The Debian *popularity-contest* package popcon is **disabled** Tails. [popcon readme](http://popcon.debian.org/README) | [popcon faq](http://popcon.debian.org/FAQ) | [popcon bugs](http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=popularity-contest) | [popularity contest mailing list](http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/popcon-developers) | [popularity contest mailing list: Drop atime and ctime for privacy reasons possible?](http://lists.alioth.debian.org/pipermail/popcon-developers/2012-October/002172.html)
Letting Tails users vote in popcon in a privacy friendly way is a desirable goal. Tails has quite some users, would have some weight in popcon and would also contribute to the estimation of Linux users (linuxcounter). However, the obstacles of activating popcon in Tails are too big. Some privacy considerations and reasons why it's disabled: * The connection would obviously need to go over it's own Tor circuit (stream isolation). At the moment popcon tries to go through http and if it fails (no internet connectivity) it goes into the mail queue. (sendmail) Sendmail probable works though TransPort, but I don't know if it can be torified for proper stream isolation. * (From the popcon readme) "*Each popularity-contest host is identified by a random 128bit uuid (MY_HOSTID in /etc/popularity-contest.conf).*" - This would allow to enumerate a quite good guess about the amount number of Tails users. We are not sure if boum.org or boum.org's internet service provider could already have an insight about that or about any other negative implications. * MY_HOSTID would probable get created at Tails build time and all Tails users would have the same MY_HOSTID, which would make it useless. A new MY_HOSTID would have to be created at first boot of Tails. * Popcon runs at a random day. Good. * If the machine is powered on: it runs at at 6:47, which is bad, because a local adversary (ISP or hotspot) could guess popcon runs over Tor which would likely be a Tails user. * If the machine as powered off at 6:47, it sends the report later, only if anachron is installed. It shouldn't run instantly after powering on, also for fingerprinting reasons. The time would have to be truly randomized. * The transmission is not encrypted, see [popularity-contest should encrypt contents](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480860) and it's not planed to encrypt it. Malicious Tor exit nodes could modify the transmission, but this is only a minor issue. Such malicious Tor exit nodes could send fake transmissions on their own. * It's questionable if and if yes, how long Debian will accept popularity contest transmissions from Tor exit nodes. There is potential for electoral fraud. * Few Live CD related issues: * Creating MY_HOSTID at run time for users who do not use persistence and who do not run the system for weeks without reboot, which is assumed to be quite a big percentage of Tails users wouldn't allow them to vote in popcon. (That requires recent access time and older creation time of an application.) * A persistent MY_HOSTID for users who do not run the system for weeks without reboot, wouldn't help either. Even when using persistence, most files are not persistent (binaries, /usr/bin/dpkg and so on, there is no need for them to be persistent). Therefore the last accessed time (atime) would be lost after reboot. Tails would have to remember and restore the atime, which would have to be an opt-in, because it has privacy implications. For these reasons it's not a good idea to add popcon to Tails. If you have suggestions or a different view, please get in contact. Without serious amounts of help from the popcon developers or contributors it won't happen. _______________________________________________ tails-dev mailing list tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev