webmail saga continues

I was pleased to see a reply from Daniel as a reaction to my post. I read and re-read the blog a couple of times yesterday and another time today to question my own understanding and see if there is any way I could make life easier and simpler for myself and the other people I interact with, but I am finding it somewhat of an uphill task. I will not be limiting myself to e-mail alone, as I feel that until we get/share the big picture it would remain incomplete.

Allow me to share a few observations below:

1. The first one is probably cultural in nature (whether it is specific to India or worldwide I have no contextual information). Very early in my professional and personal life I understood that e-mails are leaky by design. By leaky I mean being leaked by individuals for profit or some similar motive.

E-mails also are and were used as misinformation tools by companies and individuals, then and now, often by quoting a subset or superset of them without the context in which they were written. While this could be construed as a straw man, I do not know any other way to put it. So the best way, at least for me, is to construct e-mails in a way that even if some information is leaked, I’m OK with it being leaked or being in the public domain. It just hurts less. I could probably name 10-15 high-profile public outings in the last 2-3 years alone. And these are millionaires and billionaires, people on whom many others rely for their livelihoods, who should have known better. Indian companies do have specific clauses for communications stating that any communication you had with them is private and that if you share it with somebody you would be prosecuted; on the other hand, if the company does it, it gets a free pass.

2. Because of my own experiences I have been pretty circumspect/slightly paranoid of anybody promising or selling the Kool-Aid of total privacy. Another example, of slightly more recent vintage, which pains me even today, was a Mozilla add-on for which I had filed an RFP (Request for Package) and which a person from pkg-mozext-maintainers@lists.alioth.debian.org (which will probably be moved to Salsa in the near future) packaged, and I thanked him/her for it. Two years later it came to the fore that, under the guise of protecting us from bad cookies or whatever the add-on was supposed to do, it was actually tracking us and selling this information to third parties.

This was found out by a security researcher casually auditing the code two years down the line (not Mozilla) and was then confirmed by other security researchers as well. It was a moment of anguish for me, as so many people’s privacy had been invaded even though there were good intentions on my side.

It was also a bit sad, as I had assumed (perhaps incorrectly) that Debian does some automated security audit along with the hardening flags it uses when a package is built. This isn’t to show Debian in a bad light but to understand and realize that Debian has its own shortcomings in many ways. I did hear recently that a lot of packages from Kali would make it into Debian core; hopefully some of those packages could also serve as additional tools to look at packages when they are being built 🙂

I do know it’s a lot to ask, as Debian is a volunteer effort. I am happy to test or contribute to Debian in whichever way I can if, in doing so, we can raise the bar that intended or unintended malicious apps have to get through. I am not a programmer, but I’m sure there might still be some way I could add strength to the effort.

3. The other part is that I don’t deny that Google is intrusive. Google is intrusive not just in e-mail but in every way: every page that uses Google Analytics or the Google search spider can be used for tracking where you are and what you are doing. They have embedded themselves in web pages to the point that it has become almost impossible to view almost any web page (some exceptions remain) without allowing google.com to see what you are seeing. I use requestpolicy-continued to know which third-party domains are on a web page, and I see fonts.googleapis.com, google.com and some others almost all the time. The problem is that we also don’t know how much information Google gathers. For example, even if I don’t use the Google search engine, if I am searching on any particular topic and 3-4 of the websites use Google in any form or manner, it would be easy to know the information and the line/mode or form of the information I’m looking for. That is actually as much of a problem to me as e-mails, if not more, and I have no solution for it. Tor and torbrowser-launcher are and were supposed to be an answer to this problem, but most big CDNs (Content Delivery Networks) like cloudflare.com are against it, so privacy remains an elusive dream there as well.

4. It becomes all the more dangerous in the mobile space, where Google Android is the only vendor. The carrier-handset locking which is prevalent in the West has also started making inroads in India. In the manufacturer-carrier-operating-system complex such things will become more common. I have no idea about other vendors, but from what I have seen I think the majority might be doing the same. The iPhone is also supposed to have a lot of nastiness where it comes to surveillance.

5. My main worry for ProtonMail or any other vendor is whether we should just take them at face value, or whether there is some other way for people around the world to be assured and, in case things take a turn for the worse, to be able to file a claim for damages if those terms and conditions are not met. I looked to see if I could find an answer to this question, which I asked in my previous post, but didn’t find any appropriate answer in your post. The only way out I see is decentralized networks and apps, but they too leave much to be desired. I can share two examples of the latter. Diaspora started with the idea that I could have my profile in one pod and, if for some reason I didn’t like the pod, I could take all the information to another pod with all the messages, everything, in an instant. At least until a few months back, when I tried to migrate to another pod, I found that the feature doesn’t work / is still a work in progress.

Similarly, zeronet.io is another service which claimed to use decentralization, but for the last year or so I haven’t been able to send one e-mail to another user.

I used both these examples as both are FOSS and both have considerable communities and traction built around them. Security and/or anonymity still lag behind there, though, as of yet.

I hope I was able to share where I’m coming from.


2 thoughts on “webmail saga continues”

  1. @Martin, you are right, it was WOT or Web of Trust. I do agree that it’s not Debian’s place to do that kind of monitoring, and we are already hampered by the number of resources we have.

    I do agree with your assertion about the ‘smartphones’ culture, but there is no way to escape that. It has been part of quite a few discussions, especially when the whole ‘Meltdown’ and ‘Spectre’ thing came down and how most of the vendors are just invested (meaning they have no motivation) to continue to provide patches unless of course you have a flagship phone.

    The problem is getting a vendor who sells the Librem 5 pre-loaded and is in a position to honor the warranty of 1-2 years or a lifetime warranty, depending upon the nature of the ‘smartphone’.

    I *think* the problems are multi-faceted; the problems of the mobile phone are similar to what has been seen in off-the-shelf commoditized hardware. We even have an alternative to the somewhat dreaded UEFI, but only a single vendor or two are doing it in the States.

    I would want to get a Librem 5 provided the pricing is right, the support is right and it’s a workable/usable solution.

    To illustrate, let me share an anecdote which happened around me. 2-3 or maybe a little before, Firefox OS was being launched by Mozilla. This was against most of the community’s wishes, including most of the students who are part of the Mozilla community (Mozilla has a program called Mozilla Ambassadors which has been quite successful, but it has a bit of a cash burn rate). Anyway, the Mozilla community wanted them to strike a deal with Samsung or some other well-known vendor who could scale at both the low end and the high end quickly. The launch of the phones in India was delayed by more than a year, which in the mobile space is akin to murder. Even then, the first phones that were launched were low-cost ones. Praveen, although a DD, did try to reach Mozilla as a normal user and used the Mozilla BTS to report the issues. All his bugs were either marked won’t fix or they did not see the problem. Much later it was revealed or transpired that all the developers who were working on Firefox OS were given the flagship phones, so they never once encountered rendering issues, slowness issues or any of the other issues which probably could have been fixed by refactoring the code base.

    IIRC (and I may be bad) Praveen also tried to put up some patches for some particular bits, even with the limited knowledge that he had gathered on his own (no mentoring or knowledge-passing-on space), which resulted in Firefox OS being declared a failure.

    I do know and understand that what I have shared is probably a minutia/tiny detail and there are just too many things that can go wrong. Even the at-one-time uber-successful Atari is an example of the same – http://www.8bitgeneration.com/the-movie/easy-to-learn-hard-to-master/ which tells of some of the other factors.

    I do wish the Librem 5 well and would be looking to buy it once it hits my home market at reasonable rates.

  2. Shirish, to most of the problems you mention there is no (usable) solution.
    We can try and should try, but the silver bullet does not exist.

    Just two remarks:

    1. The Mozilla add-on, you were talking about, is probably “wot”.
    I’m a little bit familiar with the problem, because I uploaded the “fixed” version, which just disabled the plugin.
    To the best of my knowledge, the plugin wasn’t spyware, when it was included in Debian.
    It was also fine, when it was in a stable Debian release.
    Only after Debian 8, but before Debian 9, it turned evil with a new version.
    Users of Debian stable were never exposed to the spyware.
    Personally, when I read the description of “WOT”, my first thought was “WTF?”
    Anyway, I don’t have much hope to prevent such incidents in the future.
    We would need Debian test machines with “real life like” usage patterns and to monitor any network activity.
    Maybe a task for a university or a government IT security department?
    Debian does not have the resources for that task.

    2. One can improve a little bit on personal privacy, if one is able to go without one or the other piece of technical rubbish.
    E.g. if you don’t use Facebook or Twitter, you not only are better off privacy-wise, but you also lose less time reading useless nonsense.
    Having cloudflare, fonts sites etc. in your /etc/hosts as 127.0.0.9 will reduce leakage of private data and also the amount of dispensable web sites that try to waste our time.
    (In my book, we live only once, and after our very short life span there is – nothing. So let’s not waste time on websites that use CDNs.)
    Not having a mobile phone is not only good for your privacy, but also makes life much more livable!
    If you really can’t live without a mobile phone, at least avoid so-called “smart phones”. Smart phones are for dumb people :~) Just make sure the dumb phone is switched off as often and as long as possible, so that tracking is reduced to a minimum.
    If you really, really want a smartphone, use a Librem 5 which runs Debian or a Zerophone running Raspbian.

    Cheers
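The /etc/hosts suggestion in the comment above, the post’s observation that third-party domains such as fonts.googleapis.com and google.com show up on nearly every page, and the idea of monitoring the network activity of test machines under realistic use can be combined into one small defensive tool. The Python script below is an added example, not code from the post or from either commenter. It assumes a log of (page visited, resource fetched) pairs such as a RequestPolicy-style extension or a logging proxy could produce (the sample log here is constructed), identifies hosts that are third-party relative to the page, flags those contacted from more than one unrelated site (the ones able to correlate browsing across sites), emits /etc/hosts lines that point them at a loopback address, and checks whether an existing hosts file already sinkholes a name. The two-label registrable-domain approximation is an assumption made for the sample and would misclassify suffixes such as co.uk.

```python
"""Find third-party hosts in a browsing log and emit an /etc/hosts sinkhole.

Added example, not code from the post or its commenters. It assumes a log of
(page visited, resource fetched) pairs; the sample log below is constructed.
"""
from urllib.parse import urlsplit

# Constructed sample log: the page the user was reading, and the URL the
# browser fetched while rendering it.
SAMPLE_LOG = [
    ("https://example.org/article", "https://example.org/style.css"),
    ("https://example.org/article", "https://fonts.googleapis.com/css?family=Roboto"),
    ("https://example.org/article", "https://www.google.com/recaptcha/api.js"),
    ("https://example.org/article", "https://cdnjs.cloudflare.com/ajax/libs/x.js"),
    ("https://blog.example.net/post", "https://fonts.googleapis.com/css?family=Lato"),
    ("https://blog.example.net/post", "https://static.example.net/logo.png"),
]


def site(host):
    """Approximate the registrable domain as the last two labels.

    Assumption good enough for the sample; a real tool should consult the
    Public Suffix List so that e.g. "bbc.co.uk" is not reduced to "co.uk".
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def third_party_hosts(log):
    """Map each third-party host to the set of first-party sites that loaded it."""
    seen = {}
    for page_url, fetched_url in log:
        page_site = site(urlsplit(page_url).hostname)
        fetched_host = urlsplit(fetched_url).hostname.lower()
        if site(fetched_host) != page_site:
            seen.setdefault(fetched_host, set()).add(page_site)
    return seen


def cross_site_hosts(seen, min_sites=2):
    """Hosts fetched from at least min_sites distinct first-party sites.

    These are the hosts that can correlate one user's browsing across
    unrelated sites, which is the concern raised in the post.
    """
    return {host for host, sites in seen.items() if len(sites) >= min_sites}


def sinkhole_lines(hosts, sink="127.0.0.1"):
    """Return /etc/hosts lines pointing each host at a loopback address."""
    return [f"{sink}\t{host}" for host in sorted(hosts)]


def is_sinkholed(hosts_text, host):
    """Check whether an /etc/hosts file already maps host into 127.0.0.0/8."""
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if host.lower() in (n.lower() for n in names) and addr.startswith("127."):
            return True
    return False


if __name__ == "__main__":
    seen = third_party_hosts(SAMPLE_LOG)
    for host, sites in sorted(seen.items()):
        print(f"{host:28} loaded from {len(sites)} site(s): {', '.join(sorted(sites))}")
    print("\n# cross-site hosts, candidate /etc/hosts entries:")
    print("\n".join(sinkhole_lines(cross_site_hosts(seen))))
```

The sink address is a parameter because any 127.0.0.0/8 address works for this purpose; the comment above uses 127.0.0.9 and the script defaults to 127.0.0.1. Requiring a host to appear under at least two first-party sites before listing it keeps ordinary single-site CDN assets out of the block list, while still catching the font and analytics hosts the post describes seeing everywhere.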
