Browsers have become wickedly intelligent in many ways, with the notable exception of methods that would protect your privacy. My operating theory is that due to the best (most secure and most widely used and most extensible) browser being produced by a company that generates a tremendous amount of revenue from selling targeted advertising on the web, there is little incentive to fix this particular problem.
I mean “little incentive” in a very literal sense; I generally try very hard to avoid the American habit of using euphemisms to say one thing but through convention so strongly imply another thing that that implied meaning is actually the new practical definition of the term (e.g. “didn’t do the best job” now almost always literally means “did a shit job”). There are many people at Google who do at least moderately respect user privacy; I am told that the Google Front End (GFE) reverse proxy server shares either the IP (if logged out) or the logged in user identity with backend services, but not both, to prevent easy tracking of what a given logged-in user does when they are logged out via IP correlation. (This may also be out of date information, I learned this some time prior to 2015.)
That said, I meant it: they don’t have much incentive. The point of this section is that there may be a possibility of simply adding the incentive that these features get built into Chrome. Google APIs unrelated to tracking are built into so much of the web now that they would likely receive a significant fraction of their tracking data via other means. Some people there actually do care about privacy, and some actually do care about building the best browser and innovating in the browser space, ad-business-be-damned.
(It’s sort of like how Apple used to not care if you used their application software or services or not as long as you bought their hardware. Remember those days? Those were great days.)
Anyway, let’s take a moment to sidetrack and say that if you are not using Chrome with µBlock Origin in grey- or whitelisting mode when you browse the web, you should be. Denying all third party (3P) requests by default on a webpage (with the ability to greylist (allow but filter out known ads/tracking) 3P resources on a per-source-domain basis with a click) is amazing. The interface is extremely confusing but the documentation is decent; consider spending 30 minutes concentrating on their docs to learn it. It is Worth It.
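The "deny all third-party requests, greylist per site" mode described above, expressed as µBlock Origin (uBlock Origin) dynamic filtering rules. This is an added illustration, not from the original post; the hostnames are constructed examples.

```text
# uBlock Origin "My rules" pane, dynamic filtering rule syntax:
#   <source-hostname> <destination-hostname> <request-type> <action>
# Global default ("hard mode"): block every third-party (3P) request,
# script and frame on every site, regardless of static block lists.
* * 3p block
* * 3p-script block
* * 3p-frame block

# Per-source-domain greylisting (constructed hostnames):
# "noop" lets cdn.example.net load only when visiting example.org, but the
# request still passes through the static ad/tracker lists, so known
# trackers on that host remain blocked. "allow" would bypass those lists
# too, which is why greylisting is the safer per-site exception.
example.org cdn.example.net * noop
```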
That said, much of this functionality should be built into a browser, or provided in a default extension that comes with it.
Things a browser should do or not do by now, in 2019:
autocomplete=off attribute on all sites by default. Sites that want to disable autocomplete should pop up a consent dialog for the user to permit them to disable it—iff the user wishes.
These are all pretty much obvious to me, basic MVP table stakes for a modern browser. The fact that these are not incorporated into modern browsers seems insane. There are a few more which are plain add-on features which take the concept further:
To be honest, I’m really surprised that Mozilla goes to such lengths to maintain their own rendering engine, when the relevant majority of Chrome is open source, including the results of vast (I’m serious—we’re talking double-digit millions+ of USD) security research and hardening invested into it by Google. With or without Firefox, Mozilla or a similarly-minded company should be maintaining a fork of Chrome with these features built in.
Before you suggest Brave: don’t. Aside from being founded and run by a notorious anti-gay bigot who got kicked the fuck out as CEO of Mozilla (for being a bigot, no less), the actual product itself is designed to show ads. Lately they have taken to fraudulently accepting donations for sites that they don’t run and with which they have no business relationship (further discussion here). Their product story has changed a bunch of times, and despite trying to follow it, I still can’t make heads or tails of whether it’s supposed to pay you for looking at ads, pay you for your attention while blocking ads, or let you tip websites using cryptocurrency—and not one of these features requires building a dedicated browser versus just a browser plugin. (And what the actual fuck is up with browser plugins not working on mobile devices?)
None of the items above related to user privacy are aligned with the incentives of a company who profits when you are shown ads, as ad targeting maximizes that revenue and ad targeting benefits immensely from knowing as much specific information as possible about the user receiving the ad.
This post was somewhat inspired by the fact that Google finally added a feature to Chrome I was surprised took so fucking long: it now supports U2F without a hardware token! When enrolling a new hardware token (I have many) in Chrome 73.0.3683.86, I was prompted to use a Touch ID auth to add one (even without external add-on hardware present). I am curious if this is Chrome’s software U2F implementation with the long-term keys stored on disk protected by a Touch ID/Secure Enclave wrapping key, or if the Secure Enclave is actually being used to store the U2F keys themselves.
Someone should fork Chrome and maintain a small set of privacy- and security-protecting features while putting in the effort to continuously pull in all of the other product and security improvements Google is spending tons of money to research, design, and implement. Chromium isn’t it. What’s the point of it being open source, otherwise?
If you agree, disagree, or think someone should yell “but Privacy Badger already does all of this, you fool” at me, please don’t hesitate to drop me a line at firstname.lastname@example.org.
Jeffrey Paul is a hacker and security researcher living in Berlin and the founder of EEQJ, a consulting and research organization.