Microsoft Edge is Leaking the Sites You Visit To Bing (theverge.com) 72
Microsoft's Edge browser appears to be sending URLs you visit to its Bing API website. Reddit users first spotted the privacy issues with Edge last week, noticing that the latest version of Microsoft Edge sends a request to bingapis.com with the full URL of nearly every page you navigate to. Microsoft tells The Verge it's investigating the reports. From a report: "Searching for references to this URL give very few results, no documentation on this feature at all," said hackermchackface, the Reddit user who first discovered the issue. While Reddit users weren't able to uncover why Microsoft Edge is sending the URLs you visit to its Bing API site, we asked Rafael Rivera, a software engineer and one of the developers behind EarTrumpet, to investigate, and he discovered it's part of a poorly implemented new feature in Edge. "Microsoft Edge now has a creator follow feature that is enabled by default," says Rivera in a conversation with The Verge. "It appears the intent was to notify Bing when you're on certain pages, such as YouTube, The Verge, and Reddit. But it doesn't appear to be working correctly, instead sending nearly every domain you visit to Bing."
If you're using Edge... (Score:1)
Re:If you're using Edge... (Score:5, Informative)
Yeah, but Edge is not IE, and there are some useful features Edge has such as Token Binding [microsoft.com]. This feature... which Google has refused to implement in Chorme (wonder why?) allows websites to bind your Session cookie to Private keys used with TLS - which would mean if a hacker/malware stole your cookie, they couldn't use it to Impersonate your logged in session And act as you without so much as having to authenticate (Protect against Hijacking sessions by stealing tokens from the browser - a very common attack strategy).
Re: (Score:3)
Re: (Score:2)
>"But those conveniences aren't enough to give MSFT any power over the browser. They misused it last time and will do so again."
Just like Google has been doing for years now.
Re: (Score:2)
But those conveniences aren't enough to give MSFT any power over the browser. They misused it last time and will do so again.
Well; these issues are not unique to MSFT at all... There's a simple solution here though: switch between browsers often.
eg. Use Edge for accessing websites that login to important resources, Firefox and Opera for general browsing.
This way no single browser gets access to much of my browsing history as a whole.
So... Just like Chrome. (Score:2)
GDPR? (Score:3)
Is each query a fineable GDPR violation?
Re: (Score:2)
A search query is not in principle a protected information. It would be a violation if Edge asked personal information like name and photo to supposedly personalize the home screen, and then leaked it elsewhere.
Re: GDPR? (Score:2)
The browser and your IP address combined gives often a unique fingerprint that identifies you.
So they have enough for targeted advertising based on your searches.
Re: (Score:2)
The GDPR does not prohibit the collection of such information. It limits what can be done with it, and defines the permissions a company needs to have. If you're using Edge you're using Windows, and if you read the Terms of Services you accepted when you installed Windows you will see you have allowed them to collect this information.
Re: (Score:1)
Re: (Score:2)
A search query is not in principle a protected information. [...]
Wrong. Requests to the Bing API always have an IP address (a technical necessity), which qualify as personal data in the EU. Also note that the GDPR term personal data extends beyond personally identifying information. So even if a bit of data does not uniquely identify you, it can still be personal data.
This also means that sending, for example, data on a search query for a medical condition makes that entire request sensitive personal data. Having/collecting such data for commercial purposes is definitely
Re: (Score:2)
It would be if the users of Edge weren't also users of Windows who would have explicitly agreed to Microsoft collecting this information as part of the terms of service the user agreed to.
The GDPR prohibits the processing of only a very limited amount of data. It requires a user to consent to collection of other data which users almost certainly will have done by agreeing to the ToS that they most certainly definitely did read right ;-)
Re: (Score:2)
Potentially. I have sent them a Data Subject Access Request for the information, but first they will have to tell me how to find the identifier that Edge/Bing uses to associate the data with my installation.
Once I have that and the data I will proceed to ask them what the legal basis for gathering it was. They may well try to claim it was essential to providing the service, but I don't recall any notification that the data would be collected. If there was one it certainly wasn't compliant, as collecting eve
Just another search engine... (Score:5, Informative)
Google did this for years with its Google Toolbar, now baked in to Chrome.
Re:Just another search engine... (Score:4, Insightful)
Incorrect. I don't know about Google Toolbar, but Chrome definitely does not do this.
If you enable phishing and malware protection it uses a local database of known bad URLs. Nothing is sent to Google.
If you enable syncing history with your Google account (you can separately choose to sync individual items like saved passwords and payment info, omitting history if you prefer, or simply not sync anything) then you can encrypt it client side with a password. If you don't encrypt then your data can in theory be read by Google, but their ToS says they won't and at least in GDPR countries I believe that is the case because the legal consequences of lying would be catastrophic.
Again, this is all opt in. Chrome does not send every URL you visit to Google unless you explicitly tell it to.
Re: (Score:2)
And they still do it inside Gmail and generic Google search. Every link listed goes to a Google address and is then redirected to the destination URL.
Not that I think this gets Microsoft off the hook, but given how much traffic originates through Google search this seems like a small piece of a larger privacy problem.
Oh right, a bug (Score:2)
It's working correctly. This was most definitely planned and scheduled, intended to send everyone dumb enough to use edge's net traffic to microsoft until they got caught.
Re: (Score:2)
and what is acceptable about spying on your visits to youtube etc?
Re: (Score:3)
To be clear, I get that Rafael was saying it's part of the Follow Creator feature. My point is only that th
Newsflash! Water is wet. (Score:5, Insightful)
Of course it does. When the browser is "free" you are the product.
Re: Newsflash! Water is wet. (Score:2)
Data is used for stock investing? (Score:4, Insightful)
Re: (Score:1)
The browser isn't free. It's a feature included in a paid for product.
News flash! Edge is on Linux now (Score:2)
Microsoft Edge for Linux has been generally available since November 2021.[1] When a user of Xubuntu operating system uses Microsoft Edge for Linux, what is the paid-for product?
[1] "Microsoft’s Edge browser is now available on Linux" by Tom Warren [theverge.com]
That's quite impressive... (Score:2, Funny)
Considering I'm using Firefox.
Re: (Score:2)
life's hard. do you need a hug? :o)
Shocked, I tell you! (Score:4, Funny)
Re: (Score:3)
Your winning, sir. [youtube.com]
In Other News (Score:1)
Water is wet.
oh... (Score:2)
you don't say ?
how is that a surprise ?
Re: (Score:2)
apparently to the audience of "the verge" which i presume paid for this mind blowing piece of news being promoted.
Oh that’s all (Score:3)
I was gonna be weirded out but then I read the part where they only want to spy on certain popular sites. Wow what a relief!
Those fellas at Microsoft are a-ok!
Oh, no! How could they do this to... (Score:2)
...not me!
Say it isn't so (Score:1)
In other news (Score:2)
Burglars appear to be stealing goods you have in your home. Reddit users spotted the fact last week, noticing that the latest burglary in their town caused the theft of several valuable items from an unsuspecting person's flat. A burglars' spokesman tells The Verge they're investigating the reports.
All browsers suck now (Score:1)
Web platform has larger usage share than any OS (Score:2)
Problem is that the browser has morphed into a platform now. Now folks are writing apps for the browser instead of native.
I don't blame them. An application developed for the web platform will reach more users than, say, an application developed for the macOS platform.
Re:All browsers suck now (Score:4, Informative)
>"I do consider Firefox to be a Chromium clone"
Well, it isn't. Not at all.
Yes, they made it LOOK more like Chrom*, which many of us don't like, but otherwise it is totally different. The controls are different, the engine is different, the UI is actually different, the organization behind it is different, etc. And it sucks a *lot* less than Chrom* for many, many reasons, mostly control, standards, and privacy.
Shocked I Tell You, Shocked !!! (Score:3)
Not shocked, I have to run a bunch of M$ crap on my work machine. Only thing I have M$ on my home box is HALO, running through Steam and Proton.
Edge Browser qu'est-ce c'est? (Score:1)
Re: (Score:1)
Re: (Score:1)
not a leak (Score:4, Insightful)
Re: (Score:1)
This is an invasion of privacy
There is no invasion of privacy when a corporation explicitly asks your permission and you explicitly grant it. You did read the Microsoft ToS when you installed Windows right? RIGHT?
Oh gees (Score:2)
This doesn't help all those 5G vax chip conspiracies.
Explained (Score:2)
I'd assume they're spying on the competition but Microsoft doesn't provide these services. Not yet, anyway.
It's not a bug, it's a feature, particularly for a corporation re-designing its products to include "personalized" marketing.
Re: (Score:2)
Every Windows setup I do for a new user: a bunch of questions from Microsoft that boil down to "can we spy on you a lot, or just the legal minimum we can force on you?"
And no way to answer for the default, it's a major PITA to do anything other than click through it all for every new user who logs in.
I'm still waiting for the Linux Year of the Desktop. I really would like to see that happen.
Re: (Score:2)
For at least ONE of us, the "Linux Year Of The Desktop" happened nearly 13 years ago, when I retired from a career as a "windows janitor" and decided I was done with anything MS.
Re: (Score:2)
>"I'm still waiting for the Linux Year of the Desktop. I really would like to see that happen."
For me, that has been every year, for decades now. Linux + Firefox gives you the maximum amount of security, control, freedom, and privacy. Doesn't give you the maximum amount of software choices, but that is the trade-off. And for many, it is a very reasonable tradeoff, indeed.
Re: (Score:1)
The Gnome and KDE sprawls of unnecessary and incompatible utilities derailed that.
Re: (Score:2)
>"The Gnome and KDE sprawls of unnecessary and incompatible utilities derailed that."
It might have slowed overall progress, but I was using KDE most of the time and didn't care about Gnome. Didn't affect me at all.
Re: (Score:2)
It affected me quite a lot, for international companies who preferred KDE in Europe and Gnome in the US, or where overlapping utilities hindered development. It didn't so much affect my personal console, for which I used even simpler window managers, but the distinct and incompatible passphrase wallets hindered releases.
"Excellent" (Score:2)
As opposed to "Omg, all hands on deck, this has to get fixed ASAP!"
It has to be said... (Score:2)
Yeah, I know it's low-hanging fruit, but I'd feel guilty if I didn't say it:
"You say Edge is leaking your private data to Microsoft? I'm shocked! Shocked, I tell you!!!"
Leaking implies it wasn't deliberate (Score:2)
It is NOT leaking it. (Score:2)
This is simply out and out theft.
In other news... (Score:1)
Re: (Score:1)
log files (Score:2)
That's a very long log file devoted to Pornhub