Hello dev-privacy friends and pre-acquaintances,

The thread below has been playing out over on the libtech mailing list [1], and makes some assertions regarding Firefox's privacy behaviors.

For anyone not already familiar, libtech is arguably the text-based telenovela of the "human rights tech" space. Trolls and steroid-backed opinions abound, but it's an influential list with lots of smart folks weighing in.

The latest post is asking for someone from Firefox to clarify and respond to some of those assertions, and this list would be the best place I could think of to forward said request for feedback and clarification.

peace,
gunner

[1] https://mailman.stanford.edu/pipermail/liberationtech/2015-April/015236.html

-------- Original Message --------
Subject: [liberationtech] Ghostery, NoScript.. add-ons frequently phone home
Date: Sun, 26 Apr 2015 00:00:21 +0200
From: carlo von lynX <[email protected]>
Reply-To: liberationtech <[email protected]>
To: [email protected]

Just so you know, frequently the add-ons you recommend have phone-home functionality just as Firefox itself.

Firefox by default connects to Google to let it know your current IP of the day. Officially it is picking up precious info from some safebrowsing*.google.com site.. you can disable it if you dare to uncheck the "Block reported [evil cybercrimes]" boxes. I was told it even lets Google have the cookie it uses to identify you, so even if you use Tor, the five eyes immediately know it is you. I didn't bother to check however.

Next thing it does is to connect to a whole slew of *addons.mozilla.org sites to make sure it won't miss out on letting Mozilla know which version you are running etc.

Then it's the moment for the addons. NoScript immediately sends a shout out to informaction.com while Ghostery... Oh no! Ghostery! Weren't they supposed to be the good folks?

Yes, Ghostery has code in its init() function that looks like this:

    if (JUST_UPGRADED) {
        metrics.recordUpgrade();
    } else if (JUST_INSTALLED) {
        SDK.timers.setTimeout(function () {
            metrics.recordInstall();
        }, 300000);
    } else {
        metrics.recordInstall();
    }

You don't need to learn coding to understand that here is a series of if/else-if/else which, whatever condition your addon may be in, will result in some metrics.something() getting executed. That function then happens to produce an HTTP request targeted at "d.ghostery.com" which tells Ghostery which IP address you are using today and whether you are a nice person (Ghostrank=1) or not so nice (aka Ghostrank=0).

This allows Ghostery to measure how many people are using their tool.. which sounds reasonable from a business model point of view. Unfortunately, the problem with business models is, there hardly seem to be any that go together well with privacy. So once again a privacy tool is protecting you really well from the truly nasty people, but cutting out a little privileged exception for itself.

Is this a serious problem? Depends. I haven't checked whether it sends identifying cookies along. Probably the information is rather anonymous - you may consider this no reason to worry. I was a bit surprised to find that Ghostery calls home even if I unchecked all the appropriate preferences, but it does.

You can opt out by blocking the hostname in your firewall. At least until they change it to "e." or "f."

What do you folks think about this.. should we worry about software calling home to report things about us? Do we really have to inspect each specific case or should we be angry anyhow? Where is the boundary of well-educated privacy software? How much more capitalism can the web take? I see a systemic problem of capitalism not getting along well with constitutional duties.

--
  E-mail is public! Talk to me in private using Tor.
  torify telnet loupsycedyglgamf.onion        DON'T SEND ME
  irc://loupsycedyglgamf.onion:67/lynX        PRIVATE EMAIL
         http://loupsycedyglgamf.onion/LynX/  OR FACEBOOGLE

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].

--
Allen Gunn
Executive Director, Aspiration
+1.415.216.7252
www.aspirationtech.org

Aspiration: "Better Tools for a Better World"
Read our Manifesto: http://aspirationtech.org/publications/manifesto

Follow us:
Facebook: www.facebook.com/aspirationtech
Twitter: www.twitter.com/aspirationtech

_______________________________________________
dev-privacy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-privacy
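
The forwarded message's remark that a hostname block holds only until the endpoint moves to "e." or "f." can be checked against a DNS query log. The Python sketch below is an added example, not part of either message and not Ghostery's code; the query list is a constructed sample, and e.ghostery.com is a hypothetical renamed endpoint used only to show the gap between an exact-hostname rule and a parent-domain rule.

```python
# Added example. SAMPLE_QUERIES is constructed, not captured traffic.
SAMPLE_QUERIES = [
    "safebrowsing.google.com",
    "d.ghostery.com",
    "e.ghostery.com",       # hypothetical renamed endpoint
    "D.Ghostery.com.",      # same host, different case and trailing root dot
    "notghostery.com",      # unrelated domain that merely ends in the same text
    "example.org",
]


def normalize(host):
    """Lower-case a DNS name and drop the trailing root dot."""
    return host.strip().lower().rstrip(".")


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain, aligned on a label boundary."""
    host, domain = normalize(host), normalize(domain)
    return host == domain or host.endswith("." + domain)


def audit(queries, exact_rules, domain_rules):
    """Classify each queried host under exact-hostname rules and parent-domain rules."""
    exact = {normalize(r) for r in exact_rules}
    rows = []
    for q in queries:
        rows.append({
            "host": normalize(q),
            "exact": normalize(q) in exact,
            "domain": any(under_domain(q, d) for d in domain_rules),
        })
    return rows


def missed_by_exact(queries, exact_rules, domain_rules):
    """Hosts a parent-domain rule covers but the exact-hostname rules let through."""
    return sorted({r["host"] for r in audit(queries, exact_rules, domain_rules)
                   if r["domain"] and not r["exact"]})


if __name__ == "__main__":
    for row in audit(SAMPLE_QUERIES, ["d.ghostery.com"], ["ghostery.com"]):
        print(f'{row["host"]:26} exact={row["exact"]!s:5} domain={row["domain"]}')
    print("missed by exact rule:",
          missed_by_exact(SAMPLE_QUERIES, ["d.ghostery.com"], ["ghostery.com"]))
```

A parent-domain rule also blocks every other service hosted under that domain, so the list of hosts it newly covers is worth reviewing before the rule is enforced.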
