[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] Data collection by Tor Browser
Thanks Georg and Roger.
I have taken some time to read the links given by Roger and try to understand various terms related to tracking/privacy on the internet.
Basically, I understand that there would be a need to gather some technical data to keep the Tor network running and also improve the Tor network and if there is any sensitive data gathered at all then it would be for as short as time as possible depending on the requirements and also not made public.
Further, I would like to ask:
1. Whether any extensions (such as HTTPS, NoScript) or other technologies/tools in-built (preinstalled) in Tor browser would be gathering data?
(or in other words: Should I go through their terms or contact them separately?)
2. Can Tor browser or Tor client be used in a commercial environment? (by an organization or individuals who are self-employed)
Thank you.
---- On Wed, 06 Mar 2019 00:32:00 -0800 Georg Koppen <mailto:gk@xxxxxxxxxxxxxx> wrote ----
npdflr:
> Hi,
>
>
> Does Tor browser itself collect any data (Technical data, Web activity data, Personal data etc)?
>
>
>
> As Tor is a modified Firefox ESR, does Tor browser follow the Firefox Data Collection Practice? (https://wiki.mozilla.org/Firefox/Data_Collection)
No, there is no such data collection by the browser itself. We try
pretty hard to disable things like telemetry and other potential data
collection mechanisms. If we have overlooked something here then this is
a bug we should fix.
Georg
---- On Fri, 01 Mar 2019 21:13:32 -0800 Roger Dingledine <mailto:arma@xxxxxxxxxxxxxx> wrote ----
On Fri, Mar 01, 2019 at 08:00:17PM -0800, npdflr wrote:
> Does Tor browser itself collect any data (Technical data, Web activity data, Personal data etc)?
>
> As Tor is a modified Firefox ESR, does Tor browser follow the Firefox Data Collection Practice? (https://wiki.mozilla.org/Firefox/Data_Collection)
I believe the answer is no, Tor Browser shouldn't tell anybody else
any of these things about you.
You can read the Tor Browser design goals here:
https://www.torproject.org/projects/torbrowser/design/
and anything where it reveals your browsing activity would count as a
bug -- and depending on the type of information leak, could qualify for
a bug bounty: https://hackerone.com/torproject ;.
Three caveats to my answer though:
(1) This word 'collect' is confusing, because that word sure makes it
sound like it includes internal program data structures. The browser
needs to know something about your web activity while it's loading web
pages for you, and that by itself isn't harmful. The key question is
whether it shares that information with anybody else. For this sort of
user info, we aim to stick to the principle of "no secret databases",
that is, anything that we gather should be so sanitized, and so safe to
collect, that we share it with everybody else too. That way we're never
in the position where attackers might want to break into our systems to
learn more about our users.
https://www.freehaven.net/anonbib/#wecsr10measuring-tor
For browser activity, the obvious simple approach to only publishing
safe things is to publish nothing at all, which is what we try to do.
(2) I might not be up on the latest Tor Browser moves, so it's possible
there are some open tickets for disabling telemetry or the like which
aren't yet fixed. Keeping up with the constant changes to Firefox is tough
to do perfectly. I'll let the browser team jump in here if they want.
(3) Other places on the Internet could still keep statistics, based
on your connections to them. I'm thinking in particular of:
(3a) the addons.mozilla.org server, which ought to see just anonymized
connections over Tor, but that still lets them gather general statistics
like how many Tor users there are, what extensions they have installed,
etc. Similarly, the periodic update pings, and update fetches, happen
over Tor but can still be counted in the aggregate:
https://metrics.torproject.org/webstats-tb.html
https://blog.torproject.org/making-tor-browser-updates-stable-and-reliable-fastly
and
(3b) the Tor relays, which see connections from the Tor client that is
part of Tor Browser. Because of the decentralized Tor design, no single
relay should be able to learn both who you are and also what you do on
the Tor network. But they can still collect what they observe about who
you are. Relays collect and publish aggregate statistics about the users
they see (but not what they do, because they can't learn that). For much
more info, see https://metrics.torproject.org/about.html
and
(3c) other researchers might perform experiments using their own
internet connections to try to answer questions about Tor performance,
usage, safety, etc. The ones who are doing it right will consider how
to minimize risks while doing their experiments:
https://research.torproject.org/safetyboard.html
Hope this helps!
--Roger
--
tor-talk mailing list - mailto:tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk