purebrowser leaks data to third-parties
Open, Normal, Public

Description

Dear friends of freedom and privacy,

I would like to share with you some of my recent findings about popular FOSS browsers which (imo) disrespect user privacy.

I am sharing with you direct links to the reported issues:

Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1424781
Chromium: https://bugs.chromium.org/p/chromium/issues/detail?id=795526
IceCat: I have reported this directly to GNU and FSF, so there is no link, but I will try to attach it here: icecat-privacy.txt

I am using openSUSE Leap 42.3. I still haven't tried PureOS or PureBrowser, but I thought I would share these with you as you might want to check more in-depth the validity of my concern and hopefully prevent code disrespecting privacy from propagating in your systems.

FWIW here is also a discussion I started in the openSUSE forums about all this (others seem to confirm what I notice through testing via wireshark):

https://forums.opensuse.org/showthread.php/528559-Paranoid-browser-test-is-there-privacy-in-FOSS

george created this task. Dec 16 2017, 1:02 PM
jonas.smedegaard lowered the priority of this task from "95" to "Normal". Dec 24 2017, 3:25 PM

Thanks for sharing!

This is - in our use of the term - not a freedom issue but a privacy issue. Or rather, it is multiple privacy issues, some related and some unrelated.

I will separate the distinct actionable issues I can identify from your - similarly convoluted - referenced discussions, and will quite likely close this issue as too convoluted to act on directly.

NB! We value your concerns and your work on identifying/proving the issues involved, but please in the future break down your research and report in issue trackers only distinct actionable items. Broader principal "issues" covering multiple features or (as here) even multiple independent code projects are hard to sensibly track in an issue/bug tracker, and such convoluted bug reports are at high risk of not being taken seriously but closed without action.
Write an essay on the broader principal aspects instead - e.g. in a blog - and link between your essay(s) and the distinct issues you report. Such an essay is then also accessible to others than geeks reading issue trackers, and promotes all the places you dive in technically (which is impressive!).

jonas.smedegaard changed the title from "[FREEDOM ISSUE] purebrowser" to "purebrowser leaks data to third-parties". Dec 24 2017, 3:26 PM
jonas.smedegaard edited projects, added Restricted Project; removed Freedom. Dec 24 2017, 4:56 PM
george added a comment. Edited Jan 3 2018, 3:26 PM

Sorry for the late reply. Happy new year!

I reported this as a freedom issue as I was advised to do so by Mladen (to whom I emailed the info initially). You are right that privacy is more specific as it illustrates the particular aspect of freedom which is broken. In any case I hope the info and the comments in the linked external reports make it clear enough that it is not a case of free software but of software which uses the user for the purposes of an organization without first asking and without even a post-factum option for complete privacy. Obviously that is not a priority (if at all) for either Firefox or Chromium developers, so those browsers are not fully free software, at least to my understanding.

FWIW I also received a direct reply from the developer of IceCat:

I'll be working on a more strict cleanup of those "features" for the next IceCat release cycle.

ETA: The output of tcpdump shows that even with telemetry and data reporting turned off from about:config, and after all privacy tuning of settings there is still background communication going on to various networks of Amazon, Akamai etc. which results in what I call "indirect telemetry" as explained in the bug at Mozilla's tracker. In that sense the output of tcpdump when testing Chromium seems much better as well as the reply received by chromium devs is much more sensical. It seems Chromium is fine as a browser if safe browsing and other Google's tools are not used and all it lacks is a default setting which ensures that privacy level.

jonas.smedegaard removed jonas.smedegaard as the assignee of this task. Aug 20 2018, 7:27 AM
jonas.smedegaard added a subscriber: jonas.smedegaard.
jonas.smedegaard removed a subscriber: jonas.smedegaard.
