
Re: [tor-talk] Data collection by Tor Browser



npdflr

I'm sorry to top post, but it was the easiest way to get my message
across. If you're worried about information leakage, have you perhaps
looked into running Tails from a USB stick or on a VM?

Thanks,

Conrad

On Wed, May 15, 2019 at 4:49 AM Georg Koppen <gk@xxxxxxxxxxxxxx> wrote:
>
> npdflr:
> > Thanks Georg and Roger.
> >
> >
> >
> > I have taken some time to read the links given by Roger and try to understand various terms related to tracking/privacy on the internet.
> >
> >
> > Basically, I understand that there would be a need to gather some technical data to keep the Tor network running and also improve the Tor network and if there is any sensitive data gathered at all then it would be for as short a time as possible depending on the requirements and also not made public.
> >
> > Further, I would like to ask:
> > 1. Whether any extensions (such as HTTPS, NoScript) or other technologies/tools in-built (preinstalled) in Tor browser would be gathering data?
> > (or in other words: Should I go through their terms or contact them separately?)
>
> As far as I can tell, no, they should not gather data. If that's the
> case then this is a bug we should fix.
>
> > 2. Can Tor browser or Tor client be used in a commercial environment? (by an organization or individuals who are self-employed)
>
> Yes. There is nothing that speaks against that from the Tor side at least.
>
> Georg
>
> > Thank you.
> >
> >
> > ---- On Wed, 06 Mar 2019 00:32:00 -0800 Georg Koppen <mailto:gk@xxxxxxxxxxxxxx> wrote ----
> >
> >
> > npdflr:
> >> Hi,
> >>
> >>
> >> Does Tor browser itself collect any data (Technical data, Web activity data, Personal data etc)?
> >>
> >>
> >>
> >> As Tor is a modified Firefox ESR, does Tor browser follow the Firefox Data Collection Practice? (https://wiki.mozilla.org/Firefox/Data_Collection)
> >
> > No, there is no such data collection by the browser itself. We try
> > pretty hard to disable things like telemetry and other potential data
> > collection mechanisms. If we have overlooked something here then this is
> > a bug we should fix.
> >
> > Georg
> >
> > ---- On Fri, 01 Mar 2019 21:13:32 -0800 Roger Dingledine <mailto:arma@xxxxxxxxxxxxxx> wrote ----
> >
> > On Fri, Mar 01, 2019 at 08:00:17PM -0800, npdflr wrote:
> >> Does Tor browser itself collect any data (Technical data, Web activity data, Personal data etc)?
> >>
> >> As Tor is a modified Firefox ESR, does Tor browser follow the Firefox Data Collection Practice? (https://wiki.mozilla.org/Firefox/Data_Collection)
> >
> > I believe the answer is no, Tor Browser shouldn't tell anybody else
> > any of these things about you.
> >
> > You can read the Tor Browser design goals here:
> > https://www.torproject.org/projects/torbrowser/design/
> > and anything where it reveals your browsing activity would count as a
> > bug -- and depending on the type of information leak, could qualify for
> > a bug bounty: https://hackerone.com/torproject .
> >
> > Three caveats to my answer though:
> >
> > (1) This word 'collect' is confusing, because that word sure makes it
> > sound like it includes internal program data structures. The browser
> > needs to know something about your web activity while it's loading web
> > pages for you, and that by itself isn't harmful. The key question is
> > whether it shares that information with anybody else. For this sort of
> > user info, we aim to stick to the principle of "no secret databases",
> > that is, anything that we gather should be so sanitized, and so safe to
> > collect, that we share it with everybody else too. That way we're never
> > in the position where attackers might want to break into our systems to
> > learn more about our users.
> > https://www.freehaven.net/anonbib/#wecsr10measuring-tor
> > For browser activity, the obvious simple approach to only publishing
> > safe things is to publish nothing at all, which is what we try to do.
> >
> > (2) I might not be up on the latest Tor Browser moves, so it's possible
> > there are some open tickets for disabling telemetry or the like which
> > aren't yet fixed. Keeping up with the constant changes to Firefox is tough
> > to do perfectly. I'll let the browser team jump in here if they want.
> >
> > (3) Other places on the Internet could still keep statistics, based
> > on your connections to them. I'm thinking in particular of:
> >
> > (3a) the addons.mozilla.org server, which ought to see just anonymized
> > connections over Tor, but that still lets them gather general statistics
> > like how many Tor users there are, what extensions they have installed,
> > etc. Similarly, the periodic update pings, and update fetches, happen
> > over Tor but can still be counted in the aggregate:
> > https://metrics.torproject.org/webstats-tb.html
> > https://blog.torproject.org/making-tor-browser-updates-stable-and-reliable-fastly
> >
> > and
> >
> > (3b) the Tor relays, which see connections from the Tor client that is
> > part of Tor Browser. Because of the decentralized Tor design, no single
> > relay should be able to learn both who you are and also what you do on
> > the Tor network. But they can still collect what they observe about who
> > you are. Relays collect and publish aggregate statistics about the users
> > they see (but not what they do, because they can't learn that). For much
> > more info, see https://metrics.torproject.org/about.html
> >
> > and
> >
> > (3c) other researchers might perform experiments using their own
> > internet connections to try to answer questions about Tor performance,
> > usage, safety, etc. The ones who are doing it right will consider how
> > to minimize risks while doing their experiments:
> > https://research.torproject.org/safetyboard.html
> >
> > Hope this helps!
> > --Roger
> >
> > --
> > tor-talk mailing list - mailto:tor-talk@xxxxxxxxxxxxxxxxxxxx
> > To unsubscribe or change other settings go to
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> >
>
>



-- 
Conrad Rockenhaus
https://www.rockenhaus.com
Cell: (254) 292-3350
Fax: (254) 875-0459