The F-Droid forum should stop tracking links with HTTP pings

Currently, F-Droid tracks how many times a link is clicked using HTTP pings. This behavior is a privacy invasion and is inappropriate. This is likely a default configuration of the forum software used by F-Droid. It should either be disabled or, if that isn’t currently an option, a feature request made to the upstream project to create an option to do so.


Can’t see such an option in the admin interface, so I created a request: Privacy: option to disable link clicks counting - feature - Discourse Meta


Thank you.

F-Droid tracks how many times a link is clicked using HTTP pings. This behavior is a privacy invasion and is inappropriate.

What about this is worse than all the other logging and statistics they keep and display F-Droid Forum with discourse?

Workaround maybe: Open links by Right click copy or long-press copy, then paste into new browser tab. Caution: may be considered cracking in some jurisdictions. :laughing:

Trade-off: Fewer badges like Hot links Hot Link badge on F-Droid Forum or Popular links Popular Link badge on F-Droid Forum

This is worse than all the other things F-Droid tracks in a couple of ways.

1 - This tracks users who are not logged in to F-Droid, who have not done anything to accept being tracked by F-Droid, and who probably have an expectation that they are not being tracked by visiting the site.

2 - This tracks user behavior when they leave F-Droid for other sites (whatever the link goes to) and not just on F-Droid itself.

From a big-picture perspective, almost all tracking can enable some cool feature. I have written about this before. Hence, the existence of some cool feature is not enough of a justification for tracking to exist.

As a general rule, a website should not track users in a way that is not obvious to the user at the time that they will be tracked. For example, tracking who posts a comment and having a list of all the comments you have posted under the user profile is acceptable because a user expects the website to keep track of that when they post a comment, so the website isn’t tracking them in an unexpected way. Tracking which links you click on is not an expected way of tracking, so if a website wanted to do it there should be some obvious warning, that requires an opt-in, before that tracking is implemented.

Another general principle is that users who are not logged in should never be tracked.



tracks users who are not logged in to F-Droid, who have not done anything to accept being tracked by F-Droid, and who probably have an expectation that they are not being tracked by visiting the site.

It is naive or ignorant for anyone to expect their browsing of any site is not being logged by that site, which is tracking. The TOS and Privacy policies are posted, whether an annoying pop-up for click-agreement happens or not. That said, I do not consider those click-agreements to mean anything (but IANAL).

tracks user behavior when they leave

I don’t like it either, but in fairness it is not significantly different than standard referrer logging, which has been around and fake-able for a long time. “Where you leaving to” isn’t much different than “where you came from” info.

I have written about this before

I would add: a website does not need your actual IP address. It should not block or delay Tor users.

Another general principle is that users who are not logged in should never be tracked.

Unless they are “bad”. Or unless we can make money by doing it (sarcasm)

I completely agree. That is why Privacy Browser blocks all referrer headers. Part of the reason why I started Privacy Browser is because I wanted to change what was considered acceptable tracking on the web, and these are two examples that need to become toxic in the public mind.

I don’t think that Tor will ever grow up to be a real solution that can handle the bandwidth of the entire world using it. As such, it will never be more than a niche offering, meaning that any solution that is going to work for everyone is going to require not relying on Tor.

38% of Tor's $7.4 million revenue (far > 4 million expenses) is from the US government. I see no reason it couldn’t grow as large as necessary.

PDF page 12 or 13, depending on how you count: The Tor Project 2020-2021 Annual Report | The Tor Project

There is no end of commercial tracking if sites know your real IP.

I would interpret that as being, “Tor is in such trouble it would fold if the US government didn’t prop them up by providing 38% of their funding.”

And why would the US government (a bastion of the rule of law and freedom from illegal searches) do that?

It isn’t just the US government that has compromised Tor. The Russians are in on the action as well.

Then you have attacks from unknown origins:

Let alone the fact that if a single entity controls all three nodes your traffic passes through on the Tor network, then they can easily track your real IP address. Given that the above articles point out that it is not uncommon for a single entity to control 25% of all exit nodes, this type of attack probably happens all the time. Especially if a single entity, like the US government, is providing 38% of their funding.

If you look at the Guide inside of the Privacy Browser app I have written about how most major companies use JavaScript to track users across multiple IP addresses. JavaScript is much more capable of identifying you than your IP address (which, for a typical user, changes during the day as they move back and forth between home and work and across cell phone networks and various devices). With JavaScript, the big companies say, “I see justsomeguy logged in from his desktop over Tor again. Let’s link that up with his cell phone usage and connect it to his credit card receipts from the last time he went shopping.”

Yes, yes, I’m not living in a cave with a sack over my head.

I said

commercial tracking

which is not what

sorenstouter said

… government tracking …


With JavaScript

Wasn’t JavaScript one of the first things we turned off, stopped and/or blocked? Except at semi-trusted and privacy respecting sites, like F-Droid of course. :laughing:

Not if you use the official Tor browser with the default settings.

We’ve been around this (cough) track before, and learned to adjust those settings, because most users enjoy seeing how many sites are broken or blocked.

The point is that there is a 0% chance that the Tor project will ever be the solution to the problem. It will never scale to handle even a fraction of the internet’s total traffic, it has been compromised on multiple occasions and is likely currently compromised in various ways that we will only fully discover at some future point, and those who run the project make decisions like enabling JavaScript by default that are not in the best security and privacy interests of their users.

As a general rule, I am not interested in chasing after things that have a 0% chance of being the solution.

Apparently your estimate of the chances of Privacy Browser achieving high enough market share (with enough users not routinely turning JavaScript back to always-on so their favorite sites still work) is infinitely higher, because anything divided by zero… I am impressed with such optimism coincident with such pessimism!

it has been compromised…

This is true of almost all software, no?

Edit+: Why is this thread marked Solved already? I’ve observed no change in outward-click-counting.

Yes, I am very optimistic that over the next few years there will be a general shift in the public’s perception of acceptable web tracking, including a shift to where most users and web developers expect JavaScript to be disabled by default. I think that this shift will happen whether or not Privacy Browser continues development, but I am happy to be as much a part of it as I can.

Because in my original post I asked that if it wasn’t possible to disable click tracking in the forum software that F-Droid uses they make an upstream feature request to provide such an option, which was done.

