Purism Explains Why There Are Trackers In Librem One Chat

Lmao, so they first have the guts of selling free open source apps without crediting their source, and they also accidentally included trackers.


Matomo, Google’s Firebase Analytics and Amplitude, the latter of which is an ad tracking platform best known for its affiliation with Microsoft, Twitter and other companies.

I had been watching them for the past 6 months, trying to build trust and faith; this knocks them back down much closer to the level of all the “other players” :confused:
sigh.

Rankin reiterates that the company upstreamed the Librem One Chat app from the Riot Android app, and discovered those same trackers a few days ago.

This also pisses me off, and I cannot imagine it is any different with Riot desktop or riot.im run in a browser? The matrixhq/newvector team is scaring me. Please @The Grid-Sunrise project stay strong and move us forward!


To be fair to Riot Android, I asked instead of stressing out over it further:
https://matrix.to/#/!GnEEPYXUhoaHbkFBNX:matrix.org/$155734131622590aOGNJ:privacytools.io?via=matrix.org&via=chat.weho.st&via=tchncs.de

AIUI, 2 of 3 trackers were accidentally included (Google Firebase Analytics and Amplitude), and this appears confirmed through Exodus:
https://reports.exodus-privacy.eu.org/en/reports/72513/

vs. Purism’s version, still tainted?
https://reports.exodus-privacy.eu.org/en/reports/73458/

But still… (and the conversation continues in #riot-android:matrix.org)

F-Droid version according to ClassyShark/Exodus:

Matomo (Piwik)
59 org.piwik

1 tracker
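The listing above is what a signature-based scanner such as Exodus or ClassyShark produces: it reads the class names out of the APK’s classes.dex and matches them against a table of known tracker package prefixes. The Python below is an added example, not code from this thread, from Exodus, from ClassyShark or from Purism. It parses the dex string table (the only part of the file it needs), turns type descriptors into dotted class names, and counts hits per tracker. The prefix table, the `build_fake_dex()` helper that fabricates a minimal dex for the demo, and the sample string list are all assumptions constructed for the example, not taken from any real Riot or Librem One build.

```python
import struct
import zipfile
from collections import Counter

# Signature table in the style Exodus / ClassyShark use: tracker name -> class-name
# prefixes. These prefixes are assumptions for the example, not the Exodus database.
TRACKER_SIGNATURES = {
    "Matomo (Piwik)": ["org.piwik.", "org.matomo."],
    "Google Firebase Analytics": ["com.google.firebase.analytics.",
                                  "com.google.android.gms.measurement."],
    "Amplitude": ["com.amplitude."],
}

def uleb128_encode(n):
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def uleb128_decode(data, off):
    result = shift = 0
    while True:
        byte, off = data[off], off + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, off
        shift += 7

def dex_strings(dex):
    """Read the classes.dex string table: string_ids_size/string_ids_off sit at header
    offsets 0x38/0x3C; each entry points at uleb128 length + NUL-terminated MUTF-8."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    count, ids_off = struct.unpack_from("<II", dex, 0x38)
    strings = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_units, start = uleb128_decode(dex, data_off)
        strings.append(dex[start:dex.index(b"\x00", start)].decode("utf-8", "replace"))
    return strings

def class_names(strings):
    """Turn type descriptors such as 'Lorg/piwik/sdk/Tracker;' into dotted class names."""
    return [s[1:-1].replace("/", ".") for s in strings
            if s.startswith("L") and s.endswith(";") and "/" in s]

def find_trackers(classes, signatures=TRACKER_SIGNATURES):
    """Count classes under each tracker's prefixes; trackers with no hits are omitted."""
    hits = Counter()
    for cls in classes:
        for tracker, prefixes in signatures.items():
            if any(cls.startswith(p) for p in prefixes):
                hits[tracker] += 1
    return dict(hits)

def scan_apk(path):
    """Scan every classes*.dex inside an APK (an APK is an ordinary zip file)."""
    classes = []
    with zipfile.ZipFile(path) as apk:
        for name in apk.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                classes += class_names(dex_strings(apk.read(name)))
    return find_trackers(classes)

def build_fake_dex(strings):
    """Constructed stand-in for a real classes.dex: a 0x70-byte header with only the
    magic and string_ids fields filled in, then the string table. Only good for dex_strings()."""
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    ids_off, ids, data = 0x70, bytearray(), bytearray()
    data_base = ids_off + 4 * len(strings)
    for s in strings:
        ids += struct.pack("<I", data_base + len(data))
        data += uleb128_encode(len(s)) + s.encode("utf-8") + b"\x00"
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    return bytes(header + ids + data)

# Constructed sample string table imitating an app that still bundles the Matomo
# and Amplitude SDKs (not taken from any real build).
SAMPLE_STRINGS = [
    "Lim/vector/app/MainActivity;",
    "onCreate",
    "Lorg/piwik/sdk/Tracker;",
    "Lorg/piwik/sdk/extra/TrackHelper;",
    "Lcom/amplitude/api/AmplitudeClient;",
]

def demo():
    return find_trackers(class_names(dex_strings(build_fake_dex(SAMPLE_STRINGS))))

if __name__ == "__main__":
    for tracker, n in demo().items():
        print(f"{tracker}: {n} classes")
```

Run it against a real APK with `scan_apk("app.apk")`. Note the limits of the method, which apply to Exodus and ClassyShark as well: it only sees class names, so a tracker that is obfuscated or vendored under a renamed package is missed, and a hit only shows the SDK is present, not whether it is ever initialised or whether its reporting has been disabled in the build.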

Yeah, seems bizarre that Riot would include these trackers by default.

According to ClassyShark/Exodus, there are no trackers in Librem One Chat.


@crossroads Could I trouble you to run the same test on the riot client? I’m really curious.

I have Riot installed from F-Droid, so it’s the same as @craigevil mentioned

Hopefully these are just growing pains.

The Librem One is a bit too pricey for me right now, but I would love a properly supported phone where you don’t have to fight every step of the way.

Sorry, I thought he was referencing Purism chat.

I was asked for a quote on this article and they didn’t use it. I was mad because I was certainly not nice to Purism for this and they wrote a puff piece instead.


They removed the trackers when they were contacted about this article. They had 3 originally, and then disabled them.

@blacklight447

have the guts of selling free open source apps

This isn’t technically true. What they are selling is the hosted service their branded forks of those apps are pre-configured to connect to. The apps themselves can be downloaded gratis.

without crediting their source

I agree the lack of attribution and links to source code is a problem. But it’s not like they went to great lengths to disguise the sources of the code. For now, I’m willing to believe it was an oversight, motivated by their strategic goals of keeping their communications simple enough for non-geeks to understand.

@shilu

seems bizarre that Riot would include these trackers by default.

Why? New Vector are VC-funded, that’s the sort of thing that happens when you’re trying to keep your company going and generate a 10x return for VCs. I think it would be more bizarre if Purism, who are totally customer-funded through crowdfunding and device sales, knowingly included trackers.

@danarel

They removed the trackers when they were contacted about this article.

They said that’s because they didn’t know about them until then, because they trusted the upstream Riot code. If you can get hold of a copy of the gOgle Prey Store version of the Riot app from the point Purism forked their code, or of the Riot code on that date, and prove that the trackers weren’t in Riot, then you’ve got a case that Purism are lying. Otherwise, as indicated above, I see no obvious reason not to take them at their word.

That they did not look sufficiently at the code to know what was in it before releasing it with their name on it seems equally disconcerting.

@wafiech

That they did not look sufficiently at the code to know what was in it before releasing it with their name on it seems equally disconcerting.

They knew they were there and attempted to remove them, but weren’t completely successful. See:

New versions released since are completely tracker free, according to an update added to the article linked in the OP.

But even if they hadn’t thoroughly audited the code, that’s not strictly necessary. Do you think every GNU/Linux distribution checks every line of the Linux kernel before releasing it with their name on it? Some of them do (eg the ones that use the deblobbed Linux-libre fork of the kernel), but mostly the Linux kernel team are trusted to know what they’re doing. We generally give established open source communities that same benefit of the doubt. As @shilu put it:

seems bizarre that Riot would include these trackers by default.

I was going to say more but realized I was lecturing, so I’ve posted an extended version of this comment on the Disintermedia blog for anyone who’s interested.

The difference is that Debian or the kernel team are not explicitly selling a privacy service. Were they to do so and blindly import code simply because it’s open source and because they wanted to turn on the flows of money, they would lose that trust. And if Purism have been paying attention, there have been trackers in Riot for a long time. There’s even a fork on F-droid that removes 2 out of 3 of them.

^^ This!

The onus is on the service provider to ensure that what they offer to their subscribers is fully compliant with their (Purism’s) policies, and no matter the excuse (or reason, if you prefer to say), Purism is responsible for the debacle, someone else’s developed app that they re-branded or not.

To shift blame upstream is classic BS/CYA instead of simply admitting sloppy practice and privacy failure. And because of the ‘unique’ market position they are in (privacy-focused smartphone), I’m led to believe they knew about it, and if unchecked it would have been a profit stream down the road, if not already.

About the rebrand and license issue: while it may prove easy to forgive newbie mistakes like that, they are not newbies… they are professionals, and this is a signpost of how they appear to be sloppily putting together a ‘total phone privacy package’ without taking the “great care” required to provide such a thing in this modern, privacy-invasive, trackers-everywhere age.

Simply put, if they want to be successful in this venture then they must put in the extra effort to ensure their promises and assurances are genuine and not based on assumptions, good faith or otherwise, especially for code merged from other developers. Only this, imo, will build “trust” as best as can be had in such relationships.

This is to say, audit the code, and yes, consider this strictly necessary.

The fact that they have set unrealistic deadlines for themselves to get it all together is no one’s fault but their own, and the over-reach is hurting them! Librem One (the service) rolled out quickly (on shaky ground) and the Librem 5 (the phone) initially promised shipment gets delayed (at least one quarter so far, and I’ll bet it is more likely to see a last-quarter ship, in time for New Year’s Eve or later :frowning:)

(this is not good business for even a small no profit developer, and definitely inexcusable for a professional for profit company)

By all means, make valid criticisms of Purism and their practices. I wouldn’t support Stallman and the FSF if I didn’t believe in the value of detailed criticism. But let’s not make the perfect the enemy of the good. Can anyone gleefully knocking Purism here (and projecting all sorts of sinister motives on what could be honest mistakes) recommend a more user-respecting mobile device than the Librem5, or a more privacy-respecting set of services than LibremOne, available to a user now, without said user having to strap it all together from a bunch of DIY bits spread across the net?

PinePhone as an alternative to the Librem 5, which is probably the closest thing you will get to GNU+Linux on mobile.
And for Librem One, the only real service for which you couldn’t find a real contender for free would be their VPN tunnel, and even for that you can find a bunch of other services available anyway.