Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Turn off Google's surveillance on meet.jit.si #4590

Closed
Shamar opened this issue Sep 3, 2019 · 23 comments
Closed

Turn off Google's surveillance on meet.jit.si #4590

Shamar opened this issue Sep 3, 2019 · 23 comments

Comments

@Shamar
Copy link

Shamar commented Sep 3, 2019

Description

Even just the name of a chat room might contain sensible data.

Google should not be informed about people joining a chat room, since it might be able to identify them (by relating informations gained across different Web sites or on their own services) and profile their relationship.

Current behavior

Any visit to https://meet.jit.si/ or any chatroom therein informs Google through Google Analytics.

The Referer HTTP Header let Google relate the different members of a chatroom and personal data such as user's IP and User-Agent let Google actually identify the persons in the chatroom by relating such information with those available on their ubiquitous services.

Expected Behavior

https://meet.jit.si/ doesn't leak personal info to third party.

The users accept to trust only meet.jit.si and such trust should be honoured.

Possible Solution

Remove

<script async="" src="//www.google-analytics.com/analytics.js"></script>

from the Web pages served under https://meet.jit.si/

Steps to reproduce

Visit https://meet.jit.si/ or any chatroom therein such as https://meet.jit.si/GoogleIsProfilingYouRightNow

Environment details

A logging proxy might be useful.
As an alternative, the DevTools of the browser might suffice.

@saghul
Copy link
Member

saghul commented Sep 4, 2019

Thanks for bringing this up. I'm going to try and explain why GA is there and what we do with it. Please note that I'm also on the privacy minded camp, I hear you.

First and foremost, let me assure you we are not into tracking users. As you may have noticed, we don't request any data from you, because we simply don't care. What we do care a lot about is the quality of the conferences our users have.

Quality analysis (in many shapes and forms) is where analytics are useful to us. To that effect we use a number of services (which you can check in https://meet.jit.si/config.js) including GA, Amplitude (currently disabled) and CallStats.

Why do we need these? We need to know if your call failed. We need to know if ICE took too long. We'd like to know if nobody is using feature X. Or how many page reloads have happened recently and why. See the pattern? Without this information we'd be flying blind and we can't just rely on some testing we can perform. We rely on the community using the service so we can keep on improving it.

Even just the name of a chat room might contain sensible data.

You can pick arbitrary room names. If you don't want to leak sensible data you shouldn't put it out there to begin with, right? Users should pick something completely impresonal like a UUID v4 in that case, wouldn't you agree?

"But there are alternatives!" I hear you. Setting up a custom analytics backend is not something that will happen overnight, and while we have been looking into alternatives like Amplitude and HOMER, this is slow to change, but like the song goes: don't stop believin'.

Be it Google or our own backend, some of your data will always leak because you are using a service you don't control. So, what can you do about it? Here is what you can do:

  • block tracking in your browser
  • use #config.analytics.disabled=true in your URLs, for example: https://meet.jit.si/foo#config.analytics.disabled=true
  • setup your own deployment (there are no analytics enabled by default, of course), it's now pretty aproachable either with the quick install or our dockerfiles.

If you made it this far, ❤️ , I hope you understand.

@Shamar
Copy link
Author

Shamar commented Sep 4, 2019

Hi @saghul, nice to meet you and thanks for your kind answer.

At the very best, there is either a PR/marketing issue or a UI/UX error at work, here.

Misleading marketing?

Meet.jit.si market itself as a "Secure, fully featured, and completely free video conferencing", all over the world, but

  • it's not as secure if it informs third parties that could identify you
  • it's not completely free if people pay with their personal data

For sure, those who use meet.jit.si, necessarily trust you.
But they trust YOU. Neither Google, nor CallStats.
They just trust you.

Misleading UI?

In the home page there is no mention about Google¹ being informed I'm joining a certain chatroom or being able to learn who I'm talking with. Or to learn then name of our chatroom.

Even just the name of a chat room might contain sensible data.

You can pick arbitrary room names. If you don't want to leak sensible data you shouldn't put it out there to begin with, right?

With all respect, this sound a bit like victim blaming.
Many people trust you, they are connecting to your server through encrypted TLS connections and have no reason to suspect that others will learn the name of their chatroom.

Moreover most of people have no control about their User-Agent and IP which are personal data according, for example, to European GDPR. And they are leaking such data to a third party that can use them to identify them by relating such data to the one collected into a huge amount of other websites and services.

Most users are helpless about such data: they cannot really decide to "put it out there to begin with".
As you provide a secure service, it's your responsibility to inform them (and to protect them).

Users should pick something completely impresonal like a UUID v4 in that case, wouldn't you agree?

You are talking with a hacker. Sure, I agree.
And I'm actively working to teach Informatics to kids, so that the next generation of people will be able to understand who they could trust and how much.

BUT, today, how many people know what a UUID v4 is?
Google shouldn't be able to exploit their ignorance, don't you think?

block tracking in your browser

Yeah... but unfortunately most people today don't even understand how Web tracking works. When they visit a Web page they are not aware about protocols, encryption, includes and so on...

And we are talking about a secure application and they trust you to protect their privacy.

We need to know if your call failed. We need to know if ICE took too long. We'd like to know if nobody is using feature X.

All of this can be done via (opt-in) logging in your own JavaScript code.

Or how many page reloads have happened recently

Look at the web server's logs. ;-)

setup your own deployment

Sure! This is one of the reasons why I'm taking the time to compile this bug report.
Because I think Jitsi is a great software and has a great potential.

But this is not the topic here.
You are providing a service, marketing it as a secure service.... and leaking users' personal data.

An actual UI bug?

use #config.analytics.disabled=true in your URLs, for example: https://meet.jit.si/foo#config.analytics.disabled=true

This is interesting, but as far as I can see, users can't chose this option from the current UI.
I'm a web developer with 20 years of experience and I had no idea this was possible till now.

Moreover, technically speaking, using an URI fragment interpreted client side isn't safe for the user. Try it yourself:

  1. Start a new instance of Google Chrome
  2. Paste this address https://meet.jit.si/GoogleIsProfilingYouRightNow#config.analytics.disabled=true into the address bar
  3. Press enter

You will see the page will start loading but the URI fragment will disappear after a few seconds.
What will the user do if the connection hangs? Click the refresh button.
The browser will then load the page without that fragment.
So the user will leak personal data to Google anyway².

I understand

If you made it this far, ❤️ , I hope you understand.

Yeah, I really understand you and I really appreciate your work.

But the more successful you are, the more Google's surveillance will be dangerous.
They will know more about your users, more about their relationship.

To fix this is your own responsibility, as developers and as provider of a service used all around the world.


¹ or CallStats, but they are slightly less dangerous than Google these days

² AFAICS, nobody is asking consent about this, so this might even be considered a data breach of which European users should be informed, according to Article 34 of GDPR (but remember, IANAL).

@saghul
Copy link
Member

saghul commented Sep 6, 2019

Just a quick heads up. We are going to have a discussion about this. I'll get back to you.

@zicklag
Copy link

zicklag commented Sep 19, 2019

Just wanted to bring up in case it is helpful: Matomo is a good Open Source analytics platform that you can host yourself and that has support for asking for concent to collect metrics. I use it for my own sites.

@paulvi
Copy link

paulvi commented Sep 29, 2019

@Shamar Thank you for sharing

You can use Firefox, that has by default trackers blocked
(and clearly shown what trackers are on the page)

image

There is Brave browser saying they disable trackers

There are plugins for Chrome, like NoScript (disable js execution from specific sites)

@Shamar
Copy link
Author

Shamar commented Sep 30, 2019

Hi @paulvi thanks for your suggestions.
Unfortunately this not really an issue for people with a technical background, but for everybody else.

Out of curiosity @saghul, do you have any news on this issue?
I have a further question: is Google's surveillance also active when using meet.jit.si as a server from the native Android app available at https://play.google.com/store/apps/details?id=org.jitsi.meet ?

@saghul
Copy link
Member

saghul commented Oct 1, 2019

I have no updates at this moment, sorry.

Google Analytics is not used on mobile.

@MagicFab
Copy link
Contributor

Has there been any progress on this ? I can help testing Matomo. Matomo could also help understand mobile use for those using F-Droid and opting-in.

@saghul
Copy link
Member

saghul commented Dec 18, 2019

Hi there! Sorry, alas we have no news. Legal is slow 😔

@MagicFab
Copy link
Contributor

I asked about pricing for Matomo cloud service, this may help :

https://forum.matomo.org/t/is-there-a-free-offer-or-discount-for-free-software-projects/35412

@Echolon
Copy link

Echolon commented Dec 28, 2019

Can't you gather the data you need for development from https://piwik.pro/
It still collects data but is self-hosted I think

@MagicFab
Copy link
Contributor

@stale
Copy link

stale bot commented Mar 27, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix Issue won't be fixed label Mar 27, 2020
@Jip-Hop
Copy link
Contributor

Jip-Hop commented Mar 27, 2020

Adding config.analytics.disabled=true to the link like so: https://meet.jit.si/foo#config.analytics.disabled=true disables Google Analytics.

But it doesn't fully disable all third party integration. According to the config.js file that's what disableThirdPartyRequests is for. But adding it in the same way like so: https://meet.jit.si/foo#config.disableThirdPartyRequests=true doesn't disable anything. Not even Google Analytics.

Would love to hear if someone can shed some light on the proper way to disable third party integration (and tracking).

Thanks!

@stale stale bot removed the wontfix Issue won't be fixed label Mar 27, 2020
@rosa2
Copy link

rosa2 commented Mar 28, 2020

I am interested also in this because I didn't know and I am advising to use Jitsi to many people. Thanks for the software and I hope you change to Matomo.

@saghul
Copy link
Member

saghul commented Mar 28, 2020

But adding it in the same way like so: https://meet.jit.si/foo#config.disableThirdPartyRequests=true doesn't disable anything. Not even Google Analytics.

Damn, that's a bug. It must have snuck in when we refactored loading analytics handlers. Apologies.

@saghul
Copy link
Member

saghul commented Mar 28, 2020

@Jip-Hop Thanks for the report. Should be fixed by #5450

@rosa2
Copy link

rosa2 commented Mar 30, 2020

Just in case people want a list of jitsi servers that don't use Google and other trackers

https://fediverse.blog/~/DonsBlog/videochat-server?responding_to=745

@Jip-Hop
Copy link
Contributor

Jip-Hop commented Mar 31, 2020

I've posted a workaround to permanently disable the analytics etc. while still using the official hosted Jitsi instances. You will need to host at least 1 static HTML file for this to work.

@seanm
Copy link
Contributor

seanm commented Apr 1, 2020

Zoom is getting a lot of bad press recently wrt privacy, ex:
https://techcrunch.com/2020/03/31/zoom-at-your-own-risk/

It could be a coup for jitsi to remove the Google Analytics!

@rosa2
Copy link

rosa2 commented Apr 1, 2020

Zoom is getting a lot of bad press recently wrt privacy, ex:
https://techcrunch.com/2020/03/31/zoom-at-your-own-risk/

It could be a coup for jitsi to remove the Google Analytics!

Very good point. And the list that I passed is ruling a lot in internet. People we want privacy. Take advantage of that. Go for Matomo!

@Echolon
Copy link

Echolon commented Apr 1, 2020

Yeah, I really like Jitsi and its so simple to use by just clicking the links - my non-aware friends were so happy that you don't need to register. It is a big thing of Jitsi I think!

@saghul
Copy link
Member

saghul commented Apr 3, 2020

Hey all, sorry it took so long, but it finally happened: meet.jit.si no longer has Google Analytics. Thanks a lot for your feedback.

@saghul saghul closed this as completed Apr 3, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

9 participants