Vivaldi privacy?

I am sorry to be obtuse, but I have been curious about Vivaldi’s privacy for a long time. Why does it have such a stellar reputation here and in the computer security press for users’ privacy? From its own Privacy Policy:

“When you install Vivaldi browser (“Vivaldi”), each installation profile is assigned a unique user ID that is stored on your device. Vivaldi will send a message using HTTPS directly to our servers located in Iceland every 24 hours containing this ID, version, cpu architecture, screen resolution and time since last message. We anonymize the IP address of Vivaldi users by removing the last octet of the IP address from your Vivaldi client then we store the resolved approximate location after using a local geoip lookup.” <I am snipping the rest, including its reason for wanting this data.>

Vivaldi removes the last octet. So what? Using the ID, it can still correlate me each day with which VPN I am using when this message gets sent. GeoIP lookup? (Yes, that is turned off on my current browser, and it would get the VPN’s from the IP.) The other data could be gathered if I visit its site, but here it is regularly sent.

Can someone please educate me? I have considered Vivaldi, but this has always bothered me. Especially among this audience, I hope I am not one of the few that actually reads Privacy Policies (for what they are worth).

Thanks.

3 Likes

Most software developers want feedback and metrics. Vivaldi tried to transparently create a more or less privacy-preserving way to do that. That is a separate thing. Most in these circles don’t like even that but some do (as it may actually help make apps better - as long as personal info is not sold). As for why Vivaldi may be considered good - or better than some - in other regards for privacy, I suggest looking at the comparison table of some of the browsers out there, for instance from https://privacytests.org/. Perhaps the reputation is… not all that it may be hyped up to be (although not everything about the browser is on those linked tests in that table).

Vivaldi makes a browser with, as I recall, some good AI translation help, which when installed from their ARM .deb even adds a repo to your /etc/apt/sources

It is a bit crunched but the UI works; you can do most everything by rotating your phone enough, unlike some desktop apps.

Not sure about absolute privacy and anonymity though. I decided it was unneeded, I didn’t have time for the privacy research, and wiped it out; also removed the repo.

Yeah, sounds a bit crap.

If you still want to use Vivaldi, I would try to block this message at the network level (details would depend on what type of device you want to install Vivaldi on). Warning though … sometimes doing this will prevent other functionality from working e.g. checking for updates either of the software or of configuration data, if any. If it actually prevents the browser itself from working then I would not consider further using the browser.

Transparent? OK but a browser that respects privacy would give you an option to turn off “phoning home”, no matter how much they want basic telemetry.

If it really bothers you and you still want to use this browser … download the source, build from source, with the transmission of data suppressed.

Worth also questioning whose servers those are. If it’s rented VPS or similar then you are transmitting not only to Vivaldi but also to whoever runs those servers.

And of course you are transmitting something to whoever can intercept that transmission. (If it’s a really accurate 24 hours and it’s a niche browser then traffic analysis might be enough to track the IP address. So hopefully they fuzz the timing a bit. And acknowledging that the IP address is just the VPN IP address anyway, for you but not necessarily for every user of this browser.)

It is not crystal clear whether this means local to the browser or local to their server. I took it to mean local to their server and hence browser settings wouldn’t affect this.

Everyone, thank you for the responses.

@JR-Fi I like the table, but it will require study. My developer days are behind me and my areas were not in web development anyway. Some of those things are unfamiliar to me.

@irvinewade My reaction was much like yours; you confirmed some of my instincts and gave me some more items to think about.

It is not inevitable that I will move. I like my current browser, but I cannot abide AI being forced upon me. Thinking back to my neural net days, I think AI is good for some things, but I see little value in general and want the choice.

Last octet? It narrows you down to 254 other schmucks.

2 Likes

5 posts were split to a new topic: Changing IP addresses

That’s odd. The main reason to use Vivaldi is their openly anti-AI stance, as mentioned here for example: Fighting for a better web
Is this a recent development?

The table you link to is interesting, however it is also about 6 months old. I’d be curious to know what has changed since then.

Can’t remember off the top of my head any major developments but the testing history (94th version atm, see privacytests.org/website/archive at 1d8fb8b838178f23793f2e8d99e81f0f56a946b0 · privacytests/privacytests.org · GitHub) suggests that there will be one or two updates per year - especially if something interesting comes up/changes.

1 Like

Where Vivaldi seems worse than even Microsoft Edge in the sense that wherever Edge has an “X” Vivaldi has one too … and Edge has fewer X’s.

Vivaldi does not even have all of its source available. In particular, other than the layout engine component (which comes from Chromium), the UI is not even “source available”.

1 Like

But the point is that Vivaldi saying:

We anonymize the IP address of Vivaldi users by removing the last octet of the IP address …

is funny. It’s not much of an “anonymization”. The first three octets of an IPv4 address have a name: It’s called the “Network ID”.

Furthermore, forcing an IP change doesn’t help much either because, if you recall, Vivaldi also says:

When you install Vivaldi browser (“Vivaldi”), each installation profile is assigned a unique user ID that is stored on your device. Vivaldi will send a message using HTTPS directly to our servers located in Iceland every 24 hours containing this ID,

In other words, Vivaldi potentially saves the “unique user ID” along with a history of these possibly changing Network IDs.

Exactly. That is one reason why I have been so puzzled that Vivaldi is considered a “privacy-oriented” browser by so many.

1 Like

OK. Then it’s a non-starter for me.

For sure. As @tracy said “254 other schmucks”.

However I think the point might be that they use an external geoip service and the anonymisation, such as it is, hides you from that external service. They may still store the full IP address. They don’t make that explicit in the quoted text. Maybe they don’t store the IP address at all (just the resulting geo). Maybe they store three octets. Maybe they store the full IP address.

Goodness knows what they do with IPv6. Dropping just the last octet would be relatively pointless (with a 16-byte IP address). Maybe they don’t support IPv6 for this interface at all or maybe they do support it but the exact behaviour is not documented (doco never updated for IPv6) or not quoted above.

Can you find where that ID is stored and re-randomise it each time you start the browser / start the computer?

1 Like
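The two points raised in the posts above (a persistent ID linking records across IP changes, and last-octet removal meaning little for IPv6), as an added example that is not part of the original posts and is not Vivaldi's code. It assumes a server that keeps the installation ID next to the truncated address, which the quoted policy does not confirm, and it extends the last-octet rule to IPv6 as a further assumption; all IDs and addresses are constructed, taken from documentation ranges.

```python
import ipaddress
from collections import defaultdict

def drop_last_octet(addr: str) -> str:
    """Zero the final byte of an address: a /24 for IPv4, a /120 for IPv6.
    The quoted policy only describes IPv4; the IPv6 case is an assumption."""
    ip = ipaddress.ip_address(addr)
    prefix = ip.max_prefixlen - 8
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def candidates(truncated: str) -> int:
    """How many addresses collapse to the same truncated value."""
    return ipaddress.ip_network(truncated).num_addresses

def history_by_id(pings):
    """Group truncated networks by installation ID (assumed storage model)."""
    hist = defaultdict(list)
    for day, install_id, src in pings:
        hist[install_id].append((day, drop_last_octet(src)))
    return dict(hist)

def ids_sharing_network(pings, day):
    """IDs seen behind the same truncated network on one day: truncation
    merges the addresses, but the ID still tells the installs apart."""
    seen = defaultdict(set)
    for d, install_id, src in pings:
        if d == day:
            seen[drop_last_octet(src)].add(install_id)
    return {net: sorted(ids) for net, ids in seen.items() if len(ids) > 1}

# Constructed daily pings: (day, installation ID, source address).
PINGS = [
    (1, "id-A", "198.51.100.23"),       # home connection
    (2, "id-A", "203.0.113.77"),        # VPN exit
    (3, "id-A", "2001:db8:1:2::abcd"),  # IPv6 network
    (1, "id-B", "198.51.100.200"),      # another install, same /24 as id-A
]

if __name__ == "__main__":
    for install_id, trail in history_by_id(PINGS).items():
        print(install_id, trail)
    print(ids_sharing_network(PINGS, day=1))
    print(candidates(drop_last_octet("2001:db8:1:2::abcd")))
```
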

3 posts were split to a new topic: Tangent from Vivaldi

Privacy is something many organizations promote for themselves to create a good feeling for customers. But the reality is, you can only trust those who always act in the most respectful way. Firefox shipped the Perplexity AI search engine by default; LibreWolf, as a fork, shipped it too. After it got reported on their git issues list, it was removed and merged in less than 24h. This way you see how seriously people take their promises. But the moment a browser calls home without asking for permission in the first place is already a red flag, no matter what.

Of course there is no black and white, and a browser can also be a little bit more privacy respecting than the bad alternatives, and this is already a win compared to no privacy. But it is also already a sign that they don’t mean it seriously and just go as far as they think it provides some benefit to them. And does it benefit them any longer if they get the main market share in future? Probably not, and they become less privacy respecting. So we can only trust those who already do more than they have to, because it shows that their promise actually has a value above the required minimum.

1 Like