Vivaldi browser and privacy
Vivaldi Technologies AS was accused recently of incorporating spyware in the browser. A user claimed that Vivaldi Technologies incorporated spyware in the browser because the browser connects to https://update.vivaldi.com/stats/piwik.php regularly.
Piwik is a self-hosted analytics software that companies and individuals like to install if they don't want to use third-party hosted services such as Google Analytics. The main advantage of Piwik and other self-hosted solutions is that no one but the company hosting the solution gets access to the data.
It is a fact that the Vivaldi browser transfers data to Vivaldi's self-hosted analytics server. The following paragraphs look at the data that is transferred and how the data is used by Vivaldi.
Vivaldi is open about privacy
If you read the Vivaldi Browser privacy policy, you know that the browser assigns a unique ID to the installation and sends it along with other data to a Vivaldi server in Iceland.
The "other data", is the browser version, CPU architecture, screen resolution, time since last message and the first three octets of the IP address.
When you install Vivaldi browser (“Vivaldiâ€), each installation profile is assigned a unique user ID that is stored on your computer. Vivaldi will send a message using HTTPS directly to our servers located in Iceland every 24 hours containing this ID, version, cpu architecture, screen resolution and time since last message.
The company uses the data in the following manner:
- Unique ID: Only used to get an approximate count of users.
- IP address: Vivalid uses the three octets to get an approximate location using a local geoip solution. The company uses the data to "determine the total number of active users and their geographical distribution". Vivaldi turned off logging on updates.vivaldi.com so that it does not store IP addresses of users connecting to the server.
- Browser version: Used to make sure that part of the userbase is not left behind due to update issues.
- Screen resolution and CPU architecture: Vivaldi uses the information to set up test systems to test the browser on.
The data is sent over an encrypted HTTPS connection.
To sum it up: Vivaldi Technologies does not collect a lot of data and the data that it collects is used to improve the browser or get general statistics about the browser's userbase. The company reveals the data that it collects and what it uses the data for in the second paragraph of the privacy policy.
Closing Words
Privacy conscious Vivaldi users may object to the generating of a unique ID and the lack of an opt-out option the most. This is understandable as companies used IDs in the past to track users.
Vivaldi promises to use the ID only for counting the overall number of users. The company could use different means for that, for instance, the number of devices requesting an update plus an estimate of the number of devices without automatic updates turned on.
It is easy enough to delete the ID though and it is different anyway if you use Vivaldi on multiple devices.
Now You: What's your take on this?
Related articles
- Control Animations in Vivaldi
- How to speed up the Vivaldi web browser
- Intro to Customizing Vivaldi's interface with CSS
- Vivaldi: easier selection of same domain tabs
- Vivaldi Tip: Block all keyboard shortcuts
Vivaldi is not opensource and require root permission to run. Should be a big red flag to everyone ;-)
Vivaldi vs Chrome is best example, compared to Google information collecting (+ stored!?), IMO Vivaldi’s “telemetry” is nothing.
This is a minor variation of #PrivacyRaping as profit. There is no need for this fine grained information of individual [(behavior)
Without privacy one’s individuality is compromised which is why 3rd party ads are evil. It encourages the Thought Policy to spread their inanity through legislation as they, mostly unemployed, have vast swaths of free time on their hands.
Thanks for the article. I was thinking of giving Vivaldi a try, but I’m going to stick with Pale Moon now.
FWIW this data as presented is NOT anonymized under any realistic definition of the word, with or without the “unique ID”. If you have a dynamic IP, all it takes is 2 or maybe 3 phone-homes and a company like Google will identify you from the 3 octets of the IP and the screen resolution alone. (If you have a static IP or IPv6 you’re already toast for a host of other reasons.)
If it was just the unique ID, I’d understand it, but this is a needless liability.
I’m searching for alternatives. If both Firefox and Vivaldi is a NONO, what are the options? Could someone give me some suggestions?
Vivaldi’s privacy statement does not state that the Unique ID be used to identify. It mentions removing the last byte of IP, however what if the unique id was an algorithm having the IP of initial installation in it…
Example 192.168.1.1 + Algorithm = MN994723746432
Would it be possible to pin point a person by saying we know the general location from first set of IP (192.168.1.xxx), have their IP (assuming my algorithm unique idea), time and date of unique id generation be able to locate that person? I’m pretty sure ISP keep logs of IP address used by each customer for a very long time. Just something to think about.
Vivaldi has a unique ID? Golly gee, so does Chrome…imagine that! Vivaldi is collecting telemetry but promises to be good and not evil? Golly gee, so does Chrome…imagine that! Vivaldi has Piwik/Matomo? Golly gee, Chrome has Google Analytics…imagine that! Ahhh, what were we talking about again? Oh right, the differences between Vivaldi and Chrome. Duh, what differences?
At least Piwik/Matomo is far less “spread” than Google Analytics : browser is analyzed but with less cross-references.
Best is to defeat privacy intrusions ourselves because expressing irritation won’t change anything to browsers’ policies. Let them be and let us be accordingly by blocking what we can.
Oh look, the same Vivaldi fanboys who screech about Chrome RLZ are now trying to convince themselves Vivaldi is fine for doing the same thing.
What’s so great about Vivaldi, anyway? It uses a bloated layout engine, Blink, with the memory-hungry V8 JS engine and then builds a slow and responsive UI on top of HTML and JS. Pass.
> What’s so great about Vivaldi, anyway?
Besides his music I really don’t see :=)
I’m joking, haven’t tried ‘Vivaldi – The Browser’, maybe one day with Bach!
Oh! poor me, lol (laughing all by myself!)
Wait, Vivaldi AS gives me a free UID that’s unique for me only? Great !!
I HAVE NOTHING TO HIDE TO BE HONEST
Hey, Martin… if you’re going to delete comments with perfectly valid opinions because you don’t agree with the expressed sentiments, then you might want to rethink why you support comments here at all.
eol
I don’t delete comments. There are some exceptions: they break the law, attack other users, or are spam. You may have noticed that the comment system is as convenient as it gets for users. There is no forced registration, heck not even the need to enter an email address. Your comment was not deleted but I cannot find it either. Did you use the same username?
Martin, if it’s helpful, I noticed an oddity yesterday that seems to point to a bug that could be related to this.
I wrote a comment on the “Mozilla creates Shield study rules” article (comment timestamped January 31, 2018 at 9:00 pm). When I posted it, it appeared. Then when I checked later, it was gone. I think it blinked into and out of existence a couple of times yesterday — but it’s there now, and I think it’s decided to stay.
John, WordPress comments always puzzled me. I do know that there is a bug that involves comment editing. If you post a comment, then edit it, the chance of it ending up in moderation is high.
I don’t want to use third-party commenting system as I’d trade convenience and less bugs (probably) for user privacy and less control, and that’s not what I want.
I agree with your stance here. Personally, I tend to avoid sites that use third-party commenting systems. I don’t use them in part for the reasons you cite, and engaging in conversation with authors and other readers is about 90% of the reason that I frequent most sites.
I like how you handle comments here. Actually, I like almost everything about how you run this site. That reminds me, I need to kick some money your way.
Money kicked. :)
I have comments occasionally vanish (just had that happen today!) myself. I see no reason to believe that anyone is intentionally deleting them, though. It seems more likely that there’s a glitch somewhere.
I agree with Tom Hawack that i have never seen any comments deleted on this site. Have visited it for more than a year now.
Martin doesn’t delete comments, I know I’ve been here for years.
Either a new email, either an edited comment postpones the publication. Otherwise a possible hiccup, which I’ve encountered maybe 2-3 times over 10 years or so.
Early to jump to conclusions, username checks out
I think people here need a quiet reminder.
The internet is a PUBLIC place,
“The internet is a PUBLIC place,”
This is an overly simplistic assertion of something that is much more complicated than that. Regardless, it doesn’t seem relevant to the issue of telemetry.
No need to yell it… public, ok. Let’s whisper, all together now… “the internet is a public place” :=) (a whispered lol).
I still remember the privacy lectures of Jon von Tetzchner against evil Opera and Chrome. They all are bad and you are here to save us. Lies and lies and lies. You have proven to be nothing but a parasite copying chromium code and replacing the existing spyware with your own, because… your spyware are “better”.
Goodbye Vivaldi, I won’t miss you at all.
sudo apt -y remove vivaldi-stable
My intention was to switch from Pale Moon to Vivaldi, a soon as the long-promised email program has been implemented in Vivaldi (as it was in the earlier Opera), but now I’m not so sure…
If there is no opt-out, it is Windows 10 all over again.
“Vivaldi turned off logging on updates.vivaldi.com so that it does not store IP addresses of users connecting to the server.”
Really, so how do they send you an update? Crappy VPN’s use the same doubletalk, logging has to be defined, is it a year, a minute, a second, as long as it takes to send the update? Every web transaction is logged.
If you don’t mind sending information, fine, no big deal. It doesn’t bother me at all if a browser knows who I am when updating, having it periodically send info about my browsing without me knowing what is sent is unacceptable.
Most browsers do the same thing as Vivaldi’s “spyware.” When someone first starts digging into how the web works, it can be hair raising. Even if you turn off the Vivaldi call home, there are so many ways to ID a user or at least narrow down to just a few users, it won’t help much.
If this is new to you, try: https://panopticlick.eff.org/
If you ever get hacked and have to f*** with all your financial accounts for months to fix the damage, you’ll never again say “Who cares if the web knows who I am?” Wallets, virtual keyboards, AV, MWB, password managers(LOL!), blah, blah, won’t do much if you’re otherwise surfing wide open.
Learn as much as possible about privacy, the lack of it takes away free thought, and never ever fall in love with a particular software. Fanboys/girls have targets on their backs. :)
Assume everything online is fake, astroturf, eg., is everywhere, until you prove otherwise to yourself. The internet really isn’t regulated in any meaningful way; caveat emptor.
Being a bit paranoid is as healthy as being a bit skeptic.
I echo Malte above. Thank you Vivaldi for keeping it in house and being transparent. I understand their desire to know data on how widely their product is used. They’re not tracking your website visits.
If i am correct vivaldi is slapped on top of chromium is it not.?
So any talk of total privacy is nonsense.
unique-id..?..well your ISP has got you identified and located especially if you are on a static landline.
Might as well face the truth folks,there is nowhere left to hide and ironically your more private amongst the masses.
I agree with you Kubrick.. I don’t understand what they’re trying to hide. It’s like they’re being chased by some serial killer so they try to hide as much as possible.
It’s ironic that people are complaining when they get unrelated ads to their interest but when they’re being tracked to be served the right ads, they complain that they’re being tracked.
I think those people just want to hide their porn browsing habits.. Not funny when your computer get the porn ads all the time. Maybe that’s why they’re so desperate.
@Kole
“I don’t understand what they’re trying to hide.”
It’s not a matter of “trying to hide” stuff. It’s a matter of wanting to retain meaningful consent for sharing stuff.
“It’s ironic that people are complaining when they get unrelated ads to their interest but when they’re being tracked to be served the right ads, they complain that they’re being tracked.”
I rather suspect that you’re talking about two different groups of people as if they were the same group. I complain about tracking, and I have no issue with seeing unrelated ads.
“I think those people just want to hide their porn browsing habits”
Why do anti-privacy people feel the need to speak of people who value privacy in such disparaging terms? For that matter, why do you actually care whether or not other people value privacy? I’m not bothered by people who don’t value their privacy — each to his own, after all.
Not being concerned by our privacy and arguing that this position is natural given the fact only the guilty should be worried is also a trend nowadays to legitimate prostitution of one’s privacy when the deal is considered worth it. The contradictions flourish when many users denounce the invasion of their privacy but amazingly forget to once they are hypnotized by a so-called free service, by the hysterical excitement of social sites, by the fact of using what *everyone* states as the best, the best application, software : hey, if you aren’t running it you’re has been, man!
I think it all comes up to dignity. Being committed to privacy, if it is indeed a condition of guilt’s survival, remains a simple right, not only legally. Do we appreciate a foreigner trying to get into our lives with indiscreet questions? Then, when we get to know each other we start sharing episodes of our lives, of our privacy, which is relevant of the fact that we don’t hold to privacy as a dog a bone but that we aim at sharing our privacy, our “private garden” as we say in French, when we decide to, and that moment is most of the time related to confidence.
Finally, and this is specific to privacy evasion on the Web, information — ours — melts and feeds a global system of cross-references, which leads to far more knowledge of our lives than we would have supposed when letting leak what we believed was non essential to our privacy.
“well your ISP has got you identified and located especially if you are on a static landline.”
Yep. But so does my mailman and my bank.
The argument that because one entity knows a lot about you means that it doesn’t matter if other entities know a lot about you doesn’t make any logical sense whatsoever. Minimizing exposure is always worthwhile, even when it’s impossible to eliminate exposure.
@john fenderson.
i hear what your saying johnny.
only the guilty should be worried more or less.
its your choice if you use the mailman…do you know the mailman and can he be trusted lol.?
so what form of privacy are we expecting.?..they will only take what you give them and no more.
That’s a curious use of the word “give,” Kubrick.
Your failure to stop Bob from smacking your head with a bat is you consent to be bludgeoned?
“only the guilty should be worried more or less”
I greatly disagree with this statement. There are plenty of reasons why people would want strong privacy even if they are guilty of nothing at all.
Personally, the underlying principle is that it should be my decision what I will be revealing and to whom. The reason that I have for not wanting certain information to be funneled to certain people isn’t actually important. This is, to me, a fundamental human rights issue.
@John Fenderson: so, if you get a letter sent from company X with its logo on the envelope, do you decide beforehand whether the mailman can see the logo, or do you tell him after delivery that he should forget the logo from his “hard disk” in his brain?
And your bank: it sees all your financial transactions? Have you told the bank it is not allowed to see details about the parties you do transactions with?
Ahhh. Not just the hard drive in the posties brain.
Online reports following the pipe bombs in the mail from supposedly “main line” news organisations are that the USPS photographs back & front of all packages & it has been revealed that the Australian post Australia Post keeps a log of all letters & parcels permanently & tries to match deliveries with origins for advertising & security monetising purposes.
It would be a reasonable guess that many other government & private postal & parcel delivery organisations are doing exactly the same.
Of course not. I’m not sure of the point you’re making here. Perhaps my point was misunderstood…
What I was trying to demonstrate was that the notion that being OK with one party having access to your personal information means you should be OK with all parties having access to your personal information is silly.
If that were a logical stance, then the very notion of privacy itself is rendered meaningless, since I (and most people) willingly share very personal information with entities like mail services, banks, insurance companies, etc. That would mean that I should be OK sharing the same information with anybody and everybody.
“only the guilty should be worried more or lessâ€
That’s only true if those deciding “Guilt” or “Innocence” are impartial/unbiased.
As far as I’m concerned, corporate executives have proven themselves to be as trustworthy as paedophiles, politicians and terrorists.
“so what form of privacy are we expecting.?..they will only take what you give them and no more.”
That would be a good start.
@lehnerus2000: “That’s only true if those deciding “Guilt†or “Innocence†are impartial/unbiased.”
It’s not true even then.
I was only referring to those statements.
I think that carte blanche data collection should be banned. :)
another reason to abandon this bloated crap
Unique ID is a no-no for me
Sorry Vivaldi, but i’m out!
A unique ID is totally a NO-NO……………IMO.
I tried Vivaldi a while ago, but it was not for me anyway. There are damages to trust, wherever we look, and that’s just the way it is.
Much ado about nothing. We agree to it once we use the browser.
Besides we also use android phone and sell much of our data on using it. If you go privacy concious to the extreme, might as well use a phone which you dispose of every time you make a call (so the FBI wont trace you :))
“Privacy conscious Vivaldi users may object to the generating of a unique ID and the lack of an opt-out option the most.”
Yes, those are the two things that make this data collection unacceptable (particularly the lack of opt-out). Unique IDs count, in my opinion, as personally identifying information, and the inability to opt-out is just straight-up user hostile.
“Vivaldi promises to use the ID only for counting the overall number of users.”
Company promises about what they’ll do with collected data are meaningless. Even if the company is honest and conscientious, the company may get sold to someone else or otherwise come under new management with different intentions at any point in the future. Even if such an occurrence causes you to stop using the browser, there’s still the issue of the data that’s already been collected.
Personally, Vivaldi’s practices are unacceptable and ensure that I won’t be using their products.
a little OT, what do you think about this fx addon?
https://github.com/snyderp/web-api-manager
Cool, will take a look.
entdeckt aus reine zufall, aber ich finde es hat einigem sehr interessanten und hilfreiche features
Danke noch einmal, Artikel ist raus ;)
Thanks for the article Martin. I didn’t read the privacy statement until now. How do you remove the unique ID, say in Ubuntu? Would removing VIvaldi remove the ID as well?
I do not like to be tracked and I find that privacy policies change over time, sometimes without warning and you are giving away much information about your habits to whomever.
Vivaldi stores it in two locations: Local State in the Vivaldi profile directory and .vivaldi_user_id, created under XDG_DATA_HOME (or .local/share by default) on Linux.
Thanks Martin, I appreciate it. I will be making a donation to you soon.
To all the rest, I reserve the right to be paranoid.
Not that big a deal, was only curious. After backing up my profile, I deleted the Local State file to see what the results of that would be and the only thing I noticed is all of the chrome://flags I use were reset to their default state. I then replaced the profile folder with my backup. As long as Vivaldi is faithful to their privacy policy I’m not bothered by their user ID.
Thanks Martin. I was guessing the Local State file in Windows, would that be the only location in Windows?
Some people–aka “paranoids”–cannot differentiate between spyware and telemetry.
Because on Windows 10 there isn’t a difference.
@Tom
“Remains identification, telemetry, data collecting always aimed at our better experience, as we’re told so systematically that it sounds as a TV commercial.”
I don’t mind if they’re tracking me. I prefer ads with things I interested that unrelated at all. I never click ads I don’t have interest.
I’m happy, the site got click, the advertiser will get income if I buy the product, so what’s wrong?
Ads in internet is much better than TV ads, you can’t skip ads on TV and they’re advertising things you’re not interested in. Well unless you’re often browse questionable things.. I guess you don’t want to be tracked.
And some people, Earl, cannot differentiate between paranoid and hypervigilance. However this I believe is just a run of the mill vigilance, and quite warranted when looking at the big picture. When is the last time you read about someone finding another new tracker is an OS, web browser, app, addon,…?!? For me its never more than 24 hours.
BTW transparency dont mean jack if it isn’t checked and rechecked.
Quoting from the article,
“Privacy conscious Vivaldi users may object to the generating of a unique ID and the lack of an opt-out option the most. This is understandable as companies used IDs in the past to track users.”
Paranoia?
@Tom – Opera too, use an ID, and track you with it whenever you use their browser proxy, which they like to call a “Browser VPN”.
That gets sent of to China, I believe, and that’s not at all good.
I think its right to be sensitive about these things, because in almost all cases, organisations obfuscate, and do not come clean….and this is why we may be inclined to be quickly harsh or suspicious, even when our normal nature might be to be a little more forgiving.
When the Chinese leader came to the UK a few years ago, there were protests in the street. The police reaction? : to cosh some of those people over the head, while things got heated and they were trying to exercise their democratic right to protest.
Fast forward………and Opera=China=ID …………and you wonder why we may be a little sensitive!!!
Great post Sophia
Doesn’t Firefox use that to ? I think there is a unique ID in the registry in Windows.
There is indeed one I’m aware of, toolkit.telemetry.cachedClientID, disabled with:
user_pref(“toolkit.telemetry.cachedClientID”, “”);
You’re right to point that out, Stefan.
@Sophie, I’m not sure a country’s inquisition is proportional too its degree of democracy. Of course democracies include institutional firewalls aimed at limiting/blocking excessive zeal; do they succeed? Obviously no.
There’s also a Western-world strategy which is to replace warfare by propaganda. China, Russia, those two giants experience bashing mainly from those who believe in Good and Evil in terms of geopolitics. I don’t follow that path, I don’t believe virtue chooses its cultures. I believe the planet moves better with an honest and talented leader be it of a devil’s land than with a fanatic leading Heaven on Earth. All systems have their flaws and we often forget that democracy is not perfect.
Remains identification, telemetry, data collecting always aimed at our better experience, as we’re told so systematically that it sounds as a TV commercial. I doubt and because a user’s experience on the Web doesn’t really fit with doubts, I take dispositions as if I were sure that our experience is nothing but a crappy pretext. When you repeat fake, proven as fake, the day you say the truth people doubt. Would the world change now, immediately, there is such an inertia of lies — in democracies as well! — that it would take decades to get the last doubts vanish. Lying is the first thing anyone studying communication is brought to, not to avoid it but to make lies sound as truth.
What remains beautiful is an honest mind, then a talented one. IMO.
What’s wrong with unique ID? Different computer means different ID, how else the tracking system can differentiate between computer? The ID is randomly generated, I don’t understand what’s the fear for.
Look at the comment from Mark Hazard below. How can the four data gathered above determine your browsing habits?
Paranoia? Yes.
There’s a lot wrong with a unique ID!!!!
It pays to be paranoid, and actually….my tin foil hat shines very nicely in the sun, even if it means I don’t quite get all of my daily quota of vitamin D….
Now, where did I put those vitamin supplements????
Thumbs up on that Sophie !
“What’s wrong with unique ID?”
Nothing, as long as everyone understands that it’s an identifier. The issue is that companies tend to talk about these IDs as if they aren’t PII when, in fact, that’s exactly what they are.
Credulity isn’t the right state of mind for defining paranoia :=)
When people call others who are sensitive about privacy issues “paranoid”, it only shows that they don’t really understand what the word means.
@ohn Fenderson said on January 30, 2018 at 6:11 pm
So, you thought I was referring to you… ‘,:-)
No, I understand the difference between spyware and telemetry. :)
I just find it interesting that people are so eager to disparage others as “paranoid” because they value their privacy. BTW, I wasn’t responding to your comment specifically, I was just making a general observation about the abuse of the word.
My take on this? Thank you Vivaldi for not using Google Analytics. If only more companies/websites would host the data instead of sharing it with a 3rd party like Google.
Yes, this!
A bunch of upset over nothing. Vivaldi is open about it. I have no objections to it. I figure that’s a good trade off for not using firefox and google chrome on a daily basis.
I can be open about grabbing women by the pussy but that doesn’t make it okay and that doesn’t give me a free pass to doing it more.
According to Martin’s article and the yellow part of Vivaldi’s privacy policy, users have a uniquely identifying ID, the complete IP address is used to find out and store their location (because removing the last byte means the IP will look like, say, 200.125.125.x, and there are only 256 different IP in the world that look like this and they are all grouped in the same location), and you cannot opt out.
The last part bans Vivaldi from being used if privacy is of concern.
Trump reference, you do realize he’s still in office right? Unfortunately, however, Vivaldi isn’t grabbing me there, just collecting usage statistics.
Vivaldi is uniquely identifying you and your location and notably: you can’t opt out, which is a clear anti-privacy stance.
You can be okay with it yourself, my point is that 1/ it’s not “nothing” like you said, rather it’s “telling”; and 2/ being open about whatever doesn’t make it okay.
I agree and i will say this i am so happy that they are not using google analytics google is the umbrella corporation of the internet its becoming to be a serious monopoly. vivaldi has done nothing wrong in this situation. its simple if you do not like it then do not use it. but as far as i could tell i wouldn’t worry about it
Microsoft is the real Umbrella corporation. Umbrella now wants to take over Valve and EA. Thank God, ‎Gabe Newell will never allow it.