: 1

      An extension might block approved ads. The approved ads always have to get deep into the browser.

      --
      Domestic spying is now "Benign Information Gathering"
  3. Chromification of the web by Anonymous Coward · · Score: 1

    This is a natural result of the Chromification of the web (where standards based browsers are increasingly being replaced with a single, monopoly-owned browser, Chrome). Who would have thought that giving google more power over the web would result in this!?

  4. fortunately there are alternatives by Virtucon · · Score: 3, Interesting

    Just seek out one of the alternatives, it's sad that these mainstream browsers are ok with the privacy issues that tracking incurs but hey, we are the product right? I'd gladly pay for software, browsers included that doesn't track and pay a premium for actually defending my privacy without ambiguous TOS that changes every time the wind shifts.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
    1. Re:fortunately there are alternatives by 93+Escort+Wagon · · Score: 2

      I'd gladly pay for software, browsers included that doesn't track and pay a premium for actually defending my privacy without ambiguous TOS that changes every time the wind shifts.

      Unfortunately, you are in the minority. Whenever someone tries to figure out how to make a living catering to people like you, they fail.

      I’m sure someone’s going to trot Apple out as a counter-example, but 1) in this case Safari is one of the offenders; and 2) there’s a huge price premium on the brand, very little of which is actually related to giving up the revenue from tracking you.

      --
      #DeleteChrome
    2. Re:fortunately there are alternatives by Immerman · · Score: 1

      Sad, but utterly predictable when the mainstream browsers are are built atop an HTML engine made by an advertising company.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
  5. Didn't know this existed by Sebby · · Score: 1

    I wasn't even remotely aware of this 'ping' attribute.

    Now that I do, I think I'll have some fun having it modified by an extension to 'ping' back a URL with a nasty message in it!

    --

    AC comments get piped to /dev/null
    1. Re:Didn't know this existed by gtall · · Score: 1

      You do realize that there's no one there to read the nasty message, yes? Welcome to bot-world, you only exist to provide service to the bots.

  6. thanks for the info by FudRucker · · Score: 1

    i never knew it was there, but i do now, and i just disabled that spying feature (bug) and it looks like chromium-73.x.xxxx is the last version of chromium i will use, when the next version is released with that feature forced on users i will switch to firefox full time

    --
    Politics is Treachery, Religion is Brainwashing
  7. Re:Guess what by bhcompy · · Score: 1

    Brave is Chromium based, but is called out in article as not changing its behavior.

  8. Chromium? by sconeu · · Score: 1

    What about the actual Chromium browser itself (rather than Chrome). Does anyone know if Chromium went evil?

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re:Chromium? by SurenEnfiajyan · · Score: 1

      Chromium is "evil" by default. There is no reason for Google to maintain code that they don't need. Edge will be based on Chromium and won't have the flag for that reason. But I wonder if extensions, such as Ublock, will be still able to block pings even with the removed flag since Ublock blocks the pings even when the flag is enabled. Also ping attributes in DOM are trivial to detect and remove, unlike obfuscated JS codes.

  9. Isn't this just a redirect? by jbmartin6 · · Score: 2

    I couldn't find any response from Google, though there could very well be. But this just seems like a shortcut for something Google and others have done for a long time, which is just use an intermediate link as the tracker, which just does a redirect to the ultimate destination. A site admin could just replace any links on the site with intermediate links to the tracker/redirector.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  10. Re:Guess what by Anubis+IV · · Score: 4, Insightful

    I'm not sure why you think those three browsers are repackaged versions of each other. Apple forked WebKit in 2010 as WebKit2 for use in Safari, and hasn't used WebKit proper since it made the switch. Google forked WebKit in 2013 as Blink for use in Chromium/Chrome, and hasn't used WebKit proper since it made the switch. In the last few years, Chromium has been adopted by Opera and Microsoft, but Safari—despite having started at the same place that Chrome started—today remains on a different foundation. That Safari is making this change at the same time as the others is due to political/corporate maneuvering, not technical changes.

    Also, while there are valid arguments to be made against a browser monoculture—a problem that WebKit-based browsers are contributing to—that doesn't mean that the rendering engines themselves are bad. Far from it, I think most people would agree that on their technical merits, WebKit-based engines are among the best we have, and certainly aren't bad enough to justify your vitriolic frothing against them.

  11. Don't use APK's software by Anonymous Coward · · Score: 1

    Can you trust that someone who openly has antisemitic views (see his "Jewgle" nonsense) to secure your computer?

    Can you really trust a prolific spammer like APK to secure your computer?

    Can you trust that a hateful person like APK doesn't include malicious functionality within his closed source software?

    The answer to each of these questions should be no. APK is not to be trusted. There are superior open source alternatives to his software, such as Steven Black's software. It's written in Python, so it works on far more systems (like MacOS) than APK's inefficient closed source program. It also doesn't require a GUI, so it can be run automatically as a cron job to keep your hosts file updated.

  12. Other browsers by BlackOverflow · · Score: 1

    I was sad to see that Vivaldi browser has this enabled by default.

  13. Uninstalled by cmaurand · · Score: 1

    I uninstalled opera last night and switched back to Firefox. I don't like forced updates, but I value my privacy more than I object to forced updates.

  14. Dup by grep+-v+'.*'+* · · Score: 1

    Previous Article vs Some Details vs Ublock setting.

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  15. Been using Firefox since it was called Netscape by waspleg · · Score: 1

    Fuck. Your. A(i)ds.

  16. Re:Why would a regular citizen need privacy? by dark.nebulae · · Score: 1

    I don't care that anyone would see, via a warrant, the fact that I shop at amazon, read slashdot, write code and sometimes even surf porn.

    I'll give you my browser history if you really want to see it. Doesn't mean jack to me.

    What I hate though is the creepy advertising. If I go to amazon to look for a blanket, every non-amazon site I visit is going to show me blankets. This creepy feeling that folks are following me around trying to tempt me with something I looked at because I had a need at the time, that's the stuff that I don't want.

  17. Re:Guess what by Anubis+IV · · Score: 1

    Apple forked KHTML from KDE project to create WebKit to use in Safari. Please do some background check prior posting it.

    Sure, but KHTML originally operated on Linux, for which we can thank Linus Torvalds. Or didn’t you know that?

    Which is to say, I’m well aware of the information you just shared, but it has no relevance to the point at hand. I intentionally constrained my comment to recent history, from the forks onward, because that’s the only part of their history that was relevant. Why talk about Julius Caesar when you’re correcting someone’s understanding of the French Revolution?