
Fwd: [liberationtech] Ghostery, NoScript.. add-ons frequently phone home

Allen Gunn

Apr 27, 2015, 9:10:08 AM
to dev-p...@lists.mozilla.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello dev-privacy friends and pre-acquaintances,

The thread below has been playing out over on the libtech mailing list
[1], and makes some assertions regarding Firefox's privacy behaviors.

For anyone not already familiar, libtech is arguably the text-based
telenovela of the "human rights tech" space. Trolls and steroid-backed
opinions abound, but it's an influential list with lots of smart folks
weighing in.

The latest post is asking for someone from Firefox to clarify and
respond to some of those assertions, and this list would be the best
place I could think of to forward said request for feedback and
clarification.

peace,
gunner

[1]
https://mailman.stanford.edu/pipermail/liberationtech/2015-April/015236.html

- -------- Original Message --------
Subject: [liberationtech] Ghostery, NoScript.. add-ons frequently
phone home
Date: Sun, 26 Apr 2015 00:00:21 +0200
From: carlo von lynX <ly...@time.to.get.psyced.org>
Reply-To: liberationtech <liberat...@lists.stanford.edu>
To: liberat...@mailman.stanford.edu

Just so you know, frequently the add-ons you recommend have
phone-home functionality just as Firefox itself.

Firefox by default connects to Google to let it know your current
IP of the day. Officially it is picking up precious info from
some safebrowsing*.google.com site.. you can disable it if you
dare to uncheck the "Block reported [evil cybercrimes]" boxes.
I was told it even lets Google have the cookie it uses to
identify you, so even if you use Tor, the five eyes immediately
know it is you. I didn't bother to check however.

Next thing it does is to connect to a whole slew of
*addons.mozilla.org sites to make sure it won't miss out
on letting Mozilla know which version you are running etc.

Then it's the moment for the addons. NoScript immediately
sends a shout out to informaction.com while Ghostery...
Oh no! Ghostery! Weren't they supposed to be the good folks?
Yes, Ghostery has code in its init() function that looks
like this:

    if (JUST_UPGRADED) {
        metrics.recordUpgrade();
    } else if (JUST_INSTALLED) {
        SDK.timers.setTimeout(function () {
            metrics.recordInstall();
        }, 300000);
    } else {
        metrics.recordInstall();
    }

You don't need to learn coding to understand that here is
a series of if/else-if/else which, whatever condition your
addon may be in, will result in some metrics.something()
getting executed. That function then happens to produce an
HTTP request targeted at "d.ghostery.com" which tells
Ghostery which IP address you are using today and whether
you are a nice person (Ghostrank=1) or not so nice (aka
Ghostrank=0). This allows Ghostery to measure how many
people are using their tool.. which sounds reasonable from
a business model point of view. Unfortunately, the problem
with business models is, there hardly seem to be any that
go together well with privacy. So once again a privacy tool
is protecting you really well from the truly nasty people,
but cutting out a little privileged exception for itself.

Is this a serious problem? Depends. I haven't checked whether
it sends identifying cookies along. Probably the information is
rather anonymous - you may consider this no reason to worry.

I was a bit surprised to find that Ghostery calls home even
if I unchecked all the appropriate preferences, but it does.
You can opt out by blocking the hostname in your firewall.
At least until they change it to "e." or "f."

What do you folks think about this.. should we worry about
software calling home to report things about us? Do we really
have to inspect each specific case or should we be angry anyhow?
Where is the boundary of well-educated privacy software?

How much more capitalism can the web take? I see a systemic
problem of capitalism not getting along well with
constitutional duties.


- --
E-mail is public! Talk to me in private using Tor.
torify telnet loupsycedyglgamf.onion DON'T SEND ME
irc://loupsycedyglgamf.onion:67/lynX PRIVATE EMAIL
http://loupsycedyglgamf.onion/LynX/ OR FACEBOOGLE
- --
Liberationtech is public & archives are searchable on Google.
Violations of list guidelines will get you moderated:
https://mailman.stanford.edu/mailman/listinfo/liberationtech.
Unsubscribe, change to digest, or change password by emailing
moderator at comp...@stanford.edu.


- --

Allen Gunn
Executive Director, Aspiration
+1.415.216.7252
www.aspirationtech.org

Aspiration: "Better Tools for a Better World"

Read our Manifesto: http://aspirationtech.org/publications/manifesto

Follow us:
Facebook: www.facebook.com/aspirationtech
Twitter: www.twitter.com/aspirationtech

- --


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

-----END PGP SIGNATURE-----
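
Added example, not part of the original messages and not code from Firefox, NoScript or Ghostery: a small audit of hostnames a browser contacted at startup, attributing them to the host patterns named in the forwarded message and showing why an exact-hostname rule for "d.ghostery.com" stops matching if the leftmost label changes. The log format, the sample lines, the owner labels and the "e.ghostery.com" entry are constructed assumptions; widening to the last two labels is a simplification that ignores multi-part public suffixes.

```javascript
// Host patterns exactly as written in the message; owner labels are assumptions.
const PAGE_PATTERNS = {
  "safebrowsing*.google.com": "Firefox Safe Browsing",
  "*addons.mozilla.org": "Firefox add-on services",
  "informaction.com": "NoScript",
  "d.ghostery.com": "Ghostery metrics",
};

// Constructed capture: "<seconds since launch> <hostname contacted>".
const SAMPLE_LOG = [
  "0.4 safebrowsing.google.com",
  "0.9 services.addons.mozilla.org",
  "1.3 informaction.com",
  "1.7 d.ghostery.com",
  "1.8 e.ghostery.com", // hypothetical renamed endpoint
  "2.0 example.org",
];

// Turn a shell-style glob into an anchored, case-insensitive RegExp.
function globToRegExp(glob) {
  const escaped = glob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, "[a-z0-9.-]*");
  return new RegExp("^" + escaped + "$", "i");
}

// Widen an exact hostname to "*.<last two labels>" so a renamed
// leftmost label is still attributed to the same owner.
function widen(glob) {
  if (glob.includes("*")) return glob;
  const labels = glob.split(".");
  return labels.length > 2 ? "*." + labels.slice(-2).join(".") : glob;
}

// Attribute each contacted host to an owner, or list it as unattributed.
function audit(logLines, { widenExact = false } = {}) {
  const rules = Object.entries(PAGE_PATTERNS).map(([glob, owner]) => ({
    owner,
    re: globToRegExp(widenExact ? widen(glob) : glob),
  }));
  const report = { attributed: {}, unattributed: [] };
  for (const line of logLines) {
    const host = line.trim().split(/\s+/)[1];
    if (!host) continue;
    const rule = rules.find((r) => r.re.test(host));
    if (!rule) { report.unattributed.push(host); continue; }
    report.attributed[rule.owner] = (report.attributed[rule.owner] || []).concat(host);
  }
  return report;
}
```

Running audit(SAMPLE_LOG) leaves the renamed host unattributed, while audit(SAMPLE_LOG, { widenExact: true }) groups it with the Ghostery entry.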