Microsoft Edge browser flunks privacy test, Redmond cries foul

What you need to know

  • A new study about browser privacy ranks Microsoft Edge last among several popular browsers.
  • A critical difference between Edge and other browsers is that Edge sends data about people's hardware.
  • Microsoft seems to disagree with the findings, or at least the conclusions people took from them.

Updated March 24, 2020: Added additional comments from a Microsoft spokesperson.

A recent study about browser privacy ranks the new Microsoft Edge last among several popular browsers. The study by Douglas Leith from the School of Computer Science and Statistics at Trinity College, Dublin, states that Microsoft Edge collects data about people's hardware. Over time, this collected data could reveal people's identities. The study ranks Microsoft Edge below Brave, Google Chrome, Mozilla Firefox, and Safari. Microsoft Edge is tied with a browser called Yandex.

The study by Leith breaks popular browsers into three groups, stating, "We find that the browsers split into three distinct groups from this privacy perspective. In the first (most private) group lies Brave, in the second Chrome, Firefox and Safari, and in the third (least private) group lie Edge and Yandex."

The study is lengthy and takes a deep dive into how popular browsers handle data and privacy. One excerpt states:

From a privacy perspective Microsoft Edge and Yandex are much more worrisome than the other browsers studied. Both send identifiers that are linked to the device hardware and so persist across fresh browser installs and can also be used to link different apps running on the same device. Edge sends the hardware UUID of the device to Microsoft, a strong and enduring identifier that cannot be easily changed or deleted.

Chris Matyszczyk took a deep dive into the study for ZDNet and also spoke with Microsoft about the findings. Matyszczyk says that he sensed Microsoft isn't happy with the study. A spokesperson from Microsoft had this to say:

Microsoft Edge sends diagnostic data used for product improvement purposes, which includes a device identifier. On Windows, this identifier enables a single-click ability to delete the related diagnostic data associated with the device ID stored on Microsoft servers at any time (from Windows settings), something which is not offered by all vendors.

The same spokesperson also added:

Microsoft Edge asks for permission to collect diagnostic data for product improvement purposes and provides the capability to turn it off at any later point. This diagnostic data may contain information about websites you visit. However, it is not used to track your browsing history or URLs specifically tied to you.

Microsoft seems to disagree with the conclusions made by Leith. Notably, Microsoft highlighted in its statement to Matyszczyk that people can delete collected diagnostics and turn them off. The study states that the UUID sent by Edge is "a strong and enduring identifier that cannot be easily changed or deleted." Microsoft's statement to ZDNet states that Windows "enables a single-click ability to delete the related diagnostic data associated with the device ID stored on Microsoft servers at any time."

In a statement to Windows Central, a Microsoft spokesperson said the study's suggestion that "browsing data associated with Search Suggestions can't be disabled" is not accurate. Other features designed to protect users, like Microsoft Defender SmartScreen, can be disabled as well, the spokesperson added.

"Additionally, Microsoft Edge includes default tracking prevention to help customers protect their online privacy by blocking third-party tracking across sites in both Windows and macOS," the spokesperson said. "The study did not take measures such as these into account."

Sean Endicott
News Writer and apps editor

Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at sean.endicott@futurenet.com.

18 Comments
  • I understand that Microsoft is not happy about the paper not mentioning that the diagnostic data associated to a hardware UUID can, in fact, be cleared (though then again, who's going to regularly click on that "clear" button?). However, they are (deliberately?) missing part of the paper's point in their response: That this hardware UUID is in fact not only transmitted along with diagnostic data when that option is set accordingly (plus crash and installation data, which I'd say is legit), but also for: Address bar suggestions, SmartScreen and "websites you visit for product and service improvement". They confirm this in their own "Microsoft Edge Privacy Whitepaper" (https://docs.microsoft.com/en-us/microsoft-edge/privacy-whitepaper) but offer no reasoning whatsoever as to why these features require the transmission of a hardware UUID (referred to as "identifier unique to your device" in the whitepaper) in addition to the UID generated by the browser installation (referred to as "resettable identifier unique to your browser" in the whitepaper - notice how this one is explicitly called resettable while the other is not). Which is to say, a number of features *besides diagnostic data*, which is what they refer to in their response, transmit two UIDs and not just one, one of which is completely unclear as to why it is needed for those specific features. I think Microsoft should be more transparent here.
  • I'm always in favor of transparency, especially when it comes to data collection and sharing. I also just want the option to turn things off. I understand that some companies make money off data collection-related stuff, but just give me a master switch that says "I don't want anyone collecting my data."
  • > who's going to regularly click on that "clear" button?
    I have set up my browser to clear everything on exit and for the longest time could not figure out why I get search suggestions in Bing. Adding insult to injury, the new Edge setting to suppress search suggestions has no effect (yes, reported to Microsoft).
  • The setting works for me, although I'm on Edge Beta.
  • I am on Dev... just to make sure that we are on the same page -- when you type into the address bar you get no suggested completions, right? Not even URLs of sites you have recently visited?
  • I do get URLs of sites I have visited. However, the option does say that it still suggests entries from favorites and history. Actually, I think I may have misunderstood you previously. Is your point that despite your history being cleared on exit, you still receive suggestions for pages you visited when you disable address bar suggestions?
  • > despite your history being cleared on exit, you still receive suggestions for pages you visited when you disable address bar suggestions?
    Yes.
  • Okay, I see. Apologies for the misunderstanding then. Does this bug happen on Chrome as well?
  • Who sponsored this study? I want to know the objectivity of the researcher.
  • You are free to reproduce the steps of the study as outlined in the paper for yourself, and come to your own conclusions about your and the paper's observations. It's a short paper, so you may be able to do this in an evening.
  • I suppose it depends what you consider a privacy risk. I think it reflects a significant bias, or at least a non-neutral spin on the results, that the study passed judgement on “hardware associated data” as somehow more of a privacy sin than intended use of the data. I’m not at all concerned with a hardware and software company being able to tie hardware data to the apps downloaded and sites visited, because that’s necessary for them to improve the quality of their products. I understand that it’s theoretically possible for them to abuse that data and use it to learn about individuals, but in the hands of a company where the sale of user data is not a core revenue driver in their business, the business model should factor into any concern over that kind of data. I am much more concerned about Google (and Facebook and others with an advertiser-driven business model), who collect individual data in order to sell and monetize it. It’s their core business model. We users are the product they sell to their customers (advertisers), so they would have an incentive to do what the study concludes MS COULD do. Microsoft collects data primarily to improve their products through aggregate data. The fact that did not factor into the conclusions demonstrates a problem with the analysis.
  • Ha. I'm pleased to see your article on Microsoft's reply. But I have a couple of other gripes with the so-called study. The study writers used a beta version of Edge. I looked up the Edge version number. It's from Dec 21, at the latest! Final Edge didn't come out until January 15. Not possible that they tested anything but a preview / beta. Not cool to not disclose that. And, tell me if I got this right: as I understand it, when I sign up to use a preview or beta software with Microsoft, I'm agreeing to letting them check how it's working, stuff like checking crashes, seeing how it works on my hardware. And telemetry, whatever that is. That's the whole point of it, to participate in testing! If that's true, Microsoft was entirely entitled to ping the users' usage etc. Don't want to be pinged? Don't use a beta. See what I mean? But geez man (the report writers, and the sites that covered the report) disclose that it's beta! It's simply lame otherwise.
  • "in the second Chrome, Firefox", this already here makes the whole test questionable at best and one to throw in the garbage bin. Firefox / Mozilla values privacy way more than Google / Chrome. I think an important factor that this test misses is who the data is sent to.
  • The study has a lot of red flags honestly. It's a big reason I didn't run the story until we got more context and reached out to Microsoft.
  • I am equally in total disagreement with ZDNET's crappy study. How on earth is Google's Chrome browser better in privacy? In what world is that remotely possible?
  • ZDNet didn't do the study. They reported on the study and got statements from Microsoft. ZDNet did a good job adding context and correction in my opinion.
  • The ability to delete data from Microsoft servers is worthless; that's like having someone tell you they'll forget about the good times they had with your wife. But regardless, since it's a well established fact that Windows 10 itself is spyware, it comes as no surprise to learn Edge is just as bad.
  • Sean, thanks for a clear, dispassionate reporting of the facts as we currently know them. I wouldn't exactly call the linked ZDNet article "a deep dive into the study". CM led with drama, reiterated the eyebrow-raising implications of the study, then called Microsoft. As both articles report, the Microsoft spokesperson points out that "Edge asks for permission to collect diagnostic data for product improvement purposes and provides the capability to turn it off at any later point". CM's response to that on ZDNet is: "Surely you're regularly turning your permissions on and off. Or perhaps not." IMO, this kind of innuendo only further muddies the water. As we can see—even in comments here on Windows Central—some now believe they can only clear this diagnostic data after-the-fact (which I agree would be unsatisfying to those seeking more robust privacy). Some are also implying we'd have to repeatedly clear the data over time and as CM insinuates "regularly [turn] permissions on and off" (whatever that means). The truth is, right up front during installation, Edge asks for permission to share browsing history and provides links to learn more about privacy and turning off diagnostic telemetry. I'd like to believe if these privacy lockdown steps are followed during install, things like hardware UUID would never be sent in the first place and no further action would be required in the future. Or is the study correct in claiming that an initial transmission of data including UUID is sent before you even get to these settings and no way can be found to turn this off? "Microsoft cries fowl" is a catchy headline, but we're left with doubts about whether Microsoft or the study is correct. A truly deep dive would run the Edge test again to relieve us of this residual ambiguity and settle the questions once and for all.