Differences between revisions 1 and 37 (spanning 36 versions)

Contents

Privacy issues in Debian packages
Detection tools
Reports
Issue categories
Documentation
See also

Privacy issues in Debian packages

Phone home

There are some common categories of phoning home:

version checks: gmic, basex

These packages either don't fit those categories or do lots of them and more:

gnome-calculator - fetches currencies
Firefox - multiple issues
Chromium - phones home in various ways, e.g. 792580, binary blob downloads, site engagement profiles, Google login tied-in with the browser
syncthing - data transfer volume, unique ID submission, version check and lots more, public data report
cura - phones home in various ways, patched out in Debian.
azure-cli - collects "anonymous" telemetry by default

Phone elsewhere

Connectivity

Some services need to know when system is "online". Best practice is to only rely on system services, optionally coupled with distro-specific public service like network-manager-config-connectivity-debian . An antipattern is to hardcode probing of a public service.

Packages determining connectivity by probing Apple website and Google DNS resolvers:

python3-aiorpcx - source

Packages determining connectivity by probing Google DNS resolvers:

DNS

Many network protocols need a nameserver. Best practice is to only rely on user input or system resolver. An antipattern is to hardcode one or more nameservers, either exclusively or as internal default.

Packages using Cloudflare and Freenom and Google DNS resolvers by default:

libanyevent-perl - source

Packages using Cloudflare and Google DNS resolvers by default:

ruby-github-pages-health-check - source
systemd - see "FallbackDNS" in systemd-resolved manpage, 923081, patched in Debian

Packages using Cloudflare and Google and Qaud9 DNS resolvers by default:

i2p-router - source

Packages using Google DNS resolvers by default:

anbox - source
python3-dnslib - source
dirmngr - source
dnss - source
electrum - source
gnunet - source
haci - source
libnetty-java - source
ltsp - source
movim - source
ocproxy - source
patator - source
php-react-socket - source
posman - source
python3-tempest - source
recon-ng - source
rtl-433 - source (embedded mongoose webserver)
smplayer - source (embedded mongoose webserver)
srsepc - source
swupdate - source (embedded mongoose webserver)

Packages using Google and UncensoredDNS DNS resolvers by default:

parallel - source

Packages using Google and 77.88.39.152 DNS resolvers by default:

libjreen-qt5-1 - source

ICE

WebRTC and SIP and similar protocols need a public-accessible TUN/STUN/TURN service across public networks. Best practice is to only rely on local configuration. an antipattern is to hardcode public STUN services, either exclusively or as internal default.

Packages using Ekiga STUN resolvers by default:

golang-github-ccding-go-stun-dev - source

Packages using Ekiga and GNUnet and Mozilla STUN resolvers by default:

gnunet source

Packages using Ekiga and SIPgate and Stuntman and more STUN resolvers by default:

psi - source
psi-plus - source

Packages using Ekiga and SIPphone and Google and Stuntman and Xten and more STUN resolvers by default:

movim - source

Packages using Google STUN resolvers by default:

Packages using Google and Stuntman STUN resolvers by default:

supertuxcart - source

Packages using SIPgate and SIPphone STUN resolvers by default:

twinkle - source

Packages using SIPphone STUN resolvers by default:

coccinella - source1 source2

Packages using Stuntman STUN resolvers by default:

Packages using Xten STUN resolvers by default:

siproxd - source

Data sharing

remmina - shares the clipboard with remote hosts over RDP by default
pidgin - shares typing notifications with remote peers by default
hw-probe - includes truncated salted hashes of MAC addresses and serial numbers in hardware probe reports
git-remote-bzr (all implementations) - leaks the local git branch name into the "branch nick" field of commits, which could get pushed to a remote repository

Data storage

web and other servers of various kinds default to logging information about requests over the network from external entities

Detection tools

Reports

usertagged under debian-devel
Debtags privacy facet
lintian privacy-breach tags: generic donation facebook google-adsense google-cse google-plus logo piwik statistics-website twitter uses-embedded-file w3c-valid-html

Issue categories

logging & verbose logging
homephoning without user consent
- cleartext
- TLS
featurebug: when a bug is also a feature
privacy defaults
- optin
- optout
traceability
no deletion of config files when uninstalling a package

Documentation

Debian Privacy Policy

-  ⇤ ← Revision 1 as of 2018-07-31 07:33:29 → 
  Size: 116
  Editor: JonasSmedegaard
  Comment: Initial draft.
+   ← Revision 37 as of 2020-10-19 13:34:41 → ⇥
  Size: 14326
  Editor: JonasSmedegaard
  Comment: Add link to Mozilla page on Privacy-related web technologies
-Deletions are marked like this.
+Additions are marked like this.
 Line 1:
+<<TableOfContents>>
-Line 5:
+Line 7:
- * gnome-calculator - fetches currencies when started
+There are some common categories of phoning home:

 * version checks: DebianPackage:gmic, DebianPackage:basex

These packages either don't fit those categories or do lots of them and more:

## please always include link to either bugreport (preferred) or documentation or source

 * gnome-calculator - [[https://gitlab.gnome.org/GNOME/gnome-calculator/issues/34|fetches currencies]]
 * Firefox - [[Firefox#Automatic_connections|multiple issues]]
 * Chromium - phones home in various ways, e.g. DebianBug:792580, [[https://lwn.net/Articles/648392/|binary blob downloads]], [[https://www.chromium.org/developers/design-documents/site-engagement|site engagement profiles]], [[https://blog.cryptographyengineering.com/2018/09/23/why-im-leaving-chrome/|Google login tied-in with the browser]]
 * syncthing - [[https://blog.harterrt.com/syncthing_data.html|data transfer volume, unique ID submission, version check and lots more]], [[https://data.syncthing.net/|public data report]]
 * cura - [[https://github.com/Ultimaker/Cura/issues/2810|phones home]] in various ways, [[https://salsa.debian.org/3dprinting-team/cura/blob/master/debian/patches/2001-no-default-telemetry.patch|patched out in Debian]].
 * azure-cli - collects "anonymous" telemetry by default

== Phone elsewhere ==

=== Connectivity ===

Some services need to know when system is "online".
Best practice is to only rely on system services,
optionally coupled with distro-specific public service like DebianPackage:network-manager-config-connectivity-debian .
An antipattern is to hardcode probing of a public service.

## please always include link to either bugreport (preferred) or documentation or source
Packages determining connectivity by probing Apple website and Google DNS resolvers:
 * DebianPackage:python3-aiorpcx - [[https://sources.debian.org/src/aiorpcx/0.18.4-1/aiorpcx/socks.py/?hl=361#L361|source]]

## please always include link to either bugreport (preferred) or documentation or source
Packages determining connectivity by probing Google DNS resolvers:
 * DebianPackage:byobu - [[https://sources.debian.org/src/byobu/5.133-1/usr/bin/wifi-status/?hl=33#L33|source]]
 * DebianPackage:paris-traceroute - [[https://sources.debian.org/src/paris-traceroute/0.93+git20160927-1/traceroute/traceroute.c/?hl=68#L68|source]]
 * DebianPackage:r-cran-curl - [[https://sources.debian.org/src/r-cran-curl/4.3+dfsg-1/R/nslookup.R/?hl=46#L46|source]]

=== DNS ===

Many network protocols need a nameserver.
Best practice is to only rely on user input or system resolver.
An antipattern is to hardcode one or more nameservers,
either exclusively or as internal default.

## please always include link to either bugreport (preferred) or documentation or source
Packages using Cloudflare and Freenom and Google DNS resolvers by default:
 * DebianPackage:libanyevent-perl - [[https://sources.debian.org/src/libanyevent-perl/7.170-2/lib/AnyEvent/DNS.pm/?hl=49#L49|source]]

## please always include link to either bugreport (preferred) or documentation or source
Packages using Cloudflare and Google DNS resolvers by default:
 * DebianPackage:ruby-github-pages-health-check - [[https://sources.debian.org/src/ruby-github-pages-health-check/1.16.1-2/lib/github-pages-health-check/resolver.rb/?hl=13#L13|source]]
 * DebianPackage:systemd - see "FallbackDNS" in [[https://manpages.debian.org/stretch/systemd/resolved.conf.5.en.html|systemd-resolved manpage]], DebianBug:923081, patched in Debian

## please always include link to either bugreport (preferred) or documentation or source
Packages using Cloudflare and Google and Qaud9 DNS resolvers by default:
 * DebianPackage:i2p-router - [[https://sources.debian.org/src/i2p/0.9.45-1/core/java/src/net/i2p/util/DNSOverHTTPS.java/?hl=67#L67|source]]

## please always include link to either bugreport (preferred) or documentation or source
Packages using Google DNS resolvers by default:
 * DebianPackage:anbox - [[https://sources.debian.org/src/anbox/0.0%7Egit20200526-1/src/anbox/container/lxc_container.cpp/?hl=50#L50|source]]
 * DebianPackage:python3-dnslib - [[https://sources.debian.org/src/python-dnslib/0.9.14-1/dnslib/proxy.py/?hl=115#L115|source]]
 * DebianPackage:dirmngr - [[https://sources.debian.org/src/gnupg2/2.2.20-1/doc/dirmngr.texi/?hl=341#L341|source]]
 * DebianPackage:dnss - [[https://sources.debian.org/src/dnss/0.0%7Egit20180721.0.2de63ab0-1/dnss.go/?hl=40#L40|source]]
 * DebianPackage:electrum - [[https://sources.debian.org/src/electrum/3.3.8-0.1/electrum/dnssec.py/?hl=261#L261|source]]
 * DebianPackage:gnunet - [[https://sources.debian.org/src/gnunet/0.13.1-1/src/dns/dns.conf.in/?hl=33#L33|source]]
 * DebianPackage:haci - [[https://sources.debian.org/src/haci/0.98c-2/modules/HaCi/Plugins/CrossRootNetTrace.pm/?hl=39#L39|source]]
 * DebianPackage:libnetty-java - [[https://sources.debian.org/src/netty/1:4.1.48-1/resolver-dns/src/main/java/io/netty/resolver/dns/DefaultDnsServerAddressStreamProvider.java/?hl=96#L96|source]]
 * DebianPackage:ltsp - [[https://sources.debian.org/src/ltsp/20.06-1/ltsp/client/init/45-networking.sh/?hl=29#L29|source]]
 * DebianPackage:movim - [[https://sources.debian.org/src/movim/0.17.1-1/linker.php/?hl=21#L21|source]]
 * DebianPackage:ocproxy - [[https://sources.debian.org/src/ocproxy/1.60-1/src/vpnns.c/?hl=60#L60|source]]
 * DebianPackage:patator - [[https://sources.debian.org/src/patator/0.8-1/patator.py/?hl=4466#L4466|source]]
 * DebianPackage:php-react-socket - [[https://sources.debian.org/src/reactphp-socket/1.4.0-1/src/Connector.php/?hl=64#L64|source]]
 * DebianPackage:posman - [[https://sources.debian.org/src/libpod/1.6.4+dfsg1-4/pkg/resolvconf/resolvconf.go/?hl=24#L24|source]]
 * DebianPackage:python3-tempest - [[https://sources.debian.org/src/tempest/1:24.0.0-4/tempest/config.py/?hl=726#L726|source]]
 * DebianPackage:recon-ng - [[https://sources.debian.org/src/recon-ng/5.1.1-2/recon/core/base.py/?hl=88#L88|source]]
 * DebianPackage:rtl-433 - [[https://sources.debian.org/src/rtl-433/20.02-1/src/mongoose.c/?hl=12007#L12007|source (embedded mongoose webserver)]]
 * DebianPackage:smplayer - [[https://sources.debian.org/src/smplayer/19.10.2%7Eds0-1/webserver/mongoose.c/?hl=11421#L11421|source (embedded mongoose webserver)]]
 * DebianPackage:srsepc - [[https://sources.debian.org/src/srslte/18.06.1-9/srsepc/src/main.cc/?hl=110#L110|source]]
 * DebianPackage:swupdate - [[https://sources.debian.org/src/swupdate/2020.04-1/mongoose/mongoose.c/?hl=11819#L11819|source (embedded mongoose webserver)]]

## please always include link to either bugreport (preferred) or documentation or source
Packages using Google and UncensoredDNS DNS resolvers by default:
 * DebianPackage:parallel - [[https://sources.debian.org/src/parallel/20161222-1.1/src/niceload/?hl=532#L532|source]]

## please always include link to either bugreport (preferred) or documentation or source
Packages using Google and `77.88.39.152` DNS resolvers by default:
 * DebianPackage:libjreen-qt5-1 - [[https://sources.debian.org/src/jreen/1.2.0-2.1/src/sjdns.cpp/?hl=56#L56|source]]

=== ICE ===

WebRTC and SIP and similar protocols need a public-accessible TUN/STUN/TURN service
across public networks.
Best practice is to only rely on local configuration.
an antipattern is to hardcode public STUN services,
either exclusively or as internal default.

## please always include link to either bugreport (preferred) or documentation or source
Packages using Ekiga STUN resolvers by default:
 * DebianPackage:golang-github-ccding-go-stun-dev - [[https://sources.debian.org/src/golang-github-ccding-go-stun/0.1.2-1/stun/const.go/?hl=21#L21|source]]

## please always include link to either bugreport (preferred) or documentation or source
Packages using Ekiga and GNUnet and Mozilla STUN resolvers by default:
 * DebianPackage:gnunet [[https://sources.debian.org/src/gnunet/0.13.1-1/src/nat/nat.conf.in/?hl=39#L39|source]]

## please always include link to either bugreport (preferred) or documentation or source
Packages using Ekiga and SIPgate and Stuntman and more STUN resolvers by default:
 * DebianPackage:psi - [[https://sources.debian.org/src/psi/1.3-6/src/psi_profiles.cpp/?hl=130#L130|source]]
 * DebianPackage:psi-plus - [[https://sources.debian.org/src/psi-plus/1.4.554-4/src/psi_profiles.cpp/?hl=130#L130|source]]

## please always include link to either bugreport (preferred) or documentation or source
Packages using Ekiga and SIPphone and Google and Stuntman and Xten and more STUN resolvers by default:
 * DebianPackage:movim - [[https://sources.debian.org/src/movim/0.17.1-1/app/widgets/Visio/visio.js/?hl=29#L29|source]]

## please always include link to either bugreport (preferred) or documentation or source
Packages using Google STUN resolvers by default:
 * DebianPackage:chromium - [[https://sources.debian.org/src/chromium/83.0.4103.116-3/chrome/browser/resources/media_router/extension/src/webrtc/peer_connection.js/?hl=225#L225|source1 (embedded libwebrtc)]], [[https://sources.debian.org/src/chromium/83.0.4103.116-3/chrome/browser/sharing/webrtc/ice_config_fetcher.cc/?hl=158#L158|source2]]
 * DebianPackage:janus - [[https://sources.debian.org/src/janus/0.10.3-1/debian/patches/2004_avoid_stun_privacy_breach.patch/?hl=13#L13|patched in Debian]]
 * DebianPackage:libqt5webenginecore5 - [[https://sources.debian.org/src/qtwebengine-opensource-src/5.14.2+dfsg1-2/src/3rdparty/chromium/chrome/browser/resources/media_router/extension/src/webrtc/peer_connection.js/?hl=225#L225|source (embedded libwebrtc)]]
 * DebianPackage:thunderbird - [[https://sources.debian.org/src/thunderbird/1:68.10.0-1/comm/chat/protocols/matrix/matrix-sdk/webrtc/call.js/?hl=74#L74|source]]

## please always include link to either bugreport (preferred) or documentation or source
Packages using Google and Stuntman STUN resolvers by default:
 * DebianPackage:supertuxcart - [[https://sources.debian.org/src/supertuxkart/1.1+ds-1/src/config/user_config.hpp/?hl=770#L770|source]]

## please always include link to either bugreport (preferred) or documentation or source
Packages using SIPgate and SIPphone STUN resolvers by default:
 * DebianPackage:twinkle - [[https://sources.debian.org/src/twinkle/1:1.10.1+dfsg-4/data/providers.csv/?hl=5#L5|source]]

## please always include link to either bugreport (preferred) or documentation or source
Packages using SIPphone STUN resolvers by default:
 * DebianPackage:coccinella - [[https://sources.debian.org/src/coccinella/0.96.20-9/components/Phone/IAX/JingleIax.tcl/?hl=151#L151|source1]] [[https://sources.debian.org/src/coccinella/0.96.20-9/lib/Proxy.tcl/?hl=287#L287|source2]]

## please always include link to either bugreport (preferred) or documentation or source
Packages using Stuntman STUN resolvers by default:
 * DebianPackage:libglobus-xio-udt-driver - [[https://sources.debian.org/src/globus-xio-udt-driver/2.2-1/globus_xio_udt_ref.cpp/?hl=271#L271|source]]
 * DebianPackage:libjs-jsxc - [[https://sources.debian.org/src/libjs-jsxc/3.0.0+dfsg3-2/src/jsxc.lib.options.js/?hl=243#L243|source]]
 * DebianPackage:ruby-rails-assets-diaspora-jsxc - [[https://sources.debian.org/src/ruby-rails-assets-diaspora-jsxc/0.1.5+dfsg2%7Edevelop.7-4/app/assets/javascripts/diaspora_jsxc/jsxc.js/?hl=7776#L7776|source (embedded jsxc)]]

## please always include link to either bugreport (preferred) or documentation or source
Packages using Xten STUN resolvers by default:
 * DebianPackage:siproxd - [[https://sources.debian.org/src/siproxd/1:0.8.1-4.1/doc/siproxd.conf.example/?hl=397#L397|source]]

== Data sharing ==

## please always include link to either bugreport (preferred) or documentation or source
 * remmina - shares the clipboard with remote hosts over RDP by default
 * pidgin - shares typing notifications with remote peers by default
 * hw-probe - includes truncated salted hashes of MAC addresses and serial numbers in hardware probe reports
 * git-remote-bzr (all implementations) - leaks the local git branch name into the "branch nick" field of commits, which could get pushed to a remote repository

== Data storage ==

 * web and other servers of various kinds default to logging information about requests over the network from external entities

= Detection tools =

 * DebianPackage:wireshark
 * [[https://github.com/evilsocket/opensnitch/|opensnitch]]
 * [[https://github.com/jonasdn/nsntrace/|nsntrace]]
 * [[https://github.com/kushaldas/unoon/|unoon]]

= Reports =

 * [[https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=debian-devel@lists.debian.org;tag=privacy|usertagged under debian-devel]]
 * [[https://debtags.debian.org/reports/facets/privacy|Debtags privacy facet]]
 * lintian privacy-breach tags: [[https://lintian.debian.org/tags/privacy-breach-generic.html|generic]] [[https://lintian.debian.org/tags/privacy-breach-donation.html|donation]] [[https://lintian.debian.org/tags/privacy-breach-facebook.html|facebook]] [[https://lintian.debian.org/tags/privacy-breach-google-adsense.html|google-adsense]] [[https://lintian.debian.org/tags/privacy-breach-google-cse.html|google-cse]] [[https://lintian.debian.org/tags/privacy-breach-google-plus.html|google-plus]] [[https://lintian.debian.org/tags/privacy-breach-logo.html|logo]] [[https://lintian.debian.org/tags/privacy-breach-piwik.html|piwik]] [[https://lintian.debian.org/tags/privacy-breach-statistics-website.html|statistics-website]] [[https://lintian.debian.org/tags/privacy-breach-twitter.html|twitter]] [[https://lintian.debian.org/tags/privacy-breach-uses-embedded-file.html|uses-embedded-file]] [[https://lintian.debian.org/tags/privacy-breach-w3c-valid-html.html|w3c-valid-html]]

= Issue categories =

 * logging & verbose logging
 * homephoning without user consent
   * cleartext
   * TLS
 * featurebug: when a bug is also a feature
 * privacy defaults
   * optin
   * optout
 * traceability
 * no deletion of config files when uninstalling a package

= Documentation =

 * [[https://www.debian.org/legal/privacy|Debian Privacy Policy]]

= See also =

 * [[https://developer.mozilla.org/en-US/docs/Web/Privacy|Privacy-related web technologies]]

Diff for "PrivacyIssues"