[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Data collection by Tor Browser



Thanks Georg and Roger.



I have taken some time to read the links given by Roger and try to understand various terms related to tracking/privacy on the internet.


Basically, I understand that there would be a need to gather some technical data to keep the Tor network running and also improve the Tor network and if there is any sensitive data gathered at all then it would be for as short as time as possible depending on the requirements and also not made public.

Further, I would like to ask:
1. Whether any extensions (such as HTTPS, NoScript) or other technologies/tools in-built (preinstalled) in Tor browser would be gathering data?
(or in other words: Should I go through their terms or contact them separately?)

2. Can Tor browser or Tor client be used in a commercial environment? (by an organization or individuals who are self-employed)

Thank you.


---- On Wed, 06 Mar 2019 00:32:00 -0800 Georg Koppen <mailto:gk@xxxxxxxxxxxxxx> wrote ----


npdflr: 
> Hi, 
> 
> 
> Does Tor browser itself collect any data (Technical data, Web activity data, Personal data etc)? 
> 
> 
> 
> As Tor is a modified Firefox ESR, does Tor browser follow the Firefox Data Collection Practice? (https://wiki.mozilla.org/Firefox/Data_Collection) 
 
No, there is no such data collection by the browser itself. We try 
pretty hard to disable things like telemetry and other potential data 
collection mechanisms. If we have overlooked something here then this is 
a bug we should fix. 
 
Georg








---- On Fri, 01 Mar 2019 21:13:32 -0800 Roger Dingledine <mailto:arma@xxxxxxxxxxxxxx> wrote ----



On Fri, Mar 01, 2019 at 08:00:17PM -0800, npdflr wrote:

> Does Tor browser itself collect any data (Technical data, Web activity data, Personal data etc)?

> 

> As Tor is a modified Firefox ESR, does Tor browser follow the Firefox Data Collection Practice? (https://wiki.mozilla.org/Firefox/Data_Collection)



I believe the answer is no, Tor Browser shouldn't tell anybody else

any of these things about you.



You can read the Tor Browser design goals here:

https://www.torproject.org/projects/torbrowser/design/

and anything where it reveals your browsing activity would count as a

bug -- and depending on the type of information leak, could qualify for

a bug bounty: https://hackerone.com/torproject ;.



Three caveats to my answer though:



(1) This word 'collect' is confusing, because that word sure makes it

sound like it includes internal program data structures. The browser

needs to know something about your web activity while it's loading web

pages for you, and that by itself isn't harmful. The key question is

whether it shares that information with anybody else. For this sort of

user info, we aim to stick to the principle of "no secret databases",

that is, anything that we gather should be so sanitized, and so safe to

collect, that we share it with everybody else too. That way we're never

in the position where attackers might want to break into our systems to

learn more about our users.

https://www.freehaven.net/anonbib/#wecsr10measuring-tor

For browser activity, the obvious simple approach to only publishing

safe things is to publish nothing at all, which is what we try to do.



(2) I might not be up on the latest Tor Browser moves, so it's possible

there are some open tickets for disabling telemetry or the like which

aren't yet fixed. Keeping up with the constant changes to Firefox is tough

to do perfectly. I'll let the browser team jump in here if they want.



(3) Other places on the Internet could still keep statistics, based

on your connections to them. I'm thinking in particular of:



(3a) the addons.mozilla.org server, which ought to see just anonymized

connections over Tor, but that still lets them gather general statistics

like how many Tor users there are, what extensions they have installed,

etc. Similarly, the periodic update pings, and update fetches, happen

over Tor but can still be counted in the aggregate:

https://metrics.torproject.org/webstats-tb.html

https://blog.torproject.org/making-tor-browser-updates-stable-and-reliable-fastly



and



(3b) the Tor relays, which see connections from the Tor client that is

part of Tor Browser. Because of the decentralized Tor design, no single

relay should be able to learn both who you are and also what you do on

the Tor network. But they can still collect what they observe about who

you are. Relays collect and publish aggregate statistics about the users

they see (but not what they do, because they can't learn that). For much

more info, see https://metrics.torproject.org/about.html



and



(3c) other researchers might perform experiments using their own

internet connections to try to answer questions about Tor performance,

usage, safety, etc. The ones who are doing it right will consider how

to minimize risks while doing their experiments:

https://research.torproject.org/safetyboard.html



Hope this helps!

--Roger



-- 

tor-talk mailing list - mailto:tor-talk@xxxxxxxxxxxxxxxxxxxx

To unsubscribe or change other settings go to

https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk