Trackers in Riot

General Privacy & Security
1

Continuing the discussion from Where was Purism moving?

@nami Yes, kinda. Compare
https://reports.exodus-privacy.eu.org/en/reports/search/one.librem.chat/
https://reports.exodus-privacy.eu.org/en/reports/search/im.vector.alpha/

But this needs explanation.

First, notice that the count for riot varies between 1 and 3, quite possibly unintentionally. Before Librem One was launched, the developer had already attempted to remove or disable the trackers (as can be checked in the repository), but traces remained. Exodus rightly explains “This is not a proof of activity of these trackers”. That’s like removing a switch from the wall and noticing that there’s still an inactive light bulb in the ceiling, saying “We don’t know if there still is a switch for that bulb”.

Second, at least one of the trackers comes from a 3rd party library (Jitsi), so it was not put there by the Riot devs.

Third, those trackers are different from those tracking your path through the web. They are usually there to create statistics of feature use.

Fourth, Riot even has code (removed from Librem Chat here, as no longer relevant) to ask the user for permission to enable those statistics. But the above analyzer cannot take that into account. It just says “I found that this app might track user actions”.

So, to me, all of this was a bit a storm in a teacup.
Like so often in the outraged Internet these days.

4 Likes
2

Now compare it to this:
https://reports.exodus-privacy.eu.org/en/reports/75087/

3 trackers vs 44(!) permissions, vs 0 trackers and 16 permissions.
Not even talking about a clearly superior protocol and audited encryption.

Only after, and if, they will hugely debloat that project, we can talk about teacups.

//
The fact that they “missed” some trackers is actually another sad story, it means they didn’t even
check the code before launching it. Kind of like copy+paste+launch let’s see later. Not a trustworthy
approach towards the audience here.

3

:roll_eyes:

:wind_face::tea: :wind_face::tea: :wind_face::tea:

:roll_eyes:

3 Likes
4

[Had to remove your links since new users can apparently only post 2 links per post, even if it’s part of a quote, apparently]

Sorry to nitpick, but removal of any single switch renders the bulb inoperable. Unless you take care to bridge the wires. :wink:

(this does not apply to pushbutton activated bulbs, but a button is not a switch)

Nitpick aside, totally agree. I looked it over as well, and while the details elude me right now (I look at so much stuff it’s hard to keep track), I do remember coming away from it with a “meh, that’s all?” sentiment about the whole affair.

1 Like
5

If it’s “meh that’s all” for you why even bother with such services? The actual bottom line
here is simple, if such obvious things were missed, what will it mean about more serious
issues in the future? Just like you wouldn’t want a taxi driver that just scratched some car
on the way, meh that’s nothing, we can still keep going…Same logic.