[haswell]

This, to me, seems like the more salient point. A headline like “Major browsers allow websites to see your installed extensions” seems more appropriate here.

We’ve known for a long time that advertisers/“security” vendors use as many detectable characteristics as possible to constrict unique fingerprints. This seems like a major enabler of even more invasive fingerprinting and that seems like the bigger issue here.

[hsuduebc2]

Well it would be more appropriate headline if it would be about broken browser behavior.

But this is about major corporation sneakily abusing this to ilegally extract specific sensitive data which they are abusing.

[tomwheeler]

It's possible to write a headline that directs blames at both parties: "Major Browsers Fail to Block Websites that Invade Your Privacy"

The fact that the website is doing this is a bigger problem than the browser not preventing it. If someone breaks into a house, it's the burglar who is prosecuted, not the company that made the door.

If you scanned LinkedIn's private network, you'd be criminally charged. Why are they allowed to scan yours with impunity? And why is this being normalized?

The best solution is a layered defense: laws that prohibit this behavior by the website and browsers that protect you against bad actors who ignore the law.

[haswell]

> If you scanned LinkedIn's private network, you'd be criminally charged. Why are they allowed to scan yours with impunity? And why is this being normalized?

First, I think it’s a major issue that Chrome is allowing websites to check for installed extensions.

With that said, scanning LinkedIn’s private network is not analogous to what is going on here. As problematic as it is, they’re getting information isolated to the browser itself and are not crossing the boundary to the rest of the OS much less the rest of the internal network.

Problematic for privacy? Yes. Should be locked down? Yes. But also surprisingly similar to other APIs that provide information like screen resolution, installed fonts, etc. Calling those APIs is not illegal. I’m curious to know what the technical legal ramifications are of calling these extension APIs.

[forgotaccount3]

What law is it breaking?

If a company leaks my sensitive data, I get some nice junkmail offering me some period of time of credit monitoring or whatever so what are browsers doing to prevent this?

The issue should never be 'We want entities to have this data but only use it in some constrained and arbitrary manner that we can't even agree about it's definition.' instead 'This data shouldn't be made available to X'

[acheron]

This is a Chrome thing. It’s a safe bet that if you use Google products you don’t care about privacy anyway. “Google product collects info about you: news at 11.”

[taneq]

Google cares deeply about privacy. Google defines privacy as them not giving your private data that they have collected to anyone else unless you ask them to.

[dmoose]

Google cares deeply about privacy. Google defines privacy as them not giving your private data that they have collected to anyone who hasn't paid them for it or can compel them to give it up.

[seanw444]

There's a fourth amendment case on the Supreme Court docket (Chatrie v. U.S.) about Google searching a massive amount of user data to find people in a location at a specific time, at police request. The case is about whether the police's warrant warranted such a wide scope of search (if general warrants are allowed).

Point being: Google will 100% give your info to the police, regardless of whether the police have the legal right to it or not, and regardless of whether you actually committed a crime or not.

Bonus points: the federal court that ruled on the case said that it likely violated the fourth amendment, but they allowed the police to admit the evidence anyway because of the "good faith" clause, which is a new one for me. Time to add it to the list of horribly abusable exceptions (qualified immunity, civil asset forfeiture, and eminent domain coming to mind).

[ImPostingOnHN]

They knowingly participated in PRISM, too.

[iso1631]

Why would the police go to all that hassle of compelling google to give it up when it can simply buy it on the open market.

[taneq]

The breaking point with me that caused me to de-google myself was finding out that Google was buying Mastercard records in order to cross-reference them with Android phone data. That shit is not okay.

[autoexec]

Police do hit up google for data though. https://www.nbcnews.com/news/us-news/google-tracked-his-bike...

[iso1631]

So no compelling here. The police asked for it and google gave it, either for free or in exchange for money. They didn't say "no" to the police, they didn't wait for a court order.

The bad guy here is google. And the people that champion data collection by private companies because of free market == good.

[taneq]

Ah yes, I should have said I was describing the official line, not the behaviour. In all fairness the “can compel them to give it up” doesn’t seem to be optional but otherwise, yeah. Agreed.

[armadyl]

> This is a Chrome thing.

This is blatant misinformation. Firefox (and all of its derivatives) also does this.

https://bugzilla.mozilla.org/show_bug.cgi?id=1372288

[Aloisius]

This only works if the web page knows the random per-install id associated with an extension.

That can only happen if the extension itself leaks it to the web page and if that happens, scanning isn't necessary since it already leaked what it is to the webpage. It also doesn't tell you what extension it is, unless again, the extension leaks it to the webpage.

The attack on Chrome is far more useful for attackers as web pages can scan using the chrome store's extension ID instead.

[p-e-w]

And this bug was reported eight years ago, with no serious attempt to fix it since.