Privacy issues in Debian packages

Phone home

There are some common categories of phoning home:

• version checks: gmic, basex

These packages either don't fit those categories or do lots of them and more:

• gnome-calculator - fetches currencies

• Firefox - multiple issues

• Chromium - phones home in various ways, e.g. 792580, binary blob downloads, site engagement profiles, Google login tied-in with the browser

• syncthing - data transfer volume, unique ID submission, version check and lots more, public data report

• cura - phones home in various ways, patched out in Debian.

• azure-cli - collects "anonymous" telemetry by default

Phone elsewhere

• systemd - Uses Google DNS resolvers as internal default, not explicitly documented: See "FallbackDNS" in systemd-resolved manpage

Data sharing

• remmina - shares the clipboard with remote hosts over RDP by default
• pidgin - shares typing notifications with remote peers by default
• hw-probe - includes truncated salted hashes of MAC addresses and serial numbers in hardware probe reports

Data storage

• web and other servers of various kinds default to logging information about requests over the network from external entities

Detection tools

• wireshark

• opensnitch

• nsntrace

• unoon

Reports

• usertagged under debian-devel

• Debtags privacy facet

• lintian privacy-breach tags: generic donation facebook google-adsense google-cse google-plus logo piwik statistics-website twitter uses-embedded-file w3c-valid-html

Issue categories

• logging & verbose logging

• homephoning without user consent
  • cleartext
  • TLS
• featurebug: when a bug is also a feature
• privacy defaults
  • optin
  • optout
• traceability
• no deletion of config files when uninstalling a package