15 comments

[ 2.9 ms ] story [ 41.2 ms ] thread
Isn't there a guideline about editorializing submission titles?
Flag those you don't like and don't bother starting meta discussions. The moderators will figure it out.
It happens in Chromium too... it's literally a 1 minute code search to find out where this is constructed:

https://code.google.com/p/chromium/codesearch#chromium/src/c...

https://code.google.com/p/chromium/codesearch#chromium/src/c...

Looks harmless enough. It just provides omnibox autocomplete timings to search engines.

if you click on the var you get on this page: https://code.google.com/p/chromium/codesearch#chromium/src/c...

ther is a link with more details: http://goto.google.com/binary-clients-logging

but for that you have to login with a google employ account...

Heh, that login page is marked up with a tabular layout. I wonder why Google as a "cool-kid" company never properly redesigned its internal applications. I can only shudder at the usability of "moma". Or is it just the login page?
It's been a while since I've been to Google Code, that's a really nice code browser they have there.
The autocomplete timings are one part of it. I am more concerned about other parts which are not publicly documented and seem to contain possibly identifiable information. I will be very happy if my suspicions are proven unfounded.

Aside, there seems to be an RLZ parameter in Chrome, which is purportedly absent from Chromium. The RLZ parameter comes from [1], which according to that page is now integrated into Chromium. By manual inspection of the AQS parameter value, there seems to be some identity of the browser included in it.

[1]: https://code.google.com/p/rlz/

The fact that it sends it in Incognito mode too, is very concerning.
>If you want to use Google, use the barebones search query (http://google.com/search?q=%s)

>Disable the webservice for finding navigation errors (happens via Google)

>Disable the autocomplete omnibox features (happens via Google)

>Disable the prediction of network actions (happens via Google)

>Disable protection against phising and malware (happens via Google)

>Disable requests for translating webpages (happens via Google)

>Disable HTTPS validity checks (happens via Google)

>Disable background apps

>Disable Google Cloudprinter detection

And with that, you have gotten rid of all tracking interaction via Google at browser level which is user configurable (i.e. accessible via chrome://settings).

Just noticed that for me (on ubuntu at least) the default provider sends a lot of stuff as well as the query!

{google:baseURL}search?q=%s&client=ubuntu&channel=cs&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}

"which is user configurable"

The vast majority of Chrome's users have no idea what any of those terms even mean, or what the tracking actually entails. Most people don't read EULAs and will never touch program defaults. They certainly don't fully understand the compromises they are making with their privacy. Having these options available is irrelevant for most people.

Out of curiousity... Are all those options in Chromium too?

Does anyone know for certain what differences between Chromium and the closed-source Chrome is?

I find it very hard to trust a browser from the internet's biggest user-tracking- and ad-agency.

These are the only options you can modify from the assigned UI for it (chrome://config). As far as I know, Chrome is the branded version of Chromium. Chromium development is done by open source contributions, but mostly they are on the Google payroll. What do they get from this? As you said: user-tracking so they can deliver even more targeted advertisements. It is great they also deliver a FOSS-ish browser, but there is only a small minority actually using Chromium. The majority gets to use Chrome which, due to Google branding, is vastly more popular.

Their search engine also greatly benefits from all the data hoarded.

At least on the desktop they bother sending autocomplete requests over https. On android, autocomplete is a security disaster. the stock browser up to 4.2 sends anything you type in the addressbox in cleartext over the "wire". Haven't checked if chrome does the same thing but i would guess they share some of their codebase.

I think it's time to start compiling your own browser..