
Chrome is entrenching third-party cookies that will mislead users

codedokode
91 replies
21h58m

Have been using Firefox for a long time, no issues, though long ago when I had little memory, Chrome was using less of it. Firefox also has HTTPS-only mode, encrypted DNS without fallbacks, supports SOCKS and Encrypted Client Hello (although almost no website supports it). However, it is better to just buy more memory (unless you are lucky to use Apple products).

Regarding analytics, I believe browsers should take the user's side and not cooperate with marketing companies; even better, they should implement measures to make user tracking and fingerprinting more difficult. There is no need to track user's browsing history; just make a product better than competitors (so that it gets first place in reviews and comparisons) and buy ads from influencers.

It would be great if browsers made fingerprinting more difficult, i.e.: not allowed to read canvas data, not allowed to read GPU name, enumerate audio cards, probe for installed extensions etc. Every new web API should guarantee that it doesn't provide more fingerprinting data or hides the data behind a permission.

Regarding 3rd party cookies: instead of shady lists like RWS, browsers should just add a button that allows 3rd party cookies as an exception on a legacy website relying on them (which is probably not very secure). Although, there is a risk that newspaper websites, blog websites and question-answers websites will force users to press the button to see the content.

autoexec
53 replies
19h25m

> Regarding analytics, I believe browsers should take the user's side and not cooperate with marketing companies

Browsers were supposed to act as agents working for the user. User-agents. These days it's getting harder and harder to find a browser that doesn't work for an ad company at the expense of the user.

Chrome's entire reason for existing is data collection. Firefox can, for now at least, be hardened to work for the user (and prevent a lot of fingerprinting), but Mozilla is an ad-tech company too now. They've made their lack of respect for Firefox users clear by making Firefox spy on users by default so that Mozilla can sell that data to marketers.

Currently, you can disable that spying in about:config by setting dom.private-attribution.submission.enabled to false (see https://news.ycombinator.com/item?id=41311479 and also https://web.archive.org/web/20240827185708/https://make-fire...). No idea how long that will continue to be an option or how often you'll have to go back and reset that back to false following updates though.

We really need a new browser that actually works in the interest of the users.

dheera
32 replies
15h7m

Google analytics? Check.

Add this to /etc/hosts

    0.0.0.0 www.google-analytics.com
    0.0.0.0 google-analytics.com
    0.0.0.0 ssl.google-analytics.com

tommica
28 replies
13h43m

Is it as simple as this?

dogecoinbase
27 replies
13h40m

Unfortunately no. The entire point of DoH is to bypass the ability of the users to prevent browsers from providing browsing habits to their owners.

bluejekyll
13 replies
13h31m

No, that is not the entire point of DoH. That’s like saying the entire point of TLS is to prevent users from looking at the traffic being sent to a website.

DNS without DoH, DoT, or DoQ, is wide open to anyone snooping traffic in the raw, that’s not necessarily information you want to share with the world.

Xelbair
4 replies
10h25m

The entire point of DoH is to take away control of DNS from the OS vendor to the browser.

There were other encrypted standards (dnscrypt for example) that didn't require you to do that, but the one that bypasses the OS was forced by adtech monopolist in charge.

dspillett
3 replies
8h54m

No, the point of DoH is to take control of DNS from ISPs (and related middlemen) and give it back to site/service owners (so their settings are not overridden for whatever reason) and the end-user (so their habits are not as easy to disrupt or track at the ISP level).

> but the one that bypasses the OS was forced by adtech monopolist in charge.

Assuming by “adtech monopolist in charge” you mean Google, I don't think taking control from OS would benefit them given they effectively have control of more than two thirds of the mobile market share globally¹ so they are shooting themselves in the foot as much as anyone else – so I assume there are practical reasons², or purely technical ones, for DoH being their preferred choice (assuming they are pushing a preference).

And anyway, there is nothing that says applications have to implement DoH instead of letting the OS do that, Chrom{e|ium} and FF have gone that way in part because base OS support wasn't (isn't?) commonly available/enabled.

----

[1] A less than two thirds if you only count the US, as some published figures do, because Apple does rather better there compared to global averages.

[2] isn't dnscrypt's standard still officially a work-in-progress?

chgs
2 replies
7h2m

If it was implemented at an OS level and respected standard configuration then fine, DoH, DoT, whatever, I’m happy.

However it wasn’t, and it doesn’t defer to the OS or the network. I can’t set a dhcp option on my network to tell my dozens of clients what dns server to use, I have to manually adjust each browser. I additionally get different results depending what I use, my browser will contact a different server than any other application.

That’s broken behaviour which benefits AdTech companies like Google.

dspillett
1 replies
6h30m

> I can’t set a dhcp option on my network to tell my dozens of clients what dns server to use, I have to manually adjust each browser.

But at that point, you are effectively the ISP trying to control how users do DNS, in a way that might enable you to track/block/redirect. You might be trustworthy to your users so that is fine, but that isn't the case for every user's relationship with their service providers.

Is there an arrangement that would stop less trusted networks from tracking/redirecting/blocking DNS requests without (accidentally) helping AdTech by making DNS-based blocking harder?

chgs
0 replies
6h27m

As I run the OS I can choose to accept the hint or override the dns servers.

pwdisswordfishz
3 replies
10h38m

> That’s like saying the entire point of TLS is to prevent users from looking at the traffic being sent to a website.

In the case of mobile apps, it is.

dotancohen
2 replies
4h28m

Can you clarify that statement?

oarsinsync
0 replies
2h5m

A lot of mobile apps use TLS connections when communicating with their backends.

You can MITM the traffic, and continue to deliver the traffic using a self signed certificate that you’ve trusted on your mobile device, and boom, you can capture the traffic at your proxy point and be happy.

A lot of mobile apps use certificate pinning to ensure that the backend certificate matches what the app expects. Now your self signed certificate, even though it’s trusted at the OS level, no longer matches the certificate that the app is expecting, and no data is exchanged after TLS handshake fails.

gkbrk
0 replies
2h11m

A lot of mobile apps use TLS with certificate pinning, so even if the user installs a system-wide root CA, the app doesn't accept it and won't let the user look at what data is being sent to the servers.

chgs
1 replies
7h6m

DoH is pushed by Google et al to ensure you continue to provide your data to them.

The browser should respect the OS. The OS should respect the network (dhcp/slaac). If you want to override this then that should be an active choice by the user.

I am quite happy with my OS using normal dns (via WireGuard when out) to my dns server which blocks bad domains before they even reach my firewall, I don’t need DoH, although I have no problem with that as a concept.

What I don’t like is my browser taking away my choice and breaking the model. It should defer to the OS (and I can’t see any time I wouldn’t want it to defer to the OS)

codedokode
0 replies
1h24m

DoH is necessary because ISPs snoop on DNS traffic and meddle with it. DNS is sending everything in clear text and has no protection from modification.

As for DoH, you can choose not to use it, or use your own DoH server. I see no problems with it.

autoexec
1 replies
12h25m

Which (for people not handing all of their DNS traffic over to google anyway) usually just means that their ISP can see their DNS traffic which is kind of a moot point because your ISP can see the domains you go to even with DoH.

If somebody is on your local network capturing packets or they've cracked your wifi you've got bigger problems than your DNS leaking a list of domains. They'll also see the IP of every server you visit online anyway.

The way DoH is implemented usually means that all of your DNS traffic is collected by some third party for-profit corporation like cloudflare anyway (who admittedly will already know most of the domains you visit anyway because of how often cloudflare's IP space is where DNS will point you).

There really aren't any good options for DNS and privacy, just a lot of compromises. Host your own. Or, if your ISP is trustworthy, you might be better off using what they provide. The DNS traffic between you and your ISP's servers should never leave their network.

unethical_ban
0 replies
3h2m

ISPs seeing the domains of user traffic is not a given. And DoH is a step toward mitigating that.

People were setting their DNS resolver to custom values before DoH.

I agree that DoH would ideally be enabled at the OS level, or that the browser flow would default to still checking host file before sending out the query.

grishka
11 replies
13h22m

DoH and similar technologies don't override /etc/hosts. They're just a different way of making DNS queries. The entire point of these technologies is to prevent your ISP and everyone else along the way from knowing which websites you visit.

roelschroeven
8 replies
10h20m

DoH means that each application does its own DNS queries, instead of using the OS's functionality. Whether that includes reading /etc/hosts is up to the application, and it looks like high profile applications like Chrome and Firefox don't read /etc/hosts.

> The entire point of these technologies is to prevent your ISP and everyone else along the way from knowing which websites you visit.

More correctly, the point is to shift all that from one organization to another. Maybe you trust Google or Mozilla more than you trust your ISP, but I don't think it's the same for everyone.

You could even argue that your ISP can already see which hosts you connect to, so using its DNS resolvers doesn't add much information for them. Using DoH means that both your ISP and another party can see that.

grishka
4 replies
9h57m

> DoH means that each application does its own DNS queries, instead of using the OS's functionality.

HUH?! No! You aren't supposed to implement DNS on the application level! Most modern OSes support some form of DNS over TLS at the system level. You should use that.

chgs
2 replies
6h52m

You’re not but that’s the point. Google realise they don’t control the OS (in many cases) and thus struggle to monetise it.

I don’t have a problem with doing dns lookups over http, or any other protocol you want to use, if I configure my OS resolver to do that.

When people don’t like DoH they tend to mean they have a problem with bypassing the OS.

There’s then the concept of DoH, network admins have a harder job blocking it without MitMing traffic (and in some cases installing new root certificates and thus reducing security for users).

I’m less concerned about that. The argument for DoH often goes to “I don’t trust my network but I do trust Google” but I can see why some don’t trust their network. Personally I’d tunnel all traffic if I were on an untrusted network.

As someone who doesn’t trust Google (as their income comes from selling my personal data against my will) but does trust my network (as I am the network admin) I lean in the “anti DoH” camp, but regardless of which camp, DNS should be configured at the OS level (whether that’s a manual choice to use Google or cloudflare or whatever, or to accept the network hints)

bad_user
1 replies
3h57m

What you mean is that network admins have a harder time controlling people's devices.

I have a DoH server set in my Chromium browser, installed on my corporate laptop, and I love it, because my DNS queries don't leak to my network admin.

wahern
0 replies
55m

The perspective is significantly different when you're both the user and network admin. From your vantage point, you're picking the lesser of two evils.[1] But there's a third option that keeps you in even greater control, yet it's increasingly becoming more onerous to preserve. It's something like a collective action problem.

[1] Or at least you think you are. If your employer is running provisioning and "security" malware, I wouldn't take any bets on what they're logging or not logging.

account42
0 replies
7h2m

Should and what browsers actually do is completely different then.

bad_user
2 replies
3h59m

Excluding leaks, the ISP does not see the hostnames, what it sees are the IPs you're connecting to. 20% of internet traffic goes through Cloudflare, so at least for those, the IPs are meaningless.

Both privacy and security are layered, and perfect is the enemy of good. Securing the DNS is an obvious first step, forcing the Internet to HTTPS by default was another. Google and Mozilla have contributed to better privacy. People that want more privacy, depending on needs, can also use a VPN or for the more extreme cases, something like Tor.

Not sure what you mean about having to trust Google or Mozilla. I'm not using either Google's or Mozilla's DoH servers. But yes, I would trust them more than my local ISP. Google, at least, proved quite competent in handling whatever data they collect.

dingaling
1 replies
2h9m

> Excluding leaks, the ISP does not see the hostnames

Unfortunately they can, either through the unencrypted hostname passed in SNI or in the cert returned by the server.

codedokode
0 replies
1h20m

In TLS 1.3 server certs are encrypted. And while browsers support ECH (Encrypted Client Hello) to encrypt SNI, almost no server supports it. Cloudflare has ECH disabled globally for some "issues" they do not disclose [1].

[1] https://developers.cloudflare.com/ssl/edge-certificates/ech/

dotancohen
0 replies
4h26m

Since the application itself is making the DNS requests, it is completely building the relevant OS networking features, including hosts file support.

TacticalCoder
0 replies
6h56m

> The entire point of DoH is to bypass the ability of the users to prevent browsers from providing browsing habits to their owners.

It is the entire point of DoH indeed, while hiding behind the idea that it somehow prevents the state/ISP from knowing which sites you go to (which it really doesn't).

There's only one way to get the best of both worlds:

- force your browser to never ever use DoH / DoT: force good old, in the clear, DNS over port 53
- run your own local DNS resolver (I run *unbound*)
- only ever allow DNS port 53 to/from your machine and your local resolver (I run *unbound* on an old Raspberry Pi)
- have your DNS resolver use DoH

This way you get the imaginary protection that your DNS traffic is "encrypted" between you and your ISP: I mean, it is encrypted... But it's an illusion to believe it prevents your ISP / friendly-state-after-your-well-being from knowing which sites you visit.

But you also get full control over which domains can be resolved or not.

As a sidenote unbound supports "wildcards" when blocking domains, which is sweet (as opposed to your typical OS's hosts file, which doesn't support wildcards).

FWIW I've configured unbound to return 0.0.0.0 for the millions (!) of (wildcarded) domains I'm blocking and then I use dnsmasq, locally, to convert any 0.0.0.0 into NXDOMAIN. It's versatile and I like that way.

It's Linux so you set that up once and it works for years.

_Algernon_
1 replies
6h0m

Firefox doesn't respect hosts by default. An about:config option needs to be toggled for this to work.

shadowgovt
0 replies
1h26m

Fascinating. I wonder what the history is of Firefox deciding to ignore hosts? Hosts has been standard since the early days of the Internet.

jhpacker
0 replies
12h21m

With GA4, the tracker code is loaded from www.googletagmanager.com (even if the tag isn't loaded via a GTM container). The measurement requests can be sent to (region1|www).google-analytics.com or analytics.google.com (to share cookies with Google login better).
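An added example, not part of any post in the thread: it parses the three hosts lines posted above and checks the GA4 hostnames named in this comment against them, first by exact match (how a hosts file works) and then by label-wise suffix match (the "wildcard" behaviour attributed to unbound further up). The zone list and all function names are constructed for this illustration.

```python
# Constructed input: the three /etc/hosts lines posted earlier in the thread.
HOSTS_TEXT = """\
0.0.0.0 www.google-analytics.com
0.0.0.0 google-analytics.com
0.0.0.0 ssl.google-analytics.com
"""

# Hostnames named in the thread for GA4, with "(region1|www)" expanded.
GA4_HOSTS = [
    "www.googletagmanager.com",
    "region1.google-analytics.com",
    "www.google-analytics.com",
    "analytics.google.com",
]

# Constructed wildcard zone list (an assumption, not taken from the thread).
ZONES = {"google-analytics.com", "googletagmanager.com", "analytics.google.com"}

# Addresses commonly used to sink a name in a hosts-style blocklist.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::"}
# Names that legitimately map to loopback and are not block entries.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def normalize(name):
    """Lower-case a hostname and drop a trailing root dot."""
    return name.rstrip(".").lower()


def parse_hosts(text):
    """Return the set of names a hosts file maps to a sink address."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or fields[0] not in SINK_ADDRESSES:
            continue
        for name in fields[1:]:
            name = normalize(name)
            if name not in LOOPBACK_NAMES:
                blocked.add(name)
    return blocked


def blocked_exact(name, entries):
    """Hosts-file semantics: only a name listed verbatim is blocked."""
    return normalize(name) in entries


def blocked_by_suffix(name, zones):
    """Wildcard semantics: a zone blocks itself and every subdomain.

    Matching is done on whole labels, so 'notgoogle-analytics.com' is not
    caught by the zone 'google-analytics.com'.
    """
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))


def coverage(names, entries, zones):
    """Map each name to (blocked by hosts file, blocked by zone list)."""
    return {
        n: (blocked_exact(n, entries), blocked_by_suffix(n, zones))
        for n in names
    }


if __name__ == "__main__":
    entries = parse_hosts(HOSTS_TEXT)
    for host, (exact, suffix) in coverage(GA4_HOSTS, entries, ZONES).items():
        print(f"{host:32} hosts-file={exact!s:5} wildcard={suffix}")
```

Either list only takes effect for applications that resolve through the resolver where the list lives, which is the limitation the DoH discussion above is about.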

rpastuszak
9 replies
9h44m

> but Mozilla is an ad-tech company too now.

The recent events related to FF are not that much of a shift, considering that Google pays $20B per annum to its (technically non-ad tech) partners, then 85% of Mozilla's total revenue comes from its partnership with Google. That ship had sailed a long time ago.

https://untested.sonnet.io/Defaults+Matter%2C+Don't+Assume+C...

autoexec
8 replies
7h9m

Firefox really has been going downhill for a long time. Forcing Pocket into the browser, the ad infested new tab page, telemetry, making user accounts a thing, force installing TV show promotions, etc.

What they haven't done before is spend a fortune buying up an ad-tech start up. They barely even bother to maintain a pretense that they care about Firefox users. They basically came right out and said "We know that users don't want this, we can't convince them to, so we were right to force it on them by default and just hope most people don't notice and start complaining" (https://cdn.adtidy.org/blog/new/2wffyscreen_mozilla.png?mw=1...)

bad_user
7 replies
4h19m

> Forcing Pocket into the browser

Fun fact: by subscribing to Pocket, you're directly contributing to Firefox's development.

Mozilla found itself in a situation of damned if they do, damned if they don't. People scream at them for depending on Google, and then they scream at them for trying to diversify their revenue.

Nobody wants to pay for a browser, browsers are essentially incredibly complex nowadays, and I have yet to hear how in the world are browsers supposed to get funding.

And of course they want to cater to advertisers because it is advertising that maintains the open web, and it is advertising that is paying for all browser development, actually, including Safari. And the open web is also dying, because people have been moving to mobile apps, where all pretence that "the user agent must act on your behalf" is gone. In other words, even if you get what you wish for, in a couple of years it may not matter at all.

rpastuszak
3 replies
3h48m

> And of course they want to cater to advertisers because it is advertising that maintains the open web

As someone who worked both on advertiser and publisher sides (incl. content monetisation): advertisers like to say that they support publishers and the open web, but in fact, they are keeping it hostage.

We've had the means/tech to support publishers directly for years (I don't mean crypto). It's in the interest of companies like Google to keep users (and publishers, and brands) in the dark. And one of the issues here is that they have so much impact on the discourse. There are only few places, where I saw more people using ad blockers than the adtech businesses I worked with or at.

> Nobody wants to pay for a browser

True, but I don't think people would have an issue with paying for browsers if they understood the value of it. At this stage, I think the only solution would involve:

1) education 2) regulation/better legislation

bad_user
1 replies
3h37m

> As someone who worked both on advertiser and publisher sides (incl. content monetisation): advertisers like to say that they support publishers and the open web, but in fact, they are keeping it hostage.

I know what you're saying, I agree, as I worked (in the past) on advertising platforms as well, but both of those statements can be true at the same time.

The open web was built on advertising, but the perverse incentives in advertising are also poisoning the open web.

I don't think we've ever had a good solution. People like free stuff, and also, micro-transactions are not possible given the huge banking fees. What we're seeing, the alternative, are subscription-based services behind closed gardens, and mobile apps whose ads can no longer be blocked, so here we are.

I also think that Google isn't the greater evil, because Google has an incentive to keep the web going. For instance, what happens with local newspapers, when they die, besides depriving ad networks of revenue, is that the audience of these newspapers moves to walled gardens like Facebook. The failure of advertising on the web right now results in more centralisation.

hn_version_0023
0 replies
2h46m

> micro-transactions are not possible given the huge banking fees.

We can change this via legislation. The “financialization” of everything feels related to the adtech conundrum.

Bringing banks to heel for the good of society is long overdue IMO.

greenchair
0 replies
45m

When I was a kid you could buy a browser in an electronics store :)

Y_Y
1 replies
3h40m

> Mozilla found itself in a situation of damned if they do, damned if they don't. People scream at them for depending on Google, and then they scream at them for trying to diversify their revenue.

People didn't like Pocket as a product. It wasn't as if they just didn't like it because Firefox wanted to make money out of it.

Sure they should diversify, but with something that isn't otherwise (so) objectionable. Like their VPN, or sponsorship, or just let go of all the upper management.

krzyk
0 replies
55m

What people? Do you have source for that?

Anecdotal one: I liked it.

autoexec
0 replies
1h35m

> Fun fact: by subscribing to Pocket, you're directly contributing to Firefox's development.

That's not true. It isn't directly supporting anything except surveillance capitalism. Allowing yourself to be exploited in that way may indirectly support Firefox, but it's not the same thing as direct support.

Firefox users have literally begged Mozilla to let them actually directly support Firefox's development in the form of donations explicitly for that purpose alone, but Mozilla has always refused to allow it.

> Mozilla found itself in a situation of damned if they do, damned if they don't. People scream at them for depending on Google, and then they scream at them for trying to diversify their revenue.

People scream at them when they involve themselves in surveillance capitalism so yeah, spending a ton of money that could have gone into firefox development to instead buy an ad company so they can start spying on us while we use the internet isn't helping.

> Nobody wants to pay for a browser, browsers are essentially incredibly complex nowadays, and I have yet to hear how in the world are browsers supposed to get funding.

Are web browsers more "incredibly complex" than linux? I don't understand how people assume that web browsers are impossible to develop without selling users to the marketing industry while somehow linux and countless other open source projects have never once needed to do that.

Mozilla could at the very least try letting users pay for firefox development like users have been asking them to before they jump to selling firefox users out to the ad industry.

> And of course they want to cater to advertisers because it is advertising that maintains the open web

Advertising doesn't maintain the open web, it poisons it.

> And the open web is also dying, because people have been moving to mobile apps,

That's because many people don't even own computers anymore. Even where computers haven't been entirely replaced by devices that are designed for data collection and mindless content consumption, the cell phone is the computer that people have with them at all times. The dire situation around computing in general wouldn't be so bleak if we could get some decent and affordable mobile devices that weren't designed to spy on us, but I guess you might see it as that spying being what maintains the computer industry.

ineptech
5 replies
3h12m

> Mozilla is an ad-tech company too now.

I'm sorry, this seems egregious. I agree that it should've been off by default but I challenge anyone to read how the implementation works (not just the blog post and the FUD responses to it) before calling it a giveaway to the ad industry: https://github.com/mozilla/explainers/tree/main/ppa-experime...

FF is currently a key tool in the fight to avoid a Google-top-to-bottom future, and before we start the meme that it's gone to shit we should be really really sure that's actually true.

axolotlgod
1 replies
3h2m

It really is disheartening to see so many technically-inclined people berate the one browser that is preventing Apple/Google hegemony. The expectations set upon Mozilla and Firefox are so unrealistic it's laughable.

Firefox is rock solid, open-source, backed by a great organization (which has recently reinvested additional resources in it) and a joy to use imo. Also, the levels of vitriol that even the slightest bit of anonymous telemetry incurs is unhelpful and I encourage people who hold that viewpoint to really interrogate it.

codedokode
0 replies
1h11m

While Firefox is great, they should not sell their userbase to Facebook with such proposals. If ad companies want to know about ad effectiveness, they must pay the users for collecting the data, not collect it for free without asking the user.

autoexec
1 replies
1h58m

Ultimately, the problem is that entire premise is deeply offensive. I do not want my browsing history being monitored, collected, sent to third parties, and sold to marketers in any form period. I do not want a browser using my data in any way to support surveillance capitalism.

The implementation is just FLoC/Topics API all over again and it's still not compelling. The first kick in the teeth comes right at the start where the entire thing is predicated on data gathered from having an ad shoved in your face.

> At impression time, information about an advertisement is saved by the browser in a write-only store. This includes an identifier for the ad and whether this was an ad view or an ad click.

I do not want ads. Ever. Like many (likely most) firefox users, I go to some lengths to prevent them from showing up in any form. Now that firefox is going to be profiting directly off of firefox users seeing and clicking on ads they will certainly degrade our ability to prevent them.

It then involves sending my data to third parties so that it can be aggregated. Then my browsing has to be monitored to identify conversion events. None of this is acceptable.

Here's what their Cookie Monster paper says:

> User perspective. Ann browses various publisher sites that provide content she is interested in, such as nytimes.com and facebook.com. Ann does not mind seeing relevant advertising, understanding that it funds the free content she enjoys.

I am not Ann. I very much mind seeing advertising, relevant or not. I do not understand that it funds "free content" I enjoy. If I need to be exploited to pay for something, that thing isn't "free" and if it's infested with ads I do not enjoy it. The entire thing is based on a fantasy where users find this acceptable. We don't and it isn't. If we did, we'd probably all just be using chrome.

> FF is currently a key tool in the fight to avoid a Google-top-to-bottom future

Why should we care if Firefox isn't Google if both are just going to exploit us?

ineptech
0 replies
45m

You're preaching to the choir, but even preaching needs to be truthful and I don't think calling Mozilla ad-tech or suggesting that it's just as bad as Google is remotely true. This is where "the perfect is the enemy of the good" comes from.

I mean, what do we have now? Google and a bunch of middle-man ad techs are hoovering up everything they can get, including a crap-ton of stuff that browsers can't affect at all, and wink-wink-promising that they anonymize some of it in some cases even though no one can verify that. A world in which the subset of that data that passes through a browser has been provably anonymized would seem to be strictly better, even if you still don't like it.

codedokode
0 replies
1h14m

It is ridiculous. Why do browser developers cooperate with ad companies? They were supposed to protect us from them.

It gives no benefits to end users. Ad companies will not stop using old methods, they will just add one more method.

I hope responsible Linux distributions will patch this out and disable by default.

A fair model would be if this feature was opt-in and if Mozilla paid to the users who enabled it.

> The purpose of this API is to provide a privacy-first design for advertising companies to be able to measure how advertising drives conversions. That is, answering the question of whether advertising effectively achieves its goals, such as increased sales.

Not my problem. I don't earn anything from their sales.

kilolima
0 replies
12h34m

I just switched to Libre Wolf, seems like a pretty good Firefox replacement but without the malware.

cyanydeez
0 replies
4h31m

Power balance is how relationships always evolve. Browsers are basically politicians at this point and they are easily swayed by the power of the dollar and have varying degrees of requirements to side with the users.

Google, of course, has rammed chrome into its primary place.

crooked-v
0 replies
2h19m

Safari does a decent job of that, especially with Apple pushing an increasing number of privacy features by default. Of course, that comes with it being as a feature of an expensive hardware ecosystem, rather than an independent product.

lcnPylGDnU4H9OF
18 replies
21h35m

> Every new web API should guarantee that it doesn't provide more fingerprinting data or hides the data behind a permission.

FWIW, it's practically impossible to provide that guarantee because the API necessarily provides at least the data point of, "Did they select an option in the permission notification?" ("If yes, what option was selected?" etc.)

It's often said that the only solution to this is regulation and there seems to be a good case for that perspective.

SpaghettiCthulu
12 replies
20h49m

> FWIW, it's practically impossible to provide that guarantee because the API necessarily provides at least the data point of, "Did they select an option in the permission notification?" ("If yes, what option was selected?" etc.)

Wrong. The status of permissions should not be visible to the page in most cases. Instead, fake data should be returned from them. That would be practical.

paulryanrogers
10 replies
20h5m

I've heard that fake data, like from AdNauseam, just becomes noise as the advertisers know the patterns to filter them out.

Assuming that's true, it seems to waste everyone's time and bits to fake it instead of just not answering or a minimal denial.

autoexec
9 replies
19h17m

> I've heard that fake data, like from AdNauseam, just becomes noise as the advertisers know the patterns to filter them out.

It's actually much worse. That fake data is dangerous because data brokers don't really care how accurate their data is. Even the fake data AdNauseam stuffs into your dossier will be used against you eventually, just like the real data will be. If you get turned down for a job, or your health insurance rates go up, or you have to pay more for something than you would have otherwise, you won't even be told that it was because of data someone collected/sold/bought. You sure won't be told if it was fake or real data and you won't be given any opportunity to correct it.

greiskul
8 replies
18h8m

> If you get turned down for a job, or your health insurance rates go up, or you have to pay more for something than you would have otherwise

It must suck to live in a capitalist dystopia. Dunno why Americans put up with it.

adastra22
3 replies
16h6m

We don’t. Individualized health insurance rates like that are illegal.

autoexec
2 replies
15h52m

We do.

Insurers contend that they use the information to spot health issues in their clients — and flag them so they get services they need. And companies like LexisNexis say the data shouldn't be used to set prices. But as a research scientist from one company told me: "I can't say it hasn't happened." source: https://www.propublica.org/article/health-insurers-are-vacuu...

See also:

Is it legal? As explained by William McGeveran, University of Minnesota professor of law, and Craig Konnoth, University of Colorado associate professor of law, it is — largely because federal law hasn’t kept pace with the modern, technological world in which we live. source: https://www.chicagotribune.com/2018/08/29/help-squad-health-...

Another important takeaway from that second article is that none of your "protected" HIPAA data is prevented from being sold as long as it's "anonymized" which is a total joke since it's often trivial to re-identify anonymized data. It's about as secure as requiring companies to ROT13 your data before they sell it. It will be used to identify and target you individually.

jgraettinger1
1 replies
13h46m

which is a total joke since it's often trivial to re-identify anonymized data

HIPAA doesn't say ROT13 or anything else in particular counts as "anonymized". It's an after-the-fact assessment. If your "encrypted" data is accidentally released, and there's any reasonable suspicion inside or outside the company that it's crack-able, then it's a YOU problem and you need to notify a bajillion people by mail and per-state press release plus large fines.

I think you're being overly pessimistic on the strengths of US regulations on this with regard to preventing deliberate malfeasance, and that most of the stupid we see in stories is really just by accident or individual actors.

autoexec
0 replies
12h54m

HIPAA doesn't say ROT13 or anything else in particular counts as "anonymized".

ROT13 was only an example of a step that makes data look "protected" in some way when it really isn't, just like the ineffective means used to anonymize data makes it look safe to sell that data when it really isn't.

There is a lot of research showing how easy it can be to identify an individual using data that has been anonymized. (https://www.technologyreview.com/2019/07/23/134090/youre-ver...)

HIPAA does provide a standard and guidelines for what they call the "de-identification of protected health information" (https://www.hhs.gov/hipaa/for-professionals/special-topics/d...) and it includes, for example, a list of specific identifying information that must be removed from the records before they can be sold or otherwise passed around in order to get safe harbor protections. It also includes an option where an "expert" ("There is no specific professional degree or certification program for designating who is an expert") can just say "Trust me bro, it's anonymized".

If somebody was able to buy their re-identified data from a broker and they could prove that was sold by a health provider bound by HIPAA, they would still have to prove that the provider who sold the data had "actual knowledge" that the broker would be able to re-identify the individual, where:

actual knowledge means clear and direct knowledge that the remaining information could be used, either alone or in combination with other information, to identify an individual who is a subject of the information.

Which all seems like it would be almost impossible to prove unless the provider left obvious identifying information in the data, or if a whistleblower came forward with records of direct communication between the seller and buyer where the buyer was reassured that the data being sold to them would later be able to be re-identified.

Awareness of the fact that we have mountains of research showing that individuals are easy to re-identify from anonymized data doesn't count as "actual knowledge":

Much has been written about the capabilities of researchers with certain analytic and quantitative capacities to combine information in particular ways to identify health information.32,33,34,35 A covered entity may be aware of studies about methods to identify remaining information or using de-identified information alone or in combination with other information to identify an individual. However, a covered entity’s mere knowledge of these studies and methods, by itself, does not mean it has “actual knowledge”

Which leaves us with healthcare providers who can use methods to "anonymize" data that have been proven to be vulnerable to re-identification, then freely sell that "anonymized" data to third parties with a nudge and a wink.

I'll admit to being pessimistic. We know that the strength of the regulations we have in the US has done little to slow down the buying and selling of our healthcare data.

We've also already seen a lot of very shady behavior by health care providers and companies such as tricking or coercing people into giving up their rights so that they don't even have to pretend to protect their data with anonymization before selling it. (see https://www.washingtonpost.com/technology/2022/06/13/health-... and https://www.washingtonpost.com/technology/2023/05/01/amazon-... and https://news.ycombinator.com/item?id=22177812 and https://www.12onyourside.com/story/23852025/on-your-side-ale...)

chrisweekly
1 replies
15h43m

Where do you live, that sucks less?

justinclift
0 replies
10h41m

Australia seems significantly better in most quality of life metrics. Many EU countries as well.

The UK doesn't seem so good any more from recent reports though. :(

zx8080
0 replies
17h36m

It's the democracy. The big capital one.

/s

digging
0 replies
3h12m

Dunno why Americans put up with it.

Have you seen the guns that enforce it?

autoexec
0 replies
19h14m

It's always better to give no data (aside from leaving them with "we couldn't collect that data") than it is to give fake data because that fake data will be used against you just as often as real data would. Don't hand companies extra ammo to use against you, or think that you're safe just because they've written an incorrect assumption about you on the bullet. You're still going to be taking the hit.

XlA5vEKsMISoIln
2 replies
21h19m

API necessarily provides at least the data point of, "Did they select an option in the permission notification?"

If a bird app (or, heck, pancake recipe site) asked for WebRTC or GPU access I would be rightfully suspicious. It's a shame these things don't happen.

chgs
1 replies
6h47m

They do ask for location data, and it tends to mostly work - sites like openstreetmap will ask for it when you press the right button for example, which makes sense.

There is a risk that it ends up like cookie banners, and the adtech industry manages to brainwash the world into thinking that the government is the bad guy and they just want some harmless data to share with their 1,345 best friends and they are “forced” to show these. Despite there being no requirement at all to track data, and they break the law with it anyway so why bother.

USiBqidmOOkAqRb
0 replies
5h37m

This is a poorly explored avenue. I think a lot of these more advanced APIs ought to be permitted to "installed" PWAs. Maybe it could even look like permissions menu for apps in phone OSes.

I was a bit dismayed when mozillians in the bugtracker dismissed the idea of requiring consent to initialize WebRTC. F'k it, scan the local network.

thescriptkiddie
0 replies
20h45m

One solution to this is to have the option to feed the application fake but plausible data. Android (or maybe some Android fork I was using) used to have this option for dealing with apps that insist on asking for location permission for no reason.

codedokode
0 replies
1h5m

FWIW, it's practically impossible to provide that guarantee because the API necessarily provides at least the data point of, "Did they select an option in the permission notification?" ("If yes, what option was selected?" etc.)

If 99% of users will have permission disabled then it has little value, and only those who enabled it can be tracked. I don't give permissions to sites so this will not apply to me.

Also, the status of permission (1 bit) provides less information than API it protects (for example, list of installed fonts or GPU name) so it is a win.

nine_k
7 replies
20h15m

BTW I don't understand the anti-tracking absolutism. I don't care about being profiled as long as the profile lands me in a group of thousands of people like me. Yes, I live in ${CITY}, identify as ${GENDER}, am approximately ${AGE_RANGE} years old, run ${BROWSER} under set to ${LOCALE}. This does not allow to easily harm me. If it allows ad networks to target their ads, so be it, uBlock Origin still works well.

But anything more precise would be uncomfortable.

mbb70
5 replies
20h7m

How do you feel about ${INCOME}, ${SEXUAL_PREFERENCE}, ${RACE}, ${WEIGHT}, ${RELIGION}? Those categories are at least as broad as the ones you mentioned and are absolutely profiled.

nine_k
4 replies
19h54m

Fine enough, if the ranges for each value are wide enough. Compare:

- $120-140k, hetero, white, 190-220 lb, broadly Christian.

- $137,500/y, prefers tall redhead females, Irishman originally from Cork, 197 lb, observant Catholic.

The first one is too unspecific, while the second could suffice to identify a particular person in a neighborhood.

What makes a butter knife safe is not that it's completely devoid of an edge, but that its edge is sufficiently blunt.
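
An added example, not part of the thread: the coarse-versus-precise comparison above, and codedokode's earlier point that a 1-bit permission status leaks less than the API it guards, can both be measured as anonymity-set size and bits of identifying information. The population, town names, value ranges and the 1% opt-in rate are constructed assumptions.

```python
"""Anonymity-set size for coarse vs. precise profiles (all data constructed)."""
import math
import random
from collections import Counter

# Constructed lookup: generalizes a precise hometown to a broad region.
TOWN_TO_REGION = {
    "Cork": "Ireland", "Galway": "Ireland", "Limerick": "Ireland", "Dublin": "Ireland",
    "Leeds": "UK", "Bristol": "UK", "Cardiff": "UK", "Glasgow": "UK",
}


def make_population(n=5000, seed=1):
    """Build a reproducible synthetic population of n records."""
    rng = random.Random(seed)
    towns = sorted(TOWN_TO_REGION)
    return [
        {
            "income": rng.randrange(60_000, 180_000),  # exact dollars per year
            "weight_lb": rng.randrange(130, 250),      # exact pounds
            "hometown": rng.choice(towns),
        }
        for _ in range(n)
    ]


def precise(rec):
    """Profile as a tracker with exact values would store it."""
    return (rec["income"], rec["weight_lb"], rec["hometown"])


def coarse(rec):
    """Same record generalized into wide bands, as in the first profile above."""
    income_band = rec["income"] // 20_000 * 20_000           # 137500 -> 120000 ($120-140k)
    weight_band = (rec["weight_lb"] - 10) // 30 * 30 + 10    # 197 -> 190 (190-220 lb)
    return (income_band, weight_band, TOWN_TO_REGION[rec["hometown"]])


def anonymity_report(population, profile):
    """Group records by profile and report how well each person hides in a crowd."""
    classes = Counter(profile(r) for r in population)
    n = len(population)
    sizes = [classes[profile(r)] for r in population]  # crowd size seen by each person
    return {
        "classes": len(classes),
        "k": min(classes.values()),                      # k-anonymity of the data set
        "unique_fraction": sum(1 for s in sizes if s == 1) / n,
        # Bits learned about a typical person: log2(population / crowd size).
        "median_bits": sorted(math.log2(n / s) for s in sizes)[n // 2],
    }


def entropy_bits(probabilities):
    """Shannon entropy of a discrete distribution, in bits."""
    return -sum(p * math.log2(p) for p in probabilities if p > 0)


if __name__ == "__main__":
    people = make_population()
    for name, profile in (("coarse", coarse), ("precise", precise)):
        print(name, anonymity_report(people, profile))
    # Permission status when 1% of users grant it (assumed rate): well under 1 bit.
    print("permission bit:", round(entropy_bits([0.01, 0.99]), 4), "bits")
```

Generalizing can only merge groups, so the coarse profile never has a smaller k than the precise one; the open question for any real data set is whether the bands are wide enough once several coarse attributes are combined.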

throwaway937474
3 replies
18h27m

Now substitute the first one for "gay", and you might get a death sentence in several parts of the world. Why does almost nobody on this site think about the wider world besides their own extremely privileged position?

I would very much prefer for advertisers to not even be able to determine my city, for personal safety. Throwaway account for obvious reasons.

nine_k
2 replies
16h36m

This is very true. Usually the discussion goes about tracking by commercial entities in rich Westernized countries, which, by no coincidence, are the principal market of the ad industry. (Yes, China exists and is a huge market, but commercial tracking is a minor problem here, compared to other forms of surveillance.)

If you belong to such a category that the mere belonging to it is a death sentence, if revealed, the situation is vastly different. You have to act more like a secret agent or a spy. This means constant, pervasive, fastidious opsec. Any death-sentence-invoking activities should be strictly separated from the normal civil life. Only use the normal browser to visit commerce, official news, and government web sites. Everything that is not openly pious and loyal should belong to ephemeral VMs with a fresh browser install every time (preferably several different), VPNs that are indistinguishable from legitimate web traffic, like XRay, truecrypt-protected media with some plausible deniability data, etc. It all takes quite some technical chops, but is not sufficient. Many other small details, related to technology or not, have to be carefully, well, sanitized, and any small slip can out you.

Such undercover life, while possible, is very tiring, takes a lot of extra time and energy, and noticing this also may mark you as suspicious.

Another browser API that may slightly help track you is a minor problem on this background, unless it pierces any of your layers of protection.

mindslight
1 replies
2h58m

Government and commercial surveillance are intrinsically linked and framing them as some dichotomy is essentially just a coping mechanism. It's quite plausible that someone in a category that is openly accepted in the western world ends up traveling to a country where that category has been criminalized, and then ends up in the sights of the authorities based off surveillance records/analysis bought from consumer surveillance companies in the western world.

nine_k
0 replies
2h21m

Fair enough. The difference is mostly how much the government limits commercial surveillance (eg in EU) or integrates / buys it as part of its own surveillance (not only China or Russia, but also many Western countries to a limited extent).

JohnFen
0 replies
16h5m

That's a reasonable stance to take, certainly. I also think it's reasonable for others to be even more sensitive about it. I'm an anti-tracking absolutist because I am angered by the strong-arming, the deception, and the hacking around defenses against it.

The tracking is a constant assault, and I'm no longer willing to put up any of it, even if the data being tracked is relatively minor. Screw the bastards, they've burned one too many bridges.

threeseed
1 replies
18h51m

Have been using Firefox for a long time

It allows long lived first party cookies so isn't that much better.

Only Safari clears them after 7 days to prevent tracking.

Terr_
0 replies
18h43m

As far as I can tell from some quick searching around, that limit only applies to cookies set through JavaScript code, as opposed to through server headers.

I assume it's because of situations where websites include JavaScript from a third party, and then that JS uses first party cookies as a state-keeping workaround while synchronizing tracking information in some other way.

noirscape
0 replies
21h19m

https://news.ycombinator.com/item?id=40966312 - 20 days ago.

In light of that acquisition, this also seems related. Firefox is the best choice but Mozilla is the biggest reason why people aren't using it and shit like this doesn't help.

morjom
1 replies
12h15m

Firefox doesn't have ECH support (at least not turned on by default)

https://privacytests.org/

(Scroll down to Misc tests)

codedokode
0 replies
28m

I observed Firefox sending ECH extension in ClientHello, maybe I just enabled it in the settings, so Firefox supports ECH (on by default since version 119). However, virtually no servers support ECH now. Not Google, not Hackernews, not Cloudflare etc.

This seems to be a not very good comparison, and it looks like it cherry-picks points convenient for a certain browser and ignores others. Look at "fingerprint protection", for example, and see that it does not include features that provide most fingerprinting data:

- preventing reading GPU name via WebGL debugging extension (does Brave block this?)

- preventing reading back canvas data which is used to fingerprint browser and OS code responsible for rendering graphics and text

- enumerating audio devices

And if you read the issues in Brave GitHub [1], then you'll notice that Brave developers refuse to block features providing important fingerprinting information under "compatibility" reasons (including GPU vendor and model), although these features could be made blocked only in high security mode.

So regarding fingerprinting, the comparison you refer to is pretty much worthless: it doesn't mention many important fingerprinting APIs.

[1] https://github.com/brave/brave-browser/issues/35646

netdevnet
0 replies
10h9m

tbh, many of the main browsers have marketing companies as their main customers

factormeta
0 replies
20h3m

It would be great if browsers made fingerprinting more difficult, i.e.: not allowed to read canvas data, not allowed to read GPU name, enumerate audio cards, probe for installed extensions etc. Every new web API should guarantee that it doesn't provide more fingerprinting data or hides the data behind a permission.

This should be browser makers' #1 focus! Preventing fingerprinting of user's browser.

Seems all this cookies talk in the news and for policy makers is just limited hangouts.

TacticalCoder
0 replies
7h4m

Have been using Firefox for a long time, no issues, though long ago when I had little memory, Chrome was using less of it.

I'd say the only area where I still see Chrome leading a bit is for web development: when I run super-heavy JavaScript in dev mode, Chrome is faster than Firefox at executing all the JavaScript nonsense. Seen that there's no ecosystem with more turds, bloatedness and slowness than that horror that JavaScript-the-piece-of-crap is, having a browser a bit quicker at running JavaScript helps.

Long story short: for Web development, I use Chromium (it ships with Debian). For the rest I use Firefox.

Firefox also has HTTPS-only mode...

In doubt port 80 is blocked by the firewall too.

encrypted DNS without fallbacks,

And Firefox has a relatively easy "corporate" setting too where you can force also DNS "in the clear" over port 53 UDP (well, it's 99.9999% of the time going to be UDP so you can even firewall port 53 TCP and things shall keep working: believe me I know: theory vs practice and all that)

It's convenient if you run your own DNS resolver (which, itself, can then be forced to only use encrypted DNS).

supports SOCKS

I confirm: a SOCKS5 proxy over ssh is always sweet.

Firefox just works.

MisterTea
0 replies
3h33m

Regarding analytics, I believe browsers should take user's side and do not cooperate with marketing companies; even better, they should implement measures to make user tracking and fingerprinting more difficult.

Kinda hard to enact when the leading browser is developed by an ad company. Worse, the same company is contributing to the firefox foundation and drives web "standards." It's all collusion and the simple fact that browsers are more complex than the OS they run on is deliberate in ensuring no scrappy team can disrupt them.

My curmudgeonly solution is to avoid as much of the web as possible and focus on human scale computing.

cabbageicefruit
74 replies
1d1h

Damn. If there was ever any doubt about why you should get off chrome, this seems to put an end to that.

JonChesterfield
47 replies
1d1h

Shed a tear for the Firefox that could have been

rectang
18 replies
23h29m

Firefox is still working great for me, and I intend to keep using it for the foreseeable future.

I don't know what it might take for people to migrate away from Chrome en masse, but the alternative is there.

nicce
9 replies
22h33m

Mozilla is slowly turning to ad company too. Let's see what future brings us.

devrand
5 replies
21h59m

And the recent antitrust ruling against Google might see Mozilla lose like 80% of their revenue...

tristan957
2 replies
8h6m

Lunduke is a known right wing propagandist. Engaging with any of his content is a waste of time.

squarefoot
0 replies
7h29m

Thanks for the information. I'm the last person who would spread right wing stuff, the link came from a search, however in this case the problem about the overpaid Mozilla CEO and developers being sacked is real and well known outside politically involved sites.

chgs
0 replies
6h37m

There’s a massive overlap between right wing activists and anti-Firefox commentators

pndy
0 replies
20h47m

Mozilla has a range of different priorities now and most of these do not revolve around the flagship project which Firefox should be.

---

I remember reading news in 2005 saying that Mozilla has established its Corporation subsidiary - and I had a bad feeling about it at that time. And years later we can see the effects - what's the revenue, how browsers market share looks like. Now, every time I'm reading that project, foundation xyz is creating "for profit" branch, subsidiary I know that this most likely won't end well. Profits will go over users needs, wishes each time and those at the project will change as well. It's like a magic wand appears and turns open-minded contributors into some mindless corporate drones with an arrogant attitude.

I want to still like Firefox but in last 14 years Mozilla managed to seriously deteriorate trust in its capabilities of handling their main product. And I also cannot fathom how they managed to screw up promotion of the browser and let Google dominate the market. That didn't happen overnight but Google at some point started to bundle their browser as "additional offer" in almost every software installer for Windows, while Mozilla did nothing similar.

delfinom
1 replies
22h14m

I mean...they have to fund operations somehow. There's no money in pure open source in today's society.

kevwil
7 replies
22h13m

Firefox is usually great for me, but with Chromium-based browsers having such a massive market share monopoly I do occasionally find a website that doesn't work properly on Firefox. But, I will stick with Firefox as long as possible.

raybb
6 replies
21h25m

Do you have any recent examples? It's more often I see websites that claim they don't work with firefox but actually do if you change your user agent.

paulryanrogers
2 replies
20h2m

YouTube, FreshDesk, Google TV (sharing from Firefox)

shiroiushi
1 replies
15h31m

Huh? I use YouTube all the time on Firefox and it's fine. Better than fine, really, thanks to the YouTube improvement extension I have loaded. Never heard of the other two though.

71bw
0 replies
9h37m

Google is essentially using A/B testing methods to slow it down for one group of FF users while keeping it absolutely fine for another. Funnily enough, I've been placed in this 'slowdown' group even though I am a Premium subscriber ever since it launched (post-Red renaming) and another channel on the same Google account has 0 issues in the same browser on the same PC etc.

fendy3002
1 replies
13h19m

I cannot open message in LinkedIn with Firefox linux. Haven't pinpointed the error cause though

chgs
0 replies
6h39m

I have no problem with anything on LinkedIn with Firefox/linux.

I have one internal corporate site which won’t work with Firefox for some reason, but never had any problems elsewhere.

EasyMark
0 replies
20h4m

Yeah I keep hearing this but it never pans out, seems like in my experience a lot of people don’t know they might have to turn off an extension or two (ublock, built-in trackers, etc) to get a website to work.

JohnFen
13 replies
23h14m

I certainly do. That said, I struggle to find another browser that's any better and most are worse. So I accept Firefox as the lesser evil.

Filligree
6 replies
22h48m

Safari. That's the only browser I really use.

JohnFen
3 replies
22h25m

That's not an option unless you're an Apple user, though.

reaperducer
2 replies
22h19m

I can't say what it's like on Linux or Windows, but the Duck browser is pretty good. It's my second choice.

On Macs and iOS, and iPadOS, it's clunkier than Safari, but less clunky than Firefox.

Perhaps the Windows experience is similar.

heraldgeezer
0 replies
21h51m

Just use Firefox... No need for more Chromium forks.

Timwi
0 replies
21h29m

What does “clunky” even mean in this context?

kevwil
1 replies
21h45m

With the massive tide of browsers converting to Chromium under the hood, I wonder how long Apple can hold out. Fingers crossed they keep allocating budget for it.

shiroiushi
0 replies
14h12m

Apple can hold out indefinitely. If a website doesn't work on Apple devices, that's not Apple's fault, according to legions of Apple users. And they're kinda right: there really are a lot of them, and they do tend to spend more money than other users, so websites that somehow manage to stupidly not work on Safari (presumably by using Chrome-only functionality and never testing) are potentially losing a lot of users and business.

I'm not normally a fan of Apple at all, and I have no interest in using Safari myself, but here I am glad that they've so far refused to jump on the Chrome bandwagon: it's good for keeping the web standards-based so we don't have a repeat of the IE6 days.

FractalHQ
5 replies
22h33m

Brave browser is such an obvious win for me… chrome + privacy. None of the bugs and missing features that come with Safari or Firefox.

JohnFen
3 replies
22h26m

That's what I used for a year or so before switching back to Firefox. It's OK, but doesn't come as close to meeting my needs as Firefox does.

anderber
2 replies
22h4m

Curious about what needs you had that Brave didn't fill?

sundarurfriend
0 replies
20h10m

Not your parent commenter but I love Firefox more after discovering that you can't even customize the toolbar buttons in Brave. That's such a basic functionality that I'd taken for granted, until I tried to move out of Firefox for a brief time.

JohnFen
0 replies
16h16m

Lack of sufficient customization and lack of extensions I want. The customization is a big deal because I dislike the Chromium UI and want to be able to fix the worst of it. My dislike of the UI is also a source of grumbling from me about modern Firefox, which has picked up a lot of Chromium and which is also less customizable than it used to be, but I can still fix a lot.

I also want to be able to use the same browser at work as at home, and my workplace banned the use of Brave when it started including a VPN.

lolinder
0 replies
5h45m

The fact that it's Chrome is the problem with Brave. What you call "bugs and missing features" I call necessary diversity to avoid Google dominating the standardization process more than they already do.

heraldgeezer
3 replies
21h52m

Firefox Nightly just got official vertical tabs. It is also just as fast as Chrome now, subjectively just browsing around.

No issues with Google services like Youtube (I'm an addict)

I keep Chrome installed just in case, and Edge due to being on Windows.

pbhjpbhj
2 replies
10h23m

Firefox already has "vertical tabs" * from the Tree Style Tabs addon. Why not just support that?

* side tabs, I would say, the tab is a horizontal extension of the page, so they're horizontal tabs, right?

heraldgeezer
0 replies
9h6m

Vertical tabs addons have been a thing for years yes. But it is clunky and does not work as well as the native implementation.

Also the notion that Mozilla should "just support that"

lol

This is a thing the devs of Firefox should make and implement.

71bw
0 replies
9h34m

It's a very clunky solution that falls apart the moment you turn on whatever Incognito was named in Firefox.

EasyMark
3 replies
20h6m

Kind of wondering what you’re talking about here? Firefox still works great for me, did I miss something in the news? Is there some sort of big change coming down the pipeline?

lolinder
2 replies
5h42m

Not OP, but Firefox didn't have to lose nearly all its market share to Chrome. Mozilla could have course corrected and righted the ship, but instead they got distracted on dozens of unrelated and often controversial projects and ended up burning most of their credibility.

Mozilla is a husk of what it could have been, and that's hurt Firefox.

gjm11
1 replies
1h51m

What, specifically, should they have done differently that would have made Firefox not lose most of its market share to Chrome, and how do you know it would have worked?

lolinder
0 replies
22m

Keep Firefox in focus instead of losing sight of the browser and getting distracted on a million side projects, most of which had only a tangential relationship to the internet. Raise money to support the browser rather than to support politically divisive causes of the month.

I can't say for sure it would have worked, but I know that what Mozilla actually did do was actively counterproductive.

kevwil
1 replies
21h47m

I'm concerned that if Google ever stopped paying Mozilla to be the default search engine in Firefox, Mozilla would not be able to afford continued development on Firefox.

immibis
0 replies
14h39m

Mozilla barely funds Firefox as is. All of its money is spent on other things.

echelon
1 replies
23h1m

Forget Firefox as a fix. Call your legislators and explain this Google Chrome funny business to them.

johnmaguire
0 replies
22h6m

Why swim upstream?

dingdingdang
0 replies
5h54m

LibreWolf is my only installed edition of Firefox, similar to Brave in place of Chrome.

Aperocky
0 replies
4h54m

Firefox is working just fine for me, not sure why people seemed to think that it was a problem.

I think Mozilla is poorly managed and feature may have been slow or "lagging behind". But for me the lack of those shiny new things might as well be a feature than a bug.

pennybanks
23 replies
1d

right but at least google will tell you.

brave is a lot more shady and just won't say anything or let you opt out. many examples in the past. imagine if they were anywhere near a quarter of google's size it wouldn't be pretty imo.

bad_user
13 replies
22h23m

This is wrong.

All settings in Brave with an impact on user privacy are opt-in. They even inform you of their product metrics, when you first start it, despite having a paper on how they anonymize that data. Versus Firefox, which never bothered. Firefox, which also added metrics for ads, similar with Privacy Sandbox, without informing users.

I've never seen a browser with such a strong focus on privacy, the only contender it has being LibreWolf.

The hate against Brave on this forum is completely unjustified and based on falsehoods, as if the issue isn't about Brave itself.

johnmaguire
12 replies
22h2m

Brave has received negative press for diverting ad revenue from websites to itself,[30] collecting unsolicited donations for content creators without their consent,[43] suggesting affiliate links in the address bar[49] and installing a paid VPN service without the user's consent.[58]

These are the primary issues I hear about regarding Brave on this forum.

It's also founded by Brendan Eich who was forced out of Mozilla for his strong and vocal opposition of same-sex marriage. I tend to be a bit idealistic, but this is a strong reason for me to avoid Brave, especially when they are injecting content into pages.

bad_user
2 replies
14h6m

"collecting unsolicited donations for content creators without their consent"

Those "donations" were from handouts of BAT. What they "collected" was their own BAT that they've donated to users of Brave. And it wasn't long lived. At least they've been trying to create a business model that's privacy preserving and that benefits content creators. Firefox has been selling their users to Google for years.

"suggesting affiliate links in the address bar"

You mean like what Firefox also did?

"and installing a paid VPN service without the user's consent."

I've never seen a VPN service installed with Brave. Is this a Windows thing? If you're talking about the VPN functionality in Brave itself, isn't this what Firefox also did?

"It's also founded by Brendan Eich who was forced out of Mozilla for his strong and vocal opposition of same-sex marriage."

He never talked on the topic. And did you know that, at that time, both Obama and Hillary Clinton were also opposed to same-sex marriage? Times change, people's minds have changed. Whatever beliefs he still has, he keeps private, as he should.

But yes, this confirms my suspicion that this is a US-politics thing, and for non-US citizens, it's getting annoying. While we are on the topic, don't you find it problematic when Mozilla engages in political activism, promoting Marxism? Or when they promote cancel culture?

https://blog.mozilla.org/en/internet-culture/chris-smalls-ri...

https://blog.mozilla.org/en/mozilla/we-need-more-than-deplat...

For me, these were never reasons to avoid Firefox, but seeing that this is how the world works now, maybe they should be. And I'm sorry for pointing at Firefox right now, I used it for years, but I'm sensing a serious double standard. So let's talk of Chrome ... have you surveyed the political beliefs of Chrome's developers? Because it's the big, faceless corporations that benefit from this kind of polarisation the most.

johnmaguire
0 replies
4h52m

Most of your comment amounts to whataboutism. Many of the counter-examples you point out are also problematic!

> "suggesting affiliate links in the address bar"

You mean like what Firefox also did?

Firefox did experiment with "Sponsored" results in the URL bar but they did not rewrite URLs to include affiliate links, which is also harmful to privacy: https://www.reddit.com/r/ProtonMail/comments/gybv0e/brave_br...

I've never seen a VPN service installed with Brave. Is this a Windows thing? If you're talking about the VPN functionality in Brave itself, isn't this what Firefox also did?

Yes, this was a Windows thing: https://www.ghacks.net/2023/10/18/brave-is-installing-vpn-se...

Are you referring to the Mozilla VPN that is a separate download? https://www.mozilla.org/en-US/products/vpn/download/

For me, these were never reasons to avoid Firefox, but seeing that this is how the world works now, maybe they should be.

Yes, you are absolutely entitled to "vote with your money" (or free usage / market share, as the case may be.) Boycotts are an integral component of free speech and self-expression.

gjm11
0 replies
1h26m

when Mozilla engages in political activism, promoting Marxism?

The link you provide in support of this (https://blog.mozilla.org/en/internet-culture/chris-smalls-ri...) is an interview with Chris Smalls, a union organizer. It does not in any way promote Marxism.

(Smalls does at one point talk about "class struggle". He makes it explicit what he means: he thinks there is an opposition between "99.9% of us" and "the billionaires". This is not Marxism even though it uses one phrase that Marxists also use.)

Or when they promote cancel culture?

The link you provide in support of this (https://blog.mozilla.org/en/mozilla/we-need-more-than-deplat...) is to a blog post titled "We need more than deplatforming". It mentions deplatforming but doesn't advocate it (though it doesn't condemn it either), and the actual things it calls for are all Not Cancel Culture: "reveal who is paying for advertisements", "commit to meaningful transparency of platform algorithms", "turn on by default the tools to amplify factual voices over disinformation", "work ... to facilitate in-depth studies of the platforms' impact on people and our societies".

You might reasonably disagree with those proposals; for instance, the next-to-last one could be anywhere from "excellent" to "dystopian" depending on what exactly "amplify X over Y" means and how "factual" versus "disinformation" is decided. But none of it is advocating cancel culture.

As for the "deplatforming" in the title: the specific case it's talking about is the idea that a social media platform should ban a particular user who had for some time plainly been breaking the platform's rules, and who (according to some) had used the platform to attempt to organize an antidemocratic coup. "Social media platforms should be encouraged to ban users who blatantly break their rules, even when those users bring them a lot of traffic" and "Social media platforms should not let themselves be tools for antidemocratic insurrection" are positions one can take without being a fan of "cancel culture".

(Not necessarily correct positions. E.g., if you hold that the insurrection in question was not antidemocratic, that it was a response to blatant election-rigging, then you will likely take a quite different view of how a social media platform should respond to it. I don't myself think that's a credible position, and I doubt the good faith of most of the high-profile people who endorse it, but I know it is something many people believe. Anyway, my point isn't that those positions are right, it's that they're positions many reasonable people take, and that getting from those to "Twitter was right to kick Donald Trump off" doesn't require any sort of endorsement of "cancel culture", and that therefore the fact that an article mentions the possibility of doing that in a not-obviously-disapproving way does not amount to "promoting cancel culture".)

ToValueFunfetti
2 replies
20h51m

Not that it makes him any less opposed to same-sex marriage, but I think 'vocal' is very much not the right word here. The only quotes I can find from him on the subject are him saying he's not going to talk about it.

asadotzler
1 replies
18h32m

"Unrepentant financial supporter of opposition to same-sex marriage" is a more accurate description.

pbhjpbhj
0 replies
10h11m

Basically, we got played, Eich made a private political action, someone used that to get rid of him and then Firefox started paying 10x as much to their CEO, doing all sorts of anti-user stuff, acting in advertisers' favour (but not too overtly), and ultimately ditching their engineers so they could maintain the CEO's stupid pay. All while begging users for money.

FMecha
2 replies
20h11m

Also, BAT being a cryptocurrency already turns off people who aren't fans of crypto.

JohnFen
1 replies
16h11m

BAT was what kept me from trying Brave for a very long time, but I eventually tried it nonetheless (I'm back on Firefox now). In fairness to Brave, you can disable the BAT stuff and never have to see it.

bad_user
0 replies
13h50m

The BAT stuff is entirely opt-in, not opt-out.

willywanker
1 replies
11h27m

He was opposed to it as a private citizen, not as Mozilla CEO. His beliefs and supported causes as the former are nobody else's concern; had he been discriminating in terms of employment or otherwise making public statements it would be a different story. Or are we now witch hunting people for wrongthink?

johnmaguire
0 replies
4h54m

I don't think it's "witch hunting people for wrongthink" to suggest that those in a position of power are able to use that power to influence public opinion.

Especially when that position of power is the CEO of a browser that replaces content on web pages.

hnpolicestate
0 replies
20h36m

This goes both ways for people. I switched from Mozilla to Brave when the latter first released because to me Mozilla's political positions seem at odds with an uncensored and privacy focused browser. I actually support universal marriage equality but don't consider it relevant to why I would choose a browser.

I can't remember all of the details but Mozilla made a blog post regarding 1/6 and their commentary didn't align with a browser that would try and protect users from state, NGO and "just research" edu adversaries.

arktos_
4 replies
1d

the only two browsers, Chrome and Brave

malfist
2 replies
22h30m

That doesn't make a bit of sense. There's plenty of browsers, there's chrome, brave, firefox, opera, edge and safari, those are the big ones. There's also a ton of spinoffs like ice weasel or that browser Kagi is developing that I can't remember the name of.

Way more than just two chromium browsers in existence.

dialup_sounds
0 replies
18h39m

Vivaldi users: ::autistic screeching::

pennybanks
0 replies
23h33m

i mean there's really only 2 relevant ones and the other one is because it's owned by the most popular phone manufacturer and is the only option. ofc we can use anything we want but in terms of real world relevance. and i guess the other one is forced by the most popular OS.

notpushkin
1 replies
23h59m

Could you elaborate?

pennybanks
0 replies
23h38m

vpn incident for one and their refusal to change initially or admit any wrongdoing which i mean is the theme for every controversy they go through

smileson2
0 replies
11h14m

that's false, why do you think that?

Vinnl
0 replies
22h53m

I wouldn't count the Privacy Sandbox doublespeak as "telling you". Brave is not my browser, but it seems completely unjustified to just put them on the same (or even lower) level as Chrome.

morkalork
1 replies
22h17m

Nah, borking adblockers was the bridge too far. This is just salt in the wound.

rachofsunshine
0 replies
21h6m

They can have my uMatrix Firefox when they pry it from my cold, dead app list!

knallfrosch
18 replies
23h34m

I don't care because I use Firefox.

immibis
17 replies
23h10m

Firefox will either support this or your favorite websites won't work so you'll switch to Chrome so they do work.

JohnFen
13 replies
22h20m

or your favorite websites won't work

If my favorite websites stop working with Firefox, they won't be my favorite websites anymore. I'll just stop using them instead.

reaperducer
12 replies
22h17m

I'll just stop using them instead.

Easily said, until it's your bank, or a government entity, or the electric company, or any of the thousands of other entities that have started blocking Firefox.

Firefox should really camouflage its user agent, or make it trivial to do so.

JohnFen
3 replies
22h11m

Easily said, until it's your bank, or a government entity, or the electric company

Still easily said, since I don't use the websites for any of those things anyway. If it's really important, or involves very sensitive personal information, I'm not doing it on the web.

or make it trivial to do so.

There are extensions that make this very trivial.

jjulius
1 replies
22h8m

This is my approach, as well. And if I absolutely had to use their web service? Well, keep the bank in my Chrome bookmarks bar, and only go there when I'm in Chrome. Head on back to Firefox when I'm done doing whatever it is that I needed to do.

chgs
0 replies
6h29m

It’s probably a good idea to have a separate browser for your bank anyway, on a separate user account, probably a separate VM.

shadowgovt
0 replies
1h25m

If it's really important, or involves very sensitive personal information, I'm not doing it on the web.

It's definitely a position you can take, but that's a very minority position among web users these days.

For the rest of us, "Just stop doing it on the web" would be a pretty substantial lifestyle change and, practically speaking, not worth it.

EasyMark
0 replies
19h59m

That’s likely just because they don’t bother to test at all in Firefox, not because they will ban you.

squidbeak
0 replies
8h26m

If Firefox changes its UA for these sites, their operators will see even less need to support the open standards it champions.

pornel
0 replies
19h58m

That's why Firefox needs a userbase too large to ignore.

If the overwhelming majority of users submits to Google, then Google has the power to erode privacy for everyone.

chgs
0 replies
6h31m

My bank and electric company don’t block Firefox, not sure why they would, but it’s not like there’s no competition.

My government certainly won’t do that, they have a strong open data background.

ThunderSizzle
0 replies
1h48m

I already need to camouflage my user agent because some websites broke on a Linux host running chromium or Firefox. Switching UA to windows fixed this.

I believe it was an analytic bug in Disney+, where they didn't expect Linux to be an acceptable OS.

Prickle
0 replies
18h45m

Internet banking is so ridiculously insecure, I always go do it myself in person.

Although, I rarely have to do anything with the bank that would require any online or offline process beyond using an ATM.

So no, that wouldn't really be a reason for me to stop using Firefox.

kstrauser
0 replies
23h4m

Unlikely. Love 'em or hate 'em, Apple nudged most organizations to handle third party cookie blocking unless they wanted to completely lose iPhone users.

"If Google limited 3rd party cookies, we'd go out of business!", said the companies who have literally 0 Safari users.

kevwil
0 replies
22h5m

Or start limiting Internet usage.

edent
0 replies
22h18m

I use FF on Android and Linux. I've restricted cookies and use an ad-blocker. I browse many popular (and unpopular) websites. I can't remember the last one which refused to work because I was on Firefox.

svieira
14 replies
1d2h

We conducted a user study with 30 Web users, recruited over social media, and presented them each with 20 pairs of websites. Website pairs were randomly selected from both the Related Website Sets list (i.e., sites Google designates as “related”, and so warranting reduced privacy protections), and the Tranco list of popular websites. Each user was presented with different pairs of websites, asked to view the sites, and then decide if they thought the two sites were operated by the same organization. This resulted in 430 determinations of whether unique pairs of websites were related.

In our study, the large majority of users (~73%) made at least one incorrect determination of whether two sites were related to each other, and almost half (~42%) of the determinations made during the study (i.e., all determinations from all users) were incorrect. Most concerning, of the cases where both sites were related (according to the RWS feature), users guessed that the sites were unrelated ~37% of the time, meaning that users would have thought Chrome was protecting them when it was not.

... We conclude from this that the premise underlying RWS is fundamentally incorrect; Web users are (understandably, predictably) not able to accurately determine whether two sites are owned by the same organization. And as a result, RWS is reintroducing exactly the kinds of privacy harms that third-party cookies cause.

Lest anyone judge the study participants for being uninformed, or not taking the study seriously, consider for yourself: which of the following pairs of sites are related?

1. hindustantimes.com and healthshots.com

2. vwo.com and wingify.com

3. economictimes.com and cricbuzz.com

4. indiatoday.in and timesofindia.com

(For the above quiz, if you chose “4”, then, unfortunately that is incorrect. That is in fact the only pair of the four that isn’t considered “related” to each other.)

nsagent
11 replies
1d1h

If anything it sounds like "related" is not what they are actually doing. Rather they are looking at ways to uniquely fingerprint users through optimizing how they split "related" sites.

Reminds me of the research that shows that 87% of people in the US can be uniquely identified with only three pieces of information: date of birth, gender, and zip code [1].

[1]: https://dataprivacylab.org/projects/identifiability/paper1.p...

dwighttk
6 replies
1d

That seems to be saying it is extremely likely that the only other person in my zip code that shares my birthdate is opposite gender

paulmd
3 replies
1d

statistically, 50% chance, innit?

dwighttk
2 replies
23h52m

OP seems to claim 13% same / 87% opposite

jsnell
1 replies
22h30m

I don't think you can make that conclusion.

I think you're making the assumption that all three data points are needed for all 87%. But obviously some people can be uniquely identified based on just {zip, date of birth}, such that gender isn't necessary.

So the distribution could e.g. be 8% same, 8% opposite, 5% both, 79% neither, and explain the original numbers without triggering the paradox.

dwighttk
0 replies
2h19m

Yeah I was off, but by their numbers

87% of the time, there are no others on my birthdate or there is one other and opposite gender.

13% of the time is 1 same gender or more of either or both.

alwa
0 replies
1d

Only 50% of the time, but that’s 50% better of a guess than you’d make without knowing gender.

ZIP codes contain maybe 40K residents [0] (many contain fewer) and there have been around 25K days in the last 70 years. Sure births are not evenly distributed, but still...

[0] https://www.unitedstateszipcodes.org/images/comparison-of-po...

aftbit
0 replies
1d

That sounds like a pitch for one of those "singles near you" apps. Find hot women in your area who share your birthdate!

Yawrehto
3 replies
23h59m

Really? That's odd. The typical zip code has a population of about ~9000. Dates of birth are about evenly distributed, so you'd still get about 24 people/birthday, or around 12 men or women per birthday per zip code. I might be off by a fair amount in either direction, but I don't think I'd be twelve times off.

snowwrestler
1 replies
23h57m

Dates of birth are not evenly distributed.

To clarify: your date of birth includes the year. It’s more specific than your birthday, which we usually think of as just day & month.

Terr_
0 replies
23h6m

Also, the difficulty of identifying someone probably looks like a power-law curve, meaning that most of the "total difficulty" is concentrated in a small group, the ~13% that can't be identified.

In other words, even if one person is extraordinarily tricky to find [0], their share of the total un-findable-ness does not diffuse outwards to help anybody else.

[0] http://tailsteak.com/archive.php?num=433

meindnoch
0 replies
22h5m

birthday != date of birth

tomschwiha
1 replies
1d1h

1) Shares the same company name in the About us

2 & 3) Same company name in the privacy declaration

4) timesofindia.com belongs to the 3) company

timesofindia.com also redirected me on tabbing out to a "you won a free Samsung phone". Shady.

tomschwiha
0 replies
1d

Tried also to ask ChatGPT (4o) and it got it right on first attempt.

thayne
13 replies
11h36m

This is a tough situation.

Yes, this can, and will, be abused for tracking users across domains that they don't expect to be related.

But there are also legitimate use cases for this.

For example, consider the stackexchange family of sites. They are clearly related, have a unified branding, etc. but are on separate domains. On Firefox, which blocks third party cookies, I have to log in to each of those domains separately. I can't log in to stackoverflow.com, then go to superuser.com and already be logged in. That is a problem that First party sets would solve.

You can argue that it would be better for those sites to be subdomains of a single unified domain, but when the sites were created there wasn't any compelling reason to need to do that, because third party cookies were still very much alive and kicking. And I can say from experience that migrating an app to a different domain without breaking things for users is a royal pain, and can be very expensive.

I'm not saying that First Party Sets should be accepted as is, but it is attempting to solve real problems. And I think a solution that simultaneously protects users' privacy and maintains a good experience for sites that are legitimately related will be difficult to find, or maybe impossible.

renonce
3 replies
9h22m

I can't log in to stackoverflow.com, then go to superuser.com and already be logged in.

I would expect a popup like “This site wants to share cookies with stackexchange.com, press Allow to sign in, press Reject to reject forever or press Ignore to decide later”. Takes a single click to enjoy the benefits of both worlds. The mechanism should make sure that every website has a single “first-party domain” shared across all subsites and that first-party domain must not share cookies with any other site than itself to minimize confusion.

thayne
1 replies
4h11m

And that would be annoying to people who aren't already logged in to a related site.

Also, there is no way to know which related site the user is logged in to, so they would have to prompt for every one of their sites.

renonce
0 replies
2h43m

Also, there is no way to know which related site the user is logged in to, so they would have to prompt for every one of their sites.

This is not how it works. The mechanism is about allowing a cluster of websites to choose a single first party domain and have all of them share cookies together, not sharing arbitrary cookies from arbitrary domains, otherwise it would create loopholes in connected components that bring back the downsides of third-party cookies. What you mentioned should be done using SSO.

After thinking about it a bit more, I have a clearer picture of how it should work in my mind:

* All cookies are double-keyed: the primary key is the origin of the top-level page and the secondary key is the origin of the page that sets the cookie, just like how partitioned cookies work right now.

* stackoverflow.com uses a header, meta tag or script to request changing its primary key domain to “stackexchange.com”

* The browser makes a request to https://stackexchange.com/domains.txt and makes sure that “stackoverflow.com” is in the list, authorising this first-party domain change

* When the user agrees to the change, the page is reloaded with stackexchange.com as the primary key, thus stackoverflow.com can obtain login details from stackexchange.com via CORS or cross site cookies.

* A side effect is that all cookies and state are lost when switching the first-party domain. Should stackoverflow.com be acquired by a new owner, say x.com and changes its first-party domain to x.com, all cookies on stackoverflow.com are lost and the user will have to login on x.com again, maybe using credentials from stackexchange.com. It’s unfortunate but it works around the issues mentioned in the post in a clean way, avoiding loopholes that transfer cookies by switching the first-party domain frequently.
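The mechanism proposed in the comment above, as an added sketch that is not part of the thread and not any browser's implementation. The class and function names, the one-domain-per-line `domains.txt` format, the in-memory fetch stub, and the handling of chained sets are assumptions; sites are plain domain strings rather than full origins.

```javascript
"use strict";

// Parse a domains.txt body: one domain per line, "#" starts a comment.
// The file format is an assumption; the proposal only says the file holds a list.
function parseDomainsTxt(body) {
  const members = new Set();
  for (const raw of String(body).split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, "").trim().toLowerCase();
    if (line) members.add(line);
  }
  return members;
}

class DoubleKeyedJar {
  // fetchDomainsTxt(domain) stands in for GET https://<domain>/domains.txt and
  // returns the body as a string, or null when the file is missing.
  constructor(fetchDomainsTxt) {
    this.fetchDomainsTxt = fetchDomainsTxt;
    this.cookies = new Map();   // "primary secondary" -> Map(name -> value)
    this.primaryOf = new Map(); // site -> approved first-party domain
    this.rejected = new Set();  // "site target" pairs the user rejected forever
  }

  // Primary key of a top-level site: its approved first-party domain, else itself.
  primaryKey(topLevelSite) {
    return this.primaryOf.get(topLevelSite) || topLevelSite;
  }

  set(topLevelSite, cookieSite, name, value) {
    const key = `${this.primaryKey(topLevelSite)} ${cookieSite}`;
    if (!this.cookies.has(key)) this.cookies.set(key, new Map());
    this.cookies.get(key).set(name, value);
  }

  get(topLevelSite, cookieSite, name) {
    const bucket = this.cookies.get(`${this.primaryKey(topLevelSite)} ${cookieSite}`);
    return bucket && bucket.has(name) ? bucket.get(name) : undefined;
  }

  // userDecision is "allow", "reject" or "ignore" (the three prompt buttons).
  requestFirstPartyChange(site, target, userDecision) {
    site = site.toLowerCase();
    target = target.toLowerCase();
    if (this.rejected.has(`${site} ${target}`)) return "rejected";
    // The first-party domain must be its own first party and the requesting
    // site must not already be one for others, so sets cannot be chained.
    const siteIsRoot = [...this.primaryOf.values()].includes(site);
    if (site === target || this.primaryOf.has(target) || siteIsRoot) {
      return "denied: target is not a root";
    }
    const body = this.fetchDomainsTxt(target);
    // Exact membership only: no suffix or substring matching.
    if (body === null || !parseDomainsTxt(body).has(site)) return "denied: not listed";
    if (userDecision === "reject") {
      this.rejected.add(`${site} ${target}`);
      return "rejected";
    }
    if (userDecision !== "allow") return "ignored";
    // Switching loses state: drop the site's own partition and any cookies it
    // set inside the first-party domain it is leaving.
    const oldPrimary = this.primaryKey(site);
    for (const key of [...this.cookies.keys()]) {
      const [primary, secondary] = key.split(" ");
      if (primary === site || (primary === oldPrimary && secondary === site)) {
        this.cookies.delete(key);
      }
    }
    this.primaryOf.set(site, target);
    return "granted";
  }
}

// Constructed sample files, keyed by the domain that would serve them.
const SAMPLE_FILES = new Map([
  ["stackexchange.com", "# members of this set\nstackoverflow.com\nsuperuser.com\n"],
]);
const sampleFetch = (domain) => (SAMPLE_FILES.has(domain) ? SAMPLE_FILES.get(domain) : null);

// Walk through the flow: partitioned before consent, shared after, old state gone.
function demo() {
  const jar = new DoubleKeyedJar(sampleFetch);
  jar.set("stackexchange.com", "stackexchange.com", "session", "abc");
  jar.set("stackoverflow.com", "stackoverflow.com", "theme", "dark");
  const before = jar.get("stackoverflow.com", "stackexchange.com", "session");
  const status = jar.requestFirstPartyChange("stackoverflow.com", "stackexchange.com", "allow");
  return {
    before,
    status,
    after: jar.get("stackoverflow.com", "stackexchange.com", "session"),
    oldTheme: jar.get("stackoverflow.com", "stackoverflow.com", "theme"),
  };
}
```
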

troupo
0 replies
8h40m

Instead you will get a "we and our 3789 partners value your privacy", and people will blame GDPR/whatever regulation for it.

muratsu
2 replies
10h58m

This reminds me how google conveniently made the switch to manifest v3 when there were legitimate use cases like adblockers. Sure, technically speaking v3 is more secure and that may be better for users but your comment just made me think the opposite is in motion here.

renegat0x0
1 replies
10h44m

In politics there is a Churchill quote "Never let a crisis go to waste".

In IT, big tech never wastes an opportunity to introduce a dark design behind a useful feature.

tyingq
0 replies
7h8m

Also see "Patriot Act".

IMTDb
1 replies
7h9m

You can argue that it would be better for those sites to be subdomains of a single unified domain, but when the sites were created there wasn't any compelling reason to need to do that

I can also argue that Safari and Firefox have been blocking third party cookies for years now. So stack overflow has had plenty of time to adapt and migrate to the "right" organisation.

To me it looks like either they care about allowing unified sign in on their various domains, and they should have migrated to a subdomain model a long time ago, because users of Firefox, Safari etc have been negatively impacted for a long time. Or they do not care that much (which is fine), but then chrome blocking third-party cookies and the discussion around first party sets should not concern them too much.

thayne
0 replies
3h28m

Or, they do care, but not enough to spend the significant resources and opportunity costs to do something about it for the minority of users who don't use chrome. Of particular note, changing domains can really hurt SEO.

lupusreal
0 replies
8h21m

On Firefox, which blocks third party cookies, I have to log in to each of those domains separately. I can't log in to stackoverflow.com, then go to superuser.com and already be logged in. That is a problem that First party sets would solve.

The cure is worse than the disease.

jonkoops
0 replies
10h49m

First Party Sets are legitimately terrifying to me, it gives a commercial party (Google) complete control over who is and isn't allowed to set cookies in a third-party context. It's Google using their absolutely dominating market share to force even more control.

hedora
0 replies
10h20m

Stack overflow was founded in 2008. Netscape added a block third party cookie button in 1997 (and the web has mostly worked fine with that feature turned on ever since).

fivre
0 replies
3h5m

OIDC seems like it can reasonably help in a fair number of these cases, maybe? it's iffy because (a) the major providers, are, well, Google and their ilk, (b) SSO solutions trend toward reducing user confusion at the cost of choice--im still out on whether the common "enter your email/account identifier so we can select which IDP we use" login flow is something of an anti-pattern or not

i generally like having the option for "sign in with github" as opposed to the all-encompassing "sign in with google" (ignoring that github is a microsoft account but not quite at this point)

smaller-scope IDPs for a particular field ("ey, you work on code stuff? you probably have either a github or gitlab account to log into our code-adjacent service" or "ey, you use stackoverflow? you can use that same login on superuser") is maybe a decent middle ground, where shared authentication is more explicit than third-party cookies were

tomComb
10 replies
1d1h

As if brave were a good or objective source for this topic.

neilv
8 replies
1d1h

Do you mean that Brave is a competitor, or something else?

TylerE
7 replies
23h16m

Both a competitor AND a history of operating in, to be polite, less than good faith.

nicce
4 replies
22h30m

As a competitor, let's add that they are ad company too.

bad_user
3 replies
4h13m

Name one browser that isn't funded by ads.

Even the minor browsers, pretending to not be funded by ads at this point (while the VC capital is drying up) depend on one of the 3 browser engines, all of which are funded by ads.

zimpenfish
1 replies
4h9m

Name one browser that isn't funded by ads.

Safari? Unless you're going to say that Apple gets the money for Safari through ads which, y'know, technically correct but disingenuous in this context, surely.

bad_user
0 replies
3h54m

Google is paying Apple 20 billion per year in their search deal, which is 40 times more than what Mozilla takes.

Safari is funded ENTIRELY by Google's ads, also making a profit, and this is a fact. We can entertain a counterfactual, maybe Safari would still be funded without Google funding it with billions, but that's not the world we live in today.

And given Apple's reluctance to advance the web, going against their other cash cows, it's disingenuous to suggest otherwise. I recommend reading this opinion: https://infrequently.org/2022/06/apple-is-not-defending-brow...

gkbrk
0 replies
2h5m

Ladybird is funded entirely through donations, and doesn't depend on one of the 3 browser engines.

hnben
1 replies
9h12m

less than good faith

Could you elaborate?

(I know next to nothing about Brave, so I may not be aware of obvious examples)

hapless
0 replies
1d

Obviously they have a commercial incentive to complain about Chrome, but that doesn't make their complaint untrue

acheron
9 replies
1d

Padme: So then Brave isn’t going to be based on Chrome anymore, right?

topspin
7 replies
1d

Brave is a Chromium derivative, not Chrome. Can't imagine why any of this would imply they would need to stop deriving Chromium: they can develop and deploy whatever cookie policies and defaults they want.

kevwil
3 replies
21h55m

Not to disagree with you specifically, but this seems a good context to make this point:

Maybe I missed the memo that we stopped hating monopolies? Every browser worth considering, except Firefox and Safari, is based on Chromium. Firefox and Safari make up about 20% global market share, meaning Chromium is about 80% [0]. A bug in Chromium is a bug in all of them. A backdoor in Chromium is a backdoor in all of them. A feature of Chromium, good or __bad__, is a feature in all of them. It baffles me that this isn't a bigger concern to more people.

[0] https://gs.statcounter.com/browser-market-share

bad_user
1 replies
3h27m

Because it doesn't matter that much, as Chromium is open source, not to mention it did a fine job thus far in advancing the open web.

I'd like Firefox to stick around, but as far as I'm concerned, if Safari goes away, I couldn't care less.

ThunderSizzle
0 replies
1h44m

Sure, it's open source, but it's controlled entirely by Google. No work has been done on Chromium that Google hasn't wanted done.

Said another way, Chromium can not be updated to risk Google's business or profit.

zamadatix
0 replies
19h41m

This is one of those situations where "monopoly" is a very overloaded word in terms of what it means to different people in different situations, causing confusion when it gets broken down into specifics.

Most people were never worried, and probably will never be worried, with the points you're listing there. That's not to say they've stopped hating browser monopolies, just maybe not your definition of what a browser monopoly is or why they're problematic.

In general (not just browsers) most people treat "popularity" and "monopoly" as completely orthogonal concepts. I.e. something unpopular can still be a monopoly, something with 99% usage can still not be a monopoly. There is typically just a tendency for extremely popular things to also happen to be a monopoly.

fabrice_d
1 replies
22h41m

At this point they likely have no choice but to keep building on a chromium base. However the cost of maintaining their changes and additions will likely increase.

topspin
0 replies
22h21m

I suppose. That is a matter of business model, whereas I was addressing purely technical aspects.

I've been using Brave as primary for years. At this point I'd pay for a license if it were necessary. Frankly that would be an improvement: if it's free, you're the product. Brave just monetizes you differently.

I no longer argue with the legion of Brave haters. I've decided they're a benefit: the more people that don't use Brave the less likely Google et al. will be compelled to destroy it.

nicce
0 replies
22h27m

Can't imagine why any of this would imply they would need to stop deriving Chromium: they can develop and deploy whatever cookie policies and defaults they want.

Maintaining a very diverged fork can take even more work than building your own browser. I think they don't want to stop receiving upstream updates when the upstream is one of the biggest software projects in the world.

EasyMark
0 replies
19h57m

They have software engineers, I’m sure they plan on just turning off that portion of the code and moving on with life like they do with so much of chrome engine

namdnay
7 replies
1d2h

and even after third-party cookies have been deprecated in Chrome

apparently this was written a few weeks ago :)

pimlottc
6 replies
1d2h

Care to explain?

IX-103
4 replies
1d1h

It's complicated. Chrome won't block 3rd party cookies by default. But it will present the users with a choice of whether to block them (with what exactly that means TBD). If most or all users choose to block them then it would have roughly the same effect as blocking third party cookies by default would.

Though regardless of that, Related web sites (or whatever that set is currently called) does present a hole in that logic. It was originally meant to allow sites with different domains to share cookies/storage (like google.com and google.co.uk). From what it sounds like, bad actors are using it in the expected ways. There were supposed to be mechanisms to prevent this, but it seems like they failed in this case.

The list is in a public repository however, so Brave could have filed issues and a pull request to address the issue. Instead they decided to stage a meaningless survey and declare Chrome a threat to people everywhere.

dwighttk
3 replies
1d1h

If most or all users choose to block them then it would have roughly the same effect as blocking third party cookies by default would.

Sure but most won’t unless the “go away now” button is “block” which I’m guessing Google wouldn’t do.

jeroenhd
2 replies
1d

Google wanted to (that's why they created stuff like FLoC) but other advertisers didn't like that and went to the market authority. They demanded the ability to track users, arguing that the system would give Google an unfair advantage.

After years of back and forth, Google abandoned their efforts. You can still disable third party cookies, in fact I don't think there's been a version of Chrome that doesn't let you block them. Go to your settings and set "third party cookies" to always be blocked. By default, grouped sites may be permitted to read each other's cookies, but you can disable that too.

The problem Google faces is changing the default, simply blocking third party cookies has never been an issue.

riku_iki
1 replies
1d

and went to the market authority

it's interesting that the authority is in the UK, but they pushed Google to abandon effort globally.

jsnell
0 replies
22h16m

Authorities in the US, EU and (IIRC) Japan had expressed anti-trust concerns (threats?) about the original plan. The UK CMA is the only one of those that had a formal complaint, and thus ended up with a veto right on the new design.

hashtag-til
4 replies
1d1h

Does this affect non Chrome users?

judah
3 replies
1d1h

It's a proposed web standard, so ultimately yes, it could affect other browsers in the long run. And it would almost certainly affect other Chromium-based browsers.

troupo
0 replies
8h36m

Since Chrome dominates the browser market, they just pay lip service to the web standards process.

They will have this as a proposal, its status will be "not on any standards track", it will be shipped in Chrome, and enabled by default.

thayne
0 replies
11h30m

It's proposed, but it's unlikely to be accepted.

Firefox and Safari have both said "no, we're not doing that". And then Chrome decided to move forward with it, regardless of whether it gets standardized.

IX-103
0 replies
1d1h

Only other chromium web browsers that enable that feature. Safari and Firefox already said they're not implementing the feature, so unless they change their mind it's not going anywhere.

JohnFen
4 replies
23h32m

That seems the obvious result of this sort of thing.

Related Website Sets (RWS) is a way for a company to declare relationships among sites, so that browsers allow limited third-party cookie access for specific purposes.

So the website itself gets to declare other "blessed" domains that can bypass third party cookie blocks? Big websites are constantly looking for ways to abuse users by bypassing their attempts at protecting themselves. How would anyone think these sites can be trusted not to abuse this?

jahewson
2 replies
22h2m

No, the website itself does not get to declare this. There’s a master list that they have to submit their site to and go through an approval process.

But as the article details, the contents of that preliminary list are already disconcerting. The whole “Google as the arbiter of all things ads” concept is a bust.

But the alternative isn’t great either - today’s system of third party cookies allows for far worse. We need some better ideas.

klabb3
0 replies
17h55m

There’s a master list that they have to submit their site to and go through an approval process.

Wtf, seriously? I skimmed the post and honestly didn’t think RWS was so bad, assuming that obviously it would be decentralized. A centralized list that Google (or some shell consortium) controls is the biggest no-no. Decades of erosion of web principles have clearly made us complacent.

JohnFen
0 replies
16h2m

There’s a master list that they have to submit their site to and go through an approval process.

How is that not the website declaring it? Approval processes are meaningless.

today’s system of third party cookies allows for far worse.

That's why I want zero third party cookies.

HnUser12
0 replies
15h45m

I don’t know too much about this but I’m curious if what I saw recently on Safari is similar? When visiting related Microsoft websites, I got a pop up asking permission to share the cookie for login. It was up to me to approve or reject that request. Seems like a better implementation.

aftbit
3 replies
1d

I know this isn't quite the right place, but can anyone point to some research or writeups on the Chrome ad topics stuff? How does that impact user privacy? What is shared with third parties? I know next to nothing about it at the moment.

afavour
1 replies
1d

This is a great paper on how it doesn’t preserve privacy in the way Google claims it will:

https://arxiv.org/html/2403.19577v1

pennybanks
0 replies
23h46m

so do they mention if the old system would be better in comparison? cause short of just making you pay to use the products i don't know if it can be any worse.

at the end of the day it seems like 90% of people using google products don't even care. while some even prefer the convenience of some features that directly save your info. not sure what percentage that is compared to the people that practice a lot of privacy.

but shown by the chrome market share google really doesn't have to care about this section of users. the fact they're willing to try things is a good sign imo. either way in 2024 to be complaining about google is funny to me. literally don't have to interact or use a google product, they already have your information and so does the internet better to not let them occupy any of your mind as well

yohhaan
0 replies
18h28m

Hi!

I am the main author of 2 papers evaluating the Topics API from Google: [1] and [2] and working on more research in that space.

I have also started compiling different papers and analyses on projects like the Privacy Sandbox initiative from Google (https://privacysandstorm.com/proposals/) as well as releasing other resources (datasets, tools, etc.), contributions welcome if you are interested!

Best,

Yohan (https://yohan.beugin.org/)

[1] Interest-disclosing Mechanisms for Advertising are Privacy-Exposing (not Preserving) https://petsymposium.org/popets/2024/popets-2024-0004.php

[2] A Public and Reproducible Assessment of the Topics API on Real Data - https://arxiv.org/abs/2403.19577

andresp
1 replies
9h15m

Most people here seem to forget that ads is what pays for the free internet services. The main issue with them is not making the consent more explicit to the user. I think the business model: you either get this for free with ads and targeting, or otherwise you have to pay X, should be more common. I bet most people would pick the free option with ads and targeting.

troupo
0 replies
8h38m

You don't need pervasive and invasive targeting to run ads.

Google earned billions of dollars with their contextual ads long before pervasive tracking was a thing.

styfle
0 replies
7h3m

Does Google expect other browsers to just copy their list[0]?

Or are developers supposed to submit their related domains to each browser and they all have their own list to maintain?

This sounds like HSTS.

[0]: https://github.com/GoogleChrome/related-website-sets/blob/ma...
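
Added example, not part of any comment in this thread and not Chrome's own code: a small audit of a Related Website Sets list that answers "are these two sites in the same set?" and flags members whose names give a user no hint that they belong to the primary. The sample list is constructed, the field names are assumed to follow the public list's layout, and the name heuristic is an illustration only.

```python
import json
from urllib.parse import urlsplit

# Constructed sample; field names follow the public list's layout (assumed here).
SAMPLE_LIST = json.loads("""
{"sets": [
  {"primary": "https://acme.example",
   "associatedSites": ["https://acme-video.example", "https://trkmetrics.example"],
   "serviceSites": ["https://acmecdn.example"],
   "ccTLDs": {"https://acme.example": ["https://acme.test"]}},
  {"primary": "https://other.example",
   "associatedSites": ["https://othernews.example"]}
]}
""")

def host(url):
    return urlsplit(url).hostname

def members(rws_set):
    """Every site in one set: primary, associated, service, then ccTLD variants."""
    sites = [rws_set["primary"]]
    sites += rws_set.get("associatedSites", [])
    sites += rws_set.get("serviceSites", [])
    for variants in rws_set.get("ccTLDs", {}).values():
        sites += variants
    return sites

def build_index(rws_list):
    """Map each member hostname to the primary of the set that contains it."""
    return {host(site): s["primary"] for s in rws_list["sets"] for site in members(s)}

def same_set(index, host_a, host_b):
    """True when both hosts are listed in the same set."""
    primary = index.get(host_a)
    return primary is not None and primary == index.get(host_b)

def unfamiliar_members(rws_set):
    """Members whose name does not contain the primary's first label.
    Heuristic only: list entries are assumed to be registrable domains."""
    brand = host(rws_set["primary"]).split(".")[0]
    return [host(m) for m in members(rws_set)[1:]
            if brand not in host(m).split(".")[0]]

if __name__ == "__main__":
    index = build_index(SAMPLE_LIST)
    print(same_set(index, "acme.example", "trkmetrics.example"))
    for s in SAMPLE_LIST["sets"]:
        print(s["primary"], "->", unfamiliar_members(s))
```
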

ssss11
0 replies
14h13m

Google doing something not in the interests of their users? Shock

nashashmi
0 replies
1d

I always thought that rws was built in with cross site scripting declarations

mrwww
0 replies
13h37m

Firefox for mac and firefox focus for iOS is great.

martinald
0 replies
9h59m

This seems quite out of date given Google has announced they are not deprecating third party cookies recently? Or am I missing something?

enhancer
0 replies
8h26m

People are leaving Chrome more and more. Let's hope the trend continues

doo_daa
0 replies
21h34m

I've tried Brave and Firefox on mobile (Android) and I've tried Safari on macOS. I still just prefer Chrome, it's just a bit better. So I use it with third-party cookies turned off, which is easily (and transparently) done using the settings menu. I can also turn off this "related websites" thing. So what exactly is the problem? All major browsers have allowed users to turn off 3P cookies for years.

callmeal
0 replies
23h11m

I guess it's time to start blocking /.well-known/related-website-set.json

bugtodiffer
0 replies
9h26m

Hey Google, this site is the password change site for Google.

Is that enough rationale to add this to the list?

bradley13
0 replies
22h14m

tl;dr: Google is evil. The antitrust measures cannot come soon enough.