Sync privacy incident affecting our Snapshot test users

A privacy incident affected our Snapshot test users in versions 6.4.3160.25 through 6.4.3160.30 for desktop.

Padlock on a green door

Read this article in 日本語.

Vivaldi Sync is a free service from Vivaldi that keeps your bookmarks, passwords, browsing history, notes, and other data in sync between your devices. Your data is kept secure and private using end-to-end-encryption (E2EE); meaning that Vivaldi’s servers cannot see into your history. Only you have the keys to and can access your data.

Unfortunately, we had an incident in October where we did not live up to our privacy promises. The issue affected our Snapshot test users in versions 6.4.3160.25 through 6.4.3160.30 for desktop. (The issue never affected mobile platforms or the main stable release channel.)

Vivaldi’s underlying browser engine, Chromium, introduced support for synchronizing your full browsing history in its version 118. It is a neat feature that we knew our users have been eagerly awaiting for some time. We wanted to deliver this feature as quickly as possible.

That is where things went wrong: By default, the Chromium Sync engine does not use end-to-end-encryption when storing browsing history data. Although the network connection to the server was encrypted, the default configuration meant that we received and stored your browsing history unencrypted on our servers. (No one in a position to hijack your network traffic could see your browsing history.)

We failed to notice this default behavior in this new feature, and did not notice it in our test environment until after our Snapshot users had already begun uploading their unencrypted browsing history. Once we became aware of the situation, we quickly disabled the feature and issued an update. We have since corrected the problem, re-enabled the feature, and issued yet another update.

We have also deleted all accidentally unencrypted browsing history from our servers. Your data is your data. Vivaldi does not want to know what websites you visit!

Test releases sometimes have problems like this one. That is why we have them. Thank you to all our Snapshot testers for helping us deliver the best and most private browser possible.

To err is human, but we always have to try and make things right. Even when we don’t get it right on the first attempt.

Main photo by Kaffeebart.