Wanted: an assessment of tactics against privacy-invasions by Chrome browser

Wait, you actually think Snowden was trying to keep that a secret?

Google ads can be blocked at the domain level. It also has nothing to do with Chrome.

 

If I were Snowden, I be worried:
http://www.cnn.com/2012/01/11/world/meast/iran-who-kills-scientists/

 

If I was for a minute to go along with the scepticism in that article I'd say this, sarcastically:

Yeah I forgot that Iranian nuclear scientists have a background in working for the NSA knowing exactly how they tick, and the technical knowledge to maintain their privacy, doh.

I'm done wasting my time here.

 

No matter how many sites have You Name It Analytics, they can all be defeated with the following, no?

 

Is there any way for the same user/machine unique identifier to become accessible to sandboxed instances?

• Was a user-specific GUID bundled with the installer/program when you downloaded it?
  
• Was a user-specific GUID generated or acquired when running the installer or configuring the program? When installing extensions from an online store? When manually updating it? Wouldn't those steps be done outside of the sandbox?
  
• Are there any components that aren't being sandboxed and that create/acquire/pass user-specific identifiers, such as a separate updating program running as a service?
• Can separate sandboxed instances of the program acquire/generate the same unique identifiers via some other means, such as from hardware/system identifiers, by sniffing the same WiFi info, by checking public IP Address, based on program configuration, by being configured to automatically log into the same account?

If so, I think you'd have to somehow make sure that those unique identifiers don't leave the machine or otherwise serve to correlate your instances. You'd want to consider the more general case of sticky/static IP Address and browser or activity based fingerprinting too.

 

Sandboxie will not keep a hacker from stealing info you generate while online, such as your banking info, logins.

 

Well I guess now we know what you would do.

Now, did it ever occur to you that what Adblock+ does can be objectively verified against what it says it does? You can look at the code, you can step execute the code, you can use various tools to look at the network traffic, from within and outside the browser. Making unsubstantiated wild statements is quite easy. Taking the time to gather evidences for/against is less easy, it requires a certain amount of work. And intellectual honesty. I encourage you to switch to this approach.

 

Thanks for the thorough list. Tempted to propose countermeasures for each one of your bullet points but that would make a huge post.

Any tag in the installer seems unlikely, and can be detected by simply downloading several times using different browsers and ideally through proxies in different countries, and comparing the downloads with diff.

Installing chrome in a sandbox when an instance is needed comes to mind. And for the sake of performance it would be nice if sandboxie (or which similar software?) could freeze an instance of chrome saving its memory to disk as if it were hibernated (like some linux software can do), then many installations of chrome could be done in advance and be started and frozen, and thawed one by one for each new instance needed for a new link. Then there could be no common ID's between instances.

Except any spied upon hardware ID's. IP-check.info could seek common ID's and hopefully find none.

If something like the volume UUID of the system partition or a MAC address or a windows license number is detected by ip-check or a sniffer, what can be done?

 

Hey Gordon, Are you smarter than Google? The NSA? Did you know what the NSA was doing before Snowden? Stuxnet? MyDoom? How many backdoors are in your computer and you have no idea? Your communications, all of them, are monitored. How about your personal guarantee that your system is 100% safe. If so, why aren't you putting your Gordon Anti-Everything software on the market? I live in the world of the possible. There's always a bigger fish. And, yeah, I'd take the check, and so would you.

 

Good advice. Also, after implementing all the advice given in the second post of this thread, I also recommend starting Chromium with the following command line switch:

--disable-background-networking

 

That's the mantra of corrupt people to rationalize their own corruption.

 

I'm guessing all that switch does is the same as unticking the "predict network actions" feature in the privacy section.

 

If you think the browser is invading your privacy - don't use it. There's a tactic.
Mrk

 

No, there is no relation to that setting. It is a setting that was added to remove all unexpected network connection for benchmarking purposes. However it fits the privacy purposes perfectly

More information here: https://codereview.chromium.org/3312014

 

Nice! That's the first thing I wanted to know when I saw the switch, an accurate description of what it does. I am collating these switches of interest here so eventually maybe we can find a "recipe" to launch the browser in such a way to avoid any and all unwanted network connections.

 

Thumbs up to not using it if you think it's invading your privacy!

 

On year 1999 hardware, there's no up to date alternative.

 

Thanks. I read that and it would appear that the switch gives you no privacy bonuses whatsoever. I do not recommend using it as it will disable checking for extension updates.

Only 2 of the features it disabled could be connected to privacy, but both of those features have checkboxes in Chrome's privacy section already. (Safebrowsing & prediction service).