Chrome

'Google's Chrome Has My Dead Grandpa's Data and He Never Used the Internet' (forbes.com) 229

schwit1 shares a Forbes article by Joe Toscano, a former experience design consultant for Google who in 2017 "decided to step away from my role consulting with Google, due to ethical concerns."

This summer he got a big surprise when he looked in Chrome's "addresses" panel at chrome://settings/addresses: It turns out Google has info connecting me to my grandma (on my dad's side) who's alive and well but has never had the internet, and my grandpa (on my mom's side), who recently passed away in March 2019 and also never had the internet. This was disturbing for several reasons, the biggest of which being that neither of them had ever logged onto the internet in their lives. Neither even had the internet in their homes their entire lives! Beyond that, Google knew their exact addresses and their middle initials. I couldn't even have told you those things about my grandparents...

[T]he data wasn't manually entered by me or anyone using my account, but yet the data is associated with my account? How did that happen? The only thing I can think of is that at one point in history my grandpa gave his information to someone or some company in real life and his information was sold to Google at one point or another... But then that led me to another question: How did his data get associated with my Google account...?

Other questions I have: What other information does Google have about me/my family/others that I don't know about...?

He's now asking readers if they have any idea how Google connected him to his dead grandpa -- and whether Google is somehow creating an ancestry database.

Toscano also discovered Chrome has been creating a list of "Never Saved" passwords at chrome://settings/passwords?search=credentials even though "At no point did I tell Google to create and store a list of websites I had logged into that they didn't get access to but would like access to at some point in the future. Maybe in the Terms of Service/Privacy Policy I agreed to this, but who knows? Not the majority of us, and it's just creepy."

And in an update Toscano writes that he hopes the article will "provoke thought" about "why we willingly allow this to happen": Why is it okay that the internet is designed to be a surveillance machine? Why isn't it designed to be private by design? Is this how we want to carry on? Just because something is legal doesn't mean it's right. What would you like to see done? How would you like to see things changed?
Google

Google Expands Bug Bounty Programme To All Apps With Over 100M Installs (venturebeat.com) 2

Long-time Slashdot reader AmiMoJo quotes VentureBeat: Google, which has already paid security researchers over $15 million since launching its bug bounty program in 2010, today increased the scope of its Google Play Security Reward Program (GPSRP). Security researchers will now be rewarded for finding bugs across all apps in Google Play with 100 million or more installs. At the same time, the company launched the Developer Data Protection Reward Program (DDPRP) in collaboration with [bug bounty platform] HackerOne. That program is for data abuses in Android apps, OAuth projects, and Chrome extensions....

Google also uses this vulnerability data to create automated checks that scan all Google Play apps for similar vulnerabilities. Affected app developers are notified via the Play Console. The App Security Improvement (ASI) program provides them with information on the vulnerability and how to fix it. In February, Google revealed that ASI has helped over 300,000 developers fix over 1,000,000 apps on Google Play.

The article also notes that Android apps and Chrome extensions found to be abusing data "will be removed from Google Play and the Chrome Web Store."
Privacy

Why Phones That Secretly Listen To Us Are a Myth (bbc.com) 219

A mobile security company has carried out a research investigation to address the popular conspiracy theory that tech giants are listening to conversations. From a report: The internet is awash with posts and videos on social media where people claim to have proof that the likes of Facebook and Google are spying on users in order to serve hyper-targeted adverts. Videos have gone viral in recent months showing people talking about products and then ads for those exact items appear online. Now, cyber security-specialists at Wandera have emulated the online experiments and found no evidence that phones or apps were secretly listening. Researchers put two phones -- one Samsung Android phone and one Apple iPhone -- into an "audio room". For 30 minutes they played the sound of cat and dog food adverts on loop. They also put two identical phones in a silent room.

The security specialists kept apps open for Facebook, Instagram, Chrome, SnapChat, YouTube, and Amazon with full permissions granted to each platform. They then looked for ads related to pet food on each platform and webpage they subsequently visited. They also analyzed the battery usage and data consumption on the phones during the test phase. They repeated the experiment at the same time for three days, and noted no relevant pet food adverts on the "audio room" phones and no significant spike in data or battery usage.

Mozilla

Mozilla Outlines Plan For Manifest V3 Extensions API (mozilla.org) 13

New submitter q4Fry writes: When Google released its changes to the Chrome WebExtensions API for comment, many groups criticized them for cutting off ad-blockers at the knees. Now, Mozilla has released its plan for following (and departing from) the APIs that Chrome may adopt.

Will Mozilla follow Google with these changes? In the absence of a true standard for browser extensions, maintaining compatibility with Chrome is important for Firefox developers and users. Firefox is not, however, obligated to implement every part of v3, and our WebExtensions API already departs in several areas under v2 where we think it makes sense.


Mozilla

Firefox 69 Ratchets Up Tracking Protection, Switching it On by Default (cnet.com) 31

Mozilla has switched on Firefox's tracking protection feature for everyone on Windows and Android, dialing up its effort to protect privacy from website publishers and advertisers that would like to keep tabs on your online behavior. From a report: Mozilla enabled tracking protection for new Firefox users in June, but now it's on for everyone, the nonprofit said Tuesday. Tracking protection is all the rage among browser makers, including Apple's Safari, Brave Software's Brave and Microsoft's new Chromium-based Edge. Even Google's Chrome, long the laggard among major browsers, is starting to tackle the problem. It's a thorny issue for websites and advertisers that seek to improve advertising revenue by targeting ads based on their assessment of your interests. "Currently over 20% of Firefox users have Enhanced Tracking Protection on. With today's release, we expect to provide protection for 100% of our users by default," Mozilla said in a blog post Tuesday.
The Internet

Ask Slashdot: What Lightweight Alternative To Chrome or Firefox Do You Use? 158

thegarbz writes: It seems not a day goes by without yet another story reflecting poorly on major browsers. Not uncommon are stories that are mixed with a degree of bloat, either discussing rarely used features or directly criticizing memory consumption of major browsers. Unfortunately memory consumption is quite often the result of complete feature implementation of technologies used on the web, including DRM for streaming services and WebRTC. Other times it's the result of security measures, feature creep, or poor coding.

So in 2019 for those of us with slower tablets, what browser do you use as an alternative to the big two? How well does it work with the modern HTML5 internet? Are websites frequently broken, or does the simplicity of other browsers largely go unnoticed?
Google

EFF Warns: 'Don't Play in Google's Privacy Sandbox' (eff.org) 52

An EFF analysis looks at the problems with some of Google's new "Privacy Sandbox" proposals, a few of which it calls "downright dangerous": Perhaps the most fleshed-out proposal in the Sandbox is the conversion measurement API. This is trying to tackle a problem as old as online ads: how can you know whether the people clicking on an ad ultimately buy the product it advertised....? Google's ID field can contain 64 bits of information -- a number between 1 and 18 quintillion. This will allow advertisers to attach a unique ID to each and every ad impression they serve, and, potentially, to connect ad conversions with individual users. If a user interacts with multiple ads from the same advertiser around the web, these IDs can help the advertiser build a profile of the user's browsing habits.

Even worse is Google's proposal for Federated Learning of Cohorts (or "FLoC").... FLoC would use Chrome users' browsing history to do clustering. At a high level, it will study browsing patterns and generate groups of similar users, then assign each user to a group (called a "flock"). At the end of the process, each browser will receive a "flock name" which identifies it as a certain kind of web user. In Google's proposal, users would then share their flock name, as an HTTP header, with everyone they interact with on the web. This is, in a word, bad for privacy. A flock name would essentially be a behavioral credit score: a tattoo on your digital forehead that gives a succinct summary of who you are, what you like, where you go, what you buy, and with whom you associate...

If the Privacy Sandbox won't actually help users, why is Google proposing all these changes? Google can probably see which way the wind is blowing. Safari's Intelligent Tracking Prevention and Firefox's Enhanced Tracking Protection have severely curtailed third-party trackers' access to data. Meanwhile, users and lawmakers continue to demand stronger privacy protections from Big Tech. While Chrome still dominates the browser market, Google might suspect that the days of unlimited access to third-party cookies are numbered. As a result, Google has apparently decided to defend its business model on two fronts. First, it's continuing to argue that third-party cookies are actually fine, and companies like Apple and Mozilla who would restrict trackers' access to user data will end up harming user privacy. This argument is absurd. But unfortunately, as long as Chrome remains the most popular browser in the world, Google will be able to single-handedly dictate whether cookies remain a viable option for tracking most users.

At the same time, Google seems to be hedging its bets. The "Privacy Sandbox" proposals for conversion measurement, FLoC, and PIGIN are each aimed at replacing one of the existing ways that third-party cookies are used for targeted ads. Google is brainstorming ways to continue serving targeted ads in a post-third-party-cookie world. If cookies go the way of the pop-up ad, Google's targeting business will continue as usual.

The Sandbox isn't about your privacy. It's about Google's bottom line. At the end of the day, Google is an advertising company that happens to make a browser.

Google

Google and Dell Team Up To Take on Microsoft with Chromebook Enterprise Laptops (theverge.com) 76

Google is launching new Chromebook Enterprise devices that it hopes will draw more businesses away from Windows-powered laptops. From a report: Microsoft has dominated enterprise computing for years, but as businesses increasingly look to modernize their fleet of devices, there's an opportunity for competitors to challenge Windows. Google is teaming up with one of Microsoft's biggest partners, Dell, to help push new Chromebook Enterprise laptops into businesses. Dell is launching Chrome OS on a pair of its popular business-focused Latitude laptops, offering both a regular clamshell design and a 2-in-1 option. While it might sound like just two existing Windows laptops repurposed for Chrome OS, Google and Dell have been working together for more than a year to ensure these new Chromebook Enterprise devices are ready for IT needs. That includes bundling a range of Dell's cloud-based support services that allow admins to have greater control over how these Chromebooks are rolled out inside businesses.

It means IT admins can more easily integrate these Chromebooks into existing Windows environments and manage them through tools like VMware Workspace One. Microsoft and its partners have offered a range of admin tools for years, making it easy to customize and control Windows-based devices. Google has also tweaked its Chrome Admin console to improve load times, add search on every page, and overhaul it with material design elements. Businesses will be able to choose from Dell's 14-inch Latitude 5400 ($699) or the 13-inch Latitude 5300 2-in-1 ($819). Both can be configured with up to Intel's 8th Gen Core i7 processors, up to 32GB of RAM, and even up to 1TB of SSD storage.

Open Source

Celebrating the 28th Anniversary of the Linux Kernel (androidauthority.com) 60

Exactly 28 years ago today, a 21-year-old student named Linus Torvalds made a fateful announcement on the Usenet newsgroup comp.os.minix.

i-Programmer commemorates today's anniversary with some interesting trivia: Back in 1991 the fledgling operating system didn't have a name, according to Joey Sneddon's 27 Interesting Facts about Linux:

Linux very nearly wasn't called Linux! Linus wanted to call his "hobby" project "FreaX" (a combination of "free", "freak" and "Unix"). Thankfully, he was persuaded otherwise by the owner of the server hosting his early code, who happened to prefer the name "Linux" (a combination of "Linus" and "Unix").

One fact I had been unaware of is that the original version of Linux wasn't open source software. It was free but was distributed with a license forbidding commercial use or redistribution. However, for version 0.12, released in 1992, the GPL was adopted making the code freely available.

Android Authority describes the rest of the revolution: Torvalds announced to the internet that he was working on a project he said was "just a hobby, won't be big and professional." Less than one month later, Torvalds released the Linux kernel to the public. The world hasn't been the same since...

To commemorate the nearly 30 years that Linux has been available, we compiled a shortlist of ways Linux has fundamentally changed our lives.

- Linux-based operating systems are the number-one choice for servers around the world... As of 2015, web analytics and market share company W3Cook estimated that as many as 96.4% of all servers ran Linux or one of its derivatives. No matter the exact number, it's safe to say that the kernel nearly powers the entire web...

- In Oct. 2003, a team of developers forked Android from Linux to run on digital cameras. Nearly 16 years later, it's the single most popular operating system in the world, running on more than 2 billion devices. Even Chrome OS, Android TV, and Wear OS are all forked from Linux. Google isn't the only one to do this either. Samsung's own in-house operating system, Tizen, is forked from Linux as well, and it's even backed by The Linux Foundation.

- Linux has even changed how we study the universe at large. For similar reasons cars and supercomputers use Linux, NASA uses it for most of the computers aboard the International Space Station. Astronauts use these computers to carry out research and perform tasks related to their assignments. But NASA isn't the only galaxy studying organization using Linux. The privately-owned SpaceX also uses Linux for many of its projects. In 2017, SpaceX sent a Linux-powered supercomputer developed by HP to space and, according to an AMA on Reddit, even the Dragon and Falcon 9 run Linux.

"Without it," the article concludes, "there would be no science or social human development, and we would all still be cave-people."
Google

Google Chrome Proposes 'Privacy Sandbox' To Reform Advertising Evils 56

Google's Chrome team proposed a "privacy sandbox" Thursday that's designed to give us the best of both worlds: ads that publishers can target toward our interests but that don't infringe our privacy. From a report: It's a major development in an area where Chrome, the dominant browser, has lagged competitors. Browsers already include security sandboxes, restrictions designed to confine malware to limit its possible damage. Google's proposed privacy sandbox would similarly restrict tracking technology, according to proposal details Google published.

The privacy sandbox is "a secure environment for personalization that also protects user privacy," said Justin Schuh, a director of Chrome Engineering focused on security matters, in a privacy sandbox blog post. "Our goal is to create a set of standards that is more consistent with users' expectations of privacy." For example, Chrome would restrict some private data to the browser -- an approach rival Brave Software has taken with its privacy-focused rival web browser. And it could restrict sharing personal data until it's shared across a large group of people using technologies called differential privacy and federated learning.
Chrome

Apple, Google, and Mozilla Block Kazakhstan's HTTPS Intercepting Certificate (zdnet.com) 80

Apple, Google, and Mozilla have moved in to ban a root certificate the Kazakhstan government used in the past month to spy on its citizens' web traffic. From a report: Starting today, Chrome, Firefox, and Safari will show errors if any HTTPS web traffic is encrypted with the Kazakh government's root or leaf certificates. This coordinated action will ensure the safety of Kazakh users who were forced last month by their local Kazakh ISPs to install this certificate under the threat of not being allowed to use the internet otherwise. Kazakh ISPs forced their customers to install the government's root certificate after the Kazakh government issued a decree and said the measure was "aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats." But in reality, the Kazakh government abused this root certificate installed in millions of users' browsers to intercept and decrypt HTTPS traffic users were making to 37 domains, such as Facebook, Google, Twitter, Instagram, and YouTube.
Programming

PayPal Builds 'Zoid' JavaScript Library To 'Make IFrames Cool Again' (medium.com) 85

"Earlier this year I gave a talk at FullStack conference in London about making iFrames cool again," writes a lead engineer at PayPal. In a nutshell: iframes let you build user experiences into embeddable 'cross-domain components', which let users interact with other sites without being redirected. There are a metric ton of awesome uses for that other than tracking and advertizing. Nothing else comes close for this purpose; and as a result, I feel we're not using iframes to their full potential.

There are big problems, though... My talk went into how at PayPal, we built Zoid to solve some of the major problems with iframes and popups:

- Pre-render to avoid the perception of slow rendering

- Automatically resize frames to fit child content

- Pass down any kind of data and functions/callbacks as props (just like React), and avoid the nightmare of cross-domain messaging between windows.

- Make iframes and popups feel like first class (cross-domain) components.

Zoid goes a long way. But there are certain problems a mere javascript library can not solve. This is my bucket list for browser vendors, to make iframes more of a first class citizen on the web... Because fundamentally: the idea of cross-domain embeddable components is actually pretty useful once you start talking about shareable user experiences, rather than just user-tracking and advertizing which are obviously pills nobody enjoys swallowing.

He acknowledges that he "really likes" the work that's been done on Google Chrome's Portals (which he earlier described as "like iframes, but better, and worse.")

"I just hope iframes don't get left behind."
Chrome

Google Plans To Remove All FTP Support From Chrome (mspoweruser.com) 119

An anonymous reader quotes MSPoweruser: Google Chrome always had a bit of a love-hate relationship when it comes to managing FTP links. The web browser usually downloads instead of rendering it like other web browsers. However, if you're using FTP then you might have to look elsewhere soon as Google is planning to remove FTP support altogether.

In a post (via Techdows), Google today announced its intention to deprecate FTP support starting with Chrome v80. The main issue with FTP right now is security and the protocol doesn't support encryption, which makes it vulnerable, and Google has decided it's no longer feasible to support it.

Chrome

Chrome and Firefox Changes Spark the End of 'Extended Validation' Certificates (bleepingcomputer.com) 56

"Upcoming changes in Google Chrome and Mozilla Firefox may finally spark the end for Extended Validation certificates as the browsers plan to do away with showing a company's name in the address bar," reports Bleeping Computer. When connecting to a secure web site, an installed SSL/TLS certificate will encrypt the communication between the browser and web server. These certificates come in a few different flavors, with some claiming to offer a more thorough verification process or extra perks. One certificate type, called EV Certificates, is known for having a browser display the owner of the certificate directly in the browser's address bar. This allegedly makes the site feel more trustworthy to a visitor.

In reality, the different types of SSL/TLS certificates all serve a single purpose and that is to encrypt the communication between a browser and web site. Anything extra is seen by many as just a marketing gimmick to charge customers for a more expensive "trustworthy" certificate. In numerous blog posts, security researcher Troy Hunt has stated that EV Certificates will soon be dead as more and more sites switch away from them, because they are much harder to manage due to extra verification times, and because people have come to associate a padlock with a secure site rather than a company name.

With Safari already removing EV Certificate company info from the address bar, most mobile browsers not showing it, and Chrome and Mozilla desktop browsers soon to remove it, Hunt's predictions are coming true. EV Certificates will soon be dead.

AmiMoJo shared this post from Google's Chromium blog: Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended. Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection. Further, the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome's product direction towards neutral, rather than positive, display for secure connections. Because of these problems and its limited utility, we believe it belongs better in Page Info.
Security

Hundreds of Thousands of People Are Using Passwords That Have Already Been Hacked, Google Says (vice.com) 58

A new Google study this week confirmed the obvious: internet users need to stop using the same password for multiple websites unless they're keen on having their data hijacked, their identity stolen, or worse. From a report: It seems like not a day goes by without a major company being hacked or leaving user email addresses and passwords exposed to the public internet. These login credentials are then routinely used by hackers to hijack your accounts, a threat that's largely mitigated by using a password manager and unique password for each site you visit. Sites like "have I been pwned?" can help users track if their data has been exposed, and whether they need to worry about their credentials bouncing around the dark web. But it's still a confusing process for many users unsure of which passwords need updating.

To that end, last February Google unveiled a new experimental Password Checkup extension for Chrome. The extension warns you any time you log into a website using one of over 4 billion publicly-accessible usernames and passwords that have been previously exposed by a major hack or breach, and prompts you to change your password when necessary. The extension was built in concert with cryptography experts at Stanford University to ensure that Google never learns your usernames or passwords, the company says in an explainer. Anonymous telemetry data culled from the extension has provided Google with some interesting information on how widespread the practice of account hijacking and non-unique passwords really is.

Android

Google Will Now Let Android Users Log In To Some Services Without A Password (theverge.com) 26

If you're an Android user, you can now sign into some of Google's services using your fingerprint, rather than having to type in a password. "The feature is available starting today for some Android phones, and it will be rolling out to all phones running Android 7 or later 'over the next few days,'" reports The Verge. "According to a Google help page, the feature also allows you to log in using whichever method you have set up to unlock your phone, which can include pins and pattern unlock." From the report: Android phones already let you use your fingerprint to authenticate Google Pay purchases and log in to apps. What's new here is being able to use that same fingerprint to log in to one of Google's web services within the Chrome browser. At the moment, you can use the functionality to view and edit the passwords that Google has saved for you at passwords.google.com, but Google says it plans to add the functionality to more Google and Google Cloud services in the future.

If you have a compatible Android handset, then you can try the functionality out now by heading over to passwords.google.com using the Chrome app on your phone. This service lets you manage all of the passwords that Chrome has saved for you. If you tap on any one of these saved passwords, then Google will prompt you to "Verify that it's you," at which point, you can authenticate using your fingerprint or any other method you'd usually use to unlock your phone. You'll need to already have your personal Google Account added to your Android device for this to work.

Security

Skype, Slack, Other Electron-Based Apps Can Be Easily Backdoored (arstechnica.com) 82

An anonymous reader quotes a report from Ars Technica: The Electron development platform is a key part of many applications, thanks to its cross-platform capabilities. Based on JavaScript and Node.js, Electron has been used to create client applications for Internet communications tools (including Skype, WhatsApp, and Slack) and even Microsoft's Visual Studio Code development tool. But Electron can also pose a significant security risk because of how easily Electron-based applications can be modified without triggering warnings. At the BSides LV security conference on Tuesday, Pavel Tsakalidis demonstrated a tool he created called BEEMKA, a Python-based tool that allows someone to unpack Electron ASAR archive files and inject new code into Electron's JavaScript libraries and built-in Chrome browser extensions. The vulnerability is not part of the applications themselves but of the underlying Electron framework -- and that vulnerability allows malicious activities to be hidden within processes that appear to be benign. Tsakalidis said that he had contacted Electron about the vulnerability but that he had gotten no response -- and the vulnerability remains.

While making these changes required administrator access on Linux and MacOS, it only requires local access on Windows. Those modifications can create new event-based "features" that can access the file system, activate a Web cam, and exfiltrate information from systems using the functionality of trusted applications -- including user credentials and sensitive data. In his demonstration, Tsakalidis showed a backdoored version of Microsoft Visual Studio Code that sent the contents of every code tab opened to a remote website. The problem lies in the fact that Electron ASAR files themselves are not encrypted or signed, allowing them to be modified without changing the signature of the affected applications. A request from developers to be able to encrypt ASAR files was closed by the Electron team without action.

Chrome

Google Expands its Advanced Protection Program To Chrome (venturebeat.com) 30

Google is expanding its Advanced Protection Program to its Chrome browser. From a report: If you're an Advanced Protection Program user and you have sync turned on in Chrome, you will now automatically receive stronger protections against risky downloads. Google didn't go into much detail regarding the protections, likely not to publicly give away how they work. But the company did say that when users attempt to download "certain risky files," Chrome will now show additional warnings, or in some cases even block the downloads outright. The warnings are, however, only available in Chrome for Windows, Mac, and Linux. Google is not rolling out the Advanced Protection Program to Chrome for Android and iOS.
Google

Half of All Google Chrome Extensions Have Fewer Than 16 Installs (zdnet.com) 56

There are 188,620 extensions available on the Chrome Web Store, and while you might think this provides a wide variety of choices for Chrome users, in reality, most of these extensions are dead or dwindling, with very few having active installations. From a report: All in all, about 50% of all Chrome extensions have fewer than 16 installs, meaning that half of the Chrome extension ecosystem is actually more of a ghost town, according to a recent scan of the entire Chrome Web Store conducted by Extension Monitor. Further, 19,379 extensions (just over 10%) have zero installs, and 25,540 extensions (13% of the total) have just one user. The scan found that there are very few Chrome extensions that managed to establish a dedicated userbase. According to Extension Monitor, around 87% of all extensions have fewer than 1,000 installs.
Google

Google's Plans for Chrome Extensions 'Won't Really Help Security', Argues EFF (eff.org) 35

Is Google making the wrong response to the DataSpii report on a "catastrophic data leak"? The EFF writes: In response to questions about DataSpii from Ars Technica, Google officials pointed out that they have "announced technical changes to how extensions work that will mitigate or prevent this behavior." Here, Google is referring to its controversial set of proposed changes to curtail extension capabilities, known as Manifest V3.

As both security experts and the developers of extensions that will be greatly harmed by Manifest V3, we're here to tell you: Google's statement just isn't true. Manifest V3 is a blunt instrument that will do little to improve security while severely limiting future innovation... The only part of Manifest V3 that goes directly to the heart of stopping DataSpii-like abuses is banning remotely hosted code. You can't ensure extensions are what they appear to be if you give them the ability to download new instructions after they're installed.

But you don't need the rest of Google's proposed API changes to stop this narrow form of bad extension behavior. What Manifest V3 does do is stifle innovation...

The EFF makes the following arguments against Google's proposal:
  • Manifest V3 will still allow extensions to observe the same data as before, including what URLs users visit and the contents of pages users visit.
  • Manifest V3 won't change anything about how "content scripts" work...another way to extract user browsing data.
  • Chrome will still allow users to give extensions permission to run on all sites.

In response Google argued to Forbes that the EFF "fails to account for the proposed changes to how permissions work. It is the combination of these two changes, along with others included in the proposal, that would have prevented or significantly mitigated incidents such as this one."

But the EFF's technology projects director also gave Forbes their response. "We agree that Google isn't killing ad-blockers. But they are killing a wide range of security and privacy enhancing extensions, and so far they haven't justified why that's necessary."

And in the same article, security researcher Sean Wright added that Google's proposed change "appears to do little to prevent rogue extensions from obtaining information from loaded sites, which is certainly a privacy issue and it looks as if the V3 changes don't help."

The EFF suggests Google just do a better job of reviewing extensions.

