
I wonder how I can be surprised to learn that 's collect telemetry infos (including your mail domain) and share them with partners such as .

It's obvious they spy on your mails! 🤦‍♂️

Indeed, in case of crash, they even send to "their" servers a memory dump that contains sensitive data crash reports.

This likely includes your emails in clear, your private encryption keys¹ and everything else the program has loaded and kept in memory.

What does this mean for a hypothetical attacker that can access such reports?

I mean... like a agency arguing that you might be a terrorist or something.

Oh but sure... they shall do no evil...

mozilla.org/en-US/privacy/thun


_____

1) Since version 68, Thunderbird does not use the suite via , but directly does encryption "to avoid licensing issues" 🤷‍♂️

@rysiek@mastodon.technology @mala

@Shamar @rysiek@mastodon.technology @mala A couple points... 1) When you actually read their policy it's not all that shocking. I would agree it's annoying that telemetry is on by default but you can opt out if you like. 2) Literally any communication that isn't end-to-end encrypted can be intercepted by any third party, not just the company that made your email client

@b6hydra

No, indeed I surprised myself by being surprised by 's bad faith.

I mean: ok, is a surveillance tool marketed as a privacy friendly browser, but it's "just" a browser.

But I was STILL thinking that good old (that I have not used for decades but still suggested to others) was safe!

It's not.

is not just on by default and all data are received by through servers.

I really think such kind of defaults should be forbidden by law. And in fact they are forbidden by as all data collection must be opt-in not opt-out.

Curiously, crash reports are disabled by default (as far as I can read online) so at least people are less likely to send them cryptographic keys in clear in a memory dump.

But the fun fact is that if you enable crash reports in the hope to let them improve a privacy friendly MUA, you sacrifice your security (and your peers' security, exposing them to social engineering) to improve a surveillance software.

Indeed Thunderbird is sending back your interactions activities, so the fact that mails sent without can be intercepted is totally irrelevant.

@rysiek@mastodon.technology @mala

@Shamar @rysiek@mastodon.technology @mala

And people ask why some compile Firefox from source... Most of the telemetry flags are in about:profile, but not all of them. Good distros, probably, compile the right versions on their servers.

@jmw150

"Good distros"... these days I wonder if gives a shit, tbh.

So sad...

@rysiek@mastodon.technology @mala

@rysiek@mastodon.technology @mala

*about:profiles

And it is in pref.js of the profiles folder. about:config allows access in the browser, but that is manual.

@Shamar
Debian seems to have them off in the pref.js file. Which indicates they put in some effort to keep telemetry junk out of the binary apt version. But doing "apt source" should give a version that you can compile on your own.

@Shamar @rysiek gosh! but where does it say that it sends crash data to AWS?

@mala

In the notice that nobody is expected to read: mozilla.org/en-US/privacy/thun

```
Thunderbird May Disclose Information To:

Amazon Web Services: Thunderbird uses Amazon Web Services (AWS) to host its servers and as a content delivery network. Your device’s IP address is collected as part of AWS’s server logs.
```

I assume they receive and manage the crash reports on "their" servers that accidentally are owned by .

@rysiek@mastodon.technology
