
I investigated the inner workings of Xiaomi's Mint Browser and summarized it in a blog article. In short: it's as bad as the Forbes article suggests, and even worse. That browser is spyware, exfiltrating an enormous amount of data.

palant.info/2020/05/04/are-xia


@WPalant

Good article. It answers half the question though: “what data is being exfiltrated?”

The other half is: “how does that compare against other competitors?” For instance #Firefox or say #Samsung's default browser.

Comparing against #Chrome is an entirely different beast, since in that case you need to take into account data collection that happens both inside and outside the browser (take the #YouTube example: #Google owns it, so they don't need to sniff your browser output at all).

@WPalant

For the record, I'm firmly against indiscriminate data collection but I think that pointing the finger at some culprits and not others is very unhelpful and not conducive to a satisfactory solution.

@0 Firefox Telemetry isn't really comparable, and Mozilla is being transparent about it. Chrome also isn't anywhere near that invasive (it doesn't have to be, its purpose is promoting Google services). I'm pretty sure that no browser anywhere near mainstream does anything even remotely comparable. But I know nothing about Samsung's browser.

So far I've only seen a privacy violation like this once, in Avast products: palant.info/2019/10/28/avast-o

@WPalant

> Firefox Telemetry isn't really comparable

Do you know of any methodical analyses like yours but applied to #Firefox? What about other brand name vendors like #Samsung?

As you say, the same methodology would not apply to #google since they control a large swath of the other end of the wire anyway.

Incidentally, from the post date in your article, am I to understand that those findings no longer apply to current versions?

@WPalant

And just to offer my own theory, freshly out of where completely unfounded theories are made, the impression I get is that they're trying to gain the same sort of profiling vantage point that some #US companies enjoy.

I just find it rich of the media to criticise the Chinese for that while staying mum on what their own brethren are up to.

I'd rather they all took a less ethically questionable approach.

@0 Firefox is an open source project. It isn't necessary to analyze it, it's all documented: firefox-source-docs.mozilla.or. The data collected is made accessible to the public.

There are also Data Privacy Principles, and they really live by those: mozilla.org/en-US/privacy/prin. I know plenty of Mozilla developers, and I know that they wouldn't tolerate anything like what Xiaomi does. There would be a massive public outcry immediately.

@0 And even when using Chrome, there are obvious ways to avoid giving data to Google - you can use non-Google services, install an ad blocker, use Incognito Mode after all. Google doesn't have the same kind of insight. So your theory is implausible.

@0 Forgot to answer one of your questions. The original article was taking apart an outdated version of the browser - it explicitly says so. There is a second article on the current version: palant.info/2020/05/08/what-da

@WPalant

Thank you. Frankly, I'm still not convinced that their bad practices are in any major way worse than the bad practices of the other players out there. I think that singling them out has much to do with geopolitics (and for some, xenophobia) and little if anything to do with privacy rights advocacy.
It's good to call them out on it but there are no angels out there.

As for #Firefox: drewdevault.com/2017/12/16/Fir

@WPalant

> Google doesn't have the same kind of insight.

No. Google has the kind of insight given by being present in nearly every website out there in one form or another: analytics, CDN, ads, etc. and by controlling major bits of internet real estate, from YouTube to quad-8, not to mention the OS that most people run on their phones. Chrome is just one more piece in that machinery.

@WPalant

#Mozilla devs (I don't know any personally, only through forums and such) can be super disingenuous. Take for example the #Pocket affair, where they (the devs who implemented the feature) were not aware that #money was changing hands between the two companies. This was documented in real time in one of the Pocket-related bug tickets.

@WPalant
And let us not get into the #Eich affair, the ousting and character assassination of a colleague for privately exercising his legitimate democratic rights (believe it or not, those also apply to people who think differently), by what some call the San Francisco Taliban.

monde-diplomatique.fr/2019/08/

@0 So why was Avast singled out then?

This happens exactly because these practices are egregious and uncommon. Any company caught red-handed doing something like this will rightfully be reprimanded. If anything, Xiaomi so far is mostly getting away with it because the brand isn't too well known in the Western world.

Yes, one doesn't have to find every decision made by Mozilla great, I certainly don't. But you also have to recognize that this is a totally different scale.

@0 In particular, Mozilla's experiments to make the project less dependent on search revenue clearly weren't too popular. But it's very obvious why it has to be done, and Mozilla has always been very transparent about it.

I also clearly dislike Mozilla's management style and communication approaching that of commercial companies. But that's not because they do something terribly bad - rather that they started out in a place which was exceptionally great.

@0 And don't get me started on Brendan Eich. At the time I was also upset with him being pushed out. Over time I have grown convinced however that the public reason was only the last drop - it was only the tip of the iceberg, but he has done a whole lot more to bring people up against him.

Again, in a private company this whole thing wouldn't have been noticed at all. It's only because of Mozilla being open and transparent that you know about this.

@WPalant
Err… I think I get your point, but isn't it put across a bit poorly?

— Listen, he was widely disliked and a terrible manager. He had to go. That he supported same sex marriage was only the last drop.

See the problem? 😀

@0 Not "he supported same sex marriages" - quite the opposite, he supported groups searching to prevent same sex marriages in the US. Which in an open and tolerant organization like Mozilla's tends to rub lots of people the wrong way, yes.

@0 Mind you, he wasn't let go - he resigned. Because so many people were protesting against him leading the project. And while the immediate trigger is known, people's reasons weren't really communicated or obvious.

@WPalant

I know what his stance was. My point is that that is his personal opinion and none of your colleagues' business.

#Mozilla is open and tolerant in the same way the #Komsomol was open and tolerant: if you are cut of the same cloth.

From experience, open and tolerant is when you have the homophobe and the homosexual, the leftist and the guy who joined the OAS, working together as one team, respecting and supporting each other despite their differences. It takes a lot of selflessness.

@0 I could talk a lot about false balance, toxic people and more. But we would both waste time and you would be no wiser after that. If you are really interested in this and what it means for community building, it's not hard to find information given these keywords.

@WPalant

Oh, I have quite extensive experience in this field myself and some quite funny stories to tell (which I won't, because privacy and all that).

Let's just say that “toxic people” = you don't really have a team but just a bunch of people.

@WPalant

And anyway, thanks for an interesting exchange. 👍

@WPalant

Well, we do agree in our dislike of Mozilla's (mis-)management culture.

I am in two minds as to whether #Mozilla is doing more good than harm. Arguments can be made either way, in both cases based on difficult to test assumptions.

But I suppose #Thunderbird could give us part of the answer there.

@0 You seem to blow issues out of proportion. Mozilla is doing way more good than harm, there is no question about that. Or do you want an internet where Chromium is the only browser engine you can have?

The question is mostly: could they do more good? Is there something they could have done to prevent Google from rolling over them? Could they restart real competition of browser engines? Could they unlock the smartphones walled gardens like they tried?

@WPalant

> why was Avast singled out then?

Was #Avast (a Czech company, btw) tarred and feathered in the #Forbes front page? I wasn't aware of that.

@0 I don't know what the Forbes front page looks like. But I know that forbes.com/sites/thomasbrewste is what gave the whole thing considerable momentum. And "tarred and feathered" they have been, not just by Forbes. Their stock price still hasn't recovered.

@0 But with Avast it didn't end with Forbes. pcmag.com/news/the-cost-of-ava started a second wave of bad press, eventually leading to Avast terminating Jumpshot. Whether the media will keep watching Xiaomi is rather questionable.

@WPalant

> So why was Avast singled out then?

Since it was you who uncovered the issues you will know a lot more about it than me. Did you approach Mr Brewster and Mr Kan or other journos or did they approach you? (I assume you do the Twitter thing and have a number of IT journo subscribers?)

But two observations: 1. #Avast is also not a #US company, 2. I don't think that had as much of an impact outside the IT press.

@0 Yes, Avast is not a US company. But I wrote this up two months before it hit the press and nobody cared. Which happens all the time - whether a particular topic is covered depends largely on luck. Usually it requires a single multiplicator to notice it and get interested. With Kaspersky (really bad security practices) this happened, for one post out of four. For Avast it didn't.

@0 This only got picked up when I reported these extensions to browser vendors. When Mozilla and Opera removed them, this suddenly became noteworthy. And funny enough, it appears that Avast approached Forbes (also PCMag UK), not vice versa. They probably hoped to get beneficial news coverage; instead, that's where it really picked up pace. I did not approach any journalists myself, and all of them merely quoted my blog post without talking to me.

@0 The second wave of news coverage wasn't my doing at all. It was a joint investigation by PCMag and Motherboard, they got an inside source who supplied them with information. They asked me to comment, but since they didn't show me the data I could only give them some generic thoughts.

Later I got my hands on the data and wrote up a detailed analysis. And once again - nobody cared. C’est la vie.

@WPalant

Thanks, that's very interesting.

And yes, journalism is a funny business. The bastards never react how you expect them to. 😁

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.