1. 31

  2. 20

    I’m fairly privacy-focused, but the hard-line “any unique data sent anywhere is a form of spyware” philosophy really puts me off (although I accept that others disagree).

    Some of these issues are complex and involve difficult tradeoffs. Take Firefox’s use of Google Safe Browsing service, for example. The site’s Firefox article says that this is spyware and Allegedly used to protect you from “phishing” websites.

    It’s unhelpful to ignore that this service absolutely will protect some users from phishing and malware, things that for an individual can cause much larger privacy breaches and significant harm than even the most snoopy mainstream browser.

    Nuanced (but more difficult) questions include:

    • Is the privacy cost of sending an IP address, URL 32-bit hash prefix, and single-purpose local installation identifier to a Google service worth the benefit of being able to use their crowdsourced malware database?
    • Even if it is worth it, can we do better?
    • When Firefox accesses this API, does Google follow the Chrome policy of only keeping the IP and identifier for a request for up to 30 days? If yes, is that policy acceptable?
    • If Firefox switched to a different default service, would it be as effective (unfortunately Google/Chrome has scale on their side here), and would it be better privacy-wise?
    • Are users sufficiently aware of this service and what data is sent? This is a hard one, because explaining complex things is hard - it’s much harder than messages like “Firefox respects your privacy” or “Firefox is spyware”, which are both equally simple and uncomplex. (I personally think this explanation is pretty good, though I noted that the link to Google’s privacy policy didn’t seem to have an answer about their use of Safe Browsing data - the only info I could find was in the Chrome whitepaper linked above.)
    1. 14

      I’m also a little bothered by the simplistic thinking that seems to be behind this site. For instance, a common criticism against Pale Moon is that it’s basically an old version of Firefox with many of the fixed CVEs still in there. Putting that under “best privacy” is very misleading and potentially dangerous, because anyone who really absolutely needs high levels of privacy (say, dissidents under a dictatorship) is at a higher risk running such a browser because it’s much easier to attack. You don’t even need zero-days.

      1. 11

        Second this. I’ve spent and continue to spend a ridiculous amount of time ensuring my personal setup and the systems I administer are configured to minimise telemetry and the usage of (mis)features which infringe on my privacy or that of their users. However, there are trade-offs. Labeling anything which may entail some privacy risk as “spyware” is unhelpful. That’s particularly the case for genuine security features which implicitly need to communicate some information which may be personally identifiable.

        There’s always going to be a grey area, but as the parent points out, features like Safe Browsing which obfuscate the download information via a cryptographic hash from my PoV have a good-faith design to minimise the privacy implications while providing the security benefit, acknowledging that the nature of the feature makes communicating some information necessary.

        • Do I personally feel I need that feature? No.
        • Is it of clear benefit to the vast majority of users? Yes, absolutely.
        • Should it be disabled in Tor Browser? Yes, definitely.
        • Do I think it’s fair to describe it as spyware? No, that’s a distortion of the intent.

        It’s possible for a given system to have privacy risks and provide security benefits.

      2. 6

        While it’s certainly not usable for day-to-day activities, I still think NetSurf is a cool browser. It would probably end up in the mid tier, as it doesn’t have any tracking but it also doesn’t have any privacy-protecting features.

        1. 5

          The same author did indeed post a review of NetSurf:

          Upon launch Netsurf makes a request to get the default search engine’s icon, that default search engine is Google. […] Other than that, there are no unsolicited requests.

        2. 5

          Safari is conspicuously absent.

          1. 5

            From reading different reviews on the website it seems to me that the author uses Windows and so probably cannot test Safari. That being said, given Apple’s status as a trillion-dollar corporation I wouldn’t be shocked if they didn’t have the end user’s best interest in mind.

            1. 2

              I’d say that for Edge, which I also don’t see on this list. But given Apple’s stated focus on privacy, I was hoping to see how Safari stacks up in a detailed evaluation.

          2. 5

            In their Vivaldi review, they mentioned Piwik as if it were spyware. And that seemed to be the loudest objection. It’s been a few years, but my recollection of Piwik was just that it was local analytics for a site. By that I mean you could use it to see where someone came from, what they did in your site, and when they left. It wasn’t anything that could track you across sites, and nothing about it then made me nervous. Is there something nasty about it that either I missed or that has been developed since then?

            1. 1

              You can either self-host Matomo (the scenario you described) or use an already existing server (Matomo themselves offer that for a fee), which would give the possibility of tracking across sites; you would have to read the ToS/trust Matomo not to do it. I don’t know what Vivaldi was doing, but it wouldn’t be the first time I read “local” tracking described as spyware.

              (Piwik was renamed to Matomo)

            2. 4

              Interesting. I was unaware that Firefox uses Google Analytics!

              1. 9

                Last I checked, their contract with Google specifically spells out Google can’t use the information collected for anything.

                Not that I’m very happy about this, but at least Mozilla is trying to keep Google honest.

                1. 4

                  Then why are they collecting it?

                  1. 4

                    I don’t understand the question.

                    Mozilla can obviously look at the information it collects, but the contract with Google says Google can’t look at it.

                    I assume they honour that contract, but I have no idea.

                    What Mozilla is doing with the information collected, I also don’t really know. I assume they want to know how many active users they have, versions in use, etc, etc.

                    1. 1

                      No worries, you answered it.

                2. 7

                  This shocked me as well, but there is some subtlety here. The site says “Firefox tracks users with Google Analytics” and “Firefox has been integrated with … “Google Analytics””. Exactly what’s happening is that https://mozilla.org webpages use Google Analytics (with the extra no-sharing option that Mozilla pushed Google to add, as mentioned in another comment).

                  Like this or not, it’s a bit different to all Firefox users’ browsing being integrated with GA, which is what I originally read the site as saying.

                  (I don’t know if any automatic URL requests that Firefox makes to mozilla.org backends end up with GA, but I can’t find anyone saying they do and I’d be surprised if they do, as my understanding is GA only runs on webpages, not backends.)

                3. 3

                  I wonder what the verdict is on Chromium. Not Chrome, but not the Ungoogled Chromium either. Just the plain Chromium that you can apt get or pkg install.

                  What really bothers me with Chrome is:

                  Google Chrome is confirmed to be constantly listening to any open microphones on your computer.

                  1. 2

                    I appreciate the work done by the author. And there are a lot of browsers I didn’t know. It’s really cool.

                    I’m always saddened to see that, as of today, your only two options for a browsable web are basically Gecko or Blink.

                    But going back to the other topic, privacy is great, I love it. But what is ignored here is the security and vulnerability of these browsers. Would I go on some shady websites with these browsers? Hmmmm… I’m not sure. I feel that the risk would be low because these browsers are niche browsers.

                    1. 2

                      I’m a bit sad there were no webkit2 browsers there… like luakit, midori, etc…