1. Download IceCat 2. Unpack it to a directory and run it 3. Set the following preferences: Startup: Show a blank page Search: Engine: DuckDuckGo Provide search suggestions: off All other search engines: disabled Privacy: Set "Use custom settings for history" and uncheck "Accept cookies from sites" (without exceptions) Security: Uncheck "Block dangeroous and deceptive content" (to prevent connections to Google's host where blacklists are hosted) Sync: off Advanced: Uncheck "Query OCSP responder servers" (to prevent automatic connections to those hosts upon start up) Add-ons: Disable SpyBlock - to prevent list updates during the test Purge all browser data (if any) and close the browser. 4. Turn off other system network services (like ntpd) to prevent "parasite" connections during the test 5. Reboot the system 6. Login, open a root console and run tcpdump 7. Start IceCat Expected: No connections whatsoever. With default settings (even without having to fine-tune preferences) nobody should know when the user starts his browser and so on. Actual: At the moment of IceCat starting various connections to different hosts are made (firefox.com, akamai etc) which means the organizations on the other side of the wire are notified about what the user does on his own computer (starts the browser etc). This is a privacy issue, like hidden telemetry. Here is a short excerpt from tcpdump: ... 23:54:16.835220 IP pc.60056 > router.domain: 7355+ A? detectportal.firefox.com. (42) 23:54:16.835238 IP pc.60056 > router.domain: 31623+ AAAA? detectportal.firefox.com. (42) 23:54:16.880274 IP router.domain > pc.60056: 31623 2/0/4 CNAME detectportal.firefox.com.edgesuite.net., CNAME a1089.d.akamai.net. (187) 23:54:16.898359 IP router.domain > pc.60056: 7355 4/0/0 CNAME detectportal.firefox.com.edgesuite.net., CNAME a1089.d.akamai.net., A 88.221.211.17, A 88.221.211.33 (155) 23:54:16.898584 IP pc.42696 > a88-221-211-17.deploy.akamaitechnologies.com.http: Flags [S], seq 4249617264, win 29200, options [mss 1460,sackOK,TS val 4294922998 ecr 0,nop,wscale 7], length 0 23:54:16.929240 IP a88-221-211-17.deploy.akamaitechnologies.com.http > pc.42696: Flags [S.], seq 2707991918, ack 4249617265, win 28960, options [mss 1460,sackOK,TS val 595239407 ecr 4294922998,nop,wscale 5], length 0 23:54:16.929298 IP pc.42696 > a88-221-211-17.deploy.akamaitechnologies.com.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 4294923005 ecr 595239407], length 0 23:54:16.929406 IP pc.42696 > a88-221-211-17.deploy.akamaitechnologies.com.http: Flags [P.], seq 1:294, ack 1, win 229, options [nop,nop,TS val 4294923005 ecr 595239407], length 293: HTTP: GET /success.txt HTTP/1.1 23:54:16.959767 IP a88-221-211-17.deploy.akamaitechnologies.com.http > pc.42696: Flags [.], ack 294, win 939, options [nop,nop,TS val 595239438 ecr 4294923005], length 0 23:54:16.960017 IP a88-221-211-17.deploy.akamaitechnologies.com.http > pc.42696: Flags [P.], seq 1:385, ack 294, win 939, options [nop,nop,TS val 595239438 ecr 4294923005], length 384: HTTP: HTTP/1.1 200 OK 23:54:16.960046 IP pc.42696 > a88-221-211-17.deploy.akamaitechnologies.com.http: Flags [.], ack 385, win 237, options [nop,nop,TS val 4294923013 ecr 595239438], length 0 ...