Debunking misinformation about Opera’s browsers

Opera Comments Bot

Opera Comments Bot

At Opera, we take the privacy and security of our users very seriously. Even so, we have recently noticed some articles that spread misinformation about our browser, labeling it as “spyware”. In this post, we aim to debunk these misconceptions and reaffirm our commitment to user privacy and security.

Read full blog post: Debunking misinformation about Opera’s browsers

leocg

leocg Moderator Volunteer

Nice article.

shintoplasm01

shintoplasm01

Well, you have not really addressed some very specific concerns raised elsewhere. A good summary can be found here: https://www.reddit.com/r/browsers/comments/14bisgq/comment/jog0c1x/

shintoplasm01

shintoplasm01 @shintoplasm01

NOTE: I'm pasting the full comment's text for better visibility. I did not write it myself.


"This video doesn't say anything that hasn't been said a million times before. Opera isn't a privacy-focused browser. I figure most people who are using it don't really care that much and enjoy its features.

Not sure why it focuses on the Geolocation stuff, of all things, to point out though. That's kind of whatever. The browser will be pinging Opera's own servers to check for updates periodically anyway, which will give them your IP which can then be narrowed down to a location.

I'd say a more concerning issue with Opera is the fact that everything you type in the address bar, and every site you visit, is sent to their servers. Sometimes in multiple ways. Every time you enter a keystroke into the address bar, it will attempt to send it to two places:

1. To your default search engine to provide search suggestions based on what you just typed (which can be disabled through settings by disabling "Improve search suggestions.") This is kinda whatever since you're probably going to send them the full query anyway and are already trusting them with your searches.

2. To weather.opera-api2.com/autocomplete to attempt to look for a corresponding location to display the weather for places in the suggestions area. This can only be disabled via opera://flags by setting the #address-bar-dropdown-cities option to Disabled. Having everything typed get sent to their servers essentially gives them the ability to profile your search queries. Are they using this data to profile you? Obviously we don't know for sure, but a small tooltip showing you the weather in the search suggestions of a potential location that you're typing certainly isn't worth every keystroke being sent to, and potentially stored on, their servers and tied to you.

Additionally every time you visit a website, when it is finished loading, Opera will make a call to its own servers to an API containing the domain name. Let's say I visit privacyguides.org in Opera, when it is finished loading Opera will make a call to: speeddials.opera.com/api/v1/thumbnails/www.privacyguides.org. This allows for a complete profiling by Opera of every site you visit with their browser. There is no way to disable this, even through flags. The only way around this is by nullrouting speeddials.opera.com, which will also break the news feed on the new tab page if you have it enabled. This service seemingly innocuously fetches thumbnail images for sites for the speeddial squares, but again the privacy cost here is very high for something so trivial that could be accomplished through other means like caching a site's favicon without phoning home, for example. And why does the browser need to acquire these images for every single site that you visit? Why not just a single time when you add a site intentionally to the speed dial section? It makes no sense. Again, we don't know for sure if they're using this data to profile you and store the sites you visit but it would be very trivial for them to do so.

Furthermore to that, when you visit a site in Opera the domain name will be sent to another location. Assuming we're visiting example.com, before loading the page Opera will make a POST request to sitecheck.opera.com/api/v2/check with a payload containing the example.com domain. This, again, allows for an entire collection of your browsing history on their servers. This can be disabled by turning off the "Protect me from malicious sites" option under "Privacy and Security". There are much better ways from a privacy perspective of performing a malicious site look-up, such as periodically downloading a complete list of problematic domains and performing a comparison entirely locally which is what Firefox does. The way this is implemented in Opera is sloppy, at best, and intentionally poor if you're being cynical since it allows for trivial collection of your entire browsing history.

These are the real big deal issues with Opera. Everyone using it with anything resembling default settings is essentially sending their entire browsing and search history to the Opera servers, which can be tied to you. And unless you've carefully disabled all the required options AND nullrouted speeddials.opera.com this basically applies to everyone using the browser.

There aren't many browsers brazen enough to outright collect data directly on every single domain you visit and every keystroke you enter into its address bar. Opera is one of the ones that does. These are the real, tangible issues with this software. People talk a lot about their connections to China, point out their shady dealings in other areas etc. but most people will just brush those off. People need to know, in no uncertain terms, that this browser is sending your entire browsing history to their servers. I'd like to say these issues are just bad design under the hood and not intentionally malicious, but that would be giving them the benefit of the doubt which they've really not earned as a company. Through cynical eyes, it seems they've tried to implement hardcore tracking of what their users type and visit and attempted to hide it behind "innocent" services that they can potentially excuse away as trivial functions if it were brought up.

If Opera were interested in privacy, they would remove these invasive functions and re-implement them in a more privacy-respecting way, which wouldn't be particularly difficult to do. The fact it would be relatively easy to avoid doing these things and the fact they've kept them how they are for many versions now brings out the cynic in me and tells me they probably want them just the way they are."

burnout426

burnout426 Volunteer

That’s why we only offer opt-in choices for targeted advertising.

Actually, "Personalized content", "Ads personalized based on your interests", "General location", "General interests based on web sites you may visit or search" are enabled by default. You have to opt out of them in the installer or at opera://settings/privacy/consentFlow if you don't opt out via the installer.

Same thing with "Help improve Opera by sending feature usage information". You have to opt out.

(Opting out is fine for me personally.)

burnout426

burnout426 Volunteer @shintoplasm01

@shintoplasm01 said in Debunking misinformation about Opera’s browsers:

Additionally every time you visit a website, when it is finished loading, Opera will make a call to its own servers to an API containing the domain name. Let's say I visit privacyguides.org in Opera, when it is finished loading Opera will make a call to: speeddials.opera.com/api/v1/thumbnails/www.privacyguides.org. This allows for a complete profiling by Opera of every site you visit with their browser. There is no way to disable this, even through flags. The only way around this is by nullrouting speeddials.opera.com, which will also break the news feed on the new tab page if you have it enabled. This service seemingly innocuously fetches thumbnail images for sites for the speeddial squares, but again the privacy cost here is very high for something so trivial that could be accomplished through other means like caching a site's favicon without phoning home, for example. And why does the browser need to acquire these images for every single site that you visit? Why not just a single time when you add a site intentionally to the speed dial section? It makes no sense. Again, we don't know for sure if they're using this data to profile you and store the sites you visit but it would be very trivial for them to do so.

I didn't check myself if this is true, but if it is true, as a resource management concern, I can see wanting to avoid those connections until they're actually needed. Might make those thumbnail previews in the heart icon dialog take longer to show up though in that case. I don't personally see this as a privacy concern, but I can understand why some might.

burnout426

burnout426 Volunteer

The main issue that comes up in r/browsers is that Opera is mostly owned by a Chinese company and therefore the Chinese government can (and is likely to) force the company to force Opera to spy on its users (via the browser itself or MITM methods with Opera's VPN/proxy service) regardless of Opera's headquarter locations, Opera following EU laws and Opera's privacy policy etc. I don't think Opera can do anything to put those concerned people at ease though.

shintoplasm01

shintoplasm01 @burnout426

@burnout426 Thanks for your responses!
Didn't Opera recently buy back some/all of their shares from that Chinese consortium? Or am I getting this wrong?

Locutus

Locutus

Articles about Opera being spyware have been around since Opera was purchased by a company in China. They're no going away any time soon. Brave is the one that peeps should be concerned about. They claim to be privacy centric while having a ads rewards program.

shintoplasm01

shintoplasm01 @Locutus

@locutus Not really relevant. Firstly, this thread is about Opera specifically - and the specific concerns raised in that post I linked to.

Secondly, while I agree that Brave has its own share of (rather small IMHO) controversies, but AFAIK no-one's identified any suspicious connections being made to Brave's servers.

burnout426

burnout426 Volunteer @shintoplasm01

@shintoplasm01 From one of the companies, yes.

Locutus

Locutus @shintoplasm01

@shintoplasm01 said in Debunking misinformation about Opera’s browsers:

@locutus Not really relevant. Firstly, this thread is about Opera specifically - and the specific concerns raised in that post I linked to.

Secondly, while I agree that Brave has its own share of (rather small IMHO) controversies, but AFAIK no-one's identified any suspicious connections being made to Brave's servers.

Lets try that again with the truth this time. As I clearly stated the articles about Opera being spyware do do back a lot loner than you imply. Second Brave has more than their share of controversies.

canadagoose4everreturns

canadagoose4everreturns @Locutus

@locutus What does Brave have to do with accusations made against Opera?

Locutus

Locutus @canadagoose4everreturns This post is deleted!

canadagoose4everreturns

canadagoose4everreturns @Locutus This post is deleted!

Locutus

Locutus @canadagoose4everreturns This post is deleted!

A Former User

Thank you for publishing this original Tweet as a blog post.
After using Opera for almost one and a half year I still see myself being confronted with those „information“ about Opera. Still I‘m trusting you with my browsing and I hope, that I won‘t be disappointed by you. And that your own information like this one is for real.

A Former User

Adding another thank you for this intriguing post. It's very helpful that Opera handles privacy and security concerns very transparently.

edu2703

edu2703

The 'Opera sends its data to the CCP' myth is something that unfortunately is being widespread on Reddit.

There's a guy there that I don't know whether he's a bot or a normal person, who in any post or comment on Reddit where Opera is mentioned positively, he spreads his nonsense like 'Opera is owned by a Chinese company', 'Chinese companies are obliged by law to send their data to the CCP, so your Opera data is sent there.

I think this is subject to a lawsuit, as he's managing to damage Opera's image on Reddit and many users are parroting his nonsense. If I speak well of Opera in some subs, they call me 'CCP shill'.

A Former User @edu2703

@edu2703 I don‘t know, why browsers and especially Opera in my view, evoke such heated responses. As I see it, it‘s mostly from users of other non mainstream browsers that have a strong following like Brave, Vivaldi and in the meantime even Firefox.
Brave‘s main selling point is its strong focus on user privacy, so they especially have their users attack competing offerings as not being private. It‘s part of their self consciousness, so to say.
But that doesn’t mean, that they aren‘t attacked by other tribes as well.
Of course, it‘s true that Opera Software‘s greatest stakeholder is Kunlun Tech from China. But that doesn’t mean, they‘re selling or transferring data to China mainland.
I‘m using Opera right now for it fits my needs and is platform independent and not bound to one of the big three directly.