
Ghostery and NoScript-like add-ons frequently phone home - blueflow
https://mailman.stanford.edu/pipermail/liberationtech/2015-April/015236.html
======
brudgers
The fundamental dilemma in privacy is the same as for security and Ken
Thompson nailed it thirty years ago.[1] You have to trust somebody.

If I didn't trust the folks at Mozilla and Ghostery and NoScript more than
Google, I'd run Chrome and leave JavaScript and Cookies on by default. If I
trusted Facebook and LinkedIn more, I'd stay logged in. I don't so I don't.

[1]: [http://cm.bell-labs.com/who/ken/trust.html](http://cm.bell-labs.com/who/ken/trust.html)

------
SippinLean
Ghostery has addressed this elsewhere:

[http://www.reddit.com/r/IAmA/comments/1c4wjz/we_are_the_ghos...](http://www.reddit.com/r/IAmA/comments/1c4wjz/we_are_the_ghostery_team_askusanything_especially/c9d1chg)

>Ghostery is supported by Ghostrank, our 100% opt-in feature that collects
information about the trackers you see and the sites on which you see them.
Our parent company, Evidon, packages that information and sells it back to
sites who use it for privacy, performance, and security audits; and also ad
tech companies who use it for competitive intelligence about each other.

>That information is totally anonymous - it's all intelligence about the
tracking industry, none about our users. And Ghostery works exactly the same
whether you choose to share that with us or not.

~~~
samspot
According to the article this phone home feature activates even when you
uncheck all the share options.

~~~
talmand
But at that point, what exactly is it phoning home about? If it's still
sharing the data you explicitly refused to share, then that's one thing. If
it's simply asking home if there's an update, then that's something totally
different.

~~~
bsder
No, it's not.

Firefox is managing extension updates already. As an app developer, you _don't
need to know_ this data.

As a security surface, you really don't _want_ this data in real-time. It
makes you a target.

I presume the problem is that Firefox isn't sharing this install/update data
with the extension developers. So, they're trying to collect it themselves.

~~~
mook
Getting updates published on the Firefox add-on site takes a few weeks [1],
and as I understand it (haven't needed to do it myself recently) queuing a new
version bumps you all the way to the back of the line. If the add-on needs to
update non-code things (such as what sites to block) on a shorter time frame,
having its own service is pretty necessary.

See also the various lists adblock plus / uBlock / lightbeam use. Or for that
matter the safe browsing lists Mozilla uses instead of shipping it in a new
version of the app.

(I still don't use Ghostery because their relationship with the advertising
industry freaks me out, but that doesn't mean I have to be critical of them
about the list updates.)

[1] latest status update seems to be
[https://blog.mozilla.org/addons/2015/04/08/add-ons-update-63...](https://blog.mozilla.org/addons/2015/04/08/add-ons-update-63/)

------
rockdoe
So what would the author prefer? That security sensitive software doesn't
check for updates? WHAT COULD POSSIBLY GO WRONG.

Somewhat later there is this remark: _Why are these add-ons? Why are they not
designed-in and built-in to the browser?_

Well, this _is_ actually built into Firefox Nightly. It's called Tracking
Protection...and it updates its lists using the exact same SafeBrowsing the
original author whines about.

It's hard to take these people seriously, which is bad, because privacy is a
serious problem. Not worthy to be left over to whiners that offer no
solutions.

~~~
arbitrage
> Not worthy to be left over to whiners that offer no solutions.

This is not a fair criticism. I can tell someone, "Hey dude, your house is on
fire" without having to offer them either a bucket of water or a new house.

This type of argument is frequently used to forestall any criticism
whatsoever. Bad supervisors often say things like, "don't give me complaints
without also giving me a solution."

It's sloppy thinking, and rejects valuable feedback.

~~~
danudey
> Bad supervisors often say things like, "don't give me complaints without
> also giving me a solution."

This is true, but bad employees often say "Hey this sucks" without providing
any constructive reasoning, and expecting someone else to fix a problem that
you've seen but they haven't usually results in a lousy fix.

Sure, it's not their job to fix it, but if you come to me and say 'our art
pipeline sucks, it's too inefficient' and then walk away, I literally have
nothing at all to work on.

~~~
rando3826
> if you come to me and say 'our art pipeline sucks, it's too inefficient' and
> then walk away, I literally have nothing at all to work on.

The 'art pipeline' might be something you could work on...

------
ikeboy
What exactly is the problem here? If you care about security, use the TBB;
each session is still unique because of private browsing. If you really care
and use tails or whonix, this still won't de-anonymize you. If you aren't doing
that, any website you visit gets your ip.

I'm trying to figure out what attack model you'd have a reasonable basis to
think you were protected against, except for the fact that these plugins
"phone" home. If you're using a setup in which that matters, you've already
lost.

~~~
rockdoe
You've articulated this better than I have.

By default, combinations like Firefox+SafeBrowsing+Ghostery+Adblock make an
uninformed user (or informed users who prefer convenience) safer against a
given adversary: advertising agencies, trackers, malicious sites. They do not
protect you from the government, and they won't protect you from Google. To
reach this level of protection and user-friendliness, they rely on automated
updates, and the use of metrics to improve the software.

If your threat model is different, and your adversary includes Google or the
government, there are solutions too like TBB. But you will give up on the
convenience that (drumroll) companies like Google provide.

~~~
rockboe
TBB offers a speedy and modern browsing experience. I use it for everything,
and wouldn't hesitate to recommend it. You can watch Youtube videos, download
large files, and browse most websites without a hitch.

You could sign up for G+ over Tor and get most of the purported benefits of
being tracked by Google without tying your browsing activity to your real name
or IP.

~~~
ikeboy
Doesn't Google now require a phone verification to sign up, thus tying
everything to a real id? And you don't get Cloudflare bs all the time on tor?

And have you ever compared speed on downloading large files, or latency? It's
bad enough to make me only use it when really needed and not everyday usage.

------
longsleep
Check out Iridium Browser. We try hard to build a Chromium which does not
phone home (to Google). It's work in progress but completely open and
transparent.

[https://iridiumbrowser.de/about](https://iridiumbrowser.de/about)

------
wsha
Reading the source code, I find this:

    function recordInstall() {
      if (utils.prefs('install_recorded')) {
        return;
      }

      sendReq('install');
    }

So the if statement that the OP highlights does not actually phone every time
it is called like the OP claims, but only on the first install. The message
that the add-on sends to ghostery.com includes the Ghostrank preference, the
version of Ghostery, the OS, and the Firefox version (Android or desktop).
That said, it does appear that the add-on phones home on each upgrade, and I
don't see anything in the Ghostery Privacy Policy about this (it only
discusses GhostRank).

~~~
nijiko
Yes, it's an ongoing issue that people are increasingly unable to read simple
if statements. The world has been plagued with academics attempting to analyze
the simplest of statements without success. This is what led us to form the
"Leave No Academic Behind" (LNAB) group. To inform academics of the error of
their ways and show them the path to success.

There has been an increase in tin-foil theories about these scripts even when
the source is available and very easy to read through. It honestly blows my
mind.

------
Animats
Several popular Firefox privacy/security add-ons have become much worse in the
last year. BlockSite added ads and full tracking of user browsing. (That one
is really bad.) AdBlock Plus added a "whitelist" of ads they let through. (The
advertisers pay AdBlock)

Firefox itself reports installed add-ons to Mozilla AMO each day for tracking
and update purposes. Add-ons don't need to check for updates themselves.

~~~
flanbiscuit
Is there an open source alternative to Adblock plus?

~~~
rockdoe
uBlock is getting popular fast, but note AdBlock Plus itself is also open
source.

~~~
flanbiscuit
I didn't realize that. I'm going to check out the source to see just which
sites they are whitelisting.

~~~
lewisje
It's not in the source code, but instead in a subscription that ABP uses by
default (it remembers if you unchecked "Allow some non-intrusive advertising"
so it doesn't re-enable this list on every update):
[https://adblockplus.org/en/acceptable-ads](https://adblockplus.org/en/acceptable-ads)

This is the subscription, which was originally linked from that page (but it
now links to the Acceptable Ads subforum, which has a sticky that links to
this subscription):
[https://easylist-downloads.adblockplus.org/exceptionrules.tx...](https://easylist-downloads.adblockplus.org/exceptionrules.txt)

------
Dirlewanger
How else is one supposed to react to this other than with cynicism? This is
the nature of going on the Internet, you _will_ be tracked whether you like it
or not. _No one_ is anonymous. The Internet, while being one of the greatest
inventions by mankind, has succumbed like all the others to the maladies of
greed. Unless some billionaire Elon Musk-esque figure funds a private service
to actually not, really, no-for-real track you, it won't happen. Personal
incentives motivate people, and until this hypothetical billionaire sees an
incentive other than profit, it's not happening.

~~~
6a68
> How else is one supposed to react to this other than with cynicism?

How about empowerment instead of cynicism?

Maybe it's possible to build browsers and advertising and mobile devices that
don't relentlessly erode privacy. I work at Mozilla to help build that tech. I
firmly believe the dystopian corporate future isn't the only option.

You should check us out:
[https://www.mozilla.org/mission](https://www.mozilla.org/mission)

~~~
whoopdedo
> Maybe it's possible to build browsers and advertising and mobile devices
> that don't relentlessly erode privacy.

That's a nice sentiment. I'd be less skeptical if Firefox didn't change my
default search engine behind my back. (After updating Android from 31 to 36.)

~~~
rockdoe
If you changed the defaults, it was kept. If you never set a search engine,
the shipped default was changed (and clearly mentioned as such in the release
notes not to mention all over the press, so saying "behind my back" is quite
funny).

~~~
talmand
Just to play devil's advocate, what if the default was the choice the user
wanted?

~~~
rockdoe
Then he can switch it after having read the release notes pointing it out? The
behind the back part was unwarranted, so the only thing that's remaining
really is "I preferred the previous default" which doesn't quite jibe with the
"I'm skeptical regarding privacy" complaint that was made.

~~~
talmand
Then that's just bad design. If there was a possibility of them switching out
the pre-determined defaults then the default choices should have been asked of
the user from the beginning.

But then, it's hard to make money that way so I can understand why they
wouldn't do that.

EDIT: you edited, but I agree the "behind the back" isn't quite right.

~~~
rockdoe
Presenting modal dialogs to the users on first run is considered terrible UX
design with a high bounce rate.

The way you state it, you'd have to ask the user to verify every single
setting in your app. That is problematic.

Making money doesn't even have to factor in. (Ok, if nobody uses the apps,
you're not making money either, but you get what I mean)

~~~
whoopdedo
There's default settings, and then there's "default" settings. I think of
Debian's debconf and how there are different levels of prompts when installing
a package.

A good compromise would be to ask on use. The first time someone searches say
"What service do you want to complete this with?" and have Yahoo/Yandex
pre-selected. Then never ask again.

The never asking again is the key part. IE's setup dialog is a problem because
it's either answer a bunch of annoying questions now or answer a bunch of
annoying questions later. It should be a choice of setup now or don't bother
me again (unless I activate the setup wizard myself).

~~~
ikeboy
Doesn't IE offer "recommended" settings?

------
xorcist
Move to uBlock already!

It's faster, on less resources, does what Adblock and Ghostery does, and is so
far void of any dubious business model.

Back on topic, I believe the author points out things that you need to be
aware of, especially if you use tor. They made the Tor Browser for a reason.
Use it!

~~~
ikeboy
Last I heard the person controlling the repo was doing funny stuff like
removing the info of the creators and there was some dispute over control. Any
idea what's up?

~~~
gorhill
> removing the info of the creators

More accurately it was about importing code changes manually without
attribution, thus forfeiting authorship info in the commits. I believe it's
all resolved now. The person is a kid (to me), I had no idea, so when I
learned this I see this differently now, he was just being misguided. I
originally thought I was dealing with a fully grown adult, so I did not hold
back on the criticism. My own mistake was to not consider I was maybe dealing
with such a young person.

------
raintrees
Possibly a naive question: Wouldn't hosts entries block this? i.e.
informaction.com 127.0.0.1, etc.

If so, then one would only comment out the entries when specifically after
updates, otherwise they run as-is, and no phone home problem.

Although this depends on a browser using the host system's specified DNS: I
seem to have caught Chrome ignoring my entries in favor of Google's DNS (on
Linux) whilst doing web design for a client. :(

~~~
oldmanjay
Useless comment, downvote/ignore at will; If this were Slashdot, you would
have just made a friend for life in APK.

~~~
raintrees
Thanks for the reference, I had never run into APK as a meme/topic.

As to the HOSTS question, I am currently working through Terpstra's SAMBA-3 By
Example, and after spending enough time on small business networks chasing
down odd stuff every time a Microsoft Small Business Server goes down (runs
its own DNS and DHCP servers for the LANs in question), I am beginning to
consider static mapping some of these smaller networks for better resiliency,
which seems to be a frequent consideration of that author.

I apologize for the naivete, but I did specifically label my comment as such,
and my question was an honest one with a simplistic security model in mind,
when it comes to specific outside resources that may be untrustworthy.

edit: And that search for APK derived my answer at pineight.com, so again,
thanks.

~~~
oldmanjay
Just to be clear, I was saying my comment was useless, not yours.

~~~
raintrees
Thank you, I did misunderstand and was a bit disappointed my comment was taken
as useless. It concerns me when I misunderstand protocol...

------
ddp
So Ghostery phones home. Until someone tells me that it doesn't block what it
purports to block, the alternative is worse.

------
dicknuckle
Hasn't done enough research.

~~~
blueflow
They indeed do in the default settings (checked with wireshark).

NoScript for example queries informaction.com to get the own WAN-IP.

~~~
dicknuckle
If you are on a VPN, who cares.

------
wiggumz
To me the key question is whether these checks are anonymous. If not -- if
Firefox or a plug-in is sending a unique ID, then any advertiser or government
agency could pay for that tracking information and then your privacy would be
toast, at least until you can reset that ID.

~~~
aw3c2
I consider my IP address to be private information. If I chose to disclose it
to a site, ok, but I don't mean to tell third-parties about it.

~~~
ivanhoe
Well, technically you are not talking to 3rd parties, you are checking for
updates on the author's site. For extensions that rely on up-to-date lists and
definitions to work this is a crucial step, otherwise they'll be pointless.
Antivirus software does the same thing. OS does the same thing. How is it now
all of a sudden a problem?

