The problem with this statement is that you know (or rather can check) only
what happens on the sending side.
That is correct. But there is no magic: if you send little information, then
little information is received on the other side. If you add noise, the
receiver can exploit it even less.
That is a basic test which shows if there is a communication or not.
Too basic. Looking at what is communicated is relevant.
If there is communication and it is not anonymized through TOR (it is not) -
that obviously is a privacy issue. That is quite simple.
If you consider that having the receiver know your Web browser is opened,
then yes. And you should be able to disable the service it provides to stop
that communication... but if that service is useful and cannot be achieved on
your own computer (it is not SaaSS), then it does require communication and
you may decide it is worth giving the information required to get the
service.
Are privacy and security 2 incompatible mutually exclusive concepts? Or
rather because someone has designed a program in a way in which you must
sacrifice one for the other?
It is physically impossible to request information from a third party without
communication. For example, you cannot ask whether a site is phishing
without communication. You have to either choose choose privacy (no
communication) over security (no warning about phishing) or the opposite
(communicating the relevant information to receive the warnings). To make
that choice, looking at what is actually communicated (how much privacy is
sacrificed) is relevant to most users. If you consider that no service is
worth communicating your IP address, then, really, there is no need to look
at what is communicated... and you should stay offline (when you access this
forum, Trisquel knows about it, your ISP too). Since you are online, you
actually accept to send the relevant information (lose some privacy) to do
whatever you do online.
If you seek for compromise what happens is giving up freedom in exchange for
convenience?
You need not compromise on freedom. You should always stay in control of
your own life. In computing, that means only using free software. There is
no physical impossibility here (whereas requesting information without
communication is impossible): every piece of software can be and should be
free software.
Meanwhile Intel ME can be sending data to organization X "User N, located ...
is currently admiring the source code of Hello world".
Yes. Intel ME, like any piece of software, can be and should be free
software.
There are organizations which consider that censoring entire geographic
regions from accessing particular websites is a useful feature for the safety
of the region. Should we agree to that too?
No. And that has absolutely nothing to do with our conversation.
There is enough evidence that the price people pay for using all kinds of
"useful features" is pretty high.
"All kinds of useful features" is too general to state anything about them.
Again: details matter. I explained you the price of receiving warnings about
phishing. You can consider that price too high. Other users, most users I
believe, consider it is not. I have Safe Browsing disabled because I do not
think I need it. However, I let it enabled on my parents' computer (that I
administrate).
I disagree to the centralized nature of it held in the hands of a single
entity which can control it.
There is a performance compromise too. I do not think (I may be wrong)
anybody knows how to have a distributed Safe Browsing system that would not
significantly slow down page loading. Do you know?
As long as we cannot check for ourselves what exactly is happening on the
other side of the wire it is all wishful thinking.
There is no magic: if you send little information, then little information is
received on the other side. If you add noise (like Firefox does with Safe
Browsing), the receiver can exploit it even less.
uppose I am the victim. I (a layman) don't know. I (a non-programmer) have
not checked the source code. I (an average user) am forced to trust because
there is a huge mountain of information which I need to dig in order to find
out the truth, it is growing every day and a lifetime wouldn't suffice for
it. But still I refuse to trust articles and want truth, not words, because I
don't want to depend on another. I don't want my child (if I have one) to be
tracked, logged, turned into a cog of a huge machine. What am I to do?
You trust the community. Even if you were a programmer, it is impossible to
read all the software you run: a life time is not enough. Exercising a
collective control over the software is the reason for freedom 3.
If you do not want to trust the community, then you should stop using
software. I see no other possibility. The four freedoms do not solve all
problems but it is the best we have.
We all know very well that each server stores logs. Also one doesn't need to
be a professor to know how this works with a company part of PRISM program.
What do you think happens when NSA comes and says "We will take these servers
to search them"?
The logs can only contain the information that was received. In the case of
Safe Browsing's phishing protection: what IP had a Web browser opened at what
time (with a 30-minute precision) and hashes of some URLs (without what is
following "?", if present) that the browser may have visited, or not. Hashes
associated with (a) phishing page(s). But the user may have actually visited
a safe page with the same hash. If you think that the phishing protection is
not worth giving up that information, then disable it. Again: I believe most
users consider it is worth it.
If we believe that, we can easily install Microsoft Windows and turn on
Windows Defender because it is a useful feature.
Windows is proprietary software. Its users are denied the essential right
freedom to know what it is actually doing. The worst should be assumed.
My test does not pretend anything - it proves something, providing actual,
verifiable facts.
Your bug reports for Firefox's Telemetry component says: "If the user says
"No" to data reporting one expects no data will be sent (and home directory
will not be filled with unnecessary data) without the permission and
knowledge of the user". So, yes, you pretended telemetry was not disabled
after unchecking "Allow Firefox to send technical and interaction data to
Mozilla".
And your test actually show no connection to incoming.telemetry.mozilla.org:
Telemetry was disabled, as expected.
This means that those additional settings do something and they are not
insignificant in relation to other disabled flags.
Not the additional *telemetry* settings, no. Georg Fritzsche explained it to
you in https://bugzilla.mozilla.org/show_bug.cgi?id=1424781#c11
Even if we assume that we know what Google knows (which we don't) that 'only'
piece is still a form of analytics.
We do know what Google receives through Safe Browsing. Safe Browsing is
documented and Firefox's source code can be studied. Your text then jumps to
telemetry again. Do you understand they are separate components? No
telemetry data is sent to Google.
But the very fact that telemetry was created in the first place is a clever
trick. For the improving of a program there is absolutely no need to know
that user X is currently online and has his browser open.
It is useful to know how a program is used, what was its state when it
crashed, etc. to improve it. With telemetry enabled, the program itself
sends the data. So the receiver knows it is currently used.
I don't see one should install a surveillence camera in one's bedroom, taking
and uploading snapshots every 30 minutes just to inform organization X that
he is (or is not) having sex right now, so that organization X can send a
message "You are with a (non) trustful partner".
What information is sent matters to decide whether the service is worth the
loss in privacy. Your example makes it clearer. If, instead of sending the
camera snapshots, you would have a Safe-Browsing-like system (you receive
from time to time the hashes of the ids of the non-trustful partners, sending
such a hash if your partner happen to have its hash in the list to get the
actual names of the corresponding non-trustful partners, sending random
hashes to make it harder for the service to guess who your partners are), the
system would be better for you... although unacceptable for your partners,
who deserve privacy too, contrary to Web pages.
Security and privacy are not a matter of compromise between the two. If one
has to compromise that is poor design, therefor dependency, not freedom.
Communicating to request (security) information from a third party is not
poor design. It is physically impossible to do request information from a
third party without communicating.
Poor design ever implies a loss of freedom. Again, imperfection is not the
same as oppression:
https://www.gnu.org/philosophy/imperfection-isnt-oppression.html
Are you saying you have actually studied the full code of Firefox and do it
for every new release
I have only read documentation on the matter. I could take a look at the
source code though. Any programmer could (and many certainly ave done so).
That alone makes it improbable that Mozilla would be lying when describing
its implementation: their reputation is at stake.
Mozilla also receives your IP address even if they don't send it to Google
(which we have no way to know). Surely they do share it with Amazon, Akamai
etc.
Do you have any evidence to ground your accusations?
