Google implemented a controversial feature in Chrome
Google has implemented a new feature in version 80 of the company's Chrome web browser called Scroll To Text Fragment designed as a global method to deep link to any part of a web document.
Unlike HTML's anchor functionality, Scroll To Text Fragment links may be created by anyone to point to different parts of a document; this is done by specifying a text snippet in the URL. The text snippet has to be provided in the form #:~:text=, e.g. https://www.ghacks.net/#:~:text=firefox.
Use cases include search engines that may link to content on a page, but also resource sites such as Wikipedia and users who want to share links that point to a specific part of a document (similar to how you may share video links on YouTube that point to a specific playtime).
The feature emerged from the W3C's Web Platform Incubator Community Group which is heavily dominated by Google. Three of the four code reviews of the feature were conducted by Google employees.
Google has been criticized heavily for implementing the feature in Chrome by default. Mozilla employee David Baron posted this last December:
My high-level opinion here is that this is a really valuable feature, but it might also be one where all of the possible solutions have major issues/problems.
Brave's Peter Snyder put it more bluntly on Twitter:
Imposing privacy and security leaks to existing sites (many of which will never be updated) REALLY should be a "don't break the web", never cross, redline. This spec does that.
The feature could enable new privacy attacks according to Snyder who published an example of a potential issue on GitHub:
For example: Consider a situation where I can view DNS traffic (e.g. company network), and I send a link to the company health portal, with #:~:text=cancer. On certain page layouts, I might be able to tell if the employee has cancer by looking for lower-on-the-page resources being requested.
Google has created a document and made it public in which it collected potential issues linked to the Scroll To Text Fragment feature. In it, Google highlights potential attack vectors and potential mitigations.
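One mitigation available outside the browser is to detect or strip the directive from links before they reach users, for example at a mail or chat gateway. The sketch below is an added example, not code from the article, Google's document or the draft's authors. It goes beyond the single-term form shown above by also handling the optional prefix, end and suffix terms of the WICG draft; the function names and the health.example host are hypothetical.

```javascript
// Added example: find and strip Scroll To Text Fragment directives in links.
const DELIM = ':~:'; // separates a normal #anchor from the fragment directive

// Percent-decode one term; keep the raw text if the encoding is malformed.
function decodeTerm(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Parse every text= directive in a link.
// Draft grammar: text=[prefix-,]start[,end][,-suffix]
function parseTextDirectives(link) {
  const hash = new URL(link).hash; // leading '#', still percent-encoded
  const at = hash.indexOf(DELIM);
  if (at === -1) return [];
  const found = [];
  for (const directive of hash.slice(at + DELIM.length).split('&')) {
    if (!directive.startsWith('text=')) continue;
    const parts = directive.slice('text='.length).split(',');
    const d = { prefix: null, start: null, end: null, suffix: null };
    if (parts.length > 1 && parts[0].endsWith('-')) {
      d.prefix = decodeTerm(parts.shift().slice(0, -1));
    }
    if (parts.length > 1 && parts[parts.length - 1].startsWith('-')) {
      d.suffix = decodeTerm(parts.pop().slice(1));
    }
    if (parts.length < 1 || parts.length > 2 || parts[0] === '') continue; // malformed
    d.start = decodeTerm(parts[0]);
    if (parts.length === 2) d.end = decodeTerm(parts[1]);
    found.push(d);
  }
  return found;
}

// Drop the directive but keep any ordinary #anchor in front of it.
function stripTextDirectives(link) {
  const u = new URL(link);
  const at = u.hash.indexOf(DELIM);
  if (at !== -1) u.hash = u.hash.slice(1, at); // empty string removes the '#'
  return u.toString();
}

// Flag links that carry a text directive and point at a watched host.
function flagLink(link, watchedHosts) {
  const directives = parseTextDirectives(link);
  const host = new URL(link).hostname;
  return { host, directives, flagged: directives.length > 0 && watchedHosts.has(host) };
}

// Constructed sample: one link in the article's form, one using prefix/suffix.
const watched = new Set(['health.example']);
const sample = 'https://health.example/record#results:~:text=diagnosis-,cancer,-stage';
console.log(flagLink(sample, watched), stripTextDirectives(sample));
```

The check has to run on the link as delivered, since Chrome does not expose the directive to page scripts through the fragment.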
One of the main takeaways from the controversy is that Google acts from a position of power thanks to Chrome's dominance on the web. Google will push features into Chrome that it considers worthwhile (for whatever reason) even if there is strong opposition.
Now You: What is your take on the controversy surrounding the new feature?
Seems pretty harmless to me. A search engine spider will be picking all those words up anyway.
In which case you (and a few others in this thread) either didn’t read and/or don’t comprehend the problems but just had to comment. It even gave you an example in the article.
This will be a quite interesting thing regarding Edge and Firefox or any other so called privacy respecting browser come to that. We will see what they are really like and if they also include it despite the obvious concerns and problems.
I understand the issue, but it’s very minor. Anyone that stores medical data as in the example should be ashamed in 2020. The danger is outbalanced by the value of this new feature.
I care about privacy and I use Firefox, but I’m not a knee-jerk anti-Google zealot either.
No, you don’t understand, that was just an example of how it could be used, it’s nothing to do with medical records per se. I care about privacy so use Brave which is based on chromium so not exactly an anti-google zealot. I prefer it to Firefox who pretend to care about privacy.
“Consider a situation where I can view DNS traffic (e.g. company network)”
In that example, people are traversing over a network subject to observation by a third party (owner of that network, or man in the middle attack?) of that DNS traffic.
They can stop using that network, if they value their privacy and this is a concern, or use a VPN to encrypt their own traffic over that network (of course, they have to trust that VPN provider too).
There is a reason why browsers like Firefox are integrating VPN features.
Where should that line be drawn – where we should stop new features or block existing ones in order to save people from themselves?
There is all kinds of alarmism from all quarters of our society over the theoretical possibilities of the worst case scenarios over a variety of issues, but few considerations about the downside or opportunity cost of adopting measures based on those concerns.
After a while it starts to sound like advocating for mandatory helmets for walking – because someone, somewhere might possibly have a debilitating or fatal accident when crossing in the middle of the street (which they should already have enough sense to know not to do).
Attorney General Balderas Sues Google for Illegally Collecting Personal Data of New Mexican School Children
I mean, you can just send the string separately and anyone can Ctrl + F it and even mobile browsers support Find in Page. Not that difficult. In other cases, people can take snippets of the page if they think the website will modify it due to outcry.
It is silly to ASSume a person has cancer just because they search on the word. The objections to the discussed Chrome changes are just a new twist on an old problem where algorithms and their human authors insist on continuing to err as they assume.
@chesscanoe, Martin’s article described the very definition of tracking.
You can put your head in sand, but that doesn’t mean it isn’t happening.
That you’re apologizing for Google enabling more methods of procuring even more personal information from users is pathetic.
I hope that your insurance rates skyrocket, when your health insurer & all potential health insurers know you have cancer. It’s not a joke, wake up idiot. This kind of privacy breach is the reason we have the HIPAA in America, with penalties of $250,000 & 10 years in prison for any criminal violation. People had their personal information sold to insurance companies & they couldn’t afford insurance as a consequence, that’s why HIPAA was codified into law.
Stop shilling for Google/Chrome all the time, it’s embarrassing.
I totally agree, all examples I’ve seen are totally made up and often technically incorrect.
If someone on corporate proxy can read URL, they can decrypt all traffic.
I don’t understand the problem with this. It’s like phpBB hilit functionality. I usually strip the URL off that stuff because I hate it, but I don’t find this to be harmful.
So Chrome did something bad and you just shrug it off?
@Dude without a suit.
Please… Mozilla supported heavy duty DRM back in the day. You now have closed source DRM plug-ins in the browser that are basically blackboxes.
And this coming from Mozilla…
> My high-level opinion here is that this is a really valuable feature, but it might also be one where all of the possible solutions have major issues/problems.
…doesn’t sound like a strong stance against the new standard described in the article, at all. As usual, Google-funded Mozilla will follow their master’s commands like a good lackey. Wait and see.
Another reason why Chrome sucks.
The reason Google is talking about “mitigating” security & privacy problems with their new “feature” is because you can’t turn it off.
Everything in Firefox has a switch in about:config or the menus that allow you to disable/enable it.
Chrome only has “experiments” in chrome://flags, which frequently has cryptic descriptions & may disappear without notice (if Google even gives you an option to toggle something, like this “scroll to text fragment” that can’t be disabled).
Firefox is the ONLY browser engine that’s not controlled by Google for Windows users (everything else runs on the Blink engine [Chromium] that’s controlled by Google). Yet all the MORONS attack Mozilla at every turn.
For all the Chrome users, enjoy Google tracking you everywhere, on top of allowing more security vulnerabilities in Chrome by default.
You can't remove Adjust, Google Firebase Analytics, LeanPlum, Mozilla Telemetry from about:config in Firefox. Toggling a telemetry preference is no guarantee they won't sneak a system addon that does the same thing or turns it back on.
Maybe pressure your colleagues to remove trackers, user identities and telemetry from finished products before posturing? Or are you ok with these things?
> Everything in Firefox has a switch in about:config or the menus that allow you to disable/enable it.
That’s outright wrong.
> Firefox is the ONLY browser engine that’s not controlled by Google for Windows users (everything else runs on the Blink engine [Chromium] that’s controlled by Google).
Mozilla, developer of Firefox, gets its funding from daddy Google. Plus, more and more code derived from Blink makes its way into Gecko, take a look at Bugzilla.
> Yet all the MORONS attack Mozilla at every turn.
Maybe because Firefox enables tracking just as much as Chrome does? That could be the reason why Mozilla gets flak. Firefox’s default privacy configuration is absolute shit (due to them not wanting to piss daddy Google off), and 95%+ of its user base uses said default configuration of course.
> on top of allowing more security vulnerabilities in Chrome by default.
Typical writeup by you, @notanon, one of the greatest Firefox shills on this website. He recommends against the browser directly controlled by Google, and then goes on to suggest the browser indirectly controlled by Google – Firefox, as Google funds Mozilla. How stupid is that? Only goes to show that you have understood absolutely nothing.
The relationship between Google and Mozilla is similar to the relationship of the “WTO” and “The Order” in the game Deus Ex: Invisible War. The World Trade Organization are the cold-hearted capitalist strongmen (Google), and due to them understanding that people might rise up against their corrupt rule, they created “The Order” (Mozilla), nature-loving and spiritual rebels. At the end of the game, it is revealed that the “WTO” and “The Order” were run by the very same people, and that “The Order” was controlled opposition and a scam all along. That’s exactly what is going on here as well. @notanon still thinks that “The Order” (Mozilla) is for real, despite me hinting at the – admittedly disappointing – truth all the time (pointing at Mozilla’s financial background).
@Ironheart, I don’t have time to refute all your lies.
Unlike you, I don’t get a paycheck from Google to shill for Chrome.
I have a life.
You’re a Google shill constantly spouting lies.
Where’s your proof???
Why do I always have to defend my positions, but you act like your nonsense is fact.
That’s a play out of the leftist handbook, Rules for Radicals.
I don’t have time for your nonsense.
From what I’ve read, this feature is the tipping point where Google goes all-in on Evil. It has convinced me to accelerate my avoidance of Google products and services.
I guess it sounds like Google people have the majority say with the W3C? Disturbing really how much control Google has.
I don’t understand how people keep using that nefarious browser.
Because the competition are deliberately not trying and most often do exactly the same things.
Google keeps deliberately causing Google-owned websites to ‘break’ on browsers not controlled by Google – even chromium and other chromium-based browsers. They’re always a single serverside flick away from sending you slow or badly formatted pages and they can make sure to only cause this to a small audience at a time rather than everyone under the guise of “just an experiment bros!”.
Microsoft in the days deliberately sent Opera broken css for msn.com and google complained as well, google nowadays is the villain it once denounced.
Does not surprise me at all
Nooooo, chrome has more controversial features that make chrome destroying the internet has been 2018
Just me, but this would be a really good feature to have. I don’t see how this is any more unsafe than sending someone a link about cancer already.
WE WANNA PUT INK ALL OVER THE FECKIN’ PLACE!?
“…users who want to share links that point to a specific part of a document…”
That would be nice if it always happened. Often a link just opens a page at the top, not where the link subject appears. Frustrating on a long page.
I don’t know enough about web development to understand the concerns voiced by the Googlepeople; whether they’re plausible exploits or esoterica.
Iain Cheyne: The privacy concerns are for personal data only visible when you are logged in.
chesscanoe: You are not searching for cancer. You just follow a link to a health portal with your medical history, where it may say that you have cancer. Then, if e.g. in this health portal there are images, the browser may just download the ones around the part that you are seeing. So if you don’t have cancer, the browser will fetch the images around the top. If you have cancer, this feature will scroll to that part and the browser will fetch other images. So, even if the page was delivered using encrypted HTTPS, whoever controls the network may end up knowing whether you have cancer or not depending on the image requests.
Yuliya: I don’t know much about hilit. But it seems it only highlights text, it doesn’t scroll to it. So the attack described above wouldn’t work.
JohnIL: The ScrollToTextFragment spec (https://wicg.github.io/ScrollToTextFragment/) is just a WICG unofficial draft, written by Google employees. It’s not endorsed by the W3C as a whole.
As an additional note, people are not complaining against the feature per se. They are complaining against this feature being forced everywhere instead of being opt-in. And against Google unilaterally shipping it, ignoring previously raised privacy concerns.
My view is that the Internet shall be regulated by a public body, just like the ILO for example, where every nation has exactly one vote.
On the other hand, there is no global organisation not controlled by the US.
A definition of what is the internet on the African Continent is already defined by a select few US Corporations. For example private payment systems, mobile communication
This alone should ring warning bells by default.
“there is no global organisation not controlled by the US”
So Interpol, World Socialist Movement, UNESCO, Club of Rome, World Bank, Interpol, United Nations Industrial Development Organization, the International Telecommunication Union, Doctors Without Borders, International Civil Aviation Organization, are all controlled by the US?
What about China’s control over such?
Things may not be so simple as you assume they are.
“African Continent is already defined by a select few US Corporations. For example private payment systems, mobile communication”
Mobile money payment methods by telecoms providers is very popular in many African countries. The most popular ones are: M-Pesa, Airtel Money, MTN Mobile Money, Tigo Pesa, Ecocash, and Orange Money.
None of those are US companies.
Furthermore, many huge corporations from all over the world are in Africa, and not “defined by a select few US Corporations”.
You are clearly a liar.
So what’s your agenda? Are you a Russian troll?
Google’s power over Internet “open” standards is very concerning. Google has a very specific agenda: To increase Google’s (Alphabet’s) corporate profits. It’s all about money, power, and control. I don’t think they care much about people (if at all).
Note that this functionality has been available for years in Firefox, Pale Moon, Basilisk, GNU IceCat, and Waterfox via any one of several excellent extensions. And none of those extensions have the privacy or security leaks that the Google proposal, if adopted, would create.
Google has announced this week plans to crack down on Android apps that abuse the OS permissions system and request access to user geo-location data when the app is not in use
It should be in all browsers. No more screenshots of text that use a lot of data.
As far as privacy leaks go, the “cancer” attack as proposed is really unstealthy as it literally scrolls the page to focus on whatever valuable data you’re trying to leak. Not saying that the actual criticism is invalid, but it’s no NSA-level exploit yet.
>For example: Consider a situation where I can view DNS traffic (e.g. company network), and I send a link to the company health portal, with #:~:text=cancer
Since when does DNS contain anything more than the TLD? It’s a poor example, and if you’re an employee on a corporate network that information would be visible anyway (and much more), so… what’s the issue?
I agree, this seems at the very least a tremendous exaggeration or even a non-issue.
This will allow even more user-specific personalization, and more efficient ad placement locations.
Google would be able to personalize your web history according to not just which pages you visit, but which parts of a page you and your friends are more interested by and actively share around.
This sounds like a great feature. I’m sure google knows what’s best.
Seems fine to me. Now hyperlinking to a part of a page is controversial and dangerous? Get a life people. This is just an improved fragment identifier which is part of hyperlinks since forever.
Just some people as part of their anti-Google rhetoric trying to make a mountain out of a molehill… lots of “the sky is falling” sound and fury.
Doesn’t DNSCrypt solve this issue already?
If a bad actor can read your DNS/HTTP traffic, you’re already vulnerable. Talking about additional vulnerabilities some features might add in an environment where you can’t be protected anyway is pointless.
Chrome forces HTTPS which makes the described “read the lower-on-the-page resources” impossible. There’s also support for DNS over HTTPS in Chrome. If you still trust HTTP sites don’t pretend to care about your privacy.
But oh well, one must shamelessly self-promote his not-so-popular browser alternative every now and then, mustn’t one?