Thanks for sharing that info. That's what I was hoping to see from you when I
asked you to show actual code in the web browsers thread.
What catches my eye is:
./android_webview/BUILD.gn
and
var n=analytics.getService("Data Saver Extension")
in detailed_data_usage_compiled.js. These make me think that the analytics
may be part of the Android version or Chrome (where I assume that being
tracked is inevitable).
It seems uBO and uMatrix can block any behind-the-scenes XHR but of course it
is not safe to assume that as a guarantee.
> Maybe data are send every time 10 MB were collected, maybe only on
Halloween day
I have thought about that too. Still I have no proof for or against it. Just
like I don't have a proof that Firefox actually respects the telemetry
disabling through about:config.
> maybe when a website using Google Analytics is visited (more than 60% of
the top-100k sites according to
https://trends.builtwith.com/analytics/Google-Analytics : scary), etc. With
obfuscated JavaScript involved, it is hard to be sure...
When I have worked on sites which have GA and have monitored each and every
XHR I have never seen data submission beyond what the actual site sends to
GA. So I would exclude that (unless the spyware which we suspect sends data
in a way which is not visible in browser console (not impossible, still no
proof)).
BTW if https://www.google-analytics.com/analytics.js is unminified it is not
impossible to understand what it does. I remember some time ago (> year)
looking at that code and I didn't see any functionality which is not in GA
documentation.
I wouldn't trust that scary stats. I would rather say it is incomplete
because GA has an API which allows sending data to GA without JavaScript
(e.g. from PHP). I have used it, it works. It can't report things like
browser resolution etc. but it still can report the parameters which are
available without JS. So just because there is no explicit HTTP request to
google-analytics.com on the front-end doesn't mean the site is not using GA.
I.e. - disabling JS does not save you from GA.
Something else which I noticed today: A bug report about Chromium with owner
with email address @intel.com (What has Intel to do with Chromium?)
https://bugs.chromium.org/p/chromium/issues/detail?id=752375
> "This dependency is here temporarily".
Yes and it also says "#TODO(crbug/750327)". I tried to visit that bug:
https://bugs.chromium.org/p/chromium/issues/detail?id=750327
but I am getting:
"You do not have permission to view the requested page.
Reason: User is not allowed to view this issue"
which is quite strange for an "open source" project. Normally only specific
security related bug reports are invisible to the general public (to avoid
the possibility of privacy issues) but unrar?
> I have never heard of licensing issues in Firefox.
I think we have:
https://trisquel.info/en/forum/web-browser#comment-125929
> For instance, it states that the GPL is incompatible with the MPL.
Is that not an issue? And does it really matter if all the forks (including
Tor browser) inherit the telemetry code (and who knows what else) and simply
disable it through prefs?
I am still unclear which browser is safe to use.
Maybe we are way off-topic already but it is still a common question about
all free software. When an organization like FSF recommends things it is not
quite fair not to take certain responsibility in the quality of what they
recommend. Otherwise the recommendation creates the impression that something
has been thoroughly tested. "Does not include proprietary software at all"
should be questioned more deeply because a feature like telemetry is a form
of proprietary behavior in which the proprietor collects data. So I think FSF
should not recommend any distro which includes a fork of Firefox unless it
has been checked that the telemetry code has been completely removed (and not
just disabled through prefs).