GUYS I WAS WRONG. I WAS NOT AN INVESTOR IN GOOGLE. I sold my positions long ago and forgot. Don’t worry, just bought some now :)

It's not scary because it spies on you. It's scary because it breaks the social contract of the open web.

It's very simple. If they want these features in Google Meet, then they must request we install the extension like every other website has to. Baking it into the browser is unfair and untrustworthy

No, it's still very bad, because it breaks the fundamental trust that all websites, including google's, play under the same rules, same API, same everything. Today they just watch some CPU usage so they can deliver a better service(than others), tomorrow they could decide to compete with MS' Replay and track user's desktop screen, or whatever. Who knows? The situation would be a little different, if the damned extension was at least visible in the extensions menu, even if it comes preinstalled, then people who don't use Hangouts/Meet/Google Whatever could at least find it there and disable it. But they hid it. This is very very clear abuse of their market position, and should be heavily punished, despite their "best intentions". Also, the sheer audacity to keep the extension in other chromium forks...

The problem here is that the extension is baked in and unlisted in chrome extensions. Yes, you can create your own extension to get enough CPU info for your website, but: 1. It won't be baked in, user must install it. 2. You don't have access to regular extension controls to disable it (this won't prevent meet to work, but it will prevent optimal CPU utilization). Even if the extension exists and enabled by default, it should still be visible on chrome extension page.

On the topic of Firefox not handling packets that are not perfectly sequential - is that the right way to do it? I've seen someone (I think from Firefox) comment that the way Google is doing it is wrong and goes against the standard. Even though I don't use Firefox I'm way more inclined to believe them, the "global nonprofit dedicated to keeping the Internet a public resource that is open and accessible to all", that they are implementing the standards correctly, rather than Google who's been known for shitty behavior all throughout the years.

With all that unique ID data it's a good job Google aren't an ad network or anything.

TLDR: Theo praises google for anticompetitive practices and also claims that updating a list of five domains every decade is too difficult for an indie company like Google

Its wild to me how Theo just casually uses his personal anecdotes to entirely discard serious discussions like Google throttling their services on other browsers. "I had a bad developer experience with Firefox, hence Google slowing down their services on other browsers must be bullsh*t" How does that even matter or make any sense. like do you even think before you speak or listen to yourself? Same goes for the whole video, the point is not about what that code can do, but more so about why does company specific code exist in an OS project.

Wish google shipped this a an extension in the web store and not installed it by default. Then they could tell users to install it when they visited Meet.

The use case is probably not as bad as it first appeared, but having it be installed and unlisted by default is gross. If it just was an extension that meet prompted you to install to use the service I'd have no issues with it.

Yes, that's how security works. I can rest assured this is not a problem because you couldn't exploit it yourself in a stream (granted, with help). Come on man, you know this is fucked up.

A comment about the DMA: There are already multiple cases open against Apple, Google or Meta because the European Commission is not satisfied with the way these companies “comply” with the law, because they do not do it. And from what the commission has said, the regulations will continue to evolve and they will not stop sanctioning companies until they comply with the law. But it's only been a few months since the DMA came into force and these things take time...

There's a bit too much copium here.. okay it's only scoped for meets. But that misses the problem that Google has preloaded it's own special extension, which by the way is completely exploitable. There's no reason this shouldn't be opt in only. The fact brave is even exposed says it all. And being open source doesn't mean anything. Because we can see their dark pattern doesn't make it less of an issue.

even if you put aside the severity of the access google has, the key issue you did not address is the competitive advantage. You can't hand-wave it away by saying that the devs had a good intention at heart. How about all other devs that try to compete? do they have the same freedom to have already installed backdoor unlisted unapproved extensions?

Google is investing so much in Chrome so that it can move the development of Chrome as fast as possible, which means, all the other browsers (non-chromium ofc) will be left behind. This is forcing everyone to switch to Chromium-based browsers, which is incentifying developers to optimise their websites for chromium as much as possible. Which means, stability for other browsers is highly impacted. Its unfortunate that so many websites don't even work on Firefox, and as soon as you switch the user-agent to chrome, they start working in Firefox. Its just nuts. With Manifest V3, and such backdoors, even if 100 Theos come out to defend Chrome, I don't think anyone should hear this guy. The point is, Firefox doesn't have to be completely similar to Chrome. They are different browsers, and they have different ways of interpreting the browser standards. Its weird that developers have gotten so used to Chromium's interpretations that they feel like if the same thing doesn't work in Firefox, its a bug in Firefox.

was there not a line in a youtube script that slept for 5 seconds if you were on firefox?

I have invested in Google. Google has a unfair competitive advantage over my product but I'm not too annoyed. Am I the only one who reads this as a conflict of interests ?

I don't entirely trust you

I am going to be honest im tired of the thumbnails, you make REALLY good content but PLEASE be normal,this is one of the better ones so it doesn't make that much sense to complain,but can you like not do that?

They should make it a pop up, like camera and microphone acces, so that all websites can use this feature

The Ladybird team is probably popping champaign this week. They should be launching a membership/pledge drive drive TODAY.

Reads tweet. Sees the word DMA. Immediately dismisses that sentence, 'DMA sucks, ignored'. Looks at source code. Wow it is so hard to make a video chat app, meanwhile Google hacks their own browser and cheats. This code looks okay though. Absolutely clueless on what the initial claim was.

even ignoring the possible security issues thats scary

It is THAT big of a deal, can't believe you came out with this opinion.

23:27 - I assume it's json5, which does allow comments. It was adopted by Chromium so it's a pretty reasonable assumption.

"If the packets aren't perfectly sequential" TCP?

Doesn't seem unreasonable. But let's see how Google does in European courts with this. It might take years, but if found illegal here, the monetary damages may be non-trivial.

I assumed this was the case the entire time. Everyone has been talking about 1st-party data advantage forever. Same goes for Apple blocking tracking for everyone except themselves (and then selling their own ads). It's the same reason Zuck wants his own platform---access & control. This is not new. (but that doesn't make it more okay). I just don't understand the shock all of the sudden.

I see what you did there with the thumbnail, I almost thought it was a LLL video. Great video Theo

2:47 maybe they have to push you to install native stuff because they can't control the browser, which leads to security vulnerabilities, which leads to you preferring google meet

Thumbnail made me think this was Low Level Learning lol

Holy crap am I glad that I stuck around and watched your entire tear down of the topic. You have started to grow on me and now I kind of understand the level on which you deep dive into things. However, I'd recommend you to read what other devs are saying here. I think I agree with them too, with Google preloading the extension being a bad thing. If it needs it to work Google meet, then it should've been OPTIONAL. Also, that particular piece of code that you showed can be exploited in no time. Just a hunch but idk the inner details of it. 😅 Previously I used to feel overwhelmed with your videos, with me not being able to match your level of depths. Phenomenal evaluation and great video as always!

lol, google does not protect user, they protect their bottom line (because with cache anyone can track)

I have an idea where this is used: Google Meet has a Troubleshooting & help section while in a call that gives you a graph over time of your Network and CPU usage. The CPU graph is available only on Chrome. It shows a "Try Google Chrome to see your CPU usage" if you're using Meet on Firefox. From what I can tell, the network bits is what's used for their "you're on a slow connection" warning. And maybe they're doing that too if your CPU usage is consistently high.

Is it illegal to create an unfair advantage for competitors by forcing your products to offer better performance for yourself but not others?

A corp can do no wrong or is always having a redemption arc when there's money invested.

I feel a lot better about telemetry if I get asked first, I understand the value of it but if it's collected without my consent that's a problem.

And you still don't understand why we need independent free browsers?

Loved hearing your deep knowledge in this space. Great video

Please let this convince more people to leave Chrome

All this time I was thinking Theo was in a completely dark room... I feel betrayed

At around the 6:50 mark, when discussing intent, that's fine; that is no excuse! Think about it. Just imagine how much better your own company's services would be if you had access to ALL my computer info so you could make the product absolutely perfect. Your intent is great; who doesn't want a PERFECT experience? Does not mean I want to GIVE you that info though! Additionally, as we are constantly seeing by these big companies, intent doesn't matter. "Oh, we don't intend to use your data for our AI." Sure, but your TOS are sure written wide enough to allow that so legally, I'm not trusting your statements! Same thing here.

Thumbnail looks like a low level learning video

This may not be as "big of a deal as it seems" - For now. But it certainly does set preciseness for Google to continue breaking standards, taking unfair advantage and slowly become what IE used to be (Except even worse)

At 21:13 Theo lost me on whatever he was saying. Perhaps make another video and with some evidence? I'm confused about that part.

It's not just chrome, it's all chromium browsers

On further consideration, these may be better as a browser API, that the user can be prompted to enable as needed.

This seems like a devastating security vulnerability. If someone sneaks a backdoor into a browser plugin or package or site hosted via a Google subdomain or GCP service, could that enable remote code execution via the browser? Help me understand. Say it ain't so.

If they wanted to be fair about it, they would have released it as a Chrome extensions of the WebRTC spec with a dedicated permission for sites to request it… or at least, you know, not hide the builtin addon, Chrome also comes with a builtin addon for Docs and its not hidden

Mostly seems like a damage control stream. Starts by saying i invested in google but always call them out and then slowly turns the holy shit situation into meh, it might not be that bad.

Does the slow-down stop when I change the User-Agent to Chrome?

regarding comments in plugin manifest json - are you sure it's not just JSON5? I'm not positive, a quick google search doesn't say it is, but why would they use their own format over something well defined? That's what makes me think it probably is.

I love your videos, but it’s not “nice” if other sites have access. The fact that it’s not the case is unethical, monopolistic, and outright illegal in certain parts of the world😅.

If you ever wondered why the Chrome monopoly is, in fact, a problem: This is why.

Unfair practices by Google? Expected. But I'm surprised how no-one seems to be concerned how this can be part of an attack vector by a hacker.

they could have at least made the extension/API available to all websites (behind a user permission same as camera/microphone if this is bad for something like user fingerprinting). that would still give them an unfair advantage as they can work on the API features that they need first, and be the first to adopt them, but it wouldn't be as bad as only giving their own sites increased functionality that their competitors don't get

comment on the firefox-youtube situation; it was brave aswell which is chromium based and was reportedly confirmed by youtube that they added a 5 second delay just to deter the usgae

Jonathan Blow rant video incoming

Remember when and why Google dropped the "Don't be evil" motto?

There is a new API (Compute Pressure) that tells if CPU is under too much load.

3:33 Brave could send a Firefox user agent to Google Meet.

twitch coughing in the back

and yet slack still has much better video quality

Including Google Sites that anyone can use?

Can't use JS benchmark?

Wait - that wildcard is overly permissive, isn't it? Wouldn't a totally different domain with just the google part in the path also match? 🤔🤔 EDIT: Ah - the docs for the extension match patterns specify that it is only for subdomains and not like a general regex (also confirmed by trying it out) 😅

Firefox might not be perfect, but Chrome and all Chromium based browsers can go suck it. If you complain about firefox that it has some flaws, maybe support it a bit more, maybe take a look at the HLS implementation and fix it yourself. You are a programmer after all aren't you?

don't worry guys, we installed tracker in your a**us to make our app 0 5% percent better its fine

Intent doesn't matter. Google is giving themselves an advantage for streaming video platforms in yheir browser.

Even the Chrome team is tired of Google constantly changing their messaging service 😆

FYI switch preforms slower than if in a number of JS runtimes.

Ahh yes HLS, the 30,000 line library you need to import. Never had any issue with HLS on Firefox?

Now I hope you understand the value of ladybird browser

I've never had issues using Firefox lol

This is one of the reasons Microsoft lost their anti-trust suit. Having APIs in windows that only their browser could use.

What about KZbin?

finally people are talking about webext and how insane chrome is

You are too much concerned by what page is able to read what data from your computer. But please don't forget that you are running the pages inside a browser, a binary program written in C you don't have source code for. Chrome is not the same as Chromium. This program has access to all everything, exactly the same as any other program running on your computer (under the same OS user).

Honestly sounds a bit anti-competitive.

Android > ios any day of the week.... butttt ios > android when it comes to stock operating system.

Firefox is still the best browser there is. All other browsers are privacy nightmares.

Is Ladybird done yet?

If cpu load is such a big issue for audio and video, making this information accessible to services should be a goal for browser APIs, right? Or is the tracking possibility to "scary" for that, even when the user would be queried like with other device properties like webcam access? I think the current state with only Google Meet having the information, and not in a transparent way for the user, is not desirable and that this code should get removed from chromium. But it feels like an opportunity to expose this information in a clean way and for other av services to use

I wonder if Google will comply with their own manifest v3 changes on this special extension of theirs 😂😂😂

I found you on the 11th page on google

edge has PressureObserver damn, and still sucks ass. also this was available publicly right? so why now is this called out?

Just a comment on the DMA comment: true for now, but the EU hasn’t stopped. They have 12 months to reach a non-compliance verdict so it’s still the early days for now. In the meantime Apple has the time to fix the stuff it needs to fix. If they’re found non compliant they will be given big fines

Have you actually used Android in the last 3 years, or just yap?

This is abuse of market position and im very sure the EU is not fine with google gettings this data without users consent.

That's an expensive debugging feature, 20% of turnover to be exact.

This could have all been avoided by just having a popup to ask if the site could get the cpu/gpu stats, and making it accesable to every site. I don't think this is malicious just careless spaghetti

Why do you use the word scary in such a contrived manner?

When is the ping chrome extension coming out?

So the company that syncs my browsing history and bookmarks to all my google and pc devices, and also can display the modelname of these devices are spying on me thru a old api in Chrome? that sounds not the best way.

EU commission will love to hear about this change. They need more money to send to Ukraine. Fines incoming.

So to me, this is not a privacy issue, but an anti-competition issue. If no other sites are able to access cpu info, google meets shouldn't.

DMA: What do you want to talk about. They are vendor and you are product. Only reason why you do not still work just to be given some food is that some rascal took power and created human rights through constitution. Keep calm, we are getting back, do not worry about korporate monarchy (?sarcasm)

I thought you were a capitalist. Don't you want a fair competition between companies so that the best ideas win? This is NOT fair competition.

Bullshit takes, as always, with a little bit of conflict of interests.