Re: [tor-talk] trackers in OONI Probe Mobile App / was: NEW RiseupVPN test in OONI Probe Mobile App
- To: Christian Pietsch <christian.pietsch@xxxxxxxxxxxxxxxxx>
- Subject: Re: [tor-talk] trackers in OONI Probe Mobile App / was: NEW RiseupVPN test in OONI Probe Mobile App
- From: Maria Xynou <maria@xxxxxxxxxxxxxxxxxxx>
- Date: Fri, 12 Feb 2021 19:09:32 +0100
- Cc: tor-talk@xxxxxxxxxxxxxxxxxxxx
- Delivered-to: archiver@xxxxxxxx
- Delivery-date: Fri, 12 Feb 2021 13:09:50 -0500
- In-reply-to: <20210210105634.GE3825@localhost>
- References: <20210205174500.GA10422@localhost> <598d001f-1ef3-14c4-b558-3224dbcbe36c@openobservatory.org> <20210210105634.GE3825@localhost>
- Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
- Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
Hi Christian,
Thanks so much for sharing this detailed feedback and for helping us to
improve the OONI Probe apps.
We previously received legal consultation to ensure our apps and data
policies are GDPR compliant, but more eyes are always better!
Apart from GDPR compliance, we generally aim to adhere to best practices
when it comes to data collection, as we genuinely care about user
privacy and safety.
I have replied below:
On 10/02/21 11:56, Christian Pietsch wrote:
> Dear Maria,
>
> On Mon, Feb 08, 2021 at 11:15:43AM +0100, Maria Xynou wrote:
>> Importantly: You can opt-out of Countly and Firebase data collection by
>> disabling this in the Settings of your OONI Probe app.
> I'm afraid by the time users have found this opt-out, the app has
> already transmitted data to Google and Countly. This violates the
> GDPR. The GDPR also demands opt-ins for this kind of surveillance.
OONI Probe users opt-in to the collection of app usage metrics and crash
reports in 2 cases:
1. During the initial onboarding process (where the user is informed of
the collection of app usage metrics and crash reports, and they can opt
in to this)
2. When we added app usage collection, a modal appeared for OONI Probe
users, asking them if they want to opt-in to this (this modal also
appeared for users updating from older versions)
If users have opted-in and they change their mind, they can always go
back and opt-out through the settings of the app.
That said, your feedback made us realize that we should probably make
the opt-in process more clear in the onboarding, which is why we worked
yesterday on making relevant OONI Probe mobile and desktop app releases.
In the latest release:
* When you tap on "Change default settings" in the onboarding, you are
taken directly to settings where you can opt in to app usage metrics and
crash reports collection (it's disabled by default).
* We have removed Google Firebase Analytics entirely (it was previously
used as a dependency to make the use of Crashlytics better).
* We have removed Countly crash reports collection from F-Droid (this
was self-hosted).
>
>> We recently enabled Firebase because we were investigating several app
>> crashes that were not being displayed properly by Countly.
> This is not correct. According to the Ex0dus database, the OONI Probe
> app has included Google Firebase Analytics for many versions:
> https://reports.exodus-privacy.eu.org/en/reports/search/org.openobservatory.ooniprobe/
> The tracker you recently added is called Google CrashLytics:
> https://reports.exodus-privacy.eu.org/en/reports/163803/
What I meant is that we recently re-enabled Firebase Crashlytics, because:
* We realized that Countly doesn't do crash reporting well and we were
unable to investigate crashes.
* We weren't able to collect crash reports in countries where we're
blocked (when we were using the Countly self-hosted platform for crash
reports). While we agree that it's not optimal to use Google services
from a privacy perspective, Google services are less likely to get
blocked (due to the collateral damage that would cause).
Google Firebase Analytics was used alongside Google Firebase Crashlytics
because that is the recommended way to use Crashlytics (see:
https://firebase.google.com/docs/crashlytics/get-started?platform=android
&
https://firebase.googleblog.com/2020/09/crashlytics-analytics-together.html).
Yesterday we reviewed this more carefully, and concluded that since
Firebase Crashlytics seems to work well without Firebase Analytics, we
removed Firebase Analytics entirely from the latest OONI Probe mobile
release (2.9.3).
That said, we would prefer to use an alternative (non-Google) analytics
platform for crash reports, which is why we are temporarily using Sentry
(https://sentry.io/) for collecting crash reports on mobile too. We're
in the process of evaluating whether Sentry could serve as a replacement
for Firebase Crashlytics, and we're also evaluating other open source,
self-hosted options too (such as Acra recommended by Nathan).
It's worth noting that through the use of Countly (which is open source
and self-hosted), Firebase Crashlytics, and Sentry, we do *not* collect
any information that would enable us to identify users.
If you opt in to the collection of app usage metrics (which is not sent
to Google, as we host this), we will collect aggregate app usage data
(such as how many users tap on specific buttons), as this information
can help us better understand user needs and improve the app. We do not
collect the IP address of the user.
If you opt in to sharing crash reports with us, we will collect
sanitized technical data which will help us understand why the OONI
Probe app has crashed. We do not collect the IP address or a unique
identifier of the user (though Google may collect this, which is why we
would ideally like to replace Firebase Crashlytics).
All of this being said... the biggest risk to OONI Probe users is
probably not the aggregate/sanitized collection of app usage and crash
reports, but running OONI Probe itself: an investigatory tool
specifically designed to expose internet censorship.
For example, if a user runs OONI Probe in Iran, the biggest risk is
probably the fact that their ISP can likely see that they're running
OONI Probe, testing lots of censored/banned sites, and uploading test
results to servers hosted outside of Iran.
We inform users about this risk during the onboarding, where we present
users with a quiz that they have to answer correctly (demonstrating
their understanding of potential risks), as a prerequisite to using the
app and as part of practically acquiring their consent. We also link to
relevant documentation (written based on extensive legal consultation)
in the apps and on our website, and we discuss these risks during
workshops/meetings/presentations and other community interactions.
>
>> We are not sure if we are going to keep Firebase in the long-run, but
>> it's difficult to investigate app crashes without proper reports.
>>
>> Do you have any suggestions for better tools to collect app crashes on
>> Android?
> Are you looking for a replacement for Google CrashLytics or Google
> Firebase Analytics or both? I can ask around on Twitter and in the
> Fediverse if you need advice.
Thanks, that would be very helpful!
We have already removed Google Firebase Analytics (this was included as
it was the recommended integration for Firebase Crashlytics), and so
we're mainly evaluating replacing Google Firebase Crashlytics with an
open source and privacy-preserving alternative.
>
>> You can learn more about OONI data practices through our Data Policy:
>> https://ooni.org/about/data-policy
> This document does not mention Google or Countly. This is another
> reason why your app violates the GDPR. In case you did not know, the
> GDPR is applicable law for anyone targeting EU users.
To be completely honest, I had no idea that specifying the analytics
platforms was a GDPR requirement (this was not communicated to us when
we received legal consultation, nor do I recall seeing this in the data
policies of other organizations in our field).
The only reason why we didn't name the specific analytics platforms in
our Data Policy was because we were trying out different solutions, and
we weren't sure what we would keep. This is why we, instead, pointed to
https://github.com/ooni/sysadmin, which includes details about our
specific setup.
To ensure full transparency and clarity, I have updated OONI's Data
Policy to include details about every analytics tool we use in the OONI
Probe mobile app, OONI Probe desktop app, and ooni.org.
You can view the updated version of the OONI Data Policy here:
https://ooni.org/about/data-policy
Overall, we're mainly using open source, self-hosted analytics tools
that users can opt in to, and we don't collect IP addresses. We're
looking into potentially replacing Firebase Crashlytics with something
open source and privacy-preserving, and we're going to request further
legal consultation with regard to GDPR compliance.
If you (or lawyers in your team) have any further feedback, we would
greatly appreciate it! Feel free to follow up with us off-list.
Thanks so much for your time, and thanks for helping us to improve OONI
Probe and our Data Policy.
Cheers,
Maria.
>
> Cheers,
> C:
--
Maria Xynou
Research & Partnerships Director
Open Observatory of Network Interference (OONI)
https://ooni.org/
PGP Key Fingerprint: 2DC8 AFB6 CA11 B552 1081 FBDE 2131 B3BE 70CA 417E