Thanks for sharing that info. That's what I was hoping to see from you when I asked you to show actual code in the web browsers thread.

What catches my eye is:
./android_webview/BUILD.gn

and

var n=analytics.getService("Data Saver Extension")

in detailed_data_usage_compiled.js. These make me think that the analytics may be part of the Android version or Chrome (where I assume that being tracked is inevitable).

It seems uBO and uMatrix can block any behind-the-scenes XHR but of course it is not safe to assume that as a guarantee.

> Maybe data are send every time 10 MB were collected, maybe only on Halloween day

I have thought about that too. Still I have no proof for or against it. Just like I don't have a proof that Firefox actually respects the telemetry disabling through about:config.

> maybe when a website using Google Analytics is visited (more than 60% of the top-100k sites according to https://trends.builtwith.com/analytics/Google-Analytics : scary), etc. With obfuscated JavaScript involved, it is hard to be sure...

When I have worked on sites which have GA and have monitored each and every XHR I have never seen data submission beyond what the actual site sends to GA. So I would exclude that (unless the spyware which we suspect sends data in a way which is not visible in browser console (not impossible, still no proof)).

BTW if https://www.google-analytics.com/analytics.js is unminified it is not impossible to understand what it does. I remember some time ago (> year) looking at that code and I didn't see any functionality which is not in GA documentation.

I wouldn't trust that scary stats. I would rather say it is incomplete because GA has an API which allows sending data to GA without JavaScript (e.g. from PHP). I have used it, it works. It can't report things like browser resolution etc. but it still can report the parameters which are available without JS. So just because there is no explicit HTTP request to google-analytics.com on the front-end doesn't mean the site is not using GA. I.e. - disabling JS does not save you from GA.

Something else which I noticed today: A bug report about Chromium with owner with email address @intel.com (What has Intel to do with Chromium?)

https://bugs.chromium.org/p/chromium/issues/detail?id=752375

> "This dependency is here temporarily".

Yes and it also says "#TODO(crbug/750327)". I tried to visit that bug:

https://bugs.chromium.org/p/chromium/issues/detail?id=750327

but I am getting:

"You do not have permission to view the requested page.

Reason: User is not allowed to view this issue"

which is quite strange for an "open source" project. Normally only specific security related bug reports are invisible to the general public (to avoid the possibility of privacy issues) but unrar?

> I have never heard of licensing issues in Firefox.

I think we have:

https://trisquel.info/en/forum/web-browser#comment-125929


> For instance, it states that the GPL is incompatible with the MPL.

Is that not an issue? And does it really matter if all the forks (including Tor browser) inherit the telemetry code (and who knows what else) and simply disable it through prefs?

I am still unclear which browser is safe to use.

Maybe we are way off-topic already but it is still a common question about all free software. When an organization like FSF recommends things it is not quite fair not to take certain responsibility in the quality of what they recommend. Otherwise the recommendation creates the impression that something has been thoroughly tested. "Does not include proprietary software at all" should be questioned more deeply because a feature like telemetry is a form of proprietary behavior in which the proprietor collects data. So I think FSF should not recommend any distro which includes a fork of Firefox unless it has been checked that the telemetry code has been completely removed (and not just disabled through prefs).

Reply via email to