I don't have time to respond to everything here right now, so I'm going to respond to the simple stuff now and get back to you on the complicated stuff later.
> Maybe the 4 freedoms are not enough and we need a new form
> of evaluating qualities which considers the deeper issues of
> today.

What's wrong with just calling it "privacy"? Privacy is important enough on its own that I don't think we need to reframe the discussion in ways that might cause confusion.

> If you have Trisquel you could probably repeat the test for
> yourself and share the result.

From your bug reports it sounds like you had two findings. The first was the logs in ~/.mozilla, which I can confirm exist in Abrowser. I briefly attempted your second test, but the command immediately exited and /tmp/tcpdump.log was not created, so I must have done something wrong. I will figure it out when I have more time.

> Now you have actual facts from tcpdump too :)

According to your bug reports neither Firefox nor Chromium passed this test, so I don't see how it is an argument for either. If I understand correctly, your test creates a lower-bound, not an upper-bound, on what data is sent. It doesn't seem to prove that no additional data is sent by Firefox or Chromium during browsing, just that this data at minimum is sent on startup.

> It seems invalid because current version of Chromium doesn't do
> what that bug describes. ...
> This is a valid concern but the question is: why would you trust
> a "free software" which sends packets to Amazon etc. or would you
> use one which is weaker (OSS) but shows better privacy?

I said that it had been closed, but it's alarming that it ever happened. If Chromium were downstream from Chrome it could have been something implemented in Chrome that Chromium developers simply did not notice. However, Chrome is downstream, so this was apparently intentional. That makes me unwilling to trust Chromium developers that there are no similar issues in Chromium not yet discovered by the Debian community.
However, right now I am more concerned with the issues linked to by Magic Banana, since they are active and haven't been adequately addressed after several years.

> but considering that Replicant is not 100% deblobbed

Replicant, the operating system, is 100% libre. You are likely referring to the modem or bootloader that the device itself uses regardless of what operating system it runs.

> Maybe we can rather
> wait for the Librem 5 phone? :P

Maybe the emoticon there was meant to indicate that this is a joke, but since I'm not familiar with Purism's phones I took a quick look at the page on their site (https://puri.sm/shop/librem-5) and just sighed. I don't have time to pick the whole thing apart, so I'll just focus on the big lie "Does Not Track You". If pressed in the matter, I'm sure they'd say that only the main operating system PureOS (like Replicant) does not track you, but they're clearly trying to imply that the phone itself won't track you, which it will whenever the modem is turned on. A kill switch for the modem is a good idea (the Neo 900 will have kill switches too) but most people will choose to leave it on so that they can receive calls. I hope anyone who buys this phone is informed that they must turn the modem off to avoid being tracked.

I suggest looking into JMP if you live in North America (unfortunately it is not available elsewhere yet). It allows you to send and receive calls/texts from a device that has no modem, so that you can actually avoid being tracked. For now you have to rely on being in range of WiFi, although the main developer Denver Gingerich is now working on a radio mesh that if adopted by enough people in your area would allow you to use JMP without being in range of WiFi. That's at least a few years out though.

> One problem which I see is that one cannot use login-based sites

In this case the advantage of using Tor is that you do not reveal your location.
This is especially important if it is a site or account you use frequently (like an email provider) as otherwise they can track you to the point of detecting behavioral patterns.

> you need an email
> address (or phone no.) to create a login

You can use a temporary email address that self destructs when you're done with it (see link in next point).

> 2) I cannot find any
> email service provider where one can register for free without
> javascript.

Here is a good resource that also links to some disposable email address sites that do not require proprietary JavaScript. https://www.fsf.org/resources/webmail-systems

> We hate to give information yet we want to
> receive freely available one. ...
> How is that different from what PRISM does?

Asymmetrical protections are warranted when one party has much more power than the other, and when one of those parties is an individual and the other is a corporation, human rights only apply to the individual. We can't really harm, manipulate, or profile Google, Amazon, Facebook, Apple, even Mozilla, with the information we get from using their websites, browsers, or other software. However, they can do a great deal with the information they get from use. Moreover, they have the power of aggregating data about many users, while we don't have the power to aggregate data about many browsers, for instance. And finally, while the individuals who work for these companies deserve privacy and we are not entitled to their personal information, the corporations they work for are not people (sorry Mitt) and are not entitled to human rights. This is why I think it was reasonable for you to request in your bug reports that Google and Mozilla not collect or send your personal information, even though you benefit from receiving information through their browsers.

> The other day I've been thinking about a new way of
> communication. A new network if you will. AFAIK UDP does not
> require response from the other peer.
> So in that sense: what if
> we have a network of anonymous UDP peers sending encrypted info.
> It will be available to all other nodes but only those which know
> how to read it (the recipient) will be able to. Of course this is
> just a very rough concept but maybe worth considering... Share
> your thoughts please.

I'd be very interested to hear more about this but don't have time to ask follow-up questions at the moment.

> Thanks. I find it amusing that the page asks to enable Javascript :)

You are right not to have Javascript allowed by default. On this particular page the Javascript is free software, so if you don't trust the EFF you don't have to. You can inspect the source code yourself or show it to someone else with more knowledge.

Or better yet, screw JavaScript. If you don't care whether the page is interactive and don't mind an extra minute to collect the information, the urls to the four images can be found in the text following the JS message (you can often navigate JavaShit heavy sites this way. It works especially well in a command line browser like lynx or elinks). If you haven't already done this, here they are:

No Tor and No HTTPS: https://www.eff.org/files/tor-https-0.png
No Tor and HTTPS: https://www.eff.org/files/tor-https-1.png
Tor and No HTTPS: https://www.eff.org/files/tor-https-2.png
Tor and HTTPS: https://www.eff.org/files/tor-https-3.png
