Data Leakage/Privacy /e/ OS

Hello to Everyone!

I have been using /e/ OS on my device for several weeks and I am very happy with the system, but I have one concern:

Q. Is /e/ OS 100% data tight?
What I mean by this: Does any of my data go to Google or any other third-party: analytics, personal information etc when I am connected to the Internet?

My question has nothing to do with what I browse on the Internet or what I say on the phone through a network, it refers specifically to the OS and the standard provided apps.

The reason for asking is that I used afwall+ and xprivacy lua through xposed and the OS kept crashing. This got me thinking that, if I am preventing the OS and the apps from either accessing the Internet with the firewall or feeding fake data through Xprivacy, and this is causing the OS to crash, then what exactly is being sent by what and to whom.

Hello, welcome to our community 🙂

I don’t know exactly which requests are made by /e/OS. But I guess you have the skill to monitor all requests. In that way you will see by yourself which requests are made.

Doing it properly would mean restoring the OS (in order not to have third-party apps), without activating any Wi-Fi or cellular connection at first boot, installing a request monitoring app (like Blokada), rebooting with an internet connection and seeing all requests made.

Any leakage can be reported in our GitLab in order to be fixed.
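
The monitoring procedure suggested above produces a list of requests that then has to be sorted by destination. The following is an added example, not part of the original post and not /e/ code: it assumes the DNS queries were captured with tcpdump on the gateway instead of with Blokada, and the capture lines and watch list are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in tcpdump's DNS query format; NOT a capture from /e/OS.
SAMPLE_CAPTURE = """\
12:00:01.100000 IP 192.168.1.50.41234 > 192.168.1.1.53: 1001+ A? www.google.com. (32)
12:00:01.200000 IP 192.168.1.50.41235 > 192.168.1.1.53: 1002+ AAAA? www.google.com. (32)
12:00:02.300000 IP 192.168.1.50.41236 > 192.168.1.1.53: 1003+ A? time.example.org. (34)
12:00:03.400000 IP 192.168.1.50.41237 > 192.168.1.1.53: 1004+ A? notgoogle.com. (31)
12:00:04.500000 IP 192.168.1.1.53 > 192.168.1.50.41234: 1001 1/0/0 A 203.0.113.10 (48)
"""

# Assumed watch list: a few well-known Google-operated suffixes; extend as needed.
WATCHED_SUFFIXES = ("google.com", "gstatic.com", "googleapis.com")
# Matches query lines only ("A? name." / "AAAA? name."), never responses.
QUERY_RE = re.compile(r" (?:A|AAAA)\? (\S+?)\.? \(")

def queried_domains(capture):
    """Count every DNS name the device asked for (A and AAAA queries)."""
    counts = Counter()
    for line in capture.splitlines():
        match = QUERY_RE.search(line)
        if match:
            counts[match.group(1).lower()] += 1
    return counts

def is_watched(domain, suffixes=WATCHED_SUFFIXES):
    """Match on a label boundary so notgoogle.com does not match google.com."""
    return any(domain == s or domain.endswith("." + s) for s in suffixes)

def report(capture):
    """Split the queried names into watched and other destinations."""
    counts = queried_domains(capture)
    return {
        "watched": sorted(d for d in counts if is_watched(d)),
        "other": sorted(d for d in counts if not is_watched(d)),
        "counts": dict(counts),
    }

if __name__ == "__main__":
    for key, value in report(SAMPLE_CAPTURE).items():
        print(key, value)
```

DNS queries show only which names were resolved; connections to hard-coded IP addresses or lookups over encrypted DNS do not appear in such a capture.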

Thank you for your feedback. Appreciated.

My request has nothing to do with third-party apps. I am interested in the /e/ OS and your standard pre-installed applications.

I shall monitor and revert as you have suggested…

I am however a bit surprised that /e/ does not appear to know what its own OS is requesting or sending out and to whom. Surely this would be front and centre in the OS design in preventing such leakage of data.

There is one connection to Google at startup (an issue has been created on GitLab). All other Android connections are removed by e.foundation. That’s the main difference from other custom ROMs like LineageOS.

1 Like

Harvey,
Appreciate the reassurance - thank you!

There is an article, which pointed out some issues:
https://infosec-handbook.eu/blog/e-foundation-first-look/

Hopefully all those will be fixed soon.

You can check the progress on the InfoSec bugs here - Open, closed and read the comments in each for details.

If I can just add.
I believe in the Right to Privacy. It should be a Human Right. I would like to thank the /e/ team for their continued efforts to achieve this goal and I have donated to support the continuation of this work.
Please donate also, let’s not lose this.

3 Likes

Thank you.

Interesting article and follow up response from /e/.

What device are you using?

Quick update:

I’m using Xprivacylua + pro upgrade.
The log shows that the preinstalled Browser, Weather and Email apps are accessing the following personal data:

Contacts
Network: including WiFi SSID, phone network operator, sim operator, country ISO
Tracking
Account Name

This is just three apps.

If I try and feed fake personal data to the /e/ OS including Android system apps then the phone goes into a boot loop. This means that the OS will not accept fake data provided by Xprivacy and will only accept my real personal data.

It is clear that the /e/ OS and its pre-installed apps are collecting personal data from my phone. I assume that this data is then sent to /e/ or Google or other third-parties when the phone is connected to the Internet.

Who is receiving my personal data?

If there is any doubt regarding the efficacy of this update, please install Xprivacylua + pro and review the data for your OS contained in the app’s log.

2 Likes

It appears there is still work to be done to clear out the data leaks in /e/ 🙁

For one, the default browser is based on Chromium. Obviously the worst choice when it comes to privacy. Remove that crap whenever you can and switch to a Firefox flavour (Firefox, Fennec, Focus, Preview, Klar) and get back in control. Depending on which flavour you took, you can install the add-ons to further increase privacy.

For email, I would stick to K9 or the variant by Purism.

For the weather, if you really need it (I never ever use those useless apps), perhaps use an alternative you can find in the F-Droid store (like Weather Widget, using OpenWeatherMap).

It would be helpful to tell which firefox flavor is the best in your opinion, which add-ons to use for privacy and which tweaks to make. Many use the default browser but might give that firefox a try.

I will give my configuration, which is barely the same as the Tor Browser but without the TOR network (but I use a VPN).

Addons :
HTTPS Everywhere (with the setting to block HTTP only websites)
NoScript : in order to prevent fingerprinting, which comes a lot from scripts.

In advanced settings (enter about:config in the bar address) :
privacy.resistFingerprinting : true (this will use the user agent the Tor Browser uses and, on Firefox for desktop, resize the window like the Tor Browser does).
intl.accept_languages : en-US,en (it’s the most used setting so it reduces fingerprinting capability against you)
media.peerconnection.enabled : false (disable peer to peer connection)
privacy.trackingprotection.enabled : true
security.tls.version.min : 3 (disable the support of TLS 1.0 and TLS 1.1 that are unsecured, firefox will disable them by default in 2020 by the way)
webgl.disabled : true (disable WebGL)

And of course try to delete data (especially cookies) each time you quit firefox.

Check https://amiunique.org before and after applying those changes, you won’t see any red color after. Firefox and the Tor Browser have exactly the same fingerprint now.

3 Likes
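
The about:config values listed in the post above can be checked against a profile. The following is an added example, not part of the original post: it assumes you have a copy of the Firefox profile's prefs.js, and the sample file content is constructed for illustration.

```python
import json
import re

# Expected values, taken from the post above.
EXPECTED = {
    "privacy.resistFingerprinting": True,
    "intl.accept_languages": "en-US,en",
    "media.peerconnection.enabled": False,
    "privacy.trackingprotection.enabled": True,
    "security.tls.version.min": 3,
    "webgl.disabled": True,
}

# Constructed prefs.js excerpt; not taken from a real profile.
SAMPLE_PREFS = """\
user_pref("privacy.resistFingerprinting", true);
user_pref("intl.accept_languages", "de-DE,de");
user_pref("media.peerconnection.enabled", false);
user_pref("security.tls.version.min", 1);
user_pref("webgl.disabled", true);
"""

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

def parse_prefs(text):
    """Parse user_pref("name", value); lines into a dict."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line)
        if not match:
            continue  # comments and unrelated lines
        try:
            prefs[match.group(1)] = json.loads(match.group(2))
        except json.JSONDecodeError:
            prefs[match.group(1)] = match.group(2)  # keep raw text
    return prefs

def audit(text, expected=EXPECTED):
    """Return ok / mismatch / unset per expected preference."""
    prefs = parse_prefs(text)
    result = {}
    for name, want in expected.items():
        if name not in prefs:
            # prefs.js only stores changed values, so the default applies.
            result[name] = "unset"
        elif type(prefs[name]) is type(want) and prefs[name] == want:
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    return result
```

A result of "unset" means the preference was never changed from its default, which may or may not already equal the listed value in a given Firefox version.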

Firefox, Firefox Focus and Firefox Preview (for Android) all come with Ad-tech trackers.

Use at your own risk.

And if you don’t believe me, download them and scan them with ClassyShark, which you can download from F-droid. And have a nice day.

1 Like

@dotcoma Dotcoma,

Exodus is doing static analysis of included or referenced packages. It looks for signatures in names. It doesn’t mean the functions are actually used and it doesn’t tell how they are being used. That being said:

Focus has just 1 reference (adjust.sdk) and makes use of it for 1 purpose:

They explain when it is executed, what the payload is and what the purpose is.

For the optional Mozilla telemetry, this is something Mozilla also has been very transparent about. Contrary to the past when it was switched off by default, it is now switched on by default. But every Firefox browser offers the ability to switch it off. Like I did for all my installations of Firefox on all my devices.

Take the effort to inform yourself and get your facts right before spreading bollocks or making false claims.

@kalman

I’ve tried NoScript on my mobile devices, but it turned out to be a pain. So I left that behind. Still using it on all my desktop versions, though.

In addition to HTTPS Everywhere and NoScript (breaks some sites), following add-ons help you out:
Privacy Badger
Decentraleyes
uBlock Origin
Privacy Settings
Cookie Autodelete
Ghostery (make sure to turn off telemetry)
CyDec Platform AntiFingerprint (breaks some sites)

1 Like

I used Cookie Autodelete but it did not delete everything. Maybe it got better. Cleaning the history is important from time to time. For the desktop I like uMatrix, works better than noscript or Scriptsafe.