[arpowers]

My friend Jake runs an analytics company.

He's faced enormous challenges due to Google's "privacy" policies... Google is removing nearly all access to user data, they don't even like you looking at the user agent string (which issues a warning)... not to mention its impossible to know about search traffic and even referring urls.

Meanwhile Google has access to all this data, so he tells me all this is just gaslighting so they can illicitly protect their monopoly on web data.

[dceddia]

Seeing this all go down, it feels like this is exactly Google’s master plan.

1. Roll out stuff they brand as “privacy respecting” that actually collects data for their own use.

2. Brand anything that would give competitors access to that data (third party cookies, user agent strings, etc) as a threat to user privacy.

3. Lock all of that stuff down so that nobody can access it (“we’re protecting you!”)

4. I don’t think we need the ???, it’s just straight to profit, via monopoly over the data.

The brilliant/terrible thing about this is that third party cookie tracking is not great so it’s hard to set up a defensible argument where leaving things as they are is the better alternative. Apple and others have been waging a war on third party tracking for years now, and pushing public opinion in that direction, and it seems to me that Google is playing 4D chess here and using it against them (and frankly, the entire internet).

[smashed]

The solution is very easy for consumers looking for a real privacy solution:

Use a browser that is not made by an advertising company.

In other words, just drop chrome. It has never been easier to do, with Edge and Safari readily available on all major platforms and Firefox for those who prefer it, and of course the many other chromium forks that are around.

There is no reason to be dependent on chrome today. There was a few years where it was overly dominant and very hard to avoid for compatibility and performance reasons, but that is just not true today.

Personally I use Firefox on android and desktop and I don't miss chrome at all. I uninstalled (technically, disabled) it on mobile as Google widgets like to open links in it otherwise.

I have chrome on the desktop as I work in software so I need to test compatibility with it, but that's it.

[lxgr]

I agree in principle, but wouldn't wish the coupon catalog emulator that Edge has become onto anyone. It's beyond bizarre.

My personal picks are Firefox on Windows and Linux, and Firefox or Safari on macOS.

[SoftTalker]

Firefox with Ublock Origin here.

[ummonk]

I use Safari on Mac OS with Brave on Windows, with iCloud keychain passwords sync between the two.

[blindhippo]

Isn't Brave basically what Google is trying to turn Chrome into? I use Brave on my mobile phone, but honestly I'm kinda turned off by the weird advertising it shoves on me despite theoretically protecting my privacy.

I just go with Firefox on any actual computer since I can lock it down with whatever extension/config I want.

[nosefurhairdo]

On Brave many of their ads can be permanently disabled in various settings menus. I use Brave on my phone and laptop and can't recall the last Brave ad I've seen.

[Schnitz]

How do you sync that?

[lxgr]

There's an official Apple extension for Chrome for that now, surprisingly: https://chrome.google.com/webstore/detail/icloud-passwords/p...

[thorncorona]

believe it or not, these features are liked by edge users.

[doubleg72]

Saved me 20% the other day

[Gibbon1]

> Use a browser that is not made by an advertising company.

Personal opinion we need to tweak business incorporation rules to firewall ad business from all other types of businesses. Meaning General Motors can't sell ads. And ad companies can't sell cars.

And as someone on this site suggested extend antitrust dumping laws to services.

[hedora]

and/or make it illegal to gather consumer information without explicit, periodic consent. Make it doubly-illegal to sell data or rent it. (If "rent" doesn't cover it, also outlaw whatever thing google claims it does when it monetizes user profiles for ads.)

[Gibbon1]

Yeah as in if data broker is your business it's your only business with very specific rules about what the data can be used for.

[jmbwell]

I’m so hurt by how Edge has turned out. I was ready for a tier-1 browser experience on Windows comparable to Safari on Mac. Microsoft has utterly wasted its leadership opportunity here, cramming in scammy garbage.

Firefox, god love it, is a rough and clunky browser by comparison. Sure you can make it what you want, but it’s an investment. As the only viable noncommercial cross-platform option though, what else are we gonna do

[jgilias]

What’s so ‘rough and clunky’ about Firefox? To me it just works everywhere I have installed it!

Genuinely curious!

[wkat4242]

Yeah it works amazingly well. And offers some great features like offline translation and container tabs.

I have absolutely no issues with it. Websites all show perfectly, if I ever have an issue it's down to my many adblocking plugins blocking a little too much.

[jmbwell]

You know, I shouldn’t malign it. It’s really not bad at all in and of itself. I just wish it was as well integrated and as polished as some of the others can be.

[jgilias]

Do you have any examples of that? I really don’t get what’s unpolished about it. That may be because I’m a Linux user though!

[yakubin]

I have F13 bound to open KeePassXC on Mac. It works in every application except Firefox. Firefox blocks it somehow. It’s the reason I don’t use it.

[TX81Z]

Microsoft is also a web display ads company, what exactly do you think the business model for Bing is?

There’s zero point in switching from Chrome to Edge.

Firefox to my knowledge has no ads revenue, apples limited ads revenue doesn’t come from the web.

Brave I think is a low-key crypto grift run by a homophobe, but still better than Chrome.

[alwaysbeconsing]

On Apple OS also two alternative browsers rising: Arc https://arc.net and Orion https://browser.kagi.com Both making nice progress with their own strong points.

[sanderjd]

I really really love Arc. But I don't understand how they will make enough money to support the amount of work they've done. Their website seems to say nothing about this, and everything I've found about it so far is hand waving and speculation.

[drc500free]

Arc is fantastic. Their product team is really well focused - the PIP view for google meet that dropped out of nowhere has been a game changer for getting through my day.

Going back to the alternatives from Arc for browsing and Hey for email management is always jarring. They aren't massive UX changes, but they sure are well thought out and impactful.

[miked85]

https://mullvad.net/en/browser as well

[nottorp]

> Use a browser that is not made by an advertising company.

> In other words, just drop chrome. It has never been easier to do, with Edge and Safari readily available

Considering Windows 11 has ads in the operating system, how is Edge not made by an advertising company these days?

[jacquesm]

This is why the worlds largest advertising company should not be fielding a search engine, a massive email platform and a browser as well.

[flagrant_taco]

At least it anti-trust laws are hard at work! Glad it's not like the dark ages, when your operating shipped with a default browser that could be used to install any other browser you wanted.

[dceddia]

They sure have done a job at positioning themselves at the intersection of maximum control over the web.

[taneq]

> stuff they brand as “privacy respecting” that actually collects data for their own use

The kool-aid is in their definition of the word "privacy." You and I might think "privacy" means "other entities aren't observing you" but Google in their benevolence knows that it really means "Google will keep your data safe from third parties." Their newspeak doesn't even allow the concept of "data that Google does not collect."

(A friend of mine was involved in the launch of Google Allo. I asked them if it would be possible to use the virtual assistant features offline without sending everything to Google. They never spoke to me again.)

[soraminazuki]

I don't think there's any 4D chess going on here. Nobody is buying Google's "privacy" argument. This is a simple case of other browser vendors improving actual web privacy and Google undermining that effort.

[petre]

I hope the regulators are not and wish Google would be hit with huge antitrust fees in the EU due to this. We shall see.

[conradev]

That is Apple's plan, too, except for the collecting data or profiting part. They still have a monopoly on your data, it's just locked on your devices.

[rovr138]

> except for the collecting data or profiting part

Isn’t that pretty much the issue here?

Anyway, what’s really locked? Text messages?

Because I can export pretty much everything else. Images, videos, documents, passwords, bookmarks.

Maybe Apple Music’s playlists?

[taneq]

In what sense is this Apple having a monopoly on your data? If it's "locked on your device" then they don't have it. This is literally what we're asking for, or at least half of it. I agree it'd be nice if we could retrieve everything from the device ourselves, but I'll settle for this (and ensure I never give my iPhone the last copy of anything I care about) over carrying a hostile observer everywhere I go.

[Tagbert]

Data collection isn’t really central to Apple business model though. I’m not too worried about them.

[raydiatian]

It’s the AI thing. Everybody is building walls around their data.

[bagels]

Same playbook with apple vs Facebook

[lukev]

This doesn't make sense. The browser provides the user agent as a header in HTTP requests. They can't detect if or how the server is using that information.

Or do you mean your friend's product is a browser plugin? In which case, um, yes, I don't want it having access to any more information than it it needs to do it's job (and honestly, probably not even that.)

[re-thc]

> The browser provides the user agent as a header in HTTP requests.

They (Chrome) are taking it away [0].

[0]: https://developer.chrome.com/en/docs/privacy-sandbox/user-ag...

[matheusmoreira]

Excellent. Sites shouldn't know what user agent we're using anyway. Pretty much the only thing they use this for is to lock us out when we use "unsupported" browsers. The less information they get, the better. Hopefully they'll get rid of referrer too and weaken fingerprinting methods.

I have no doubt Google has self-serving motivations here but the result is still a win for us. I wish Firefox had enough leverage to force decisions like this down people's throats whether they like it or not but it just ain't so. Reality is imperfect so I'll take what I can get.

[sanderjd]

Yeah I tend to agree here... It really seems like none of the server's business what agent I'm using.

[matheusmoreira]

Yup. It's none of their business. They can't discriminate against us if they don't know anything about us.

[Fordec]

Can't trust you either. Are you a bot? Well it's good to assume you are by default, since it's the majority of internet traffic anyway. And for your privacy, you're not exactly forthcoming with data to now prove otherwise.

So sorry, until you pay with a unique individual bank account to prove identity, you can't post on future social media sites. You are a bot after all.

[technion]

I've always advocated for feature detection. If you test for typeof Object.assign !== 'function' you can be sure you have a reasonably recent browser. If you want fetch, test for window.fetch.

This sort of thing always feels like it's going against the grain, with someone always asking "why wouldn't you do this properly. You know, build an allow list of user agents and match against them". I fully support people being forced into detecting the features they want and doing away with this nonsense,

[matheusmoreira]

I don't think web developers should be able to detect stuff like that either. Their ability to detect stuff provides identifying bits for fingerprinting. As far as I'm concerned, all the browsers should normalize the return values of those typeofs and all related functions so that Javascript can figure out exactly zero bits of information about the environment it's running on. Just like browsers will lie to Javascript when it tries to figure out your browsing history by checking the color of links.

The web platform gave web developers way too much freedom and they're abusing it. God giveth and god taketh away.

[Groxx]

There's simply no way that can ever be built though. "Browser v2 provides X which will call argument 1 in 2 seconds" -> how would browser v1 possibly hide that it is not v2? Anyone can build a thing that checks for that behavior, and now you have a piece of information.

Or for more useful stuff, "X gets you data from URL Y". Either you get that data or you don't. Voila, data about the browser.

The only alternative is that you never ever release any new features or fix any bugs.

[raincole]

> Feature detection is too much power for developers

- People on HN.

[SoftTalker]

There are plugins for Firefox that can make the user agent string anything you want.

[matheusmoreira]

It doesn't matter. Actually those plugins are straight up counterproductive.

The best user agent is the one that offers them the fewest identifying bits. In other words, the user agent of the most popular version of Chrome. The ability to set it to "anything we want" is actually a trap. What we really want is for everyone to use the exact same user agent so they can't tell us apart.

If everyone has the same user agent, it's nothing but a waste of bandwidth and it should be removed. Google is actually achieving our objective here.

[SoftTalker]

Well yeah, they have a pre-configured set of choices, e.g. "Chrome on Windows" but you can do something custom too, if you want.

[eru]

Firefox has plugins to set your user agent to Chrome.

[infogulch]

I'm all on board calling Google out for slowly implementing a user data protection racket, where Google owns all the data and everyone else is squeezed out and has to go through Google as The central data broker. At the same time this user agent reduction thing seems like a decent idea at first blush and good for users privacy.

[dpkirchner]

TBH I'm surprised the User-Agent header has survived as long as it has. Referer, too.

[omoikane]

Referer is not quite the same as how it was. In recent years, the default behavior in most cases is for the browser to either send just the origin, or no referer at all.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Re...

"Origin" means no path, so the referer might tell me which search engine the user used, but not what search query was done. It's much better than in the old days, where I might even see someone's session ID in the referer.

[judge2020]

YouTube got around this in the earlier days since the referer header didn’t sent query strings. Maybe if referer hadn’t existed, YouTube urls would look like /watch/ViDeOID

[ravenstine]

That header and Referer were always a mistake. I don't think The Google's motivation is pure, but I agree in principle.

A lot of sites will break for people as a result, though. Maybe that's what The Google wants, though.

[satvikpendem]

> Referer were always a mistake

Yeah, it's even spelled wrong!

[elashri]

My web development knowledge is very limited. But isn't this the main method where simple websites (most static generators) used to decide if the user is browsing from a mobile or not and serve a version based on that?

I would appreciate it if someone explain what other things people do to tackle this, or if I'm completely wrong?

[jrajav]

Most responsive design is based on screen dimensions with CSS media queries these days, not on the actual class of device.

[matheusmoreira]

The modern solution is to use CSS with media queries. You tell the client how the site is supposed to look on various screen sizes. The client applies the rules without leaking any information about which rules it chose to apply.

[yjftsjthsd-h]

That's mostly done client-side these days; having the server treat clients differently doesn't happen as much anymore.

[rascul]

I think media queries have been the way to do that for awhile. Or I think there's some javascript trick to do it.

[cpburns2009]

The server now needs to respond with the Accept-CH header specifying it wants the client to send the mobile client header by including the "UA-Mobile" value. A compliant client will then send the Sec-CH-UA-Mobile header in its next request with either the value "?0" or "?1".

[jamesfinlayson]

I agree that user agent is not the best idea but it helps endlessly when you need to find out what browser a non techy person is using - just ask them to go to one of the endless sites that tells you what browser you're using based on the user agent string.

[xref]

Without Referer how will jwz dot org troll HN users?!

[soulofmischief]

If that were really their motive, a better strategy would be making user agent string customization a first-class feature.

[fiddlerwoaroof]

No, because approximately nobody would customize it.

[soulofmischief]

Then generalize it by default. I just can't buy that Google really has this motive when they simultaneously are introducing WEI.

[hedora]

They could also use the user agent: "", or omit the http header entirely.

[eru]

You can already do that with extension, can't you?

[soulofmischief]

An extension isn't first-class support, first-class means supported directly in the browser and easily discoverable.

[ben-schaaf]

Will that finally bring an end to having to use user-agent-switcher to get some sites to work on Firefox?

[afavour]

> Meanwhile Google has access to all this data

I’m loathe the defend Google but I don’t think this is the case. The replacement for user agent sniffing (client hints? I forget) is a universal thing and I don’t think Google has a secret back door tracking mechanism their ad network is able to use. It would certainly be a big story if they did.

[riku_iki]

> I don’t think Google has a secret back door tracking mechanism their ad network is able to use.

they have 80% population using search, youtube, storing browsing history etc while logged into google account, so they have lots of data about most of the people.

[afavour]

Right but that’s not a secret back door tracking mechanism. It’s a pretty blatant one!

My point is that even this blatant logged in user tracking won’t be able to use user agent strings to track either.

[riku_iki]

yeah, no need some secret backdoor..

[asddubs]

you're the one who introduced the concept of it being secret, your quote just said they have access

[afavour]

> you're the one who introduced the concept of it being secret

There is no publicly known method by which Google’s ad network is able to siphon extra data from Chrome users for targeting etc. If there is one, as OP’s friend suggested, definitionally it must be secret.

[rhaway84773]

Google’s ad network might not have access. But does Google have access?

Because there are many ways Google can leverage this data without giving their ad network access.

Privacy isn’t just about privacy from ads. There are all sorts of non ad related privacy abuses that can exist.

[foobarian]

A while ago now I booked a room on Expedia, which ended in me getting a confirmation email with an itinerary to my Gmail backed address. Lo and behold, few minutes later a CTA pops up on my Android phone offering to create a matching trip in Google's trip planning product. I'm sure it's all above board once you got into the fine print but it was not a pleasant experience.

[notatoad]

yes, client hints.

google "has access to all this data" in exactly the same way any other website does. you request the information you need from the client, and the client can choose to provide it or not. clients provide it by default.

hate on google all you want, but UA reduction is objectively a good thing. "my friend jacob wants to slurp up everything from the user-agent string on the first request" is not a good argument.

[jacquesm]

You only need a backdoor if you do not also have a 6 lane highway to your users premises.

[hotstickyballs]

> I don’t think Google has a secret back door tracking mechanism their ad network is able to use. It would certainly be a big story if they did.

Like Chrome??

[makeitdouble]

> Meanwhile Google has access to all this data, so he tells me all this is just gaslighting so they can illicitly protect their monopoly on web data.

To throw them in the same pit, they're taking a page from Apple's playbook: the privacy benefits for the user will justify any market effect from closing the platform and keeping all user data internals. Platform owner gets to protect the user from some of the abuse, while gaining a critical edge on the competition.

In the current climate, I'm not sure there is any good angle to solve this, short of strong regulation limiting the advantage they get from doing these "privacy first" moves (basically find a way to forbid the platform owners from using their own users' data...I'm not holding my breath)

[eru]

> In the current climate, I'm not sure there is any good angle to solve this, short of strong regulation limiting the advantage they get from doing these "privacy first" moves (basically find a way to forbid the platform owners from using their own users' data...I'm not holding my breath)

Well, you could also look into removing some rules, in addition or instead of piling on new ones. Eg you could weaken intellectual property rights, to make it easier for upstart competitors to take on the established giants.

Or you could make it easier for foreign competitors to enter local markets. (As an example, the US has become more protectionist of their tech markets. And the EU has a lot of red tape that's even harder to follow, if you are from outside the area.)

[makeitdouble]

> make it easier for upstart competitors to take on the established giants

No specific regulation is stopping this. If anything, all the regulation that are getting added have as a goal to reduce the red tape around smaller players and limit the extent of the giant players' monopoly.

If you were thinking about the rules forbidding dark patterns to suck client infos and accelerate growth, it would be a tough sell to be honest.

[eru]

> If anything, all the regulation that are getting added have as a goal to reduce the red tape around smaller players and limit the extent of the giant players' monopoly.

No?

Lots of regulation just adds red tape in general, and there are clear economics of scale in compliance: larger companies have proportionally an easier time affording the legal experts they need to make sure they are compliant.

[scarface_74]

Are we suppose to feel bad for your friend’s analytic company?

[bhaney]

I took it more as an anecdote to show how Google is intentionally using its size and influence to engage in anticompetitive practices by forcing the adtech industry to standardize on technologies that only Google can use effectively.

More of a "be upset with Google" than a "feel bad for my friend" kind of thing

[wbl]

The privacy preserving ads tech has been around a while and a lot developed outside of Google and Meta. I made a stab at it while an intern at Mozilla, and we basically succeeded at the very easy part of accounting. Training the bandit is a lot harder.

Also the adtech industry in it's current form is harmful to users. First of it exploits tracking vectors. Secondly it's a malware distribution technique second to none.

[raincole]

You're supposed to feel bad for people who use Chrome.

That is about the entire desktop user base btw.

[swader999]

We all suffer when competition is stifled.

[soraminazuki]

The market for private user data should not even exist. So the call for more competition in that area is absurd.

[paulryanrogers]

I don't think folks are arguing for such a market. Rather that Google owning the market is also bad, maybe even worse.

[notatoad]

it's not stifling any competition. the data that used to be in the user-agent header is now in the sec-ch-ua header. servers can set response headers to request more information if they want it, assuming the website makes more than one http request, which every website does.

[matheusmoreira]

Surveillance capitalism corporations should not even exist at all. They should be illegal.

[midoridensha]

So it's bad when there's less competition for organized crime?

[tough]

That just means a more powerful mafia boss in town so probably yeah

[scarface_74]

We’ve seen time again that’s it’s better to have one strongman than a power vacuum with a lot of local warlords.

If Google wipes out all of the other analytics companies, I can just not use Chrome.

[paulryanrogers]

Until everything important in your life requires Chrome.

[raincole]

Yes, exactly. It's a no brainer.

[Scoundreller]

> not to mention its impossible to know about search traffic and even referring urls.

I think it was the migration to https everywhere that killed that. Not sure why it went down that way, or if Google was responsible.

But yeah, when I ran a blog, I would look through the referrer URLs to see what people were actually searching for and write articles about that because it was obviously an untapped void in the market.

[jacquesm]

That's exactly what it is. Google spends a fortune on lobbying Brussels to let the natives know that they have their best interests at heart. That's proof of the opposite as far as I'm concerned. Check out the ads on Zaventem airport (right next to Brussels) if you're ever passing through there, it's comical.

Or check this video if you can't make it in person:

https://www.youtube.com/watch?v=f0UevGxfXXY

[avs733]

Years ago I remember having a very similar reaction to many online platforms switch to https. It was pitched as protecting people from isp packet based ads but it always felt more motivated by locking the competition out of the data stream

[sensanaty]

No offence, but your friend Jake can go fuck himself.

I have very little trust for Google and other megacorps like it, but I have even less trust for parasitic entities like Jake that just piggyback on top of Google's already horrid practices to extract wealth from, so you'll find no sympathy for Jake from me.

[kyle-rb]

I just don't want Google adding extra tracking, I don't mind if they stop your friend Jake from tracking me.

[wnc3141]

Such is the issue with any business connected to a single large and private infrastructure provider. Of course this is, in part, why we have anti-trust laws.

[judge2020]

Is there a write up examining the replacement (cohorts I guess) and showing how it is worse for user privacy?

[shadowgovt]

It's arguably not, depending on how you slice "worse."

Google's philosophy on this sort of thing has been pretty consistent for over a decade: they trust themselves with user data. It goes in a vault, it's very hard to access inappropriately, and they have some of the best security possible on the modern web. Practically speaking, yes, it's still a risk; if the data collections get breached, that's all the data. But they don't see themselves as more of a risk than anything else out there, so for them it's not philosophically inconsistent to claim other companies doing what they are doing should be considered a privacy threat.

... And honestly, I think there's a good case to be made that if you don't trust Google to respect your privacy and secure your data, You shouldn't be using Chrome period, because the organization you don't trust controls the source code of that browser.

[judge2020]

I guess my question is: how is Google getting that data now? Is FLoC or Topics beamed to Google ad preferences? Is it included in chrome sync?

[matheusmoreira]

Sounds great. Now we just need to figure out a way to stop Google instead of Google and numerous other surveillance capitalism corporations.