💾 Archived View for gemlog.blue › users › spyware › 1676930955.gmi captured on 2023-04-20 at 00:56:41. Gemini links have been rewritten to link to archived content

==========

Telegram

Telegram is an instant messaging program that allows you to send text, images, videos and also any other files to other Telegram users.

Spyware Level: Not Rated

Telegram has some privacy problems, such as telephone number verification and the routing of communications through official Telegram servers in most cases. However, Telegram contains privacy features and claims to not collect any user information.

Telephone Number Required

Telegram has the more modern spyware feature of requiring the user to associate their persistent user identity with a telephone number. This is obviously a breach of privacy, because Telegram requires the user to disclose this personal information.

Centralized communication routing

Telegram does not use peer-to-peer or private servers for the majority of its communications. This means that Telegram is capable of logging all of the communications you send through its service, unless you opt to only use the peer-to-peer features of Telegram. Centralized communication routing has a high potential to be spyware. Telegram attempts to use peer-to-peer communication for voice calls, but this may disclose your IP address to the other party. Telegram claims in its privacy policy that it does not collect any information, but it is impossible to prove this.

Telegram's server software is closed source and Telegram does not distribute its server software. There is no way for other people to host their own Telegram services because of this, meaning that the servers that the developers operate are the only choice for using this messaging platform.

Telegram does not follow its GPLv2 Obligations

Telegram clients are advertised as free software, but in practice the source code is not immediately accessible, the delay sometimes being up to 5 months. So, unknown spyware features could be in the official Telegram client binaries that you download, without you knowing. It's recommended that you build an outdated version of Telegram from its source code, since it cannot be proven whether or not the distributed binaries contain unknown spyware.

==========

==========

HyperText Transmission Protocol

HTTP is a protocol usually used for transferring HyperText Markup Language documents across the internet.

Spyware Level: Not Rated

HTTP is a protocol that is not designed with the privacy of its users in mind. The language used in the HTTP specification explicitly says that the protocol was designed to enable the datamining of its users, and it contains features that are not absolutely necessary for the purpose of the protocol but allow the protocol to compromise user privacy.

"User-Agent" Datamining feature

Section 14.43 of the HTTP specification details the "User-Agent" feature of the protocol that, when implemented, will attach information about your computing environment that can be used to track you. The biggest danger of the User-Agent is that there is no way to anonymously opt out of it: even if you do not provide a User-Agent, almost everyone else does, so you will be tracked by the fact that you do not provide that information. There are many strategies to mitigate this, with only varying levels of success, but the problem is that this is the accepted standard of how HTTP is used and not the forgotten feature that it should be. Not only does the User-Agent feature collect this unnecessary information, its purpose is explicitly stated in the protocol specification to be aiding in datamining.

"The User-Agent request-header field contains information about the user agent originating the request. This is for statistical purposes, the tracing of protocol violations, and automated recognition of user agents for the sake of tailoring responses to avoid particular user agent limitations. User agents SHOULD include this field with requests."
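Added example (not part of the original page): a short Python sketch of why omitting the User-Agent does not make a client anonymous. It parses raw request heads the way a server sees them and reports, for each observed value, how many clients share it and how many bits of identifying information it carries. The request data, the User-Agent strings and all function names are constructed for illustration.

```python
import math
from collections import Counter

NO_UA = "<no User-Agent header>"  # label for requests that omit the field

def user_agent(raw_request):
    """Return the User-Agent value from a raw HTTP request head, or NO_UA."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":  # names are case-insensitive
            return value.strip() or NO_UA
    return NO_UA

def anonymity_report(raw_requests):
    """Map each observed value to (anonymity set size, surprisal in bits)."""
    counts = Counter(user_agent(r) for r in raw_requests)
    total = sum(counts.values())
    return {ua: (n, math.log2(total / n)) for ua, n in counts.items()}

def request(ua=None):
    """Build a constructed request head, with or without a User-Agent line."""
    lines = ["GET / HTTP/1.1", "Host: example.org"]
    if ua is not None:
        lines.append("User-Agent: " + ua)
    return "\r\n".join(lines) + "\r\n\r\n"

# Constructed sample traffic: eight visitors to one server.
COMMON = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0"
LESS_COMMON = "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
RARE = "ExampleBrowser/0.1 (constructed)"
REQUESTS = ([request(COMMON)] * 4 + [request(LESS_COMMON)] * 2
            + [request(RARE), request()])

if __name__ == "__main__":
    for ua, (size, bits) in sorted(anonymity_report(REQUESTS).items(),
                                   key=lambda kv: kv[1][0]):
        print(f"{size} client(s), {bits:.1f} bits: {ua}")
```

In this sample the visitor who sends no User-Agent sits in an anonymity set of one, exactly as identifiable as the visitor with the rare string, while the visitors sharing the most common string are the hardest to tell apart.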

Acknowledgement of HTTP's privacy problem

In the HTTP specification, the W3C explicitly acknowledges the serious privacy violations that implementations of this protocol are capable of committing. Section 15.1 of the HTTP specification has a very detailed analysis of the privacy compromise that the User-Agent allows to happen and suggests how to use the User-Agent feature: as an opt-in feature where the privacy concerns of using such a feature are properly explained to the user. Even though this is a good section, it shows a very naive viewpoint from the W3C: the expectation that this feature would not be abused, and the expectation that implementers of this standard would respect the privacy of their users and would not use these features of the protocol to datamine users.

At best, you could call this mindset naive. If you want to hold the W3C in contempt, you could call it malicious. It's easy to write in your standard that while you could use this protocol to monitor the behavior of users, you should ask for their permission. But once that standard is widely implemented, and is widely used for the exact malicious purpose that was acknowledged in its specification, whose fault is that?

==========