Is Microsoft Stealing People’s Bookmarks?

I received email from two people who told me that Microsoft Edge enabled synching without warning or consent, which means that Microsoft sucked up all of their bookmarks. Of course they can turn synching off, but it’s too late.

Has this happened to anyone else, or was this user error of some sort? If this is real, can some reporter write about it?

(Not that “user error” is a good justification. Any system where making a simple mistake means that you’ve forever lost your privacy isn’t a good one. We see this same situation with sharing contact lists with apps on smartphones. Apps will repeatedly ask, and only need you to accidentally click “okay” once.)

EDITED TO ADD: It’s actually worse than I thought. Edge urges users to store passwords, ID numbers, and even passport numbers, all of which get uploaded to Microsoft by default when synch is enabled.

Tags: , , ,

Posted on November 17, 2021 at 7:53 AM67 Comments

Comments

Paweł Komarnicki November 17, 2021 8:16 AM

This whole “keep asking” loop is such a shady antipattern that it’s high time to have a proper guideline for that. I would just make it an opt-in system like the good email newsletters are: you are presented with the button to share your data with the app, and then (and only then) a system dialog is shown. Nothing around that should be automated in any way!

saladpope November 17, 2021 8:32 AM

Agreed that user error is a bad term for this, but it requires user action (I think). Edge prompts for a switch to “default browser settings” at startup, and that appears to include synch. Gross.

Enamel B November 17, 2021 9:17 AM

@Ted “Only a 472” read is hilarious. Thanks for the heads-up though, we can now finally enable this setting for our users. I can see the problem for normal users but for enterprise making sure users can drop their PC in the water and have everything synced down on a new PC is a godsent.

Ted November 17, 2021 9:24 AM

Ps: I opened Microsoft Edge (Home) for the first time ever. And nothing was synced yet as far as I know.

I had to go to Settings > Profiles > Import Browser Data to select which Browser and its corresponding data I wanted to import.

There I could select one of my other browsers and its corresponding data (i.e. Favorites or bookmarks, saved passwords, payment info, etc.)

In my Edge browser, Sync (listed under Settings and Profiles) is grayed out and I can’t open it. (Maybe this is because I’m not signed in with a Microsoft account for the purpose of syncing data across devices?)

Winter November 17, 2021 9:31 AM

“which means that Micorosoft sucked up all of their bookmarks”

I think that if MS stores such data outside of the originating computer without prior consent (!= opt-out) of the user that would be a breach of the GDPR in Europe.

“User Error” is not a good defense here as the GDPR requires “Meaningful Consent”, which means the user has to actively do something that indicates they understood what they were doing.

But we first have to see that this actually is the case. Not that Google does not go through great lengths trying to get me to sync Chrome whenever I use it.

Patricia November 17, 2021 9:46 AM

The ONLY thing I’ve found truly useful about edge is the ability to easily display/edit/annotate pdf files. That should have been in all browsers decades ago. Anyway, it reminds me of detroit cars always being decades out-of-date.

Bear November 17, 2021 11:09 AM

I was thinking about new features for browsers the other day, Forced synchronization was not amongst them, but two settings related to sync were.

Sync profiles however, were. There’s a browser I use for work and research, and there’s a browser I use for private stuff.

If there were separate profiles, and the browser gave me a dialog box every time I started it up to ask which one, then I could sync the business profile but not the private profile, on the same browser.

The other was encrypted block sync. Your browser saves your sync information as an encrypted block using a key you specify, and transmits the block to whatever server you sync with. When you sync, you get that block – still encrypted – back, and your browser reloads its information. So when you sync you need to specify a key, or at least you need a high-entropy passphrase. Which is something I’ve wanted for years, and would be fairly easy to implement. With encrypted block sync, I would be entirely okay with a browser syncing by default – although it couldn’t do so silently without access to my keys and passwords, which is desirable behavior from my POV but most people would allow it just to shut up the dialog box asking for the key.

Additional desirable features not related to sync:

A WYSYWIG editor that saves in correct standards-conforming HTML.

A Search bar that can do unit conversions, solve or plot equations, call up and display maps, and do basic language translation locally, without even generating a request.

A ‘Cache’ that stores local copies of reference material – pages drawn from some sites that I need to read fairly often and look things up in have stable content. I should be able to tell the browser what sites those are and let it maintain a local cache. With the option to search local resources first and generate a request if not found, OR display the local cache to avoid delays while sending a request and verifying that the stable content is still stable, or using local cache for fallback only in case of network disconnection. Or maybe a debug function that runs a diff and displays changes.

mexaly November 17, 2021 12:13 PM

When I got to passport numbers, wondering how brazen can it get, that I remind myself: feed garbage to the information tyrannosaurs.

A friend of mine despises grocery store loyalty cards, so he trades them with his friends. It fogs the data that he hates to provide, and he still gets the discounts.

Martin Ewing November 17, 2021 12:56 PM

Users need to know that everything in the cloud is available to our corporate overlords by default. And most everything is moving to the cloud.

So why am I trusting all my data to Google Drive, gmail, etc.? Reliable, convenient, and cheap seem to trump privacy…

Terry Cloth November 17, 2021 4:50 PM

@mexaly: I just lie on the application. I don’t mind the store knowing there’s someone who usually buys Oreos and milk together, but they have no need to know it’s me. If they send a check for a reward, I’ll never see it, but that’s small beer.

Zian November 17, 2021 5:30 PM

@Robert

Thanks for the Mozilla link. It’s refreshing to see someone implement it with those goals. I had ignored the Firefox sync feature because I assumed it had been implemented in a way that I would not like.

Clive Robinson November 17, 2021 11:24 PM

@ Petre Peter,

My soul is crying for how technology has been prostituted.

Wrong word, it implies there was an equitable transaction. There is a more appropriate word for when some one forces themselves on others.

Winter November 18, 2021 2:43 AM

@noone
“I don’t know why they want all the bookmarks. They already have all URLs one visits.”

I agree, we can laugh about the bookmarks, they get literally everything you do, all with a client ID included.

Compare that to the other browsers. I checked Vivaldi, Chrome, and Mozilla Firefox. None of them submitted “obvious” data about user behavior. However, they do send enough to do browser fingerprinting. I am not qualified to see whether there might be obfuscated PII included.

Francesco Mantovani November 18, 2021 2:51 AM

Interesting. And in their Policy Statement I don’t see nowhere the word “encrypted”.
Are they storing this in plain text?

How do they handle my privacy on their side is not explained.
Are my Swiss data staying in Switzerland or travelling across Europe or going to US?

Vladimir Katalov November 18, 2021 3:07 AM

Well, all the vendors (not just Microsoft but also Google and Apple) allow to sync browser history, passwords and lots of other sensitive data. The only difference is that Microsoft did not implement additional encryption. In contrary, Apple use “end to end encryption” (well, sort of).

Gert-Jan November 18, 2021 5:32 AM

The “keep asking” loop can be countered the way Android handles permission requests. The first time you get to see the request. The second time you see the request with the additional checkbox “don’t show again”. When checked, there is no third time.

On newer Android versions, this “don’t show again” is not asked anymore, but implied when the user rejects the request.

But the argument about meaningful consent (to conform to GDPR) is a valid one.

I’ve accidentally clicked “Yes” on some request simply due to timing. I wanted to click on something on the page, but just at that exact moment a permission request popped up exactly where my pointer was.

If vendors wanted too, they could mitigate that issue by delaying the opt-in button; only enabling it after a second or two. For meaningful consent, I’d argue that a 2 second delay is always justified.

Who? November 18, 2021 5:41 AM

Time to move to software that works for us, and not the other way. These days not only corporations that offer “free stuff” like Google or Facebook –whatever it is named now– but even those that sell the right to use their software/hardware tools must not be trusted.

Open source and, in some way, free software too are the way to go; but even in this case keep an eye on any project you depend on and do not trust blindly on something just because it is under a BSD/MIT/GPL licensing.

And, of course, keep offline anything you can. Only a few of my computers have Internet access and, most of these computers with some sort of Internet reachability, have HTTP/HTTPS traffic blocked or —to be more precise— do not have a rule allowing that class of traffic on a ‘block all’ default firewall set up.

Who? November 18, 2021 5:51 AM

One more thing… they key is not why it happened, but why let us it happen yet.

The first step is not allowing it occur, and not whimper when it happens. It happened because we allowed it to happen. I would certainly not use a browser from a corporation that a few years ago broke into millions of computers running its operating system to remove a “bad patch” that locked the upgrading mechanism without even requiring a user consent. From my point of view it was a “zero click” exploit. By the way, access was through the browser.

It is clear when your hardware runs operating systems like Windows, OS X, Android, IOS (both Apple and Cisco’s one) you do not own the computer.

JonKnowsNothing November 18, 2021 7:51 AM

@ Winter @noone

re: All the bookmarks

  • Some bookmark systems allow tags and sometimes comments (comments can be written into the text part of the URL).
  • Some will assign a Key Word keyboard link (open up multiple links).
  • They may also get the layout of how you store bookmarks if you folder them.
  • Some systems can keep date/time of access and recent viewing or other ranking methods which show which sites are most active and which sites are dormant but still On Your List. (1)

If you are a “person of interest” its could be interesting to some.

There is a direction that LEAs have been moving for their PoliceItAll, which is using AI/ML systems to do predictive policing. A recent MSM article about one (of many) systems used by the LAPD (Los Angeles, California USA) that pulled in all social media and interactions not just of the person of interest but all their friends, their online groups, reading sites etc. Every aspect of Meta that the software vendor could collect and calculated a “probability of future crime”.

Guilt by technical association. Makes a nice graph.

===

  1. Not too long back there were discussions of JSON vs HTML file extensions. FireFox native bookmark backup can use JSON or HTML and both of the resulting file sizes are huge. 3d party bookmark backups export to HTML and are only a fraction of the size.

Not Gonna Get It! November 18, 2021 9:00 AM

Is M$ doing X,Y,Z? Try it and find out!

No.

But you should try it!

No.

Could you just check if…

No.

I don’t play with proprietary bullshit, especially turds flowing from the mouth of One Microsoft Way.

Clive Robinson November 18, 2021 11:57 AM

@ JonKnowsNothing, ALL,

If you are a “person of interest” its could be interesting to some.

Who is not a person of interest these days?

You have agencies within central government that regard and treat “the citizens as the enemy”.

Then you have regional and local “guard labour” bring funded and supplied by Central Government. To increase not just surveillance, but tactical deployment.

Even if you are dead and six feet down you are probably still on somebodies list…

In reality crime is dropping for reasons other than LEO’s abilities. All new technology from the likrs of Palantir is giving LEO’s is bigger suspect lists, that actually hampers most investigations…

Why because the “machine learning” behind it is runing from rules in files upto 20years old when a “good kicking around the back” was a standard investigative tool.

Thus the thugish mentality we had hoped was going via computers is being given a new lease of life to come back and haunt us.

In the US the statistics on plea deals tells you exactly how the system works. They just throw charge after charge at you untill you plead guilty to anything…

In other parts of the world that behaviour is regarded as mental tourture and an abuse of human rights.

Oh and it is actually illegal in the US to deny somebody a jury trial, something they forget to tell you for some reason…

And it is said that technology is improving things… But from what viepoint,

1, Politicians
2, Guard Labour
3, Lawyers
4, Private Prison profiteers
5, Those selling the technology
6, Press
7, Victims
8, Society
9, Suspects

It appears that money is the driving force behind all but a couple in that list…

Jon November 18, 2021 4:45 PM

@ mexaly, Terry Cloth

I just didn’t sign up at all. After a few times the cashiers got exasperated enough that they just gave me a ‘discount’ card.

Now, I’m sure that because I’ve used credit cards with them, they have put two and two together and know roughly who I am, but not that I have consented to anything besides “Take my money in exchange for groceries”.

Still, I highly encourage pissing in the databases. The more rot they have in them, the more worthless they become.

JonKnowsNothing November 18, 2021 6:10 PM

@Clive, @All

re: Jury Trial and other missed Civics Lessons

IANAL

In the USA we also have the right to a “Speedy Trial”.

Not too long ago over on Marcy Wheeler’s site there was a review of what “speedy trial” means as there was a SCOTUS ruling on “tolling”.

So.. IANAL and I didn’t know what any of that meant…

There is a court timer called “toll” and when the timer starts the “tolling” starts. It governs the amount of time allowed between different parts of the trial. If the “tolling time expires” and the step has not completed then other aspects of the procedure may change with all timers becoming unlimited timers.

Think of it like a competition chess clock, once you make your move you punch the toggle button which starts the clock on the other side. Once they make a move they punch their clock and the timer shifts to your side again. If your timer expires you lose even if you have numerical advantage.

One might think it is in the person’s best interest to have a speedy trial and get things sorted out ASAP. Except it appears that rarely happens.

There must be some advantages to not punching the tolling timer, one of them maybe for the prosecution and another for all the legal fees that get racked up.

The person, if not among the wealthy, sits in jail for the duration even if they are supposed to be “innocent until proven guilty”.

It also seems that “pretrial detention” counts extra towards the ultimate sentence. So having the tolling bell expire means you get bonus credit for sitting in jail, even if the jury finds you Not Guilty.

All very confusing. ymmv IANAL

===

(1) MW has the sentencing guideline tables for the 37thDec group.

SpaceLifeForm November 18, 2021 7:07 PM

@ Robert, Who?, Ted, Clive, Freezing_in_Brazil, ALL

Grease leaks

Try FF.

Not saying it is perfect, but the alternatives are not your friend.

Justa Comment November 19, 2021 1:16 AM

I had an even worse (in my opinion) experience on a Samsung phone:

I used the YouTube app to copy links that I wanted to share with friends. I was (still do the same) very careful to not give permissions to my contact app to, for instance, YouTube. In the same way I gave no permissions to the YouTube app.

Everything fine with that for a few years.

Then, suddenly, I think it was during the spring 2019 when I was doing exactly that (ie copying the link to a video inside the YouTube app) the same YouTube app suddenly suggested people that I could share the clip with. I recognised the names from my contact list (nick-names and so forth).

I checked the permissions for the contact list app and the YouTube app instantly and there were no changes. The permissions were exactly as I had set them. But still, the YouTube app obviously had a look at my contact list.

I have never used the YouTube app in a smart phone since (but of course, the damage is done).

br
X

Robin November 19, 2021 2:51 AM

  1. On store cards: very soon paper till receipts will disappear, replaced by some sort of electronic communication. This will probably be managed via store cards, so to have a proof of purchase a store card will be obligatory. How this will be managed if I buy an item in one shop and walk into another with no proof I’ve bought the items I’m carrying, I have no idea. But the number of store cards I carry and the completeness of the data stored therein will be startling.
  2. An alternative to obligatory store cards will be dedicated phone apps for every trader you buy from. I have a handful of apps on my phone and I really don’t want any more. I am very conscious of the fact that I have zero knowledge, and even less control, about what information these apps are sharing. At least with a browser I can install privacy add-ons; with apps I can do … nothing.

Peter A. November 19, 2021 4:29 AM

@Robin:

Poland have just enacted electronic receipts for customers (optional – for now).

Before, it was obligatory to give every customer a paper receipt with all legal/tax data on it (failure to do it risks a steep fine for the merchant; there were even a few widely reported provocation/entrapment cases stipulated by tax officers). From now, there’s a possibility of providing e-receipt “with the consent of and in a form agreed with the customer”. It is not clear yet what would be the offered method(s) – initially probably SMS/email, but how the customer would provide the phone number/email address is not specified; and how the merchant would collect and protect that data. Some big chains already announced they are ready to provide e-receipts via dedicated apps. Some have been doing it for some time already in addition to official paper receipts, offering extra perks for using their apps.

The other end of the receipt is worse. Before 2020, all sales (there are still some exceptions for small businesses, but are being closed gradually) had to be recorded on a certified register with non-volatile append-only memory system, reports needed to be retained for several (5?) years. This is a problem for merchants as the commonly used thermal print paper bleaks. Since 2020, more and more areas of business (starting, not surprisingly, with automotive: gas stations, repair shops etc.) have to use registers with obligatory Internet connection to the tax office, to send out each sales receipt in real time.

Robin November 19, 2021 5:38 AM

@Peter A

Yes, here in France things are moving iun the same direction. I assume it’s an EU wide initiatrive but on a quick search I didn’t turn up any links to EU or EC law.

Who? November 19, 2021 9:45 AM

@ SpaceLifeForm

I am running FireFox on OpenBSD; it is my only browser (ok, sometimes I use the Tor-targeted flavour too). Some years ago I started setting up FireFox with some enterprise features (like a restrictive policies.json and a hardened mozilla.cfg), so I cannot inadvertently set an insecure parameter.

lurker November 19, 2021 10:34 AM

@Justa Comment: but of course, the damage is done

The damage was done of course in Palo Alto. It’s getting harder and harder to run a stock commercial Android phone without a Google account. If you run thru the standard setup procedure on a new device, and login to an existing G acct, before you can get to the settings Do Not Sync [default is Yes, Sync], it will have started to populate a Contacts list on your device, derived from the archived mail and phone history. Yup, those phones sure are smart…

name.withheld.for.obvious.reasons November 19, 2021 3:33 PM

If I understand it correctly, Apple does the same thing. If does a bookmark synchronization with the apple cloud storage system to keep your favorites “safe”. There does not appear to be a way to turn this off either, unless of course you forgo using Apple’s browser.

It also is to allow your iPhone to be married up to your Apple computer to share that data “seamlessly”. I often wonder who this mysteriously named “seamlessly” is. Do they have a first name, like Effortlessly?

insert.barcode.here November 20, 2021 7:16 AM

crApple, Goggle, Microsuck, Faceboot … none of them have any power if you take their TCP/IP away from them.

Those who don’t know TCP/IP are doomed to be enslaved by it.

Stop feeding the beasts and they will stop growing out of control.

You have the technology to seize and keep absolute control over your online footprint.

All you have to do is use it.

Install OpenVPN.
Route your devices to that host.
Configure that host firewall to block icloud.
No more crApple cloud.
Configure the iptables to block all domains in Goggle’s ASN.
No more goggles.
Configure the iptables to block all domains in Faceboot’s ASN.
No more faceboots.

If you want a nice blueprint for a Pi of Terror, add the following to the OpenVPN/iptables host:

Pihole with whitelisting/blacklist redirecting to dnscrypt-proxy to Quad9 DNS for DNS resolution.

Squid with whitelisting/blacklisting redirecting everything else to privoxy to Tor.

OpenVPN on that with your devices set to use the host for DNS and web proxying.
Make the data hoarders requests run the gauntlet of fear and block them at any point you like.
Don’t resolve their DNS.
Don’t request their HTTPs.
Let IPfilter block anything you missed.

And yeah, this is all in addition to browser plugins like NoScript, CanvasBlocker, Ghostery, PrivacyBadger, uBlock, DecentralEyes, etc.

Ted November 20, 2021 7:50 AM

@insert.barcode.here

Re: Install OpenVPN

If you have that technical level of understanding, you are most likely ahead of the game. However…

@SpaceLifeForm posted a link to an article about securing your digital life a few days ago. It was the finale in a four part series.

The author has this to say about VPN’s:

That’s about it. Otherwise, VPNs aren’t much more effective in protecting your privacy than what you already get from visiting sites that use modern Secure HTTP (HTTPS).

Your thoughts?

https://arstechnica.com/information-technology/2021/11/securing-your-digital-life-part-4/

Jakob November 20, 2021 12:53 PM

The best option is probably to avoid having a Microsoft account at all/logging in with a Microsoft account on your device. Not exactly easy to do these days, when setting up a newly bought computer the setup wizard will not allow that unless you skip the “connect to the Internet” step before (or switch to airplane mode and disconnect the Ethernet cable at the time it asks you to set up an account).

The same also goes for Android, as soon as you log in with a Google account you basically loose control of what is uploaded to Google. With Aurora store you can still get apps from Google Play without having to log in the whole device.

SpaceLifeForm November 20, 2021 3:33 PM

@ Ted, ALL

Actually, I purposely did not post the link. You were just paying attention, and connected dots. Kudos to you.

The reason I did not post the link was because Bruce was already covering the series, and I thought he was going to put up another article on that.

I do agree with the point. Use of VPN or TOR is painting a target on your back.

https://techgenix.com/webrtc-leaks/

Those of you using VPN or TOR, may want to check out

https://ipleak.net/

And see if you are leaking your real WAN ip.

SpaceLifeForm November 20, 2021 5:35 PM

@ FBI, Clive

This applies to you too

https://ipleak.net/

And see if you are leaking your real WAN ip.

And, then goto

https://www.schneier.com/blog/archives/2021/11/friday-squid-blogging-squid-game-cryptocurrency-was-a-scam.html/#comment-393958

read, scroll down, and connect dots.

Just Do It. I know you are paying attention.

If you have to, because you are missing some dots, the Library of Congress has them. You wlll not find them on the net anymore. But LoC has a copy. I am not going to expound for security reasons.

I highly recommend you get a copy.

And I would pay attention to the GREASE.

For internal security reasons.

lurker November 20, 2021 6:06 PM

@SpaceLifeForm, re ipleak

hmmm, are they looking up my ISP physical address from whois? because they place me 400km away from the switch that connects my ISP to the ocean cable, which is what most other geolocators use, and is also 300km away from my actual location.

SpaceLifeForm November 20, 2021 6:35 PM

@ FBI

It’s all BS. Get my drift?

hxtps://www.scmagazine.com/analysis/apt/nsas-cybersecurity-collaboration-center-marks-a-shift-in-spy-agencys-public-profile

insert.barcode.here November 22, 2021 5:01 AM

@Ted

I have differenet opinions of two different uses of VPN:
are you running your own?
are you using someone elses?

If you run your own that allows you to funnel your connections from vulnerable devices that want to connect to everything down to something where you can do your own proxy and filter as you like.

You are the master or disaster of your own destiny – good or bad – live or die on your own know-how.

This is not the life for everyone.

Using someone else’s VPN, to me, is no more security than just HTTPS to your destination – but with added latency.

While I barely trust myself to run a VPN correctly, I certainly don’t trust someone else to do it for me with my best interest in mind.

insert.barcode.here November 22, 2021 5:14 AM

@SpaceLifeForm

Nifty links – nice validation that I am somewhere in Georgia or Wyoming, or Stockholm (I’m not)
Love it.
Reminds me of some of the browserspy stuff.

Really like the check to see if DNS is leaking – which is a pretty fundamental Tor piece of work to secure and part of why I wanted to build the PiHole -> dnscrypt-proxy -> Quad9 for any non-Tor DNS as well.

In the iOS advanced settings are controls to opt in or out of tons of features including webRTC.
Same for Firefox.
The practical lesson is that every new “features” piled into a browser is going to be another exploitable tracking system and the only real way around is to turn it all off OR be very deliberate on what you turn on site by site.
Plugins, privoxy, and IPtables can help and enforce that.

The main problems with living this sort of life (beyond the massive paranoia it spawns) that I can see is 90% of the “modern goggleweb” is partly broken or just unusable.

But, I came from an earlier version of the web where BBSes, gopher, and plaintext ruled.
That’s pretty much what I’ve gone back to – or maybe Gemini.

I hope that most people read your material carefully – it sounds spot on from the bits I’ve seen so far.

Clive Robinson November 22, 2021 6:45 AM

@ , SpaceLifeForm, All,

The practical lesson is that every new “features” piled into a browser is going to be another exploitable tracking system and the only real way around is to turn it all off OR be very deliberate on what you turn on site by site.

The first important lesson is,

1, Turn off javascript.
2, Turn off cookies.

Very few sites actually need either, it’s lazy use of “frameworks” and the like that make people think they are a necessity.

Funny thing is javascript slows down the loading of pages rather more than the latency in VPN’s

The third lesson to learn is easy to understand but very difficult for most people to do.

3, Remove old/insecure ciphers.

If they are not there they can not be used by MITM “fall back” attacks.

Alternatively,

3, Never ever put in your connected computer anything that might embarrass or hurt you financially, emotionally, physically or that would endanger your liberty or standing.

Those that try to force you against these three rules are not your friends, nor are they providing you with honest service. They are in short parasites, at best forcing you to carry the cost of what they do, at worst leaching every thing they can to be used against you for profit or worse.

You don’t have to play their game, so don’t, is my advice.

Always remember, just because other people do stupid things, you don’t have to be like them. After all sticking your head out of a car window to feel the breeze in your hair, is a good way to get the top of your head removed, like you do to a boiled egg with a teaspoon and potentially just as messy but on a larger scale[1].

Sometimes it is hard to know when things you are doing should be classified as “stupid” ICT in less than a biblical life time has had so many it’s impossible to know them all.

Remember once it was “considered OK” to send paswords in “plaintext” across an open communications network that got changed for terminal access such as telnet. But even with that lesson well understood sending passwords in “plaintext” was still “considered OK” by very many, so went on for many more years via HTTP…

I’d like to say “we are smarter now” but we are not I could give a list so long that it would take more than a book to hold them. For instance having login names the same as the personal part of an Email address is really quite stupid when you think avout it, but how many still follow the “considered OK” view point?

[1] I’ve had the misfortune to see the inside of a persons head spread freshly across the scenery twice in my life, once at Clapham Junction the other much more recently in Wimbledon. Railways tend to attract people that want to die. Balham in South London attracts a lot of those who do not understand what they are doing so mainly get it wrong, sometimes they are lucky and only get broken bones that can be set straight and heal, others not so much and have life altering injuries or life long disabilities. Tending to such people as you are the first to respond is not just unpleasent, it can also be dangerous, when staff can not be bothered to activate the safety proceadures or lend assistance. It also tends to stay with you not just at night but in your waking thoughts. There is an unpleasant truth in “No good deed goes unpunished” saying, and it can be a life sentance.

Clive Robinson November 22, 2021 6:53 AM

@ insert.barcode.here,

My comnent above was ment primarily to respond to one of the comments you had made to @SpaceLifeForm.

Sorry I did not cut-n-paste your handle in at the front of the list (put it down to being an early lunch time today).

JonKnowsNothing November 22, 2021 8:31 AM

@Clive, @insert.barcode.here @All

re: new “features” piled into a browser is going to be another exploitable tracking system

Firefox runs regular nagware to upgrade their browser to the latest edition. Software updates rarely separate Important Fixes from GloopWare now, so I check to see what sort of Gloop is being Pushed.

Currently in order to get the Fixes, the Gloop is “COLORS”! Yes, indeed that all important wonderful feature that lets you color your browser (embarrassed).

Browser fingerprinting is already easy enough, which leads to system finger printing (fonts, graphics, drivers, updates, code loaded, etc).

Just what everyone needs to survive the holiday: Yet Another Tracking System.

It is not credible that any major software vendor/provider/organization/opensource or other is not aware of this backwash.

EvilKiru November 22, 2021 1:00 PM

@All: I guess Microsoft is TRYING to steal all your bookmarks and contacts. On the one computer where I use the new Edge browser, with Sync Disabled, a recent Windows update resulted in Edge telling me something like, Congratulations, your data is now being synced, so yes, Microsoft are blithely enabling syncing in the new Edge, WITHOUT ANY LEVEL OF PROMPTING! I quickly located the sync setting and set it back to off.

SpaceLifeForm November 22, 2021 6:11 PM

@ EvilKiru, Clive, ALL

Also, the damage has been done.

As part of the unexpected ‘sync’, the browser may now have a unique key that can be leaked via GREASE. Probably stored in the registry.

So, they have your ID, and ip traffic can be correlated.

I hope this is being used for good.

Clive Robinson November 22, 2021 7:04 PM

@ SpaceLifeForm, ALL,

I hope this is being used for good.

You are joking right?

Alphabet’s Google is now about the “most evil” of the “big five” with Microsoft running a close second[1].

Alphabet have the advantage of not yet having their monopoly subjected to “official” anti-trust investigation,

https://pluralistic.net/2021/11/22/amr-vs-babies/#jam-to-day

[1] I know many think the worst is Facecrook but that’s only because the US “hill slugs” are punishing Zuckerturd for failing them when the Cambridge Analytica story broke and the finger got pointed at the Mercer family who at the time were trying to grab control of the GOP and was doing illegal things in Europe and apparently trying to hide the money trail by pushing it through Russia. The Old Man of the family has dropped back but his Daughter is “Do’in er ting” which is frankly even more scary than knowing Trump has about a quater of a billion to play with…

JonKnowsNothing November 22, 2021 9:16 PM

@ Clive, @SpaceLifeForm, @ALL,

re: They have your ID, and ip traffic can be correlated.

Over on Marcy Wheeler’s site, she has a post up about the Dec 37th festivities (she has many such).

The post details how a person became a person of interest and then a person of much interest and then a person of high interest. Along with some cautionary lines about things Not To Do and Not TO Wear when being interviewed by LEAs, even if the interview ends with No Comment…

The interesting bit, is a screenie of one of the tech exhibits for this person that went from NoOne to SomeOne. It’s a map of the Google Geofence for the person during the excitement on the 37th.

There are @16 points indicated inside the red dash geofence lines.

Per her posting, these points were used to cross reference with cameras, videos and other media with the who-all-hoohaa who were standing around those locations.

Didn’t take a lot to make the correlation; the cuffed trousers was a freebee.

===

h ttps://w ww.emp tywh eel.n et/2021/11/22/false-identifications-and-two-delayed-arrests-jeremy-baouche-and-mark-mazza/

ht t ps://ww w.emp tyw heel.n e t/wp-content/uploads/2021/11/Screen-Shot-2021-11-22-at-2.53.30-PM.png

SpaceLifeForm November 23, 2021 2:28 PM

@ Clive

No. Not joking. Hope is the keyword.

This may be useful to help track Money Laundering happening via CryptoCurrencies.

Think outside the box on this angle.

ip Fragmentation Allowed.

anton v November 23, 2021 4:01 PM

What I kinda don’t like about Microsoft is that they often have exactly same search results as DuckDuckGo and that ad-links on DuckDuckGo often flow (if you click on them) through a Microsoft “bing” server.

Clive Robinson November 24, 2021 2:37 AM

@ anton v,

What I kinda don’t like about Microsoft is that they often have exactly same search results as DuckDuckGo…

It’s the other way around, or it used to be…

Have a read up on how DuckDuck used to send off your search query to other search engines and then returned those semi-anonymized results back to you,

https://en.m.wikipedia.org/wiki/DuckDuckGo

TRX December 10, 2021 7:33 AM

1, Turn off javascript.
2, Turn off cookies.

You’re not going very far in 2021’s web without them, though.

Clive Robinson December 10, 2021 8:20 AM

@ TRX, ALL,

You’re not going very far in 2021’s web without them, though.

You’ld be surprised…

It’s “social media” and “crank websites” that demand you have one or both turned on.

Most of those “accept our terms smash over” pop ups don’t happen with many news sites and others that tackd them on for EU GDPR reasons.

Then there is the load speed… No crapy adds getting in the way stealing the bandwidth you’ve paid for.

And much else in benifit besides.

Michael Babcock December 15, 2021 12:32 PM

I think its worth pointing out that Google’s Chrome has an option to set a custom sync passphrase to encrypt your data before its shared through the cloud, which I feel should be the very base standard applied to such things.

PetroBras May 6, 2022 5:43 AM

@Paweł Komarnicki
“This whole “keep asking” loop is such a shady antipattern that it’s high time to have a proper guideline for that.”

This is plain harassment, and I think guidelines and even laws exist for that.

Andre Vogt November 15, 2022 3:06 AM

Happened to me about a two weeks ago. When I opened the browser, a notification popped up telling me “Your bookmarks are now being synced”.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.