Is this spyware?

[nothingismagick]

In #907 I began looking into the EULA required of developers / end consumers, and was particularly bothered by the following:

3.    DATA.
a)   Data Collection. The software may collect information about you and your end users’ 
use of the software, and send that to Microsoft. Microsoft may use this information to 
provide services and improve our products and services

This scares me, but what is worse - I as a developer am now an Agent responsible for enforcement and compliance notification, essentially making me the bad guy. If you read section 9, it just gets more wow:

9.    REQUIRED NOTICES TO END USERS.
a)   Required notice to all end users. Per Section 3 (a) above, you must provide notice 
to all users that your software includes software provided by Microsoft and that it may 
collect information about the end user’s use of the software, and send that information 
to Microsoft to provide services as disclosed in Microsoft’s Privacy Statement 
at https://aka.ms/privacy.

I would VERY MUCH like to see example language that suffices from the perspective of MS Legal such that 9a is complied with.

[liminzhu]

Thanks for the question @nothingismagick . We will work with our license folks and get back to you shortly!

[liminzhu]

Sorry following up with our legal folks, will report back.

[ghost]

@liminzhu, one does not want to end up at the Court just because one would have displayed one's application UI within the webview 2 runtime. Anyway to avoid that ?

[ghost]

@liminzhu, is this the same in Edge browser ?

[liminzhu]

Privacy model for Edge and WebView2 is very similar on Win10. More details in https://github.com/MicrosoftEdge/WebView2Feedback/issues/1059#issuecomment-796348416. We are working with legal folks to provide some example language that developers can include in their EULA to comply with WebView2's license. This might be a bit delayed since we have some personnel change on the legal side.

[ghost]

"Is this spyware? #916"

Yes. On top of all, the installer ignores registry and group policy configuration to block installation. #1223

[nothingismagick]

@liminzhu - we are getting close to 5 months in, and I would appreciate you signalling to the new personnel in your legal dept. that this is still very much a concern.

[liminzhu]

@nothingismagick sorry to reply very late here. We got in touch with our legal folks internally and we were explicitly advised against providing legal counsel and example languages (as in, Microsoft shouldn't be providing legal advices to external entities). It is recommended that the developers have their own legal counsel drafting their license language.

[liminzhu]

That said, and this is not a legal advice nor any sort of example language for other developers' EULA, this is our own end user license (as opposed to developer license). See https://developer.microsoft.com/en-us/microsoft-edge/webview2/consumer/ and hit "Download WebView2".

[ghost]

So, if I understand correctly, it is not possible to use Webview 2 without sending personal information from the end users to Microsoft... And this implicit trade of personal information is made in a totally opaque way for developers and end-users...

Developers are thus instrumentalized by Microsoft so that they are used as a third-party "legal wall" between Microsoft and the end users. Developers serve as a kind of legal protection for Microsoft, because all the risks are then put onto the developers who decide to use Microsoft's "free" products according to Microsoft's terms...

All the responsibility for Microsoft's actions thus incombs to the developers who accept to use Microsoft's products for their end users... It is not acceptable.

In legal terms, it is an abusive dominant position associated with a monopolistic technology, as only Microsoft actually intends to provide a cross-platform webview whose freeness is tightly dependent on the total opacity regarding the personal information extracted from the end user by Microsoft with the unvolontary help of developers used as a legal shield.

Developers should be paid to use Microsoft's free products.

[nothingismagick]

Ok, in order for our legal council to begin drafting such paperwork for the Tauri community, it is essential for me to know what telemetry data MS is harvesting, how EU citizens can file GDPR requests to have insight into the data being collected, and what if any options are actually available to completely disable such telemetry.

[ukandrewc]

it is not possible to use Webview 2 without sending personal information from the end users to Microsoft

Is this serious? MS is using WebView2 to harvest personal details? ????

[nothingismagick]

I mean this in the most professional way possible, but the fallout from products that leverage open source software (chromium, ffmpeg, et al) in order to force harvest telemetry data is likely to be quite high. It is a very slippery slope, especially given the way in which companies can be compelled to hand off data via legally binding law enforcement subpoenas. Also not out of the realm of possibility is the extent that such telemetry could be instrumentalised in the context of US Embargo proceedings (like the way in which residents of embargoed nations are e.g. prevented from owning or using private github repositories.)

https://appleinsider.com/articles/21/07/04/open-source-audacity-deemed-spyware-over-data-collection-changes

[ukandrewc]

@liminzhu Can we please have clarification on exactly what capability MS has, to harvest details from end users of WebView2.

It's extremely suspicious that your legal department's advice is not to comment.

I have always assumed MS was an ethical company, am I wrong in that assumption?

[ghost]

Without access to the telemetry data, developers can not assess if such data can effectively comply with their own privacy policy or with the legal directives and policies that may apply locally, in that regard, whether it is from local governments, organizations or companies.

Any collected data should be traced, logged, auditable and inspectable by developers and end-users, with a warranty of truthiness that is legally bound to MS's contract.

[liminzhu]

This is mostly explained in https://github.com/MicrosoftEdge/WebView2Feedback/issues/1059#issuecomment-796348416, but I wanted to add clarification here as well -

• WebView2 is considered a Windows component, and the data collection consent is governed by Windows Diagnostic setting on Windows 10 as a centralized switch.
• End users are empowered to control the data collection of WebView2 and can do so via toggling the Windows Diagnostic setting on Windows 10. This is also what the Edge browser does. On Windows 7/8.1, because there is no Windows Diagnostic setting, we treat this as no consent for optional data. There is very limited required data that the OS always collects, unless you're on some specific SKUs. Developers are definitely welcomed to convey that to their end users and ask them to use the OS toggle.
• Developer currently has no control over this, similar to the Windows APIs you use.

[ukandrewc]

@liminzhu OK, thanks that sounds a lot better, at least our users will have control.

[ghost]

@liminzhu Thanks for your detailed explanation, but it actually increases our concerns concerning privacy data.

First of all, all over the internet one can find many comments about Windows OS itself being a spyware, particularly Windows 10. Here for example an excerpt from a popular answer on Quora:

"Unlike Windows 8 and all previous Windows before it, Windows 10 is a “Software as a Service” OS. It is not primarily designed to run your computer. It is designed to nickel and dime you by letting Microsoft take control of your life — in similar ways to how Google does it.

But the problem is, Microsoft does it in really terrible ways. Spyware is built into the core of Windows 10. It knows your every move and it reports your every move to Microsoft. Required Updates happen all the time and this is so Microsoft can thwart people who mod their Windows to get around these “problems.”

Such description, which is not the only one and only a little excerpt, does not dispell our worries about privacy data with WebView2 as a Windows component that is directly and tightly linked to the OS.

One also noticed on your resource about "Windows Diagnostic Settings", that the Windows 11 tab does not present any information about it.

How does Windows 11 deal with those issues compared to Windows 10 ? Are the same issues still there in Windows 11 ? One heard that Windows 11 was a total revamp of Windows 10 for the best, so one is in hope that those issues will not be a concern anymore.

Moreover, some sites also depict "Microsoft's software" as "malware"... listing all kinds of mischiefs such as "backdoors", "DRM" and "insecurity". Microsoft's Software is Malware, at GNU.org

Are those issues fixed with Windows 11 as well, so that we can have the warranty that using WebView2 is not a threat for our end users ?

[ghost]

@liminzhu If one may kindly ask about another concern that we have and that we would like to ask to your legal department.

It concerns our users who would use WebView2 from a Linux (#645 ) or a Mac (#1314).

As you stated that WebView2 is a Windows OS Component... Does it mean that WebView2 would act like a Trojan Horse for Windows OS into those foreign OS, with perhaps the objective to replace those OS with Windows ? Is that the intention in making WebView2 cross-platform ?

In that case, our legal department indicates that we should receive a financial compensation for using WebView2 into our application that would run on Linux or Mac, and that this implicit help for spreading the Windows OS to other users having non Windows OS should be contractualized within our license agreement.

[ukandrewc]

There was a huge scandal about Huawei's alleged use of telemetry, and here's MS doing exactly the same. Better all round if MS didn't taint WebView2, and just not have any telemetry at all. @liminzhu Defeature request: Please remove all MS telemetry from WebView2.

[nothingismagick]

I am not generally one to defend any corporate interests, but I don't think your comment makes sense or helps the situation outlined in this issue, @abflow. No one is going to switch to Windows from e.g. macOS just because Microsoft provides WebView2 for other operating systems and your claim to compensation is frivolous at best.

I am trying to get clarity on the scope of the issue here, specifically with regards to my team's (Tauri) obligations, not point fingers or start the blame game.

It could be argued that the issue subject is confrontational, but my intention is honourable and I expect we will all come to a positive conclusion.

[ghost]

@nothingismagick One didn't mean to make the thread more confuse, but our legal department strongly opposes to accept a license agreement that would imply an implicit trade of personal data from our users and which would promote at the same time a third-party product, in that case, the Windows OS or any of MS's commercial partners, or any other third-parties.

What if the computing habits of our users on Linux or Mac, like app activities, etc, are collected and analyzed by MS in order to build user profiles for then targeting them with personal advertising on internet ? Our legal department says it is possible according to the resources provided by MS and that such process should deserve a financial compensation and a clear agreement between MS and us if it actually exists.

The collected data goes very deep:

"Information about your device, its settings and capabilities, including applications and drivers installed on your device"

Moreover no information about the collected data on Windows 11 is delivered. To one, it is a fair question to ask to MS's legal department about why they would make a Windows OS "component" cross-platform and what exactly are the collected data onto the other OS too.

[ghost]

@ukandrewc It is worth noting that MS's infrastructure has been compromised by many breaches (cf SolarWinds), so if our user's personal data is exploited by MS, our users are also exposed to external threats.

[ghost]

@nothingismagick Let's be clear. One does not mean to be confrontational at all, and one does not know about the policy in Tauri organization, but here, on our side, we are taking the security and privacy of our users and end-users very seriously, and we have very high expectations about privacy and security for the open-source projects that we use.

We consider it as a matter of life and death. Imagine that our users end up finding their own personal information on the dark net. The data collected by WebView2 is apparently able to make highly individualized user profiles, down to the level of identifying individual computers on a network, and displaying information able to compromise users, companies and organizations. It may open the door to external attacks on networks, individuals, companies and organizations. It is a very serious concern, and we know that MS's infrastructure is like a strainer with many security holes in it, as they are now regularly discovering new breaches made by hackers into their infrastructure. It is all in the news.

We also know that MS is making business with militaries and governments, so that's why we are confident that MS is also taking security and privacy seriously, otherwise we would not even consider using MS's software. But also, that's why we are here in this thread in order to kindly ask MS to clarify the situation about security and privacy of the data collected by WebView2.

[ukandrewc]

@liminzhu I'm rather disgusted by this concept that MS just thinks it has the right to spy on anyone that uses it's software.

I've spent a lot of time, helping on this forum, finding and reporting bugs, in what I thought was a passive and mutual relationship, which turns out the be an aggressive and abusive one.

DISGUSTING MS, DISGUSTING.

[ghost]

@liminzhu It seems to one that MS's legal department takes the WebView2 project with a bit of nonchalance. It is not helping the open-source community.

[ghost]

@liminzhu Here is what our legal department suggests:

• Collected data in WebView 2 and MSEdge should be inspectable in developer tools
• A "Privacy" tab in developer tools should log and display any collected data sent to the network by the browser itself in a time-stamped manner.
• The data should be persistent on disk for future inspections, unless manually deleted by the user via the Privacy tab with a delete button.
• The ability to turn off telemetry or any collected data by the browser should be available as well into that Privacy tab via a toggle button.

We thank in advance MS's legal department for considering moving together into the right direction for the whole community of developers.

[ukandrewc]

@abflow They shouldn't be collecting anything at all. Having it developer tools is no use to end users of our products.

This needs to be spread wider than this thread, the world needs to know about MS' Big Brother tactics.

[ghost]

@ukandrewc We should acknowledge MS's right to gather some information from their own software, as it may be needed concerning its installation and update, like for example a version number. But apparently, the level of information that is permitted by the current MS's licence goes far beyond such practical information. It covers many information that are not essential for a webview, as the license is in fact the same as an OS license. It also allows the gathering of personal information from the user, such as what softwares, hardwares and what computing activities the user may have. That is not acceptable for a webview.

[ukandrewc]

@abflow Yes, anonymous stats and metrics about THEIR product and crash dumps. Nothing related to users, such as browsing habits. In the UK we have a General Data Protection law that basically means users have to EXPLICITLY OPT IN to any data gathering. What MS is doing is illegal in the UK and EU, unless the user has given express permission.

[nothingismagick]

Excerpt from: https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319#ID0EBD=Windows_10

What data is collected and why

Microsoft uses diagnostic data to keep Windows secure and up to date, troubleshoot problems, and make product improvements as described in more detail below. Regardless of whether you choose to send Optional diagnostic data, your device will be just as secure and will operate normally. This data is transmitted to Microsoft and stored with one or more unique identifiers that can help us recognize an individual user on an individual device and understand the device's service issues and use patterns.

Required diagnostic data is information about your device, its settings and capabilities, and whether it is performing properly. This is the minimum level of diagnostic data needed to help keep your device reliable, secure, and operating normally.

[ukandrewc]

@nothingismagick Yes, VERY VERY BAD "... can help us recognize an individual user on an individual device..."

[ghost]

@nothingismagick Let's not be mesmerized by the words.

The license covers a potential monumental amount of information, not only about the Operating System but also about the device itself. We have to understand that potentially, all the environment variables (including custom secret keys), the location of softwares on disk, the list of softwares, their version, the name and location of hard drives, the information about local networks and devices, the WIFI, bluetooth and VPN network information, the history and habits of computing, the MS's accounts identifiers, phone hardware information (if appaired with the OS), the personal habits of computing (time of uses, etc) and many other things that one may not even think about may potentially be harvested by MS in the name of gathering the OS settings and "use patterns".

Why would anyone give to MS legal access (even if they may not use it at the time) to any OS-wide and personal information when displaying HTML markup into a webview ?

Such licensing terms for WebView2 have a very bad legal design, more similar to something like ChromiumOS than to webview, but in much much worse:

"It is designed to nickel and dime you by letting Microsoft take control of your life — in similar ways to how Google does it."

Is it done intentionally, by mere idnavertance or by lack of interest for Webview2 from MS's legal department ? One does not know and we are not here to judge anyone or MS as a company. What we can say only is that what MS's legal department presently suggests for WebView2 is inappropriate and even insulting for developers who care about the privacy and security of their users.

Only unethical developers who badly need a webview would consciously give their consent to such abusive license in terms of privacy & security. As a matter of fact, with such licensing, MS actually contributes to the rise of privacy & security unwareness within the developer community. It is something that clearly we have to change, collectively, in the field of browser and web technologies. That is something we really care about.

[ukandrewc]

@abflow Absolutely!!

[ghost]

@ukandrewc

One checked onto one's windows 10 machine and you were right. The optional data includes all the browsing habits and history of users. So the required data seems to be basically everything excepted the browsing history.

Plus when they say:

"This data is transmitted to Microsoft and stored with one or more unique identifiers that can help us recognize an individual user on an individual device and understand the device's service issues and use patterns."

Actually, there is the explicit mention in the settings of an "advertising identifier" in order to make targeted advertising according to the individualized data.

[ukandrewc]

Personally I think this is extremely unethical on MS' part. @liminzhu Can you pass this up, I'd like a response from Satya Nadella on this please.

[ghost]

The license covers a potential monumental amount of information

For who thinks it is a joke, in the windows setting Start > Settings > Privacy > Diagnostics & feedback, it is clearly stated that the data on disk for diagnostic is about 1GB when running the Diagnostic Data Viewer.

@liminzhu , please tell us why one should accept the possibility to send 1GB of personal data from our users to the network when using WebView2. What is the need to have a license that would allow that when using WebView2 and on any OS ?

[ghost]

Personally I think this is extremely unethical on MS' part. @liminzhu Can you pass this up, I'd like a response from Satya Nadella on this please.

You can email him yourself at satyan@***.com

[ghost]

"You can email him yourself at satyan@***.com"

Why would one discuss of such things privately by email and not openly ?

[ghost]

"You can email him yourself at satyan@***.com"

Why would one discuss of such things privately by email and not openly ?

Not "discuss privately", but have a bunch of folks "email to ceo to raise awareness".

[ghost]

Not "discuss privately", but have a bunch of folks "email to ceo to raise awareness".

One is in hope first that MS's legal department would become aware of the situation and revise its copy, thanks to @liminzhu 's clear undertanding of what developers are asking in order to be able to work normally, with the warranty that their users' privacy and security are not compromised. Our users do not want to send any personal data to MS without their informed consent. And developers do not want to send any of their users' data to MS without compensation.

[nothingismagick]

And developers do not want to send any of their users' data to MS without compensation.

C'mon. This is not about "it somehow magically being ok for developers to get paid for prostituting their users".

[ghost]

C'mon. This is not about "it somehow magically being ok for developers to get paid for prostituting their users".

Of course not... it is not and has never been the intention. User's informed consent should be key before sending any data to MS. And if consent there is, then developers should received compensation from MS.

[ghost]

And developers do not want to send any of their users' data to MS without compensation.

C'mon. This is not about "it somehow magically being ok for developers to get paid for prostituting their users".

6 months since this issue was created.

If I were to guess, I'd say nothing's changing unless the higher ups have awareness of the problem.

[ukandrewc]

This a world scale privacy issue, it needs to be removed. Anyone else want to email CEO, please do, this ball needs to get bigger very quickly.

There are already hundreds of developers using WebView2 and I suspect without a clue what they are party to.

[ghost]

@ukandrewc

The thing is that it makes actually no sense for WebView2 to be considered as an OS component with the same licensing than Window OS regarding to data privacy.

It makes even less sense when it comes to Webview 2 on Mac and on Linux. The licensing needs to be changed and to be the same for all OS.

As for the data that is actually potentially collected by WebView2, developers and users should be transparently informed about it and be able to give or not their consent to such trade of information if it goes beyond the normal data needed for running the webview itself. A webview does not need 1GB of diagnostic data from the OS to be maintained.

It is very problematic that MS reserves itself the legal ability to scavenge "personal information" from the user in the webview without the actual informed consent of developers and users about it and about what it is exactly.

[ghost]

Anyway, it is not acceptable, and on our side , we will not use WebView2 unless there is a significant change in the licensing and a transparency regarding the data collection, which is very very opaque and worrying as for now.

Current MS's explanations and licensing scheme do not comply with our security and privacy policy needed for the safety of our users.

[nothingismagick]

Look everybody, I understand that you are all quite worried about MS suddenly out of left-field becoming some soul-crushing behemoth and thinking that writing the CEO or flaming this issue in this thread (or heaven forbid on Twitter) has a chance of solving anything, but this issue is starting to read like some paranoid theory that the COVID vaccine include chips in the bloodstream to track us all. Please, let's come back to the issue at hand and leave fantasy-land behind, because its really getting to the point where I am ashamed to point people here to elicit their feedback.

WebView2 isn't licensed as open source (even though it uses billions of dollars of value invested in open source innovation). Please correct if I am wrong and show me where I can find the Apache-2 or MIT or GPL-3 declaration of WebView2. I didn't find it. This means we are discussing proprietary software (and if this wasn't clear to you sooner, then the clause about non-use should have made that abundantly clear). Technically, this status of "its proprietary, duh" ends the entire discussion. You can take it, or leave it. Use it, or use something else. If you use it, then worry about the licensing. Everything else is politics and inappropriate for a civil discussion, because really nobody cares about our feelings of misappropriation, disregard, or whatever. Seriously. Nobody cares except the world's smallest violin playing the world's saddest song.

If you are really, truly, honourably concerned about privacy and security, then you wouldn't be shipping to the MS platform, or macOS, or Ubuntu. You would use and promote a truly respectable, privacy-respecting system like Tails, ParrotOS, or PureOS. Everything else is capitalism. (Don't get me wrong here, everybody has to eat, and I fully respect the people who work at MS and use the MS ecosystem.)

Anyway, we all know that Chrome / Chromium slurp data wherever possible. We know that the data exchanges enable deep access to our transit. We know that WebView2 startup is faster if you aren't connected to the internet. We know that governments have a vested interest in gaining deeper insight into our behaviour and private communications. We know that corporations avoid taxes but can't ignore FISA. We know that operating systems (and browsers) exist to collect, sell, and disclose user's information as a business model.

What we as Users (and in Tauri's case distributors) needed, was clarity as to what our rights and obligations are. MS Legal clearly said that we are entirely on our own here, that they will collect whatever data they want whenever and however they want. While we at Tauri are less than excited about the prospect of paying legal fees "to ride the pony", we will do it because our consumers and their users are important to us. They will be empowered to know the EXACT extent of the situation, because it is our responsibility to tell them.

At any rate, I am satisfied that my question was answered, which is why I am closing this issue. I am personally no longer interested in the vane "pay me" type of argumentation, or the "dox him and get his attention" sharing of email addresses. Feel free to open your own issue and continue discussion there.

[ghost]

If you are really, truly, honourably concerned about privacy and security, then you wouldn't be shipping to the MS platform, or macOS, or Ubuntu. You would use and promote a truly respectable, privacy-respecting system like Tails, ParrotOS, or PureOS. Everything else is capitalism. (Don't get me wrong here, everybody has to eat, and I fully respect the people who work at MS and use the MS ecosystem.)

We have to do with what is there for our users. But we don't have to agree with opaque data policies just in exchange of being able to use a WebView. It is good to have had this topic in order to clarify that actual MS's approach is not acceptable for us.

[cremor]

WebView2 isn't licensed as open source (even though it uses billions of dollars of value invested in open source innovation). Please correct if I am wrong and show me where I can find the Apache-2 or MIT or GPL-3 declaration of WebView2. I didn't find it.

@nothingismagick The WebView2 NuGet package contains the 3-Clause BSD license: https://www.nuget.org/packages/Microsoft.Web.WebView2/1.0.864.35/License Although I suspect this only applies to the SDK, but not the runtime?