Microsoft’s new Chromium-powered Edge browser, currently in canary, dev and beta Insider testing, makes over 130 network requests upon first launch. In comparison, Google Chrome makes only 32 requests, according to analysis conducted by Jonathan Sampson and shared on Twitter this week.
Out of all the browsers tested, including Chrome, Firefox, Opera, Vivaldi and Brave, Edge Chromium makes the most first-run network requests. Over 50 individual endpoints are visited.
Most of the domains are Microsoft properties but many others are owned by third parties. Some of the requests are used to collect data to configure the browser, while others deliver content for Edge’s new tab page. A minority of requests contain a unique user ID or set identifiable cookies.
What happens when you install the Edge (Chromium) Beta build and run it for the first time? I was curious.
On first-run, Edge fired off 130+ requests to nearly 50 endpoints. Here they are, sorted by total calls.
Time to take a closer look. pic.twitter.com/kIVaKIUNbJ
— Sampson (@jonathansampson) August 27, 2019
Third-party services contacted by the browser include Reddit, Facebook, Twitter Ads and Google Ad Services. Even before you’ve visited a webpage, Edge has already acquired data from some of the most pervasive online platforms. The list is supplemented by a bevy of Microsoft domains, including Bing and LinkedIn.
The volume of requests made is particularly egregious when compared to Google Chrome. After first launch, Chrome downloaded 7.26MB of data across 32 requests. The calls apply dynamic configuration settings and install a default suite of extensions.
Edge contacts many more services and for a wider array of reasons. Requests are made to configure speech-to-text functionality, get content for the MSN-powered New Tab page, review domain security using the online Microsoft SmartScreen service and establish connectivity with the Windows Activity History API. This latter API can track your use of apps and websites to power the Timeline interface in Windows 10.
In his analysis of the requests, Sampson noted that “right from the start, Edge knows more about me than any other browser can during the first-run experience,” owing to the browser’s deep integration into Windows. It supplements this with dozens of requests to first and third-party services, which users will be unaware of. Some of the requests include your email address; others are made over unsecured HTTP.
All of this adds fuel to criticism of Microsoft’s privacy approaches. The revelations are particularly significant given that many users are keen to use the Chromium-powered Edge as a way to escape Google’s internet monopoly. Next to Edge, Chrome’s first-run requests look relatively innocuous though – they’re confined to first-party domains and concentrate on configuring the browser.
Edge is far from the only browser with dubious first-run behaviour. Opera reaches out to a number of first and third-party platforms, including Facebook, Amazon, eBay, Walmart and AliExpress. It also sends unique user and device IDs to Google servers.
Firefox, billed as a privacy-minded browser, made “dozens” of requests totalling over 16MB. They included calls to Google Analytics and Google Tag Manager, present on an automatically-opened webpage titled “At Mozilla, we believe that privacy is fundamental to a healthy internet.”
Only Brave and Vivaldi were given a clean bill of health, with each constrained to first-party endpoints or known safe domains. Vivaldi still contacts Google servers but only to obtain the Google Cast extension, which is required for compatibility with Chromium casting features.
Sampson only assessed the first-run experience, so the findings cannot be considered representative of each browser’s overall security posture. In particular, it must be remembered that Edge is still in beta Insider testing. Many of the requests originated from the “Edge Insider” webpage, which is currently opened automatically. This shouldn’t be present in the final version.
Even so, a number of the requests seem likely to persist into the public release, which leaves Edge’s first-run activities looking distinctly suspect. Building Edge with a privacy-first standpoint could be a way for Microsoft to differentiate its browser and gain users from Chrome. Instead, users cannot start Edge without third-party services being contacted in the background.
