Several of these suggestions seem somewhat disingenuous - e.g. many of them to be about free software more than actual concerns about tracking, as reflected in the labels "Proprietary" and "Free alternatives". In particular:
- None of the proprietary browsers will track you - well, beyond what's specified in the privacy policy. Two of the alternatives are Tor applications, but the other two are Firefox (which provides no additional protection) and GNUzilla IceCat (which has little reason to exist other than free software politics).
- Most of the browser add-ons are mostly about third-party tracking; these could be subject to PRISM, but the notes suggest that the concern is more about the third-party tracking itself and non-free software (in the case of Ghostery).
- Ditto with the notes in cloud storage, which discount three storage systems with client-side encryption (i.e. equal protection) because they are proprietary.
- The media publishing section promotes third-party blog publishing services for "privacy and security", even though most blogs are public and thus have no need for either.
- Ditto above with Icedove vs. Thunderbird in the email desktop clients section.
- iOS is advised against with a misleading claim that "iOS devices contain hardware tracking" due to a long-patched bug. The claim about it being impossible to verify whether an iOS app was compiled from the original source is disingenuous, as this is rarely done on any platform, but would certainly be possible to do on iOS if the developer cared.
- OS X and Windows won't track you. (Chrome OS won't either, but it strongly encourages using cloud services which will, so I'll concede that.)
In the claims that proprietary software won't track you, I am assuming that the NSA will not compel (or has not compelled) these companies to modify their software to include secret tracking. This claim is made explicitly under the operating system section: "Apple, Google, and Microsoft are a part of PRISM. Their proprietary operating systems cannot be trusted to safeguard your personal information from the NSA." But even considering all that we have heard about the NSA, this seems absurd, far beyond what they are willing to do, and even if it were true, using free software would not necessarily prevent the US-based host of the download from being similarly compelled. Moreover, someone would probably notice (unless it were an intentionally introduced but otherwise unremarkable security bug, but it's sure easy enough to find real zero-days in software, free or not, without having to resort to that! - not that that should necessarily make you feel better.)
> Several of these suggestions seem somewhat disingenuous - e.g. many of them to be about free software more than actual concerns about tracking [..] None of the proprietary browsers will track you.
No, these issues are very much related. It is the very nature of proprietary software that you cannot inspect and modify it, so you cannot know if it will track you or not, and cannot fix things if you are.
(Inspecting outgoing traffic is helpful, but unless you monitor all activity all the time, and make the effort to actually understand every single bit that is transmitted, you can't be certain.)
Furthermore, some of these browsers explicitly do track you. For example, Internet Explorer, Chrome and Safari provide ways to sync your bookmarks, all of which track you - and some of them encourage you to do this, for example if you do not log in to Chrome it says "you're missing out". (Firefox also has a sync service, but it is encrypted on the client, so the server cannot read the information, and you can't be tracked.)
Although proprietary software may be easier for a government to compel to be modified to add tracking, it still runs the risk of being noticed in most reasonable cases, and there is in fact no evidence that any Western government is doing any such thing. It does increase the chance that you are being tracked due to incompetence, but I don't think this is particularly likely for such well-known software.
True, there is a difference with the bookmark sync - I do not think it is valid to discount a browser entirely based on this.
You seem to be assuming that tracking only happens either through incompetence or government mandate? Companies also track users to make money. Just today there was the news that Twitter is starting to track its users, for example (at least it is opt-out).
Tracking in client-side software that occurs to make money is typically described in privacy policies, and a browser adding additional tracking would likely cause an uproar. While Firefox may provide a better default regarding sync, there is a difference between saying "stop using Chrome" and "enable client-side encryption".
> Tracking in client-side software that occurs to make money is typically described in privacy policies, and a browser adding additional tracking would likely cause an uproar
Emphasis mine. Yes, you might trust them not to track you, or to trust that someone will find out if they do, and that you will hear about it if so. But far better would be to use an open source browser (either Firefox or Chromium).
Twitter has been and will continue to track users' (and possibly non-users') external web activity through their embedded buttons on so many pages. They're now beginning to sell that data, and that's what you can opt out of.
> For example, Internet Explorer, Chrome and Safari provide ways to sync your bookmarks, all of which track you
Safari is getting especially terrible. You can either sync "Safari" with iCloud or you don't. This includes bookmarks, but also ALL OPEN TABS ("iCloud tabs"). My bookmarks are absolutely harmless, my open tabs are highly sensitive. Apple sucks at services. :(
"In the claims that proprietary software won't track you, I am assuming that the NSA will not compel (or has not compelled) these companies to modify their software to include secret tracking."
The assumption that the NSA would never compel software vendors to include tracking code seems completely unjustified to me. It makes no sense at all to accept all the inconvenience that comes with avoiding NSA tracking and then use closed source software.
But I think many of the suggestions on this list are completely unworkable. Using Tor isn't just a little slower. It's unusably slow for regular browsing. Using noscript is nonsense. It breaks almost all websites nowadays.
They do not use visited URLs. While Firefox separates its location and search bars, this seems to me more of a design choice than a privacy one. I could be wrong! - but then again, the much bigger privacy risk is using Google in the first place, and if you switch to a different search engine then Google stops receiving autocomplete too.
You are wrong, they specifically say that this is a privacy measure to anyone who whines that they want a "superbar" like Chrome's.
Using Google is a privacy risk but at least you can control it with Firefox, when typing URLs that need privacy. Who the hell can verify what Google (and the NSA listening to their pipes) does with your visited URLs? If you use another search engine, Google can see that, and it's one more piece of information.
> None of the proprietary browsers will track you.
Can you elaborate a bit on this, how do you know they won't? My default assumption is that anything I can't see the source code of and compile myself is compromised.
Sociologically: there is a surprisingly large contingent of people who believe that if a company makes a claim, it's the God's honest Truth. The OP may not necessarily fall into this camp.
Technically: if the browsers were somehow phoning home, even if the data were highly fuzzed, I'm sure there would be guys like tpatcek who would manage to detail, if not the content of the tracking, at least the amount of data sent and the targets. I don't recall there being such a scandal in recent memory.
It is possible to send data along with other data so that it's reaaally hard to find. Also, they don't need to send data all the time, but rather activate this mode on request, say when a person using this browser is a suspect for some reason and govt needs to track his every move on the internet. This would make detecting of such a functionality virtually impossible, because it'd be turned off most of the time for most people.
It is possible. However, considering that it would only take one person being exceptionally curious with IDA, one employee to blow the whistle (the source is still "open" to a fairly large number of people, and a backdoor is far harder to hide than passive collection of existing data), or one slipup to cause a massive amount of PR damage, and this has never occurred, nor does the Snowden leak suggest this is happening, I personally consider this claim extremely improbable. YMMV.
I wonder if anyone tried frequency-modulating the data stream they send home, i.e. encode the sensitive data as changes in frequency of sending packets. Now try to Wireshark that one.
> Although proprietary software may be easier for a government to compel to be modified to add tracking, it still runs the risk of being noticed in most reasonable cases, and there is in fact no evidence that any Western government is doing any such thing. It does increase the chance that you are being tracked due to incompetence, but I don't think this is particularly likely for such well-known software.
Do you inspect every single line of code? Or at least grep the file list to see if you find a suspicious looking name? Don't think so. Your default assumption should thus be 'everything is compromised' since you did not verify it :]
Unless they frequency-modulate the packets they send home to transmit additional data and you'd probably never figure it out looking at Wireshark output that they are sending more than meets the eye. This is a simple trick; there are probably many others I can't even think of.
I've never heard the term "frequency-modulate" applied to software, and Wikipedia only knows about the radio kind of modulation. Can you please explain what this is?
This is an interesting idea. I assume by "frequency modulation" of data, he means adjusting the timing of the transmissions to create an out-of-band channel that might be more difficult to notice when packet sniffing. As a crude example, if I uploaded War and Peace to you, not as a steady stream of traffic, but as bursts of dots and dashes, I could send "The Magic Words are Squeamish Ossifrage" in Morse code. (Although in the context of apps phoning home, I'm not sure what the advantage is over simply encrypting the stream...)
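The timing channel sketched in the comment above, as an added example that is not part of this thread: it is written from the analyst's side, showing what a defender with nothing but packet timestamps can look for. The two traffic streams are constructed in the script (a jittered once-per-second keep-alive, and a stream whose gaps alternate between a short and a long value to carry bits); the interval and jitter values, the function names and the `tol` / `cv` thresholds are all assumptions chosen for the illustration, not figures from any real client.

```python
"""Inter-arrival timing analysis for spotting a timing-modulated covert channel.

Added example, not code from the thread or from any product discussed in it.
Both packet streams below are constructed in this file so that it runs offline.
"""
import random
import statistics


def gaps(timestamps):
    """Inter-arrival intervals between consecutive packet timestamps (seconds)."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def make_benign(n, period=1.0, jitter=0.05, seed=1):
    """Constructed sample: an ordinary keep-alive sent every `period` seconds with small jitter."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(n):
        t += period + rng.uniform(-jitter, jitter)
        out.append(t)
    return out


def make_modulated(bits, short=0.5, long=1.5, jitter=0.05, seed=2):
    """Constructed sample: the same kind of beacon, but each gap is 'short' for a 0
    and 'long' for a 1, so the timing itself carries a bit per packet (the
    'dots and dashes' idea from the comment). Payload bytes are irrelevant here."""
    rng = random.Random(seed)
    t, out = 0.0, [0.0]
    for b in bits:
        t += (long if b else short) + rng.uniform(-jitter, jitter)
        out.append(t)
    return out


def cluster_count(values, tol):
    """Number of distinct gap 'levels': sort the gaps and start a new cluster
    whenever the jump to the next value exceeds `tol` seconds."""
    s = sorted(values)
    count = 1
    for a, b in zip(s, s[1:]):
        if b - a > tol:
            count += 1
    return count


def timing_channel_score(timestamps, tol=0.2, cv_limit=0.2):
    """Heuristic detector (assumed thresholds): a periodic beacon should have one
    gap level and a low coefficient of variation; a stream whose gaps sit on
    two or more well-separated levels with high spread looks modulated."""
    g = gaps(timestamps)
    cv = statistics.pstdev(g) / statistics.mean(g)
    levels = cluster_count(g, tol)
    return {"cv": cv, "levels": levels, "suspicious": levels >= 2 and cv > cv_limit}


def demodulate(timestamps):
    """Recover the bit sequence once a two-level channel is suspected: split the
    gaps at the midpoint between the smallest and largest interval."""
    g = gaps(timestamps)
    threshold = (min(g) + max(g)) / 2
    return [1 if x > threshold else 0 for x in g]


if __name__ == "__main__":
    benign = make_benign(60)
    payload = [1, 0, 1, 1, 0, 0, 1, 0] * 4
    covert = make_modulated(payload)
    print("benign :", timing_channel_score(benign))
    print("covert :", timing_channel_score(covert))
    print("recovered bits match:", demodulate(covert) == payload)
```

The detector is deliberately crude: interactive traffic (a user clicking around) also has many gap levels and a high coefficient of variation, so this heuristic only makes sense on flows that are expected to be periodic, such as a client's telemetry or update beacon. That narrower framing is also why, as the comment notes, a stream the client could simply encrypt gains little from timing modulation; what the analyst still learns from the gap statistics is that the cadence is not what a plain keep-alive would produce.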
I'm at a bit of a crossroad, and I'm not entirely sure whether it's worth it; I've converted to Firefox from Chrome, moved to Piwik from Google Analytics, moved from Google Reader to Fever and so on. But it's just that it doesn't feel like it'll make a difference in the long run because nothing I'm doing will stop them if they actually do go after me.
It might help against tracking and such, but I feel like it's just an illusion that I'm making for myself. No matter what I do to try to prevent it, it won't matter in the long run; it just makes it that much more inconvenient for me.
It won't stop the government from getting at your data if they have time to spend actively targeting you. But it will stop them from passively slurping up your communications (possibly along with many other users') as part of an everyday protocol, which is surely an important difference.
(At least, for the present! I could totally imagine a near future where the government had a standard method to collect the data of various self-hosted services from VPS providers.)
On an individual level you’re probably right, if the government wants to track you, they might find a way—so this is more about doing the right thing because you hope more people do it. Google analytics, for example, is mainly problematic because everyone uses it, which creates a graph where at Google’s end, ip numbers can get a very detailed surfing history, as users hop from GA using server to GA using server. One person using Piwik changes nothing, many people using it will.
In relation to OSX, Windows, Chrome, IE, etc, I thought it was more to do with the fact that Apple, Microsoft and Google have all willingly turned over data to the feds...
Up until 2000, export control regulations made it illegal for a U.S. company to release cryptographic tools internationally with a key size greater than 40 bits. Lotus Notes got around this by making a deal with the NSA to let them encrypt an additional 24 bits with an NSA key to allow greater security from everyone else but let the NSA still access things easily. At least some have speculated the Windows NSAKEY was for a similar purpose.
A claim that has been explicitly denied by the companies in question. As serious as Snowden's leaks are, he has repeatedly made exaggerated claims regarding them, and I wish he would stop.