[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: The Spirit of Free Software, or The Reality

On Jul 15 2015, Ian Jackson <ijackson@chiark.greenend.org.uk> wrote:
> Nikolaus Rath writes ("Re: The Spirit of Free Software, or The Reality"):
>> On Jul 15 2015, Jakub Wilk <jwilk@debian.org> wrote:
>> > So I made this experiment with Iceweasel. These are the requests it
>> > makes with a fresh profile, before you even type an URL: 
>> >
>> > POST https://location.services.mozilla.com/v1/country?key=no-mozilla-api-key
>> > GET http://www.ebay.com/favicon.ico
>> > GET http://en.wikipedia.org/favicon.ico
>> > GET http://www.yahoo.com/favicon.ico
>> > GET http://www.google.com/favicon.ico
>> > GET http://www.amazon.com/favicon.ico
> ...
>> 1. Were you surprised by this? I was certainly not, this is about what I
>>    would have guessed. If a program does what I expect it to do, I'm not
>>    sure if me starting it is "violating my privacy".
>
> I was surprised that it would download the icons from the installed
> search providers.  There is no need for it to do that.  And that means
> that the mere presence of an unused but configured search provider,
> causes every user's iceweasel to notify the search provider whenever
> the user starts the browser.  This is not desirable.

I agree that it's not desirable. But there's a lot of stuff in a lot of
packages that's not desirable, I don't see this as an especially severe
problem.

>> 2. Would it be ok if Firefox did all this at the time you visited the
>>    first webpage, rather than at the time of startup?
>
> I think that depends on what the first webpage is.
>
> If the first webpage is (say)
>   https://en.wikipedia.org/wiki/Embarrassing_medical_problem
>   https://act.eff.org/login
>   https://search.debian.org/cgi-bin/omega?DB=en&P=vulnerability+scanner
>   https://fetlife.com/home/v4
> then I don't see any reason why Ebay or Amazon would have to know even
> that I am running Iceweasel.
>
> To implement the unsafe sites protection, Google might need to know
> that I am running Iceweasel, but measures described elsewhere in this
> thread mean that its information about which actual URLs I am visiting
> is limited.
>
>>    If not, then what about all the tracking pages that Firefox is going
>>    to load because they're referenced in the page you asked for?
>>    Shouldn't you be much more worried about those?
>
> It is obviously not practical for us to do very much about that, other
> than by promoting (a) privacy-enhancing client-side tools
> (b) privacy-respecting websites, where relevant and (c) political
> change.

Yes. I guess what I'm trying to say is that calling Iceweasel isn't the
same as calling "ls" or make. Having the latter programs do the above
would be severe. But in order to protect your privacy when browsing with
Iceweasel, you have to run it through tor anyway (and probably add all
sorts of other measures to prevent fingerprinting). So why worry about a
few extra requests?


Best,
-Nikolaus

-- 
GPG encrypted emails preferred. Key id: 0xD113FCAC3C4E599F
Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

             »Time flies like an arrow, fruit flies like a Banana.«
Reply to: