1. 41

  2. 15

    I don’t think this was intentionally placed by the Canadian government’s developers, but it shows how much is wrong with the current system of surveillance capitalism. Many software frameworks/libraries have pretty harmful defaults and are keen on using services by and submitting data to Google and other companies (AWS, etc.) without giving it much thought and only thinking about convenience.

    Other good examples are Google Fonts, Google Hosted Libraries, Microsoft Ajax CDN, CDNJS (Cloudflare), jQuery CDN (MaxCDN), jsDelivr (MaxCDN), Yandex CDN, Baidu CDN, Sina Public Resources and UpYun Libraries, just to name a few.

    Start hosting your own stuff so you can remove those shackles and actually demonstrate that you care about privacy.

    1. 1

      You raise a good point, but at the same time hosting any moderately successful software project is extremely costly (bandwidth alone). It’s not a coincidence that the easy examples are CDNs: most hosting providers overprice their outbound bandwidth.

      And when I say “moderately successful” I’m definitely talking more about access/popularity which doesn’t easily translate into income. Which is to say: just because a site gets a lot of views doesn’t mean it makes any money to pay for hosting.

      1. 7

        A VPS with 10TB of traffic and 20 GB of storage costs roughly 3€/month at Hetzner, and they offer very good hosting in multiple countries, if you are inclined to offer a CDN (which makes no sense most of the time, see below). Is that too expensive? I know of some downsides of VPS’s, but it fits 95% of cases, and people should stop thinking they need Google-scale-solutions for their projects.

        Most importantly: 10TB can get you a long way if you don’t overbloat your websites into megabyte-behemoths.

        People are always talking about efficiency, green energy and climate change, but they don’t seem to relate it with obvious things like not serving 1.5MB of JavaScript and 2MB of CSS for each page. Sending less data also has a much greater impact on page loading speeds than the benefit of a CDN, with exceptions of course.

        People throwing more hardware/CDNs/etc. at the website obesity problems are like those recommending headphones as a remedy for fan noise or nose-clips as a remedy for a lack of personal hygiene.

        1. 3

          Maybe developers would be less keen to using those massive frameworks if they had to pay for sending out those bytes.

          1. 1

            What massive frameworks? I don’t see any relation between using a framework like React and the size of your page. My simple react app uses 145 kB of JavaScript resources. And that’s thanks to the tools the JavaScript ecosystem provides to reduce the size of JavaScript ;)

            The frameworks aren’t the issue, Developers should be aware of the cost of the data they are sending.

      2. 7

        Thank you for your service. It’s not glamorous, but it’s really important to do this kind of audit.

        1. 5

          By the end of it, I had one of their developers showing me what they saw in mitmproxy, so I’ll call that a win, and I hope they’ll do their own audit (first) in the future: https://github.com/cds-snc/covid-alert-app/pull/1008#issuecomment-670030430

        2. 6

          I love that the app is on Github, and that the developers are open to PRs! I posted a PR to add the App Store buttons at the top of the readme, which was accepted.

          1. 5

            I’ve been hugely impressed by everyone I’ve met from the Canadian Digital Service, so I’m glad they’re also gracious in handling down-the-dependency-chain bugs like this. Found them to be very dedicated people who care a lot about the work.

            I am a little surprised that there is no OS-level service for “reachability” that react-native-netinfo could have polled instead? I guess on Android it would probably just go to Google anyway.

            1. 4

              I’m a bit uncomfortable about how this article keeps making it sound like the app does surveillance on you, when the explicit design purpose of the app and protocol is to make that not happen.

              1. 4

                I’m willing to update that. Where do you mean? The app definitely sends Bluetooth sightings to .canada.ca. It doesn’t know who you are or your actual location (though it could be correlated). Maybe that should be made more clear, though that’s not really the point of the article.

                1. 5

                  Statements like:

                  it seems to me that the benefits outweigh the “government can track me” risks


                  an app, designed for tracking people

                  seem a bit heavy-handed for an app that doesn’t know who you are or where you are or really anything except for what other app was near you (and it doesn’t know who those are or where they are either).

                  I would say, rather than “designed for tracking people” the app is almost the opposite: designed to do a job we would normally do by tracking people, but without tracking people.

                  1. 7

                    Okay; that’s fair. I’ll reword. It’s definitely designed to track your physical interactions with other people. I’ll probably go with something closer to that.

              2. 2

                I liked reading this article and makes me wonder how well-intentioned developers reliance on dependencies can shoot yourself in the foot. The other day I remember reading on a non-intentional reliance on Cloudflare’s services. While this makes developing complicated apps easier by increasing composability, it gets a little scary especially when it comes to data residency and privacy. Hopefully, more and more such entities come forth and publish their apps as open or at least engage with the community via bug bounties and the like.

                1. 3

                  I agree with you, but to be clear: I knew the app was contacting Google before I knew it was open source. I even knew what library was (probably) doing this thanks to the jailbreak on my old phone.

                  The app being open source allowed me to patch it, it being on GitHub made submitting the PR easy. Both of those things make the app better for everyone.

                2. 1

                  Nice article, but when I read the headline I thought it was totally broken, so I guess I was using my user hat and not my developer one, as it’s a proper fix. I guess that’s reading more into it because the German one had a few problems as well.