discourse forums: Isn’t using well-known privacy disrespecting technology (JavaScript) against the essential project goal?

Unsupported.

Last update:

Thanks for the feedback.

That sounds too bad.

Isn’t using well-known privacy disrespecting technology (JavaScript) against the essential project goal?

FWIW, even some of my email replies to a thread opened by me don’t appear on the forum.

See: Web Application Shortcomings

It says:

“Whonix developers have little to no control over the course these projects take”

What has control over other projects to do with the choice of software? There are (free) alternatives without mandatory JS. Consciously choosing a JS-dependent platform and then justifying that with lack of control, monetary, time and manpower resources sounds quite confusing.

“privacy and security issues often take a back seat to “enhanced features””

Not when the proclaimed goal is “Superior Internet Privacy”.

As for the privacy policy, underlined on the link as a promise, your current privacy policy has quite a few issues which breach the GDPR and enforce the user to agree to personal data processing which is not technically required for providing a web forum.

Just one example:

“unique device identifiers” - this is personal data and a form of intentional fingerprinting too. You cannot simply put such things in a common “Usage Data” category and enforce implied overall consent for everything. Every non-essential data processing must be clearly explained as per GDPR’s requirements and is subject to explicit separate consent before processing. If the user has not consented, you must limit the processing to whatever is technically required. Otherwise it is simply illegal (at least as long as you process data of EU citizens).

I understand your policy is generated by some cheap/free policy generator but that doesn’t make it legal. Remember that the fees for breaching the GDPR are huge and if someone decides to report this to data protection authorities (or even worse - sue you), the current state of it can get you into very big trouble. So, better read and understand the GDPR, as policy generators won’t save your nice project in case of trouble. It is quite good reading for a privacy-oriented project.

Just a friendly (off-topic but important for the project health) advice. No offense whatsoever.

It’s because of history, legacy. If starting a project from scratch, different decisions might be made with new knowledge learned.

discourse was suggested ~ 7 years ago (discourse integration - Change Whonix forum software to discourse) it was implemented with a help of a contributor that is no longer around and now we’re stuck with it. There’s a ton of content in this forum, maintenance, backups sorted out and migrating to any web development / sysadmin work would massively take away software development time.

We didn’t even complete abolishing Whonix phabricator issue tracker, moving issue tracking to forums, migrating phabricator.whonix.org to forums.whonix.org yet. (Which is for maintenance reasons unrelated to JavaScript / privacy.)

And after that exercise, there would still be the issue of Self-Hosting vs Third Party Hosting. Server would still be “in the cloud” and other than padding on the back, not much actual progress would have been made.

Whonix is a software project. Not a website project. The website is a means to the software but not the main thing itself.

The state of website development generally on the internet is a mess with hip coding practices such as NPM, pulling tons of unverified dependencies but Whonix isn’t attempting to create a perfectly secure, privacy web server. That’s auxiliary work.

See also: Server Privacy

Even The Tor Project – a much older, established and better funded organization – does not attempt to implement any suggestion concerning “perfect server privacy”.

• fastly CDN (similar to Cloudflare)
• discourse / JavaScript, set up years later
• initially even cloud hosted by discourse.com

Of the software.

Not the website, which couldn’t be made more clear than it already is on the Placing Trust in Whonix wiki page.

Where you’re getting this from?

There is no analytics, fingerprinting on the website such as Google Analytics or fingerprint.com.

Do you have any similar enforcement actions by data protection authorities or court cases handy where something similar happened?

Specifically interesting would be something due to simply bad wording with no actual data collection.

If such enforcement action was taken against a website that doesn’t even install analytics / tracking code, that would be… Interesting…

For me it seems the state of privacy policies and actual privacy practices by most (big) websites on the internet is a mess, cookie banners didn’t help accept to mindlessly train users to press the “accept” button and if there’s any enforcement actions going on then these didn’t have much impact yet. Google analytics, fingerprint.com, still very much widespread.

Did you check other projects such as Debian which doesn’t seem to have a link to privacy, cookie policy and/or imprint links on its homepage.

Debian uses AWS.
(Debian apt-get updates over https / SSL / TLS by default OR avoiding amazon AWS - pick one)

A lot of holes to poke so to speak or do other projects have that all covered? And also a lot more worthwhile targets as in potential financial gain.

There’s a book Three Felonies a Day. I haven’t read it except some reviews but it makes sense too me. There’s just too many laws, regulations, written in legalese, that cannot be made sense of without background of that country’s justice system, court decisions, and whatnot. Even “which laws of which countries do even apply” is difficult to answer. Let the constant onslaught of any law updates.

One can make a best effort to comply but then that’s it. If there’s selective, malicious prosecution there’s not much that can be done against it. Hence, I think statements made by government agencies, enforcement actions and court rulings are important to follow latest developments.

Therefore spending money on lawyer(s) to perfect these texts (which would still be mostly based on untested theories) doesn’t seem to be a good use of resources, unless you could elaborate on the threat model with practical examples.

Whonix is a software project. Not a website project. The website is a means to the software but not the main thing itself.

It really doesn’t matter how exactly privacy is can be abused, if the goal is to protect it. The forum is part of the project, just as the community around it. I am sure you don’t mean that you care only about the privacy of those who use the OS but not the website.

That’s auxiliary work.

Maybe offload it to volunteers?

Where you’re getting this from?

In the privacy policy text.

There is no analytics, fingerprinting on the website such as Google Analytics or fingerprint.com.

A unique device identifier is personal data (see Article 4). The GDPR does not cover processing of anonymous data for statistical purposes. So, there is nothing wrong in using such analytics. Of course, we all know that we can’t trust Google. I am explaining just in general.

Do you have any similar enforcement actions by data protection authorities or court cases handy where something similar happened?

I don’t keep a list just in case such discussion may ever take place, but if you are asking if I know of such cases - yes, definitely. I searched the web for you:

You can also check https://noyb.eu

Specifically interesting would be something due to simply bad wording with no actual data collection.

If such enforcement action was taken against a website that doesn’t even install analytics / tracking code, that would be… Interesting…

It seems you are missing an important point here. Having a correct policy is a legal obligation, not something optional. It must explain exactly what the data controller does with personal data and must allow the data subject to choose the optional processing.

Having a policy which says you do something which you don’t is not just bad wording - it is misleading as part of the legal agreement between you and the user, to which you ask him to agree. You simply cannot ask him to agree to everything, just because some script on some website generated such policy.

For me it seems the state of privacy policies and actual privacy practices by most (big) websites on the internet is a mess, cookie banners didn’t help accept to mindlessly train users to press the “accept” button and if there’s any enforcement actions going on then these didn’t have much impact yet. Google analytics, fingerprint.com, still very much widespread.

I am not saying all other sites are perfect. I am talking about your privacy policy only. Suppose someone decides to sue you (God forbid). What will you say in court? “But see, others do it as well, so I am innocent”? Good luck in winning a case with that.

Debian uses AWS.

It is OK to use external services, as long as it is clearly stated in the policy. You must specify:

• exactly what personal data is processed
• for what purpose
• who processes it and based on what other policy (in case of third parties)
• for how long (retention policy)
• whether it is technically required (inevitable) or optional (based on explicit informed consent only)

There’s just too many laws, regulations, written in legalese, that cannot be made sense of without background of that country’s justice system, court decisions, and whatnot. Even “which laws of which countries do even apply” is difficult to answer. Let the constant onslaught of any law updates.

The GDPR applies worldwide to anyone who processes personal data of EU citizens. If you process such data, you must comply. That is legalized internationally (including EU-US privacy shield etc). The only other (legal) option is not to provide services in the EU (which is what a few websites did when it was introduced and perhaps not what you want).

One can make a best effort to comply but then that’s it. If there’s selective, malicious prosecution there’s not much that can be done against it. Hence, I think statements made by government agencies, enforcement actions and court rulings are important to follow latest developments.

Try to say in a courtroom under oath that the law must not be followed but the court must follow technology and see what happens.

Therefore spending money on lawyer(s) to perfect these texts (which would still be mostly based on untested theories) doesn’t seem to be a good use of resources, unless you could elaborate on the threat model with practical examples.

You don’t need to spend money on lawyers. Just read the GDPR. It is written very well and easy to understand. All you need is a simple but meaningful policy. It is not necessary to sound legalistic or anything like that - on the contrary, it must explain to the user in understandable language and allow him consent. It is simpler than you think.

I am not arguing against “make things better”, better forum software, I am just not assigning priority/time.

Another option is to not have a forum at all. No forums, no JavaScript issues. For example, Tails - Support doesn’t have a forum and Tor Project didn’t have one either for years.

What happens in these cases that users go somewhere else such as reddit and I think that’s a worse option.

That’s really difficult.

• Sparse resource: There are not many volunteers. And even if there are, they are busy with other stuff, so progress is slow.
• Privacy vs security: Also server work inherently requires trust. So while it might be possible to move to a non-JS forum which would improve 1 thing, it could reduce security from data leaks (forum e-mail addresses and hashed passwords).
• Abandonment: Volunteers can contribute stuff and then be MIA leading to maintenance lapses that can result in security issues with privacy issues follow from there.
• Quality of work: Could mess up something such as broken backups, database issues, data loss or maneuvering into unresolveable issues, practically impossible to fix without trashing all forum data and starting fresh.
• Difficult work environment: I could write a tasks / tickets “test forums backup script”, “test forums restoration from backup”. But for a volunteer, no deadline can be set. So that task can just remain unresolved for ages.
• Competition: The skills required are worth money. So rather than contributing here, people work elsewhere for money.

Like anything in life, if one doesn’t have money to pay for it, it’s hard to reliably accomplish.

amazon:

for placing cookies without user consent

We only have functionality, session and setting cookies. (This statement does not replace the cookie policy.) I.e. “strictly necessary” cookies. The type of cookies which cannot be unselected in any cookie choice popups.

I do understand that regulators don’t like tricking users into “accept all” which then includes tracking cookies.

Instagram:

The issue being that Instagram business account are defaulted to “public,” so can be viewed by anyone and allowed user’s phone numbers and emails to be published publicly.

Doesn’t seem applicable and/or fixable by policy test.

Google:

The privacy regulator concluded that Google was using non-compliant cookie consent mechanisms, which made it too difficult for users to refuse cookie collection on both Youtube and Google Search.

Facebook:

Similar to Google’s 2021 fine, Facebook received a €60 million GDPR fine for failing to give users way to refuse cookies as easily as they could accept them. Users had to go through several clicks when refusing cookies, whereas accepting them only required clicking one button.

By only glimpsing over it, they seem to focus on large companies fighting against obnoxious stuff where actual user data was collected, processed but no purely theoretical nitpicking, “victimless crimes”.

Debian doesn’t have a policy covering that.
There is Debian -- Privacy Policy but it does not cover that.
These issues were also raised on the Debian mailing list.
(Lack of) GDPR compliance in Debian

• Sparse resource: There are not many volunteers. And even if there are, they are busy with other stuff, so progress is slow.

slow > none, no?

• Privacy vs security: Also server work inherently requires trust.

Is it not possible to use some decentralized solution? Personally, I like the idea of Bastyon for a decentralized social network. It is open source but unfortunately also JS-rich. I have not researched what other options exist. Have you any idea?

… [examples]

You wanted some, I provided some. As I said, I don’t keep a reference book. If you search annual reports of local data protection authorities, you may find many other smaller cases (not targeting tech giants) in which controllers have been fined.

If your are firm in your argument against complying, because others also don’t comply, from which you conclude it is unlikely that you may get into trouble, there is hardly anything I can say that won’t be answered the same way. I have done my part to notify you. The rest is up to you.

On Privacy Policy - Whonix I finally found under Usage Data, expand button I found it:

unique device identifiers

It’s legalize and seems to make sense there to cover all cases.

• So what that’s not: Some JavaScript (JS) that attempts to read any unique device identifiers (UDI).
• What it does: It covers some rather obscure and hypothetical cases. For example, if the user is using any (traffic compressor) proxies, these might inject a UDI in the HTTP request header. That UDI might then end up in server logs.

In the full context of that wiki chapter, meaning, if you keep reading, I don’t see an issue with it.

If the website had something intrusive (deliberate tracking, analytics cookies, browser fingerprinting) then a cookie prompt where the user can accept/reject might be needed. Since no such stuff is there nor planned, there is no need in such a button.

For high complexity, difficulty changes requiring high effort and low rewards, it’s so slow that it effectively happens never so equals none.

That would be ideal but I am not aware of any that have any relevant traction. Would be great to go back to standalone applications and not everything inside the browser. (Except maybe some proprietary applications such as discord, which are obviously not an improvement here in this context. Often such applications are no more than electron based, basically just a wrapper that styles the browser window differently but still rendered by the browser.)

JS-free internet, decentralized as in serverless (without server) even had their word definition changed unfortunately aren’t exactly strong movements, both for users and developers. Instead mandatory JS and more and more centralization in the form of clouds, CDNs.

Unfortunately, this seems unlikely to happen. Usability, first mover and network effects seem to trump considerations for security, privacy and decentralized.

No.

I don’t see any non-compliance.

Unfortunately, there are very few modern web applications with much functionality being built without JavaScript. This is because it’s hard to achieve the expected base UX without it. Bastyon looks cool, but incredibly JS heavy as you mentioned.

I agree that modern reliance on JS is problematic, but very few alternatives exist. If they do exist, how can we even know they wont be abandoned and us left with a horrible maintenance burden? How do we justify the time spent migrating data from app to app.

You could build something with hotwire and rails, or phoenix/elixir/liveview. But few people have the time, money, and skill, to build something like that.

Ultimately the developers here are here to build Whonix, and provide you with the most water tight privacy focused operating system in the world. Moving data from one failed open source project to another is a waste of our time.

I also think labelling JavaScript as “privacy disrespecting technology” is either foolish or ignorant.

Python is the industry standard for manipulating, analyzing, and curating data. It’s well know the ways you can violate privacy with piles of data and some clever algorithms.

Python is a tool. JavaScript is a tool. Powerful tools, but tools nonetheless.

At least you can see what the javascript is doing on your client. There are basically no legal ways to see what they are doing on the server.

Distrust the infrastructure!

JavaScript doesn’t disrespect privacy. Many websites do. Many browsers are enabling the behavior.

It’s a slippery approach to argue against privacy respecting use of JavaScript just because some are abusing it. Would be similar to arguing against Tor just because some are abusing it.

I know what you mean but it’s confusing in this context as if website JavaScript would do something on the server, which doesn’t happen.

This is because it’s hard to achieve the expected base UX without it.

Who defines what is “expected base UX”? Privacy aware users expect (and look for) non-invasive web.

I agree that modern reliance on JS is problematic, but very few alternatives exist.

A few sounds different from none. Which ones have actually been considered and why have they been discarded?

If they do exist,

When you say “if”, does that imply that no research has been made?

how can we even know they wont be abandoned and us left with a horrible maintenance burden? How do we justify the time spent migrating data from app to app.

How do we know that Discourse won’t be abandoned soon? How do we know that (e.g.) next month the world corporatocracy won’t create laws that shut down the Tor Project forever? - We don’t. In fact, we see that the direction the whole world is taking is towards anti-privacy hell. So, there are no guarantees. Does that mean we should surrender to the mainstream which is obviously going in the direction of anti-privacy hell?

I also think labelling JavaScript as “privacy disrespecting technology” is either foolish or ignorant.

Thank you. I always appreciate discussing with polite and intelligent experts.

Python is the industry standard for manipulating, analyzing, and curating data.

Python does is not downloaded through web pages and run inside your browser. But what do I know… some ignorant fool.

Distrust the infrastructure!

Yeah. And invite more of its anti-privacy features!

Wait a minute. What’s the anti-privacy feature?

Just your asking to blanket ban JavaScript because it could be abused while there isn’t any actual abuse?

Do you also hold other projects to impossible standards you’re just trolling here while developers wasting explaining the obvious?

Better google before speaking…

Django and Fingerprint Pro Server Python SDK joined the room. And many others.

They’re generating HTML which then your browser executes. Blame HTML, Python next?

WASM too…rust, etc.

Blaming javascript is ignorant. You can do bad things with any programming language. That was my point. At least you can see the JS in your browser. Serverside code can be malicious too.

I say “very few” but the truth is I dont know of a single one. Discourse is well maintained and stood the test of time. Thats why it was chosen.

Because it has a valuation of somewhere in the ballpark of 100 million dollars. It was started by Jeff Attwood who also built stack overflow. We dont know, but we certainly can put our bets behind well supported technologies.

Surrender? We spend our free time building arguably the best privacy operating system around. I could spend my time outside of work doing far more profitable things.

If you hate javascript web applications, build something better without it? Why are you complaining to us. Give us the solution. I suggested phoenix, elixir, and liveview already. Once you have something usable in 18 months (optimistic), we will discuss as a team if it is worth us using

Exactly the issue. Even noJS webapps are insufficient.

Any centralized server based solution is non-ideal for many reasons. Websites, discussion forums, issue trackers should be decentralized.

• No central server.
• No client/server architecture.
• No dependency on the mainstream DNS system.
• An onion domain is nice but also just a centralized web server behind an onion domain.
• Instead should be Kademlia - Wikipedia (or similar) / Distributed hash table - Wikipedia based.
• Maybe similar to OnionChat (unfortunately abandoned) (all participants communicate onion to onion only).
• Not browser fingerprinting because not running inside a browser. Instead,
• a locally running application.
• Downloads contents locally so no analysis who reads what and when is possible.
• Easily forked in case original administrators are missing or other contagious issues.

Projects (somewhat) going into that direction:

• ZeroNet
• Retroshare

I was hoping for something like that perhaps for 20 years already. But from all the projects i saw come and go, nothing ever got any relevant traction.

Just your asking to blanket ban JavaScript because it could be abused while there isn’t any actual abuse?

How do you know there isn’t?

JS makes it possible much more than the lack of it. That does not mean website owners are abusing intentionally. It means that abuse, exploiting the fact that the users have JS enabled, is possible regardless of owners’ intention (through infrastructure). If JS is not enabled, the possibilities for such abuse are much more limited.

Example: “Verifying your browser” pages, shown by hosting providers, which don’t work without JS - this is not obvious to non-experts. There are also cases when hosting providers inject JS code inside the web pages of the website itself. The website owner might not even know about it. That is not instantly obvious even to experts.

Do you also hold other projects to impossible standards

There are other community websites (which don’t claim superior privacy) that use non-JS-dependent forums. Obviously - possible.

you’re just trolling here while developers wasting explaining the obvious?

Since I am the one explaining the obvious, from my point of view it is the other way around. But thanks for yet another epithet.

As for any other technology which allows downloading and executing arbitrary code - feel free to consider for yourself what it means for security and privacy.