Bug 391865 - Akregator allows feeds to gather data on article reading habits
Summary: Akregator allows feeds to gather data on article reading habits
Status: REPORTED
Alias: None
Product: akregator
Classification: Applications
Component: general (show other bugs)
Version: 5.5.3
Platform: Ubuntu Linux
: NOR normal with 20 votes (vote)
Target Milestone: ---
Assignee: Laurent Montel
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-03-14 20:50 UTC by Jaak Ristioja
Modified: 2021-04-09 22:19 UTC (History)
3 users (show)

See Also:
Latest Commit:
Version Fixed In:


Attachments
Screenshot of (an unbranded version of) Mozilla Thunderbird handling a similar situation. (9.87 KB, image/png)
2018-03-14 20:50 UTC, Jaak Ristioja
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jaak Ristioja 2018-03-14 20:50:34 UTC
Created attachment 111403 [details]
Screenshot of (an unbranded version of) Mozilla Thunderbird handling a similar situation.

I'm filing a new bug as instructed in https://bugs.kde.org/show_bug.cgi?id=229989#c2 and https://bugs.kde.org/show_bug.cgi?id=229989#c3 since this still occurs in recent versions of Akregator.

When opening an article, Akregator automatically downloads all requisites found in the <description> (e.g. if images etc are specified in HTML; perhaps even flash or AJAX?). Generally this generates extra HTTP(S) requests to remote server(s), leaking information about the users activities, i.e. which articles they browse, and possibly info about how long they read an article before switching to another article, etc.

The man in the middle, even when the user is using HTTPS, has quite good chances to figure out the exact articles being read (given he can determine the endpoint of the HTTPS connection), which are probabilistically among those new articles which the user has not previously read.

Hopefully it will be configurable per-feed, whether such requisites are downloaded or not, and with an action somewhere to force download of requisites of the article currently open.

Please fix these privacy leaks!

Mozilla Thunderbird, for example, handles such e-mails with remote content much better, by prompting the user about whether to download remote content or not (see attached screenshot). This is also what Akregator could do on a per-feed basis. An "always show remote content" checkbox could also be added to the feed properties dialog.
Comment 1 Justin Zobel 2021-03-17 01:32:08 UTC
I believe this is a privacy issue on the end where you're getting your articles, not on the application used to fetch them. Disabling AJAX, Flash and any other content would likely impact the user experience quite dramatically.

If you have concerns about extra connections being made when reading the articles I suggest discussing it with the content creators.
Comment 2 David Faure 2021-04-09 22:19:38 UTC
Thanks for the report. I talked to Laurent and he said he's now working on this. Not a trivial fix, refactorings needed to share code with KMail, this will take some time.