Wiki

• FrontPage
• RecentChanges
• FindPage
• HelpContents
• PrivacyIssues

Documentation

• Debian Privacy Policy

• Privacy-related web technologies

Detection tools

• wireshark

• opensnitch

• nsntrace

• unoon

• picosnitch

• Safing Portmaster

• qemu with filter-dump

Mitigations

• Some of the detection tools can also block access
• There are environment variables that disable telemetry:

  • Opt-out from telemetry collection https://github.com/beatcracker/toptout

  • DO_NOT_TRACK=1 is somewhat standardised according to https://consoledonottrack.com/

Issue categories

• logging & verbose logging

• homephoning without user consent
  • cleartext
  • TLS
• featurebug: when a bug is also a feature
• privacy defaults
  • optin
  • optout
• traceability
• no deletion of config files when uninstalling a package
• data leakage
  • software names and version numbers

Reports

• usertagged under debian-devel

• Debtags privacy facet

• lintian privacy-breach tags: generic donation facebook google-adsense google-cse google-plus logo piwik statistics-website twitter uses-embedded-file w3c-valid-html

Privacy issues in Debian packages

Phone home

There are some common categories of phoning home:

• version checks: gmic, basex

These packages either don't fit those categories or do lots of them and more:

• gnome-calculator - fetches currencies

• Firefox - multiple issues

• Thunderbird - as of Oct 2023, there is opt-out telemetry that is not yet patched for Debian: 972761

• Chromium - phones home in various ways, e.g. 792580, binary blob downloads, site engagement profiles, Google login tied-in with the browser

• syncthing - data transfer volume, unique ID submission, version check and lots more, public data report

• cura - phones home in various ways, patched out in Debian.

• azure-cli - collects "anonymous" telemetry by default

• glances - connects to several online services to discover public IP 850258

• Web browsers and extensions load pages on first start of new browser profiles:

  • Firefox ironically loads the Mozilla Firefox Privacy Notice page

  • webext-bulk-media-downloader loads the website and includes version info in the parameters (908450)

• Golang is planning on implementing enabled-by-default telemetry.

Phone elsewhere

Connectivity

Some services need to know when system is "online". Best practice is to only rely on system services, optionally coupled with distro-specific public service like network-manager-config-connectivity-debian . An antipattern is to hardcode probing of a public service.

Packages determining connectivity by probing Apple website and Google DNS resolvers:

• python3-aiorpcx - source

Packages determining connectivity by probing Google DNS resolvers:

• byobu - source

• paris-traceroute - source

• r-cran-curl - source

DHCP

When dynamically requesting an IP number using DHCP, something unique needs to be provided to keep track of provided IP numbers. Tracking here is not inherently bad - it is a tradeoff: Some systems want a long-term stable IP address (e.g. your public IP from an ISP), whereas others may want a quick throwaway address (e.g. a laptop at an airport).

Also, DHCP servers may ask for additional information that is not strictly needed, or DHCP clients may provide information that was not asked for.

Systemd-networkd supports option DHCPv4.Anonymize to optionally avoid several identifiers.

DNS

Many network protocols need a nameserver. Best practice is to only rely on user input or system resolver. An antipattern is to hardcode one or more nameservers, either exclusively or as internal default.

Packages using Cloudflare and Freenom and Google DNS resolvers by default:

• libanyevent-perl - source

Packages using Cloudflare and Google DNS resolvers by default:

• ruby-github-pages-health-check - source

• systemd - see "FallbackDNS" in resolved.conf, 923081, patched in Debian

Packages using Cloudflare and Google and Qaud9 DNS resolvers by default:

• i2p-router - source

Packages using Google DNS resolvers by default:

• anbox - source

• python3-dnslib - source

• dirmngr - source

• dnss - source

• electrum - source

• gnunet - source

• haci - source

• libnetty-java - source

• ltsp - source

• movim - source

• ocproxy - source

• patator - source

• php-react-socket - source

• posman - source

• python3-tempest - source

• recon-ng - source

• rtl-433 - source (embedded mongoose webserver)

• smplayer - internal default of embedded mongoose webserver: 1023546; hardcoded test in Chromecast feature: 1023547

• srsepc - source

• swupdate - internal default of embedded mongoose webserver: 1023544

Packages using Google and UncensoredDNS DNS resolvers by default:

• parallel - source

Packages using Google and 77.88.39.152 DNS resolvers by default:

• libjreen-qt5-1 - source

ICE

WebRTC and SIP and similar protocols need a public-accessible TUN/STUN/TURN service across public networks. Best practice is to only rely on local configuration. an antipattern is to hardcode public STUN services, either exclusively or as internal default.

Packages using Ekiga STUN resolvers by default:

• golang-github-ccding-go-stun-dev - source

Packages using Ekiga and GNUnet and Mozilla STUN resolvers by default:

• gnunet source

Packages using Ekiga and SIPgate and Stuntman and more STUN resolvers by default:

• psi - source

• psi-plus - source

Packages using Ekiga and SIPphone and Google and Stuntman and Xten and more STUN resolvers by default:

• movim - source

Packages using Google STUN resolvers by default:

• chromium - source1 (embedded libwebrtc), source2

• janus - patched in Debian

• libqt5webenginecore5 - source (embedded libwebrtc)

• thunderbird - source

Packages using Google and Stuntman STUN resolvers by default:

• supertuxcart - source

Packages using SIPgate and SIPphone STUN resolvers by default:

• twinkle - source

Packages using SIPphone STUN resolvers by default:

• coccinella - source1 source2

Packages using Stuntman STUN resolvers by default:

• libglobus-xio-udt-driver - source

• libjs-jsxc - source

• ruby-rails-assets-diaspora-jsxc - source (embedded jsxc)

Packages using Xten STUN resolvers by default:

• siproxd - source

Data sharing

• remmina - shares the clipboard with remote hosts over RDP by default
• pidgin - shares typing notifications with remote peers by default
• hw-probe - includes truncated salted hashes of MAC addresses and serial numbers in hardware probe reports
• lspci - looks up local PCI devices in DNS if given the -q/-qq/-Q options
• git-remote-bzr (all implementations) - leaks the local git branch name into the "branch nick" field of commits, which could get pushed to a remote repository

Data leakage

• Lots of different software leaks software names and version numbers into output

  • DNS servers respond with it to this command: dig +short @f.root-servers.net version.bind chaos txt

    • These DNS servers are definitely affected: unbound, bind

  • Mail user agents leak this into one of several headers: User-Agent Mailer X-Mailer

    • These MUAs are definitely affected: evolution

  • XMMP clients leak this in resource names or the Operating System and or Client fields of responses to "Get Info" requests

    • These clients are definitely affected: bitlbee libpurple conversations profanity psi

  • Mail servers leak this into the Received header

    • These MTAs are definitely affected: exim

  • Web browsers leak this into the User-Agent header

    • Almost all HTTP clients do this by default
  • File format writing software leaks this into files

    • Inkscape leaks this into the inkscape:version attribute of the svg element of SVG files.

• Some software leaks the local time or timezone
  • Probably almost all protocols and clients do this

  • Web browsers leak this to the getTimezoneOffset() ?JavaScript

    • All modern web browsers do this, less modern ones may or may not

  • XMMP clients leak this in the Local Time field of responses to "Get Info" requests

    • These clients are definitely affected: bitlbee libpurple psi
• Some software leaks hostname
  • DHCP servers may ask for hostname, and DHCP clients may provide hostname even without being asked
• Some software leaks local paths

  • Inkscape leaks the local path to the exported PNG file into the inkscape:export-filename attribute of the svg element of SVG files.

Data storage

• web and other servers of various kinds default to logging information about requests over the network from external entities

Telemetry libraries

Debian contains some telemetry client libraries and some packages depend or build-depend on them. The code calling these libraries may or may not be active by default, often API keys are required before data may be submitted.

• Sentry: requires something called a DSN before the client libraries will send to the server. Server side is BSL licensed, Apache2 licensed after 36 months, so it is self-hostable. Client libraries in Debian: golang-github-getsentry-sentry-go golang-raven-go ruby-sentry-raven sentry-python node-raven-js

• Glean: setting true as the value of the uploadEnabled parameter to the Glean initialize function enables uploading telemetry information.

• OpenTelemetry: Client libraries in Debian: golang-opentelemetry-otel

• Socket's list of JavaScript telemetry libraries

Logging

Servers listening on the network may log information about visitors to the service.

There are many kinds of servers that do this:

• Web (listen on port 80/443):
  • apache2: logs client IP addresses by default, default retention period 2 weeks

See also

• KDE telemetry policy and use.