DEV Community: Jane

Vivaldi presents: “Browser choices. A tale of two Gatekeepers.”

Jane — Wed, 14 Feb 2024 09:01:47 +0000

At Vivaldi, we have long advocated for people to be able to select their favorite browser. We picture a world where upon setting up a new device, you are presented with the option to choose your browser. Whether your device is an iPhone or an iPad, an Android device, or a Windows PC, your journey should start by selecting the app you use to go online. That choice should be made in an informed manner.

Doesn’t that sound like a dream?

Well soon, thanks to the EU Digital Market Act (DMA), we will be one step closer to this reality. This new regulation aimed to reign in the powers of Big Tech mandates among other things that they loosen their grasp on the web. One part of this is the requirement to implement Browser Choice Screens.

The new requirement applies to several big platform owners, such as Apple, Google, and Microsoft, dubbed Gatekeepers in the DMA.

Needless to say, we are pretty pleased with this.

Browser Choice Screens have been tried before by Microsoft, following a different EU ruling. At the time, we saw that it was absolutely possible to implement them in flawed ways. And there is a risk that they will be.

Indeed, gatekeepers, as platform owners, exert natural control over the software and apps available on their platforms. The ability to gather more data about their users through their own browser provides them with an incentive to impose that browser on their users. This incentive leads them to use their privileged position to stifle competition, favor their own products and apps, and dissuade them from installing competing software. With that in mind, they might decide not to care about implementing an effective choice screen.

To make matters worse, without choice, the platform owners’ apps do not need to compete on their merits. They may be ill-suited to their user’s needs and be of poor quality. In an environment built on standards such as the web, this can lower the quality of the web as a whole.

However, while gatekeepers can indeed choose to be a problem and act purely in their self-interest, they can also choose to do the right thing. We do believe that doing the right thing is going to be good for them in the long run as they will have a more sustainable relationship with their user base. To provide some guidance over what the right thing is, we present the following tale.

A Tale of Two Gatekeepers

Let us look at two archetypal companies to demonstrate how bad (or how good) a Browser Choice Screen can be. They are both large corporations, controlling popular platforms, and are the gatekeepers for this exercise.

IronGrip Inc. sees the DMA purely as a nuisance. They spend countless hours in frivolous meetings arguing over the best way to comply with the new regulation. They still want to make sure their users stick with their app.

As they explored the problem, someone proposed to weaponize the newly mandated Choice Screen. The idea resonated around the organization. Eventually, the decision was made, “These fools at the EU will know not to mess with us again! We will make this the most painful experience imaginable for anyone who dares to engage with it!”, they gleefully wrote in the memo from that meeting. “They will regret not having chosen the easy path out and stuck with us. And they will be convinced that the EU hates users,” they concluded.

Meanwhile, at the headquarters of FreeChoice Ltd, the news about the Choice Screen is met with a more measured response. They are not thrilled to admit it, but they agree with the EU regulators. FreeChoice Ltd had clearly gone astray in the past in trying to conquer the market. In doing so, they have built insurmountable barriers for all competitors and have alienated their own users. Clearly, the Browser Choice Screen is an opportunity to make things right.

And so, the two rivals set out to work on their Choice Screen. One reluctantly with malicious intent, and the other with a cautiously optimistic approach.

Now, let us compare the Choice Screens the two companies implemented.

IronGrip vs FreeChoice

The right time to show the Choice Screen

IronGrip: When the user clicks a browser icon.

FreeChoice: As early as possible during device/OS installation or update.

IronGrip Inc. through their market research discovers that once the user has started a browser, they are in the mindset of using that browser and surfing the web. They might be happy setting up that browser, but anything else is inconvenient. This will be the perfect time to show their Choice Screen.

Meanwhile, FreeChoice Ltd wants their user to pick a browser when they are in the mindset of setting things up. The best time for this is when first setting up or updating their device. They discover that users tend to hurry through the last step of the setup process as they lose interest in it. So they make sure to show the browser screen as early as possible, right after having asked the user for essential settings.

User influence

IronGrip: Makes sure the user has seen the gatekeeper’s browser icon or brand colors, before the choice screen.

FreeChoice: Avoid displaying even brand colors before browser choice occurs.

IronGrip makes sure that the user has seen what the icon of their browser looks like by the time the Choice Screen shows up. They will probably pick that one to get on with their day.

FreeChoice realizes that any hint of what might be the default for their platform will make the user subconsciously trust that choice more. Unfortunately, their brand colors show up a lot through the early stage of their setup process. They have to show their brand logo when starting the device — that is unavoidable. But they make sure to make the setup process look as neutral as possible up until the browser choice has happened

Impatience is the enemy of choice

IronGrip: Provide a way to skip the Choice Screen. No guarantee it will be shown again.

FreeChoice: Do not provide a way to skip the Shoice Screen.

IronGrip has already made their Choice Screen show up at a maximally inconvenient time and made sure users were likely to select them anyway. But if a user is hesitating, they don’t want to force them to take the time to think. They add a handy option to come back to the Choice Screen later. Then they can just ask again sometime soon. Or maybe not so soon. Or maybe ever? At any rate, if they ask again, it will probably be while the user is watching a video.

FreeChoice understands that the longer the user waits to make the choice, the more likely they are to stick with what they have. So, they make sure that they have to choose the first time.

Expose users to more choice

IronGrip: Keeps randomization limited and promotes some items over others.

FreeChoice: Show a random selection with plenty of choices.

IronGrip certainly has made it likely that users will recognize and choose their browser, but for this to have the best chance of working, they must make sure that their browser appears prominently on the Choice Screen. So, they come up with an excuse. The Choice Screen is supposed to be randomized, but, they argue, the choices the user is most likely to be familiar with should be closer to the top. That makes the user’s life easier. Of course, they then place themselves among the top contenders and randomize those separately from the rest. It doesn’t matter where they end up on that initial screen, so long as they are there. This considerably increases the odds that the user will choose IronGripBrowser

FreeChoice has the insight that with more browser diversity and competition in the market, there will be a lot of incentives for the web to develop in new and exciting directions and give them an incentive to improve FreeChoiceBrowser. Therefore, they make sure to calibrate their design to be readable while also showing as many options as possible on the screen. To fully give everyone an equal chance, they make sure that all the options have an equal chance of being shown.

Sometimes, the FreeChoiceBrowser is at the bottom of the list and users have to scroll all the way to find it, but that’s ok. They get to see what’s out there.

Help make a meaningful choice

IronGrip: Show just a name and icon. No description. Any browser the user doesn’t know will be a mystery.

FreeChoice: Add some descriptions. The most important information is always visible.

IronGrip certainly has made it likely that users will choose their browser, but if they are really in the mindset of trying something new, IronGrip doesn’t want to make it easy for them. After all, that might just help create one more serious competitor they have to deal with. So, they make sure to provide only minimal information. Just an icon and a name should be enough.

FreeChoice also understands that people are likely to choose something that looks familiar, but at least they want people to know what they are getting into. So, they request each vendor to provide a few lines to describe their browser. This lets users make a choice that aligns with their values and needs.

Make sure all choices are useful

IronGrip: Include some underwhelming or hard-to-use options and exclude some obvious competitors.

FreeChoice: Use a submission process. Push for all relevant browsers to be included. Keep to one browser per competitor.

IronGrip has already made its Choice Screen as confusing as possible. But if users decide to pick a less well-known option despite everything, it is best to make sure they get an underwhelming experience or even a bad one. Or one that’s still IronGrip in disguise. To achieve that, they add into the mix some browsers that are just copies of existing ones with different branding, or extremely minimal changes. Some of those copies are clones of IronGripBrowser itself. Some of them are abandoned projects with no updates. They also add a few experimental or specialized choices that are not designed for regular web browsing, or only intended for use in specialized circumstances or on very specific websites, and will not work well for anyone else. Finally, they also avoid adding some legitimate contenders, making the experience maximally frustrating for everyone.

FreeChoice has already made sure to have a clear description for every browser, so at least the experimental ones can be clear about the challenges involved. Even so, they make sure that only browsers that wish to be part of the selection are there and encourage featureful browsers to apply. They also ensure that each company has no more than one browser included and that the included browsers are updated regularly.

Ensure the chosen browser is easy to start

IronGrip: The chosen default browser is hidden away while the gatekeeper’s browser is easy to access.

FreeChoice: The chosen browser is easy to find.

Even if the user has managed to pick something they love from the convoluted IronGrip Choice Screen is not the end of their frustrations. First of all, the IronGripBrowser is still shown on the main screen and the one they set up is nowhere to be seen. It takes a while to discover that to launch it, they have to wade through the list of installed apps.

FreeChoice respects what the user has chosen. If it was not selected, FreeChoiceBrowser is nowhere to be seen and there is no obvious way to start it.

Ensure the chosen browser is easily used

IronGrip: Apps distributed by IronGrip always use the IronGripBrowser.

FreeChoice: The chosen browser is always started for browsing.

In addition to making the chosen browser hard to find, most of IronGrip’s own apps and services just ignore the default and start the IronGripBrowser when navigating. With that, IronGrip has made sure that the user would quickly forget what they have chosen and stick with the IronGripBrowser instead.

FreeChoice makes sure that opening any link anywhere results in the user’s chosen browser to be started.

Let people change their mind

IronGrip: There is no easy way to make a different choice.

FreeChoice: The Choice Screen can be restarted on demand.

IronGrip has put a lot of effort into having their browser ending on top, they’re not about to let someone change their mind and pick a different one later on. They make sure that if the user tries to change the default browser, they have to navigate a maze of settings and change every small detail that affects which browser gets started when in multiple unrelated places. In fact, it might be easier to just buy a new device if you want to switch the default browser.

FreeChoice has a single prominent option leading back to the Choice Screen. They also expose more advanced settings, for users who understand what they are doing, but in most cases, making a new selection via the Choice Screen does the right thing.

Handling of newly installed browsers

IronGrip: A newly installed browser cannot just become the new default.

FreeChoice: Provides an easy way for any browser to become the default.

IronGrip has made changing the default browser almost impossible, the same applies to any browser that the user manually installs.

FreeChoice makes a smaller version of the Choice Screen to deal with browsers installed manually. Whenever an installed browser requests it, this screen shows up, asking users if they wish to change the default to this new browser or keep the existing one. They rely on existing malware removal techniques to deal with any illegitimate software abusing this feature.

Don’t force people to change their minds

IronGrip: The platform regularly discourages using the chosen default and even attempts to hijack it.

FreeChoice: IronGrip is really pushing it now. We don’t do that.

If someone didn’t choose IronGripBrowser, IronGrip likes to remind them on every occasion that they have made the wrong choice. They will express concern about how secure the chosen alternative is and ask if the user really didn’t mean to use the secure default they provide. Not only that, but they are avidly using dark patterns, attempting to trick people into choosing IronGripBrowser whenever they ask. By now, it has become clear that their Choice Screen was never meant to provide an actual choice.

FreeChoice doesn’t do any of that and is putting out a statement complaining about IronGrip.

Bonus section: Allow procuring browsers from anywhere

IronGrip: The platform limits which browsers can be installed.

FreeChoice: The platform allows installing browsers from any source.

IronGrip only allows people to obtain new software through their store of which they have full control. In this store, they can freely decide whether a given browser is allowed or not. If they opt to not have a given browser there, then it’s tough luck for the people who want to use it. Even if a browser is present, they can make it arbitrarily hard to find, sometimes making competitors show up when looking for a specific browser.

FreeChoice happily lets anyone install software from any source they choose. They have some malware protection in place to weed out genuinely bad actors, but they use it responsibly.

What of the real Gatekeepers

With the Browser Choice Screen requirements soon to be effective in full force, we are starting to get to know more about how the actual gatekeepers are designing their Choice Screens.

Certainly, we hope to see everyone strive to be like FreeChoice. Most people stick with the default when selected so they must be able to make a meaningful informed choice from the start. All points presented here are crucial to achieve this result and skipping any of them would seriously erode the effectiveness of the Choice Screen. We believe that gatekeepers can get out of the mindset that they must coerce their users into using a given browser and truly embrace choice, allowing competition to flourish in the browser space once more to the benefit of everyone.

If browsers are offered and selected based on their merits, then the Choice Screen will truly have fulfilled its purpose.

Do any of the gatekeepers have a Browser Choice Screen that makes the cut? We will take a closer look when they get released in a few weeks. Meanwhile, if you encounter a Browser Choice Screen, you can use this handy table to remind yourself of what to look for.

IronGrip		FreeChoice
Shown when the user clicks a browser icon.	👎	Shown as early as possible during device/OS installation or update.	👍
Make sure the user has seen the gatekeeper’s browser icon or brand colors, before the Choice screen.	👎	Avoid displaying even brand colors before browser Choice occurs.	👍
Provide a way to skip the Choice Screen. No guarantee it will be shown again.	👎	Do not provide a way to skip the Choice Screen.	👍
Keeps randomization limited and promotes some items over others.	👎	Show a random selection with plenty of choices.	👍
Show just a name and icon. No description. Any browser the user doesn’t know will be a mystery.	👎	Add some descriptions. The most important information is always visible.	👍
Include some underwhelming or hard-to-use options and exclude some obvious competitors.	👎	Use a submission process. Push for all relevant browsers to be included. Keep to one browser per competitor.	👍
The chosen default browser is hidden away while the gatekeeper’s browser is easy to access.	👎	The chosen browser is easy to find.	👍
Apps distributed by IronGrip always use the IronGripBrowser	👎	The chosen browser is always started for browsing.	👍
There is no easy way to make a different choice.	👎	The Choice Screen can be restarted on demand.	👍
A newly installed browser cannot just become the new default.	👎	Provides an easy way for any browser to become the default.	👍
The platform regularly discourages using the chosen default and even attempts to hijack it.	👎	IronGrip is really pushing it now. We don’t do that.	👍
The platform limits which browsers can be installed.	👎	The platform allows installing browsers from any source.	👍

Why Vivaldi won’t follow the current AI trend?

Jane — Mon, 05 Feb 2024 13:22:48 +0000

ChatGPT came into the public eye a year and a few months ago. Ever since then, there has been an increasing trend in many sectors to try to put it to use to replace some of the things that people do, or to provide a new way to help people find answers to whatever they may wonder.

The world of web browsers has not been spared by this trend with multiple examples of web browsers integrating LLM (Large Language Model) functionality in one way or another.

Yet, even as they do so in the name of building the future, none of them seem to consider the glaring flaw in these features: The LLMs themselves are simply not suited as conversation partners, as summarization engines, and are only able to help with generating language with a significant risk of plagiarism.

In order to understand why all of those are fundamental problems, and not problems that are eventually going to be solved, we should examine the very nature of LLMs.

We do not want to get into a very long-winded explanation of the intricacies of LLMs here. Instead, we will settle for a shorter explanation. It might leave out some caveats, but everything said here does apply to the big popular generic LLMs out there.

Many experts in the field have already done an excellent job of this. Here is an interesting read: “You are not a parrot. And a chatbot is not a human“.

What are LLMs?

LLMs are just a model of what a written language looks like. That is a mathematical description of what it looks like. It is built by examining a large variety of sources and focuses on describing which word is the most likely to follow a large set of other words. There is a bit of randomness added to the system to make it feel more interesting and then the output is filtered by a second model which determines how “nice” that output sounds. In several cases, this second stage model was made by having many (underpaid) people to look at what comes out of the first stage and choose whether they liked it or not and whether it sounded plausible.

This has two fundamental issues:

Copyright and privacy violations

In order to have a good idea of which word is likely to follow a set of words, it is necessary to look at a lot of text. The more text, the better as every bit of text allows to tweak the model to be a more accurate representation of a language. Also, much of the text fed into it needs to be relatively recent to reflect the current usage of the language.

This means there is a tremendous incentive to consume text from all recent sources available, from social media to articles and books. Unfortunately, such text being baked into the model means that it is possible to cause it to output the same text verbatim. This happens if, for a given input sequence, there is no better choice than regurgitating this original text. As a result, these models will in some case just repeat copyrighted material, leading to plagiarism.

Similarly, the mass of text coming from social media and other user-provided sources may well contain sensitive, private information that can similarly be regurgitated. Some clever people have found ways to trigger this sort of behavior, and it is unlikely that it is possible to protect fully against it. Being clearly aware of the risk posed by exposing private information, we have never been thrilled by the idea of it possibly getting baked into those models.

Plausible-sounding lies

Since the text that an LLM is built out of originates in large part from the Internet in general, that means that a lot of it is complete trash. That goes from mere poorly written prose to factual error and actually offensive content. Early experiments with the technology would result in chatbots which quickly started spewing out offensive language themselves, proving that they are unfit for purpose. This is why modern LLMs are moderated by a second stage filtering their output.

Unfortunately, as written above, this second stage is built by people rating the output of the first stage. To make this useful, they need to examine huge amounts of outputs. Even the most knowledgeable people in the world could not hope to check everything for accuracy and even if they could, they cannot know every output that will ever be produced. For those, all the filter does is help set the tone. All this leads to favoring the kind of output that people like to see, which is confident-sounding text, regardless of accuracy. They will be right for the most part on widely known facts, but for the rest, it’s a gamble. More often than not, they will just give a politician-grade lie.

The right thing to do

So, as we have seen, LLMs are essentially confident-sounding lying machines with a penchant to occasionally disclose private data or plagiarise existing work. While they do this, they also use vast amounts of energy and are happy using all the GPUs you can throw at them which is a problem we’ve seen before in the field of cryptocurrencies.

As such, it does not feel right to bundle any such solution into Vivaldi. There is enough misinformation going around to risk adding more to the pile. We will not use an LLM to add a chatbot, a summarization solution or a suggestion engine to fill up forms for you until more rigorous ways to do those things are available.

Still, Vivaldi is about choice and we will continue to make it possible for people to use any LLM they wish online.

Despite all this, we feel that the field on machine learning in general remains an exciting one and may lead to features that are actually useful. In the future, we hope that it will allow us to bring good privacy-respecting features to our users with a focus on improving discoverability and accesibility.

We will keep striving to provide an featureful and ethical browsing experience.

Unpacking Google’s new “dangerous” Web-Environment-Integrity specification

Jane — Tue, 25 Jul 2023 17:51:43 +0000

Google seems to love creating specifications that are terrible for the open web and it feels like they find a way to create a new one every few months. This time, we have come across some controversy caused by a new Web Environment Integrity that Google seems to be working on.

At this time, I could not find any official message from Google about this spec, so it is possible that it is just the work of some misguided engineer at the company that has no backing from higher up, but it seems to be work that has gone on for more than a year, and the resulting spec is so toxic to the open Web that at this point, Google needs to at least give some explanation as to how it could go so far.

What is Web Environment Integrity? It is simply dangerous.

The spec in question, which is described at https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md, is called Web Environment Integrity. The idea of it is as simple as it is dangerous. It would provide websites with an API telling them whether the browser and the platform it is running on that is currently in use is trusted by an authoritative third party (called an attester). The details are nebulous, but the goal seems to be to prevent “fake” interactions with websites of all kinds. While this seems like a noble motivation, and the use cases listed seem very reasonable, the solution proposed is absolutely terrible and has already been equated with DRM for websites, with all that it implies.

It is also interesting to note that the first use case listed is about ensuring that interactions with ads are genuine. While this is not problematic on the surface, it certainly hints at the idea that Google is willing to use any means of bolstering its advertising platform, regardless of the potential harm to the users of the web.

Despite the text mentioning the incredible risk of excluding vendors (read, other browsers), it only makes a lukewarm attempt at addressing the issue and ends up without any real solution.

So, what is the issue?

Simply, if an entity has the power of deciding which browsers are trusted and which are not, there is no guarantee that they will trust any given browser. Any new browser would by default not be trusted until they have somehow demonstrated that they are trustworthy, to the discretion of the attesters. Also, anyone stuck running on legacy software where this spec is not supported would eventually be excluded from the web.

To make matters worse, the primary example given of an attester is Google Play on Android. This means Google decides which browser is trustworthy on its own platform. I do not see how they can be expected to be impartial.

On Windows, they would probably defer to Microsoft via the Windows Store, and on Mac, they would defer to Apple. So, we can expect that at least Edge and Safari are going to be trusted. Any other browser will be left to the good graces of those three companies.

Of course, you can note one glaring omission in the previous paragraph. What of Linux? Well, that is the big question. Will Linux be completely excluded from browsing the web? Or will Canonical become the decider by virtue of controlling the snaps package repositories? Who knows. But it’s not looking good for Linux.

This alone would be bad enough, but it gets worse. The spec hints heavily that one aim is to ensure that real people are interacting with the website. It does not clarify in any way how it aims to do that, so we are left with some big questions about how it will achieve this.

Will behavioral data be used to see if the user behaves in a human-like fashion? Will this data be presented to the attesters? Will accessibility tools that rely on automating input to the browser cause it to become untrusted? Will it affect extensions? The spec does currently specify a carveout for browser modifications and extensions, but those can make automating interactions with a website trivial. So, either the spec is useless or restrictions will eventually be applied there too. It would otherwise be trivial for an attacker to bypass the whole thing.

Can we just refuse to implement it?

Unfortunately, it’s not that simple this time. Any browser choosing not to implement this would not be trusted and any website choosing to use this API could therefore reject users from those browsers. Google also has ways to drive adoptions by websites themselves.

First, they can easily make all their properties depend on using these features, and not being able to use Google websites is a death sentence for most browsers already.

Furthermore, they could try to mandate that sites that use Google Ads use this API as well, which makes sense since the first goal is to prevent fake ad clicks. That would quickly ensure that any browser not supporting the API would be doomed.

There is hope.

There is an overwhelming likelihood that EU law will not allow a few companies to have a huge amount of power in deciding which browsers are allowed and which are not. There is no doubt that attesters would be under a huge amount of pressure to be as fair as possible.

Unfortunately, legislative and judicial machineries tend to be slow and there is no saying how much damage will be done while governments and judges are examining this. If this is allowed to move forward, it will be a hard time for the open web and might affect smaller vendors significantly.

It has been long known that Google’s dominance of the web browser market gives them the potential to become an existential threat to the web. With every bad idea they have brought to the table, like FLOC, TOPIC, and Client Hints, they have come closer to realizing that potential.

Web Environment Integrity is more of the same but also a step above the rest in the threat it represents, especially since it could be used to encourage Microsoft and Apple to cooperate with Google to restrict competition both in the browser space and the operating system space. It is imperative that they be called out on this and prevented from moving forward.

While our vigilance allows us to notice and push back against all these attempts to undermine the web, the only long-term solution is to get Google to be on an even playing field. Legislation helps there, but so does reducing their market share.

Similarly, our voice grows in strength for every Vivaldi user, allowing us to be more effective in these discussions. We hope that users of the web realize this and choose their browsers consequently.

The fight for the web to remain open is going to be a long one and there is much at stake. Let us fight together.

Manifest V3, webRequest, and ad blockers

Jane — Fri, 23 Sep 2022 10:32:08 +0000

Back in 2019, we were loud and clear: Ad blockers or not – your choice matters.

In 2020, Vivaldi’s Ad Blocker was built as a response to the deprecations announced in Manifest V3, with the intention that it would keep working when existing ad-blocking extensions would become inoperant. The goal is to keep it working regardless of what happens regarding the extension code.

Will the Vivaldi Ad Blocker be affected by the Manifest V3 changes?

I made some architectural choices early on that I believe should keep it functional, regardless of the Manifest V3 changes. Of course, there is always a possibility that the underlying Chromium architecture will change now or in the future, forcing us to do some extra work to keep this working.

Hopefully, a more in-depth description of the architecture and some of the facts surrounding the Manifest V3 changes should help to show why I believe that our implementation is safe for the time being.

How is Vivaldi’s Ad Blocker built?

The Vivaldi Ad Blocker available on desktop and Android and in cars is built on the same internal chromium API that is used by both the Manifest V2 version of webRequest and declarativeNetRequest.

It is also designed to allow Chromium/content embedders to interact with requests performed with the Chromium network service in general. The basic idea is that the requests from the network service get proxied through some piece of code provided by the embedder that can examine or modify the request through its different stages, pretty much like webRequest currently does.

What happens after the Manifest V3 changes?

The concern of course would be that, since webRequest is going away, this particular API would become useless and disappear with it.

This is unlikely for a few reasons:

webRequest isn’t completely going away. Only the ability to block requests from webRequest is disappearing. So, at the very least, a mechanism to proxy requests from the network services through extensions there needs to keep existing.
declarativeNetRequest is currently built on top of webRequest. It is conceivable that it would be rebuilt later on to handle the blocking at a deeper level. If this ever happens, it will use a new set of hooks to handle blocking that our Ad Blocker should be able to use, as well. But there doesn’t seem to be much reason for that to happen yet.
The blocking ability of webRequest is being kept for enterprise users (at least for the time being). So, all the underlying code for webRequest including the blocking abilities will have to remain intact.

So, to the best of my reckoning, I can say that it looks very likely that the Vivaldi Ad Blocker won’t suffer any adverse effects from the Manifest V3 changes. And, if it does, there should be relatively simple ways to fix it.

Could we keep using our ad-blocking extensions in Vivaldi?

But, “Wait”, I hear you say, “Doesn’t that mean that basically, Vivaldi might be able to keep webRequest intact just by bypassing the checks for enterprise environments? Could we keep using our adblocking extensions in Vivaldi?”

This certainly sounds plausible, but it is not something that we can promise without seeing what ends up happening in the code itself. If there is an easy way to keep webRequest functioning as it did for a while longer, we’ll consider doing it.

However, it is important to note that extension ad blockers often depend on other APIs that are removed in Manifest V3 (and probably much harder to bring back), so there is no guarantee that simply keeping the blocking version of webRequest alive is going to be enough, without some work from extension maintainers.

The road ahead

The move to Manifest V3 makes it more difficult to run content blockers and privacy extensions in Chrome. While some users may not notice a difference, users who use multiple extensions or add custom filter lists may run into artificial limitations set by Google. Perhaps, wise to move away from Chrome?

As Vivaldi is built on the Chromium code, how we tackle the API change depends on how Google implements the restriction. The assurance is, whatever restrictions Google adds, in the end, we’ll look into removing them.

Our mission will always be to ensure that you have the choice.

Good riddance, Internet Explorer!

Jane — Thu, 16 Jun 2022 15:30:00 +0000

On the 17th of August, Microsoft decided to kill off its Internet Explorer browser. The browser lives on as Edge which first appeared with an engine also called Edge, but finally, the original Internet Explorer has been put to rest.

It is unfortunate that we now have one less browser engine on the Internet. Competition is good and fewer browser engines means less innovation in browser engines. It is quite simple really.

But that being said, the loss of Internet Explorer is not really a loss. The loss of the Presto browser engine was a much bigger loss. In fact, I would say that the Web is better off without Internet Explorer, something even Microsoft has understood.

Internet Explorer: Embrace, extend, extinguish

The first Internet Explorer was based off the original Mosaic code, licensed from Spyglass. Microsoft was late to the Web game. Their original goal was to build their own Internet, but like other proprietary attempts at building Internet, such as AOL and Compuserve, they failed.

Having seen the growth of Netscape, Microsoft understood that they needed to act and they did. After getting the license from Spyglass, they started on their road of the infamous Embrace, extend, extinguish tactic.

The principle there was to embrace web standards and get the standards community on board. After “cutting off the air supply” from Netscape, by bundling IE with Windows and stopping any ability to get browsers bundled on Windows computers, they quickly took the lead in the browser market.

They then started to expand on the web standards, with total disregard for the standards community. During this time they introduced technology such as ActiveX and Silverlight, making it impossible to use competing browsers when accessing services that used those technologies.

They also added various proprietary tags in their HTML/CSS/JS code, which made life difficult for web developers. In reality, many web developers made sites optimized for IE, instead of for web standards, making it really hard for competing browsers.

Microsoft close to taking over the Web

At the time, I was leading the Opera browser which I had co-founded with Geir Ivarsøy.

As a competitor of Microsoft, we noticed a lot of the things they did to kill off competition.

Getting distribution with any Windows-based computer was impossible. Projects we were involved with, such as with Compaq and Intel, got canceled due to threats from Microsoft. We had to deal with compatibility issues across the board. Some examples include:

Microsoft made their own server software and in an update (to version 4), they included a file that made sure we would not be sent cookies. It took us a really long time to figure that one out. Websites, such as the BBC, broke, and we got the blame. After we discovered the issue, Microsoft fixed it.
Microsoft barred Opera users from accessing their MSN service, claiming we did not support XHTML. We wrote a press release rebutting them, in XHTML. The reality was that we supported XHTML, but they did not.
Microsoft sent Opera users a broken CSS file, which meant that text overlapped. We had a bit of fun with this one and made a special Bork edition of Opera that changed all the text on the MSN site to something resembling the way the Swedish Cook spoke in the Muppet show. It worked and Microsoft fixed their site.

But there were a lot more websites with issues. Given that Microsoft deviated from the standards and they had the most used browser, so many sites demanded that you use Internet Explorer to access their content.

Microsoft was really close to taking over the Web fully.

Jon von Tetzchner on stage.

Microsoft’s tactic backfires

Microsoft killed Netscape and although Netscape was replaced by Mozilla, Mozilla did not have a lot of clout in the early days.

Luckily Microsoft’s tactic backfired.

They stopped developing Internet Explorer after Internet Explorer 6, presumably because they wanted to move people over to Silverlight instead.

At the same time, Opera, Mozilla, and Apple, alongside the World Wide Web consortium, decided to work together on improving Web standards. Together we wrote HTML 4, which took the Web to another level.

Gradually our combined user base started to grow and Microsoft was forced to restart the development of Internet Explorer, but from this point onwards they were lagging behind. They still lead the market share, but they had lost momentum, and given that both the US government and the EU were watching Microsoft’s anti-competitive behavior, they were somewhat limited in their response.

Microsoft was pretty close to being split up over how they had used their domination in the browser market to kill off Netscape. With the government watching, they had to compete more on the merits and there they lost. Suddenly their incompatibility had moved from being an asset to being a liability.

Websites code for Web standards first, not Internet Explorer

Instead of sites coding for Internet Explorer first, more and more sites began coding for the standards first and then for Internet Explorer.

Microsoft was now dealing with the problem they had created. It became hard for them to both support the standards and their own deviations from those standards. Finally, they decided to drop their old code and embrace the standards. As doing that from scratch is hard and as there still is a lot of code there looking for their name in identification strings, they decided to use Chromium instead.

* * *

Microsoft can not be written off. Given that the focus of governments is now more on Google and Facebook, you can see how Microsoft is gradually trying to use their position to steal users in Windows, during updates and by making it hard for competing browsers to fully default.

At the same time, it is good to see that Internet Explorer is gone. As much as I want there to be choice on the Internet, Internet Explorer is not a choice we ever needed.

Photo by Aron Visuals on Unsplash.

Recent edit: This blog has been republished on 16th June 2022.

Ever get the feeling you’re being watched?

Jane — Mon, 16 May 2022 07:44:02 +0000

Massive information about us is collected from all quarters of our lives. And, as this information is compiled, it develops a highly detailed picture of us – one that reveals what we do in our daily lives, including in our most sensitive moments.

This Spy Cat video, produced by the Consumers’ Association of Iceland in collaboration with Vivaldi, takes a darkly humorous approach to make the pervasiveness and hazards of targeted profiling and advertising more relatable. Please view and share!

For more information about this campaign, as well as tips for avoiding or limiting the information being gathered about you, visit banspying.org.

And a special shout out goes to Flóki, Hneta, Lotta, Mandarína, Milla, Mirra, Móri and Stormur for channeling their inquisitive feline powers for this video. Fortunately for us, their true intentions were 0% evil, 100% adorable.

What do you think about this campaign? Let us know in the comments.

Heads up: Google’s going off Topics again.

Jane — Thu, 27 Jan 2022 17:18:28 +0000

Google recently released a proposal for a third-party cookie replacement technology called Topics. It’s move meant to satisfy the needs of advertisers while side-stepping many of the privacy pitfalls of their previous proposal, FLoC, the privacy nightmare we denounced earlier this year.

But with Topics, Google is just twisting user tracking and profiling in different ways.

Right from the start, the document outlining how the Topics API works, clearly shows its true purpose:

key use cases that browsers want to support […] is interest-based advertising […] a form of personalized advertising in which an ad is selected for the user based on interests derived from the sites that they’ve visited in the past

That is behavioral profiling.

How does Topics differ from FLoC?

Google limits the amount of information a site can gather to a few topics initially from a set that might be as big as a few thousands and only allows a single additional topic to be obtained every week. They also limit the topics advertisers can see to topics offered by sites on which those advertisers are present, giving topics approximately the same reach as third-party cookies. Some random topics might be offered as well and Google claims that this lessens the chance that sharing a given topic will automatically be compromising or identifying.

Google also claims that this will reduce the ability of advertisers to gather enough data themselves for building a profile, but it is clear that big advertisers that have sites covering all topics will be able to obtain a full list of topics of interest for a user quite fast. We also suspect that smaller advertisers will be able to easily build workarounds

The only really useful part is that users are able to disable the whole system or exclude certain topics in a way that can’t be easily detected. However, we expect that most users won’t change the defaults and will just fall victim to this anyway.

In addition, the wording in the specification is loose and ambiguous in a way that leaves it open to manipulation by Google, to expose more or less information. This is especially possible for websites that cover a large range of topics, such as Google and Facebook, which will be able to observe the widest range of behaviorally profiled information.

How Topics stays true to the FLoC spirit

Topics has the same fundamental problem as FLoC: it enables third parties to build profiles, which is always problematic, no matter how many privacy mitigations you put around it. Your browser would still learn about your interests as you move around the web. So, it’s basically spyware.

As we know, revealing information about the user’s interests to various entities, even slowly, will allow them over time to identify political affiliation, sexual orientation, and other personal information about the user. This can have real-world consequences. And, as has been shown by the Cambridge Analytica scandal, this identification can be done even with very few topics. The little randomness element Google has added will unlikely do much to counter this.

Indeed, in going back to the drawing board after FLoC, the only aspects Google seems to have looked into are the ability to identify someone and to get compromising information about them. But this is addressed less by making improvements than by creating a complex system that is harder to analyze for loopholes. But the loopholes remain and can be played.

The Verdict?

Based on this, and Google’s track record, we currently have no faith in the new Topics API. Adding tweaks upon tweaks to “fix” privacy issues of a system that’s specifically engineered to leak user information only ends up obscuring the real problem and leading nowhere. Even if a compromise could be reached for now, the system would not be safe from future tweaks that could lead to leaking more information about a user.

We believe that spying on people’s behavior and profiling them is wrong. Period. It is easy to get misled by this new variation of FLoC, since it does appear to have made some positive changes. However, it still violates your privacy. And pretending that behavioral profiling can be okay as long as you hide a few bits of information, or sometimes add false information, is really missing the point that you shouldn’t be profiling in the first place.

Instead of arguing endlessly about whether profiling can be made acceptable (it can’t), we would much rather start with a return to context-based advertising and then fine-tune that, if (as Google claims) there are indeed cases where it doesn’t work.

At least this time, we can just disable it without fearing that it will cause issues in the future.

Nice try, Google, but you are still off-topics on this one.

Input from Vivaldi developers Tarquin Wilton-Jones and Julien Picalausa

How (not) to track product usage

Jane — Fri, 23 Jul 2021 10:29:14 +0000

When it comes to tracking how users engage with products, there are two extremes.

At one end is the idea that your activities should be ultimately private, so companies won’t actively monitor how you use a product.

At the other extreme is the approach of monitoring each and every action that you take within a product.

In between? It’s a grey area.

As someone who works for a software company, I can see the appeal of knowing what product features users are actually using, or which version of a feature is more easily understood. But aside from the chance that data can be misinterpreted, there’s also the problem of how to gather usage information while respecting the privacy of users.

A basic check – mostly harmless?

Most companies will want to know how many users their system or product has – for statistical purposes or for financial purposes when making agreements with partners, for example.

For a server-side product such as a webmail service, counting accounts (perhaps checking if they’re active) is usually sufficient.

However, for a product that users download and install, counting users is more difficult. You could simply count downloads and hope it matches the number of installs. But this paints a false picture, since users may install software via third-party channels or via corporate software distribution, or – indeed – they may never run it again after installation.

For truer results, it may be necessary to count users by having the installations notify the vendor when they are installed or running. This requires some kind of identification to prevent reinstallations from being counted as new users and to make sure that repeatedly running the application does not increase the user count. To identify a single installation, an identification token must be kept in the user’s profile, to differentiate them from other users. This identification token is then sent as part of the notification to the vendor.

All this makes it possible to tie an installation to a user. The vendor can see how often you run the product, whether you change your IP address, whether you travel to other countries, whether you run the software daily or weekly.

This is all highly useful for a vendor who wants to know how their software is used and where their users are from, but it immediately invades your privacy and that of any user who just wants to use the software, not share their personal business.

When you agree to send back installation statistics, do you fully understand the privacy implications? Do you understand that just by allowing yourself to be counted, you also make it possible for a company to see other details? Because this privacy intrusion didn’t sit well with us, we developed a system for counting users that maintains your privacy.

How feature tracking starts

It is typically in a company’s interest to know where to spend their development resources. New features take time to produce and maintain. Is a recent feature being used? Should it be relocated to help more users find it? Does adding one feature cause other features to be used less? Is one language version performing better than others?

Tracking whether a feature is being used simply sends a ping – a minimal message saying “the feature was used”. This could be anonymised, or it could be tied to the user identifier. Either way, the server that receives the message gets to see that a user from that IP address was using that feature.

Progress is not always progress

Feature tracking can quickly become a go-to approach for driving development. Now that Developers can see whether you use a feature, they may want to see exactly how you’re using it.

This can be done with laboratory-style testing, using focus groups. However, that can be expensive and does not always represent how it will be used in the real world. So, some companies turn to feature tracking.

It can get highly detailed, timing how quickly you get through a certain section, checking which buttons you press, checking how you move your mouse, or whether you use a touch screen or keyboard to navigate.

As product development increases its data appetite, they might update the privacy policy and the end-user license agreement to allow more feature tracking to take place. And many users help them by blindly clicking “Accept” without realising what they are agreeing to.

As the huge amounts of tracking and profiling information roll in, it is collected in a user-profile database. This is normally anonymised to a degree; it is not stored with the user account tied to it, but each profile is the digital representation of a real person. It may be possible to tie that profile to that person, depending on whether the system links it to a specific user account. If the data were to be exposed, someone with access to other behavioural data may be able to tie that profile to the actual person.

Being a trustworthy company

This collected data is a valuable asset that can be sold to other companies, or advertising agencies, as “big data”. To some companies, this becomes a major source of revenue, while to others, user privacy remains paramount.

However, the reality is that corporate cultures can change over time. One day, even innocently collected feature-usage data can suddenly be seen as a financial gold mine. Frameworks built to improve products now become a privacy-invading money spinner, violating the trust of the users who agreed to tracking to help improve the product they’re using.

As a company grows, it can become more difficult to maintain the line between acceptable feature tracking and unacceptable user-behaviour monitoring. Perhaps the staff that adhered to the original spirit are no longer working on the product. Newer staff may not realise the bounds that they are overstepping. They may not feel that it is wrong to see how quickly a user moves their mouse towards a button or whether that correlates with whether the user has selected the high contrast mode first – essentially leaking information that the user is likely to have a physical disability.

More companies should just say “no”

This is one of the reasons that Vivaldi outright refuses to collect such statistics. It is easy to prevent data collection from escalating to the point of privacy invasion, and ensure that the data can never be leaked or compromised, if it is never collected in the first place. In our experience, it is also much easier to gain and retain your trust.

Even in cases where server-side services collect minimal information for debugging purposes, such as HTTP access logs, companies can and should remove this data as soon as it is no longer needed. This prevents it from becoming a statistical data store ripe for data mining, should the corporate culture shift. Companies should also clearly document the purpose of this collection in their privacy policies, so you, the user, are informed and reassured that nothing will be retained for future use.

Data privacy regulation and ethics

Perhaps feature-tracking may not sound all that threatening, but in many cases, the resulting behavioural profiles can reveal personality traits and, potentially even medical conditions.

Unless you have specifically signed up for a behavioural-profiling study, you may not realise just how much information is being gathered about the way you use a product.

Regulations may not go far enough to protect you from anonymised data collection. With legal systems slow to respond to the ever-evolving privacy-risk landscape, most nations don’t have sufficient protection for user data in place. GDPR has only recently become established within the EU, but other countries are still working on their equivalents.

Even if we assume that the vendor will always be trustworthy, storing user data must be done in such a way that in the event of a compromised server, it will not fall into untrusted hands.

Listening to users

With all this feature tracking going on, it can become all too easy for companies to rely on statistics to drive development, instead of doing the most important thing: listening to users. Users are the lifeblood of the industry. They are people, real human beings, with desires for the product that won’t show up in a statistic. Perhaps you may have wanted to use a feature, but couldn’t find it. Making it easier to find would be the right way forward, but instead – looking at the low usage statistics – the unused feature gets pulled, potentially damaging good will – and good word of mouth.

Even though direct feedback from users can often be negative – people are much quicker to complain about a problem than to offer praise for a positive experience – we believe it is important to engage, to listen to you and all our users. Apart from a channel for potentially product improvements, we see this as a vital part of community building.

In a privacy policy, which would you find more reassuring: “We do not collect usage statistics,” or “We collect statistics for the following 10 purposes, and we promise not to misuse the data, but we reserve the right to update this privacy policy in the future.”?

Vivaldi views you as a person, rather than a statistic. We prefer to interact with you in a welcoming community, rather than fixate on numbers. If more companies would follow Vivaldi’s path of connecting with and listening to users rather than tracking them, privacy would be better respected and protected – and products and services would improve their user experiences overall.

To submit or vote for a feature you’d like to see in the desktop browser, Android browser or our services, head over to the Feature Request Forum.

What’s your take on feature tracking? Something you take for granted? Something you hate? Something you haven’t really thought much about? Have your say in the comments! 👇

It’s time to ban surveillance-based advertising

Jane — Mon, 28 Jun 2021 14:21:15 +0000

For years, Big Tech has tried to speak for us. They tell anyone who will listen that we all want our data to be collected, so we can get “relevant ads”. At the same time, they have told us that, without the right to collect and harness our data, they couldn’t provide us with quality technology for free. Sadly, over time, they have managed to convince many people to accept this false bargain.

Would they have achieved the same success in their efforts had they more honestly called what they’re doing “surveillance-based advertising” instead of “relevant ads”?

Now, people are realizing just how much of their data is being collected. And while dramatic reveals of data breaches may have been what put it on their radar, it is the extent of surveillance-based advertising and data collection that should grab their attention. Because these practices have become so widespread that the damage not only impacts individuals, but also society itself.

Or, more plainly: Big Tech’s toxic business model based on surveillance-based advertising is undermining democracy. They have had more than enough chances to clean up their act. Now it’s time for them to be regulated.

The Norwegian Consumer Council stands up for what’s right

Fortunately for us all, government bodies and organizations are starting to take action to drive positive change on surveillance-based advertising and related privacy issues.

In April, for example, EU’s privacy watchdogs called for a ban on facial-recognition technology in public places – a welcome sign that the “privacy is dead” tide is beginning to turn.

The Norwegian Consumer Council weighed in last week, publishing a comprehensive paper that clearly states that surveillance-based advertising has gone too far. Their call for a ban is supported by 54 organizations worldwide. I recommend that everyone read this in-depth paper, to get a sense of the scale of the problem and how to start tackling it.

The paper deals directly with many statements that Big Tech rolls out when championing or defending their surveillance and surveillance-driven practices.

It describes various challenges caused by surveillance-based advertising such as privacy and data protection infringement, opaque business models, manipulation and discrimination at scale, serious security risks and more, including even fraud and other criminal activity.

It points out how today’s dominant online advertising model is a threat to consumers, democratic societies, the media, and even to the advertisers the model supposedly benefits.

The issues raised are significant and serious enough to justify banning these detrimental practices.

To support the Council’s position, the paper fact checks many of Big Tech’s claims about consumer attitudes on surveillance-based advertising and concludes with the following findings:

It is becoming clear that a majority of consumers do not want to be tracked and profiled for advertising purposes. In a population survey conducted by YouGov on behalf of the Norwegian Consumer Council, just one out of ten respondents were positive to commercial actors collecting personal information about them online, while only one out of five thought that serving ads based on personal information is acceptable. This resembles similar surveys from both sides of the Atlantic, and indicates that consumers do not regard commercial surveillance as an acceptable trade-off for the possibility of seeing tailored ads.”

As a result of the paper’s publication, Norwegian politicians are being quizzed on the record about what they think. So far, all of them have come out in favor of banning surveillance-based ads. We hope that politicians in other countries will take action, as well. I believe they should and will, as long as we make sure they know that we back them to do the right thing.

Together, we can reverse course and help reform and free the internet from advancing data breaches, privacy invasion, information distortion and sheer exploitation.

Vivaldi has long advocated against surveillance-driven practices

For years we have communicated clearly that surveillance-based ads should be banned. We have rallied against Big Tech’s unethical and noxious practices through our values, services and products. It has never been an afterthought for us.

So, it is gratifying to see this matter gaining traction in the political sphere and beyond. It is too important to shy away from, and I am pleased to see others speaking out so publicly.

I have dedicated much of my life to the Internet. And, like so many in this position, I am worried about where the Internet is heading. For many years, the Internet was synonymous with freedom of expression, helping to improve communication and develop democracy across the world. Unfortunately, the landscape has drastically changed for the worse.

In an interview with Wired a few years ago, I expressed my concerns about the web being misused and called for a ban on personalized ads. But we are still being followed every minute. Invasive technologies watch our every move.

Yet, there is just no reason for companies to collect vast amounts of data on their users. They could and should keep safe any data they do have on their users. They could and should avoid using that data for any purpose beyond providing the service. It should go without saying that they should not use user profiles for advertising purposes. These profiles should not exist in the first place.

It is just plain wrong.

What’s at stake: Big Tech makes billions, while society pays the price.

Over time, Big Tech has amassed incredible power due to its access to a treasure trove of user data. As Google, Facebook, and other players sought new ways to monetize their services and meet investor demand, they couldn’t resist. The data was easily available, so why not collect it? Why not use it to generate even more revenue by, for example, offering highly targeted ads? Gradually, the tactics, collection, and use of data expanded, until these companies were collecting virtually every move by everyone on the Internet – and beyond. The bigger issue is that these companies not only collect data but then provide the data or the ability to leverage it to third-parties willing to pay.

Companies have always had access to information about their customers. Your carpenter could likely gather a lot of information about you and your family from your home. Telecommunication companies could listen to your conversations. Your mail carrier could read your mail. These companies and service providers do not do this, because it would be wrong.

Big Tech has no such qualms. For them, the information is there for the taking, barring regulation and ethics getting in the way. And up to now, by disregarding both, these companies have gained massive advantages, which they have used to kill competition and change entire industries.

Reject “That’s just the way it is”.

Big Tech’s mission has been to convince us that it is necessary to pay for free services by allowing them to track us. But the Internet was fine without all of this surveillance.

These companies claim that their services would be more expensive if they couldn’t collect data. This is nonsense. It might be less profitable for them, but most of them would remain sufficiently profitable with traditional ads.

Moreover, by providing their services for “free”, in exchange for data, it makes it harder for other businesses to compete. As long as the consumer is the product, ethical companies will be at a disadvantage, reducing consumer choice. In other words, the true cost to consumers and to society as a whole is a lot higher when consumers are forced to pay with their data.

A number of small and large companies that rely on tracking and surveillance will claim that the industry won’t survive without it, but the reality is that ads existed online even before tracking. And they can survive without it.

We can heal the internet

Is there a glimmer of hope?

Finally, things are being taken seriously. Hopefully, we will see change. Many people believe that Big Tech cannot be stopped, but nothing is impossible. Over the years, other highly noxious things have been regulated for the public good. An example the paper cites is Asbestos, and frankly, the comparison is rather accurate.

When first launched, Asbestos was heralded as a wonder material that could keep homes, schools, businesses safe from fire. It took decades before the health hazards from asbestos came to light. The eventual ban on what had been viewed for decades as a necessary, desirable – and unstoppable – building material led to less hazardous materials being used in its place. This, in turn, improved the lives of those who might otherwise have suffered from its long-term effects.

Likewise, surveillance-based ads are hazardous to the health of the internet and our society.

A ban on surveillance-based advertising will force a change and rethink of the business models of companies addicted to tracking for profit.

As a result, it will help invigorate growth for technologies that respect consumer and fundamental rights, and restore consumer trust in digital services over the long run.

This madness has to stop

Today’s situation is frightening. More and more data about each of us is being collected and used with lightning speed.

Aware that users are increasingly privacy-conscious, Big Tech is getting more creative to keep the data stream from drying up. For example, initiatives like Google’s FLOC, which bills itself as a revolutionary “privacy technology”, despite being designed to harvest user data for Google’s benefit – and to evade browser settings that could prevent it from doing so.

We need our representatives to focus on these matters for the benefit of the people. The status quo is a losing game for us, our economy and society. A radical change is needed to secure our privacy over the long term, restore competition on the Internet, and reverse the damage brought by these unethical practices.

Ban the unnecessary collection of user data. Stop building targeted profiles of people. End surveillance-based advertising.

No, Google! Vivaldi users will not get FloC’ed.

Jane — Tue, 13 Apr 2021 14:53:15 +0000

Old habits die hard.

Google’s new data harvesting venture is nasty. Called FLoC, this new advertising technology intends to replace third-party cookies and related technologies like third-party localStorage.This clearly is a dangerous step that harms user privacy.

Currently, it is being trialled in Google Chrome and is a part of the Chromium browser engine.

Now the real question; What is Vivaldi’s position on this new technology by Google?

This is a pretty valid question as we are based on Chromium. But the truth is that while we rely on the Chromium engine to render pages correctly, this is where Vivaldi’s similarities with Chrome (and other Chromium-based browsers) end.

FLoC off! Vivaldi does not support FloC.

At Vivaldi, we stand up for the privacy rights of our users. We do not approve tracking and profiling, in any disguise. We certainly would not allow our products to build up local tracking profiles.

To us, the word “privacy” means actual privacy. We do not twist it into being the opposite. We do not even observe how you use our products. Our privacy policy is simple and clear; we do not want to track you.

FLoC, a privacy-invasive tracking technology.

Google will continue to build profiles, and track users, in the absence of third-party cookies and localStorage.

It presents FLoC as part of a set of so-called “privacy” technologies, but let’s remove the pretence here; FLoC is a privacy-invasive tracking technology.

Does FloC work in Vivaldi?

The FLoC experiment does not work in Vivaldi. It relies on some hidden settings that are not enabled in Vivaldi.

The FLoC component in Chrome needs to call Google’s servers to check if it can function since Google is only enabling it in parts of the world that are not covered by Europe’s GDPR. It seems there is still some discussion as to whether FLoC could even be legal under the GDPR regulations. We will continue to follow this closely.

Although Vivaldi uses the Chromium engine, we modify the engine in many ways to keep the good parts but to make it safe for users; we do not allow Vivaldi to make that sort of call to Google.

We will not support the FLoC API and plan to disable it, no matter how it is implemented. It does not protect privacy and it certainly is not beneficial to users, to unwittingly give away their privacy for the financial gain of Google.

Why FLoC? Because third-party cookies are dying.

Traditionally, many websites relied legitimately on third-party cookies to maintain logins. Blocking third-party cookies would break these logins. But because these were abused for tracking, some browsers started blocking third-party cookies anyway.

Websites have steadily moved towards alternative solutions for logins that do not rely on third-party cookies, and very soon, third-party cookies could be disabled by default in all browsers.

This presents a challenge for ‘tracking’ companies such as Google who want to remain dominant, and so they look for alternatives. FLoC is one of them.

Like many privacy-oriented products, Vivaldi has a tracker blocker built-in that blocks known third-party trackers, whether they use cookies, localStorage or fingerprinting for identification.

Third-party cookies explained.

Third-party cookies — one of the fundamental technologies relied upon by advertisers — can be used to build up behavioural profiles of users. Instead of contextual adverts based on what page the user is currently looking at, these behavioural profiles display targeted advertising that matches the user’s personality.

Such adverts may be seen as a way to make money but can be used to influence user behaviour and control people in large numbers. They can even be tied to a social media account, a name, an actual person, their friends and relatives, and everything they have ever posted about themselves.

The vast majority of online adverts and trackers belong to just a few major corporations such as Google and Facebook. These corporations gather vast amounts of data from all of the trackers they supply and get to know all those private aspects of your personality.

This sort of tracking — one of the biggest invasions of privacy of our time — threatens our individuality. It compromises our privacy. Yet it is allowed because we have become accustomed to it, and people do not have a voice loud enough.

At Vivaldi, we believe that it should not be legal for a company to build up profiles about you. There should be no right to build profiles, with or without permission. There should be no way to consent. Not by clicking on an “OK” button. Not in any other way.

How third-party cookies facilitate tracking?

Ads or tracking resources (scripts or “tracking pixels”) are included on pages where their adverts are hosted. The first time the browser loads one, the tracker sets a third party cookie with a unique identifier.

Every time the user requests a tracking resource, the cookie gets sent to the tracker, and the tracker associates it with the data from previous requests. Over time, as a visitor visits several websites which have trackers from that same company, the company can build up a picture of the user’s behaviour. What pages they look at, what their political views are, what medical conditions they might have, where they live, and how much of their time is spent online.

The more intrusive trackers can watch what you type on the page, and how you move your mouse.

How does FloC work? It will keep a tab on your browsing history

FLoC intends to do all of the profiling work within the browser. The browser sees everything you browse, so it gathers the data about your browsing habits and determines your preferences.

This is not like a browser maintaining your browsing history for you. It is analysing your personal behaviour, for Google. It decides which aspects of your browsing behaviour are important, and if enough other people share that behaviour, it assigns you the same ID as all of them.

Advertising companies no longer get to see a unique identifier so they cannot see exactly what you browsed — unless they also happen to be the same company that makes the browser you are using — so they cannot see you specifically. It does sound great.

But they can see that every person who buys certain medical products seems to be in the group (FLoC) 1324, or 98744, or 19287.

Now things start getting ugly.

So if you have one of those FLoC IDs, they can display ads for that product — even if that particular medical condition is something you would rather keep to yourself.

It’s all anonymised. Sounds like it should be all right, but that is far from the truth.

They can still work out that you have that certain medical issue. That you seem to be in a certain age group, or that you seem to have certain character traits because you share the same ID as other people that have those traits.

Statistical analysis of those IDs is harder for small ad companies. They don’t get quite so much data to work with. They don’t see every website where that FLoC ID appears.

The company that gets to know the most about that ID is the one that controls the largest amount of the advertising space — Google.

So once again, Google asserts more dominance.

FloC will expose your data. More than ever.

In the past, an ad company could only see the aspects of your personality relating to the websites where its ads were used. An ad provider that was only used for 1000 websites might only have seen each visitor on one or two of their sites, so they could not build up much tracking data about you.

FLoC changes this completely. Its core design involves sharing new information with advertisers.

Now every website will get to see an ID that was generated from your behaviour on every other website. Websites that only have contextual ads, or no ads at all, still could get used in the calculation. This may change in future since the technology is currently experimental.

You might visit a website that relates to a highly personal subject that may or may not use FLoC ads, and now every other site that you visit gets told your FLoC ID, which shows that you have visited that specific kind of site. A totally different advertising company, but it shares the same information about the websites you visited.

FLoC has serious implications on society as a whole.

FLoC does have very serious implications for people who live in an environment where aspects of their personality are persecuted — be it sexuality, political viewpoint, or religion. All can become a part of your FLoC ID.

A dictatorship may be able to work out that dissenters often seem to have one of the same five FLoC IDs. Now anyone who visits a nationally controlled website with that ID could be at risk. A country that outlaws certain religions or sexualities could do the same.

This is no longer about privacy but goes beyond. It crosses the line into personal safety.

Users first. Not FLoC.

It is extremely concerning that we have reached a stage that a number — FLoC ID — could be so dangerous. Could you ever imagine this?

The reality is that there were ads that existed even before tracking. But they were typically contextual; you were browsing a website selling car parts, so the ads were about cars. It’s what you were looking at, so you got relevant ads. You didn’t need to feel creeped out because you saw an advert for some very specific product that you were looking at a week ago on a completely different website. Ad companies made money. Websites made money from the ad companies.

In all likelihood, this approach would very quickly return to being the dominant type of ad, if only tracking would stop being used; after all, it still remains very effective today.

But instead of creating a world free from the problems of targeted ads, we are now facing a new reality of surveillance and individualized profiling through FLoC and ‘Privacy Sandbox’.

We reject FLoC. You should too.

Input from Vivaldi developers Tarquin Wilton Jones and Julien Picalausa

Vivaldi takes tabs to the next level, literally

Jane — Thu, 28 Jan 2021 07:50:24 +0000

The solution to too many tabs in a tab bar is here – a second tab bar in Vivaldi.

Six years ago, in Vivaldi’s first public appearance on desktop and notebooks, we unveiled Tab Stacks – the ability to group and manage tabs together. Today, we introduce Two-Level Tab Stacks, a feature that takes our tab functionality to the next level, literally.

With Two-Level Tab Stacks, in our latest version Vivaldi 3.6, stacked tabs are displayed in a second tab bar. This first-of-its-kind functionality opens up a new way of viewing and managing tabs on desktops and notebooks.

Tabs are an essential part of browsing but many struggle when it comes to organizing and managing tabs.

Over the years, we have strengthened our comprehensive tab functionality with modern, built-in features that adapt to how you work today (even more so in times of remote-working).

Our plethora of tab features such as Tab Stacks, Tab Tiling, Vertical Tabs, and Auto Stacking help you view, manage, and navigate between tabs in the browser easily.

Download Vivaldi

Two-Level Tab Stacks explained

https://vivaldi.com/wp-content/uploads/2-line-tab-stack_no-music-3.mp4

Tab Stacks in Vivaldi help you organize a group of tabs by dragging one tab over another.

In Vivaldi’s original implementation, stacks take up no more space than a single tab. This keeps the browser window tidy and is an efficient way to quickly access a large number of tabs. Clearly, the focus is on staying compact.

While Compact Stack is still a great view for those of you who wish to maximize screen space, Vivaldi’s new view – Two-Level Tab Stacks – goes a notch higher.

Tab Stacking – Compact and Two-Level

By simply clicking on a stack, you expand and show the content of the stack, with full-size tabs on a new line. Having full-size tabs means that you can manipulate them like any other tab, using the same methods to open, close, activate, move or select tabs within a stack.

Two-Level Tab Stacks on the side.

You can organize Tab Stacks any way you like while keeping a full overview – drag, hibernate, mute, and even rename as needed. All the tabs are instantly accessible, without the need to constantly switch windows, profiles, or workspaces.

The feature is enabled by default and you can easily switch between Compact and Two-Level Tab Stacks. Simply head to Tabs in Vivaldi Settings.

Switch between Compact View and Two-Level in Vivaldi Settings

Arild Fines

@rogue_code

@webtonull @kazukidevnull @siljel I use @vivaldibrowser which has tab search already built in. It also lets you put the tab well vertically with a scrollbar, which means you can always read tab titles and icons. This, in addition to automatic tab hibernation, makes the number of open tabs a non-issue.

17:51 PM - 09 Jan 2021

Two-Level Tab Stacks: better display, more control

The new feature is useful for people who would like to display their stacked tabs in full size. It works whether the tabs are placed on the top, bottom, or to the side.

Vertical view of Two-Level Tab Stacks

The new, second level makes reorganizing stacks or creating new tabs within a stack a breeze. For example, the “+” button on the new line lets you easily create tabs within the stack. The feature offers all the other benefits of normal-sized tabs, like easier to read page titles, tab notifications, and (if enabled) tab thumbnails.

In addition, Two-Level Tab Stacks can be locked, which avoids changing the page view height when switching between tabs, and makes it simpler to create new stacks from any single tab.

Vivaldi’s Tab Management: Tabs for an organized life

Turn into a Tab Master with Vivaldi’s built-in Tab functionality

The extensive tab management tools in Vivaldi are fun, efficient, and rewarding for tab hoarders. You are in control of tabs. Our built-in tools also stop you from being reliant on third-party add-ons.

There’s a variety of options: from placing tabs at the top, bottom, or to the side to rounding the corners of your tabs. The thoughtful structure and design benefit everyone from first-time Vivaldi users to the most demanding pros.

You can have a split-screen view of multiple sites with Vivaldi’s Tab Tiling or easily view open tabs in tree-style in the Window Panel.

Switching between tabs is seamless with Tab Cycling – the keyboard shortcut Ctrl + Tab lets you cycle through open tabs and display them as thumbnails (the horizontal cycler), or as a list of titles (the vertical cycler).

For speedy navigation, you can use the pre-set keyboard shortcuts for tab related commands or assign different keyboard shortcuts based on personal preference.

Similarly, editable Mouse Gestures help perform tab related commands. Instead of clicking on a tab, switching tabs is faster through Quick Commands.

There are multiple ways to open and close tabs. Jumping to the previously opened tab with one click is a nifty time-saving trick while an accidentally closed tab can be easily retrieved from the Trash.

Looking out for tabs is much easier when you display Tab Thumbnails. Tab Notifications, displayed on both pinned and regular tabs, act as reminders of new content waiting to be read – useful on social media sites.

View and Manage Two-Level Tab Stacks at the bottom.

Naming and saving a session works as a charm when you have a zillion tabs open especially while researching a topic. Placing tabs in a Web Panel avoids clutter and is handy when using a translation tool or a messenger app on a daily basis.

Fun customization options enable you to add personality to your tabs such as the ability to round tabs or make them angular, add custom window background to the Tab Bar or the accent color via Themes. Simply increasing the width of the active tab improves workflows and is useful when you have several tabs open.

Clive Thompson

@pomeranian99

@maximum_mew Yep, @vivaldibrowser has been my main browser for about six years now!

Loooooove it

The two features I love:
- tabs stacked vertically on the far left (maximizes up-down reading space)
- hotkey search for instantly locating open tabs (I have like 60+ open most often)

23:03 PM - 30 Dec 2020

There’s more in Vivaldi 3.6

The desire to meet individual needs is something that motivates us to continue to polish our existing features while we introduce new ones. Our work on configurable menus is ongoing. You’ll notice that working with right-click menus is much easier. Now you can change and configure the entries that you could not before, e.g. in Downloads Panel, Windows Panel.

Configuring menus is not just about adding entries or moving items around but also about removing items you know you will never use. This will help you work more efficiently.

New year, new version

With the new version, you can handle an extraordinary amount of information while staying organized. Two-Level Tab Stacks is an example of how we innovate for you. Thank you for putting your trust in us. You deserve it.

Do download Vivaldi 3.6 and try out the ‘next level’ of tab stacking. 😊 We’d love to know what you think.

Download Vivaldi

We reveal a security problem in the Google Cloud API Console

Jane — Thu, 26 Nov 2020 12:58:41 +0000

This week we released the Technical Preview of the Vivaldi Mail and Calendar client. One of the minor, but necessary features in this client is that it can, with your permission, access your Gmail account’s Email and Calendar info using APIs published by Google.

Access to these APIs has to be enabled in Google’s Cloud Platform’s API Console which is used to manage API keys and IDs for various projects. These keys and IDs are used by the client application to identify which services the user is asked to grant access to when logging in, using a protocol called OAuth.

Some of these services, such as sensitive ones like Gmail and Calendar access, have a significant limitation to how many accounts an application can access without being approved by Google.

At the time of writing, this process (which might deserve its own article) has still not been completed for Vivaldi’s Mail and Calendar client, despite starting the process in February.

Although we do understand the need to prevent bad actors from getting access, it’s not a pleasant situation when a company can dictate which clients can connect to their service, and essentially shut out the new competition for the best part of a year.

This is why so many of you still can’t connect to Google Mail using Vivaldi Mail.

While the approval process has been frustrating on many levels, the requirements for one small part of it, the support email address, revealed what we think is a security problem, possibly a security vulnerability.

When we reported it in early May, Google’s security team didn’t agree.

The Google Cloud API Console issue

When you approve an app’s access to your Gmail account, you do that via an “OAuth Consent Screen” that informs you about the app requesting access, and what it is requesting access to. Part of that screen is a support email address.

According to Google, this support email address MUST be either a Google mailing list or the email address of one of the project owners or editors. Hopefully, at this point you can see the problem – the support email is forced to be a project owner’s or editor.

Obviously, we are not interested in using a Google-hosted mailing list for our user support work. In fact, like most companies, we would rather avoid using email, and start our users in need of support by pointing them to our actual support channels, such as our bug tracking system, user support tracker, forums, and help pages. But that is not possible at present.

In fact, this requirement for a support email address of an owner or an editor of the Cloud API project owning the enabled APIs is a potential security problem, and possibly a vulnerability.

There are several aspects to why this is a problem, some of them not really related to security.

First of all, it should not be necessary to have a support email address as a member of the project, especially since the domain hosting the email has already been approved.

Second, in general, the support team has no special need to know about the Cloud API project or have access to it.

Where this enters security territory is that should the email address’s Google Account be hijacked, the attacker (whether external or internal) will get editing access to the API project account, and could break the application’s access by disabling the APIs, and possibly do other bad things.

This, of course, applies to all the accounts having access, but the problem with giving the support email account access is that it is publicly known, giving it a much larger external attack surface. Support email accounts shared by multiple people are easier targets, and should not have administrator privileges. Roles like this should always be separate.

Another problem is that support email addresses are frequently piped into a request tracking system, which creates an opportunity for an attacker that has gained access to it, to intercept emails about approving a password reset that can then be used to get control of the account. Your administration security gets reduced to the level of your support tracker, which might be accessed by multiple members of staff, perhaps even volunteers depending on your organization.

Two-factor authentication can mitigate against much of this, but it is not perfect, and an external attacker could use more targeted attacks against employees to obtain the second factor. A targeted attack against employees was used to take control of many verified Twitter accounts earlier this year.

In my opinion, Google should consider rethinking this part of the system to allow the use of any email in the verified domain as a support email (and the owner/editor accounts should not generally be allowed for this address in an approved consent screen), and should also allow a URL in the verified domain to be used instead.

The support team – whose job is to help users – should not be expected to act as trusted administrators of a project. And I also think it is very limiting, and controlling, for Google to force companies to only use email for support, rather than allowing standard support systems like support ticket systems, bug tracking systems, forums, troubleshooting tools, and help pages.

DEV Community: Jane

Vivaldi presents: “Browser choices. A tale of two Gatekeepers.”

A Tale of Two Gatekeepers

IronGrip vs FreeChoice

The right time to show the Choice Screen

User influence

Impatience is the enemy of choice

Expose users to more choice

Help make a meaningful choice

Make sure all choices are useful

Ensure the chosen browser is easy to start

Ensure the chosen browser is easily used

Let people change their mind

Handling of newly installed browsers

Don’t force people to change their minds

Bonus section: Allow procuring browsers from anywhere

What of the real Gatekeepers

Why Vivaldi won’t follow the current AI trend?

What are LLMs?

The right thing to do

Unpacking Google’s new “dangerous” Web-Environment-Integrity specification

What is Web Environment Integrity? It is simply dangerous.

So, what is the issue?

Can we just refuse to implement it?

There is hope.

Manifest V3, webRequest, and ad blockers

Will the Vivaldi Ad Blocker be affected by the Manifest V3 changes?

How is Vivaldi’s Ad Blocker built?

What happens after the Manifest V3 changes?​

Could we keep using our ad-blocking extensions in Vivaldi?

The road ahead

Good riddance, Internet Explorer!

Internet Explorer: Embrace, extend, extinguish

Microsoft close to taking over the Web

Microsoft’s tactic backfires

Websites code for Web standards first, not Internet Explorer

Ever get the feeling you’re being watched?

Heads up: Google’s going off Topics again.

How does Topics differ from FLoC?

How Topics stays true to the FLoC spirit

The Verdict?

How (not) to track product usage

A basic check – mostly harmless?

How feature tracking starts

Progress is not always progress

Being a trustworthy company

More companies should just say “no”

Data privacy regulation and ethics

Listening to users

It’s time to ban surveillance-based advertising

The Norwegian Consumer Council stands up for what’s right

Vivaldi has long advocated against surveillance-driven practices

What’s at stake: Big Tech makes billions, while society pays the price.

Reject “That’s just the way it is”.

We can heal the internet

This madness has to stop

No, Google! Vivaldi users will not get FloC’ed.

FLoC off! Vivaldi does not support FloC.

FLoC, a privacy-invasive tracking technology.

Does FloC work in Vivaldi?

Why FLoC? Because third-party cookies are dying.

Third-party cookies explained.

How third-party cookies facilitate tracking?

How does FloC work? It will keep a tab on your browsing history

FloC will expose your data. More than ever.

FLoC has serious implications on society as a whole.

Users first. Not FLoC.

Vivaldi takes tabs to the next level, literally

Two-Level Tab Stacks explained

Two-Level Tab Stacks: better display, more control

Vivaldi’s Tab Management: Tabs for an organized life

There’s more in Vivaldi 3.6

New year, new version

We reveal a security problem in the Google Cloud API Console

The Google Cloud API Console issue

What happens after the Manifest V3 changes?