[liberationtech] Ghostery, NoScript.. add-ons frequently phone home

carlo von lynX lynX at time.to.get.psyced.org
Sat Apr 25 15:00:21 PDT 2015 

Just so you know, frequently the add-ons you recommend have
phone-home functionality just as Firefox itself.

Firefox by default connects Google to let it know your current 
IP of the day. Officially it is picking up precious info from
some safebrowsing*.google.com site.. you can disable it if you
dare to uncheck the "Block reported [evil cybercrimes]" boxes.
I was told it even lets Google have the cookie it uses to
identify you, so even if you use Tor, the five eyes immediately
know it is you. I didn't bother to check however.

Next thing it does is to connect a whole slew of
*addons.mozilla.org sites to make sure it won't miss out
on letting Mozilla know which version you are running etc.

Then it's the moment for the addons. NoScript immediately
sends a shout out to informaction.com while Ghostery...
Oh no! Ghostery! Weren't they supposed to be the good folks?
Yes, Ghostery has code in its init() function that looks
like this:

        if (JUST_UPGRADED) {
                metrics.recordUpgrade();
        } else if (JUST_INSTALLED) {
                SDK.timers.setTimeout(function () {
                        metrics.recordInstall();
                }, 300000);
        } else {
                metrics.recordInstall();
        }

You don't need to learn coding to understand that here is
a series of if/else-if/else which, whatever condition your
addon may be in, will result in some metrics.something()
getting executed. That function then happens to produce an
HTTP request targeted at "d.ghostery.com" which tells
Ghostery which IP address you are using today and whether
you are a nice person (Ghostrank=1) or not so nice (aka
Ghostrank=0). This allows Ghostery to measure how many
people are using their tool.. which sounds reasonable from
a business model point of view. Unfortunately, the problem
with business models is, there hardly seem to be any that
go together well with privacy. So once again a privacy tool
is protecting you really well from the truly nasty people,
but cutting out a little privileged exception for itself.

Is this a serious problem? Depends. I haven't checked whether
it sends identifying cookies along. Probably the information is 
rather anonymous - you may consider this no reason to worry.

I was a bit surprised to find that Ghostery calls home even
if I unchecked all the appropriate preferences, but it does.
You can opt out by blocking the hostname in your firewall.
At least until they change it to "e." or "f."

What do you folks think about this.. should we worry about
software calling home to report things about us? Do we really
have to inspect each specific case or should we be angry anyhow?
Where is the boundary of well-educated privacy software?

How much more capitalism can the web take? I see a systemic
problem of capitalism not getting along well with
constitutional duties.


-- 
  E-mail is public! Talk to me in private using Tor.
  torify telnet loupsycedyglgamf.onion		DON'T SEND ME
          irc://loupsycedyglgamf.onion:67/lynX  PRIVATE EMAIL
         http://loupsycedyglgamf.onion/LynX/    OR FACEBOOGLE

More information about the liberationtech mailing list