Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Microsoft Privacy

Microsoft Edge is Leaking the Sites You Visit To Bing (theverge.com) 72

Microsoft's Edge browser appears to be sending URLs you visit to its Bing API website. Reddit users first spotted the privacy issues with Edge last week, noticing that the latest version of Microsoft Edge sends a request to bingapis.com with the full URL of nearly every page you navigate to. Microsoft tells The Verge it's investigating the reports. From a report: "Searching for references to this URL give very few results, no documentation on this feature at all," said hackermchackface, the Reddit user who first discovered the issue. While Reddit users weren't able to uncover why Microsoft Edge is sending the URLs you visit to its Bing API site, we asked Rafael Rivera, a software engineer and one of the developers behind EarTrumpet, to investigate, and he discovered it's part of a poorly implemented new feature in Edge. "Microsoft Edge now has a creator follow feature that is enabled by default," says Rivera in a conversation with The Verge. "It appears the intent was to notify Bing when you're on certain pages, such as YouTube, The Verge, and Reddit. But it doesn't appear to be working correctly, instead sending nearly every domain you visit to Bing."
This discussion has been archived. No new comments can be posted.

Microsoft Edge is Leaking the Sites You Visit To Bing

Comments Filter:
  • One has to wonder. I'd use a MSFT-produced browser umm, if they discontinued links. Maybe. And every other browser. Do we not remember the abomination that was IE?
    • by mysidia ( 191772 ) on Tuesday April 25, 2023 @03:48PM (#63476136)

      Yeah, but Edge is not IE, and there are some useful features Edge has such as Token Binding [microsoft.com]. This feature... which Google has refused to implement in Chorme (wonder why?) allows websites to bind your Session cookie to Private keys used with TLS - which would mean if a hacker/malware stole your cookie, they couldn't use it to Impersonate your logged in session And act as you without so much as having to authenticate (Protect against Hijacking sessions by stealing tokens from the browser - a very common attack strategy).

      • by HBI ( 10338492 )
        In certain versions it'll also preserve your selection in paged browser windows so you can cut/paste quickly. But those conveniences aren't enough to give MSFT any power over the browser. They misused it last time and will do so again.
        • >"But those conveniences aren't enough to give MSFT any power over the browser. They misused it last time and will do so again."

          Just like Google has been doing for years now.

        • by mysidia ( 191772 )

          But those conveniences aren't enough to give MSFT any power over the browser. They misused it last time and will do so again.

          Well; these issues are not unique to MSFT at all... There's a simple solution here though: switch between browsers often.

          eg. Use Edge for accessing websites that login to important resources, Firefox and Opera for general browsing.

          This way no single browser gets access to much of my browsing history as a whole.

  • So... Just like Chrome. Monkey see, monkey do. At least Firefox lets you turn this off.
  • by bill_mcgonigle ( 4333 ) * on Tuesday April 25, 2023 @03:46PM (#63476132) Homepage Journal

    Is each query a fineable GDPR violation?

    • A search query is not in principle a protected information. It would be a violation if Edge asked personal information like name and photo to supposedly personalize the home screen, and then leaked it elsewhere.

      • The browser and your IP address combined gives often a unique fingerprint that identifies you.
        So they have enough for targeted advertising based on your searches.

        • The GDPR does not prohibit the collection of such information. It limits what can be done with it, and defines the permissions a company needs to have. If you're using Edge you're using Windows, and if you read the Terms of Services you accepted when you installed Windows you will see you have allowed them to collect this information.

          • This is not the US, and that's not how the GDPR works. Regardless of what the ToS say. Consent is to be separately and voluntarily collected, not bundled with any other terms, and not as a prerequisite for the service to be usable. Otherwise it's not valid consent under the GDPR.
      • by Okind ( 556066 )

        A search query is not in principle a protected information. [...]

        Wrong. Requests to the Bing API always have an IP address (a technical necessity), which qualify as personal data in the EU. Also note that the GDPR term personal data extends beyond personally identifying information. So even if a bit of data does not uniquely identify you, it can still be personal data.

        This also means that sending, for example, data on a search query for a medical condition makes that entire request sensitive personal data. Having/collecting such data for commercial purposes is definitely

    • It would be if the users of Edge weren't also users of Windows who would have explicitly agreed to Microsoft collecting this information as part of the terms of service the user agreed to.

      The GDPR prohibits the processing of only a very limited amount of data. It requires a user to consent to collection of other data which users almost certainly will have done by agreeing to the ToS that they most certainly definitely did read right ;-)

    • by AmiMoJo ( 196126 )

      Potentially. I have sent them a Data Subject Access Request for the information, but first they will have to tell me how to find the identifier that Edge/Bing uses to associate the data with my installation.

      Once I have that and the data I will proceed to ask them what the legal basis for gathering it was. They may well try to claim it was essential to providing the service, but I don't recall any notification that the data would be collected. If there was one it certainly wasn't compliant, as collecting eve

  • by The New Guy 2.0 ( 3497907 ) on Tuesday April 25, 2023 @03:52PM (#63476154)

    Google did this for years with its Google Toolbar, now baked in to Chrome.

    • by AmiMoJo ( 196126 ) on Wednesday April 26, 2023 @05:57AM (#63477394) Homepage Journal

      Incorrect. I don't know about Google Toolbar, but Chrome definitely does not do this.

      If you enable phishing and malware protection it uses a local database of known bad URLs. Nothing is sent to Google.

      If you enable syncing history with your Google account (you can separately choose to sync individual items like saved passwords and payment info, omitting history if you prefer, or simply not sync anything) then you can encrypt it client side with a password. If you don't encrypt then your data can in theory be read by Google, but their ToS says they won't and at least in GDPR countries I believe that is the case because the legal consequences of lying would be catastrophic.

      Again, this is all opt in. Chrome does not send every URL you visit to Google unless you explicitly tell it to.

    • And they still do it inside Gmail and generic Google search. Every link listed goes to a Google address and is then redirected to the destination URL.

      Not that I think this gets Microsoft off the hook, but given how much traffic originates through Google search this seems like a small piece of a larger privacy problem.

  • It's working correctly. This was most definitely planned and scheduled, intended to send everyone dumb enough to use edge's net traffic to microsoft until they got caught.

    • and what is acceptable about spying on your visits to youtube etc?

    • by Xenx ( 2211586 )
      To be fair, Microsoft didn't say it was a bug. They only said they're looking into it. The reference to a bug was Rafael Rivera, who does not work for Microsoft. Now, given that clicking on the large "Discover" Bing icon in the upper right opens a site analytics break down for the page you're on, I can't imagine MS is trying to hide anything. It's pretty obvious that they're sending site info to Bing.

      To be clear, I get that Rafael was saying it's part of the Follow Creator feature. My point is only that th
  • by couchslug ( 175151 ) on Tuesday April 25, 2023 @03:54PM (#63476162)

    Of course it does. When the browser is "free" you are the product.

  • Considering I'm using Firefox.

  • by UnknowingFool ( 672806 ) on Tuesday April 25, 2023 @03:57PM (#63476172)
    Also I am surprised there was gambling happening in this establishment.
  • Water is wet.

  • you don't say ?
    how is that a surprise ?

    • by znrt ( 2424692 )

      apparently to the audience of "the verge" which i presume paid for this mind blowing piece of news being promoted.

  • by Oryan Quest ( 10291375 ) on Tuesday April 25, 2023 @04:05PM (#63476190)

    I was gonna be weirded out but then I read the part where they only want to spy on certain popular sites. Wow what a relief!

    Those fellas at Microsoft are a-ok!

  • Gee thanks Captain Obvious! Who would never have thought they would do such a thing /sarcasm
  • Burglars appear to be stealing goods you have in your home. Reddit users spotted the fact last week, noticing that the latest burglary in their town caused the theft of several valuable items from an unsuspecting person's flat. A burglars' spokesman tells The Verge they're investigating the reports.

  • They just do. I remember the optimism of Firefox 1.0 and how it would "take back the web". I remember when Microsoft tried to improve Internet Explorer and even made a "the browser you used to hate" advert campaign. Then everyone threw everything away just and become Chromium Crapium. I do consider Firefox to be a Chromium clone, even if they technically have a separate engine it has shims and hacks to be as Chromium like as possible. The fact that browsers are racing to the bottom by getting as much analyt
    • by markdavis ( 642305 ) on Tuesday April 25, 2023 @07:29PM (#63476694)

      >"I do consider Firefox to be a Chromium clone"

      Well, it isn't. Not at all.

      Yes, they made it LOOK more like Chrom*, which many of us don't like, but otherwise it is totally different. The controls are different, the engine is different, the UI is actually different, the organization behind it is different, etc. And it sucks a *lot* less than Chrom* for many, many reasons, mostly control, standards, and privacy.

  • by big-giant-head ( 148077 ) on Tuesday April 25, 2023 @04:21PM (#63476234)

    Not shocked, I have to run a bunch of M$ crap on my work machine. Only thing I have M$ on my home box is HALO, running through Steam and Proton.

  • I thought the Edge browser was just for porn...
  • not a leak (Score:4, Insightful)

    by sdinfoserv ( 1793266 ) on Tuesday April 25, 2023 @05:08PM (#63476378)
    This is not a "leak". A leak implies an error, a bug in the code, an accident. This is an intentional data harvest. This is an invasion of privacy by a corporate monolith that no regard for you or what you might consider "personal".
    • This is an invasion of privacy

      There is no invasion of privacy when a corporation explicitly asks your permission and you explicitly grant it. You did read the Microsoft ToS when you installed Windows right? RIGHT?

  • This doesn't help all those 5G vax chip conspiracies.

  • ... such as YouTube, The Verge, and Reddit ...

    I'd assume they're spying on the competition but Microsoft doesn't provide these services. Not yet, anyway.

    ... sending nearly every domain you visit ...

    It's not a bug, it's a feature, particularly for a corporation re-designing its products to include "personalized" marketing.

    • Every Windows setup I do for a new user: a bunch of questions from Microsoft that boil down to "can we spy on you a lot, or just the legal minimum we can force on you?"

      And no way to answer for the default, it's a major PITA to do anything other than click through it all for every new user who logs in.

      I'm still waiting for the Linux Year of the Desktop. I really would like to see that happen.

      • For at least ONE of us, the "Linux Year Of The Desktop" happened nearly 13 years ago, when I retired from a career as a "windows janitor" and decided I was done with anything MS.

      • >"I'm still waiting for the Linux Year of the Desktop. I really would like to see that happen."

        For me, that has been every year, for decades now. Linux + Firefox gives you the maximum amount of security, control, freedom, and privacy. Doesn't give you the maximum amount of software choices, but that is the trade-off. And for many, it is a very reasonable tradeoff, indeed.

        • The Gnome and KDE sprawls of unnecessary and incompatible utilities derailed that.

          • >"The Gnome and KDE sprawls of unnecessary and incompatible utilities derailed that."

            It might have slowed overall progress, but I was using KDE most of the time and didn't care about Gnome. Didn't affect me at all.

            • It affected me quite a lot, for international companies who preferred KDE in Europe and Gnome in the US, or where overlapping utilities hindered development. It didn't so much affect my personal console, for which I used even simpler window managers, but the distinct and incompatible passphrase wallets hindered releases.

  • As opposed to "Omg, all hands on deck, this has to get fixed ASAP!"

  • Yeah, I know it's low-hanging fruit, but I'd feel guilty if I didn't say it:

    "You say Edge is leaking your private data to Microsoft? I'm shocked! Shocked, I tell you!!!"

  • When we all know it was deliberate. This is just the underhanded evil sort of thing that Microsoft does.
  • Leaking it, implies a bug that someone else is taking advantage of.
    This is simply out and out theft.
  • Edge is acting like bloatware/nagware. I had hope for it when it started using Chromium. However, I'm watching it break down into this annoying nagging troll that wants to be my default browser but it doesn't want to earn that right be being good at anything. I always assumed it was spying and leaking everything. It would be weird if it didn't.
  • Comment removed based on user account deletion
  • That's a very long log file devoted to Pornhub

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...