About the "spyware watchdog" article on Pale Moon

[Moonchild]

Since people seem to give the authors/maintainer of the "spyware watchdog" a lot of credit, I'm writing this post to indicate the article about Pale Moon is wrong on many accounts, and despite indicating this to the maintainer they refuse to correct the article (in fact they don't even grace me with a response) and keep spreading misinformation about Pale Moon and calling it "spyware" while it is not.

To set the record straight once and for all and to prevent further unnecessary arguments with people who are convinced that I, as project lead, would not know about my own products, this post. Do with it what you will.

Let's go through the claims on that page, shall we?

Connects to a MASSIVE amount of trackers, and these requests can only be avoided on subsequent runs. Has geolocation, search suggestions, and auto-updates. Sends SSL certificates from the sites you visit. Together made 169 unsolicited requests upon my first run of it, but again, most of them can be avoided on subsequent runs.

First run

If this is your first run of Pale Moon, it will automatically connect to its first run webpage (http://palemoon.org/firstrun.html), which in turn will make a bunch of requests for location-aware Google Ads.

Pale Moon's start page

By default, Pale Moon's start page is set to https://palemoon.start.me, and it will automatically make a connection to it upon its first run. That page will then (again) make a bunch of requests for various trackers

This claim is based on a single thing that is not even the browser's fault, and has already been discussed with the responsible people and mitigated.
The claim that it "connects to a massive amount of trackers" is the fact that, for a short while, the start portal run by start.me was using a "real-time bidding" system for the single display ad on the start page (there to offset the costs of running the portal) which would connect to many different ad networks (which also does not equal trackers, by the way - most connections involved in such systems don't track anything; in fact they have to be minimal in content and executed fast or the bidding will be so not "real-time" that an ad is never served, which makes no money at all). I've already indicated this was undesirable to the people at start.me and they have replaced the RTB system with a much simpler and less intrusive dynamic-loading ad.

Now the real question is: does the browser doing what it is supposed to do (load a web page) make it spyware? Absolutely not. To suggest as much is displaying a rather critical lack of understanding of web software. it would be a different story if the browser code itself would be contacting all sorts of data collecting servers, but it is not -- so what is the big deal? Apparently, according to the author, we are not allowed to have any ads on either the default start page or the default landing page for new installations. So it then becomes... namecalling because we are still short on patrons to remove those ads or because this is actually more than a hobby to do as an aside to a paying job? Calling it "spyware" certainly won't get us more patrons, so in the end the article is actively harming our project. Thanks, dude. Really appreciate your support for FOSS.

The reality is that developing and hosting software costs money. If the software is free to use, then it has to be paid from somewhere. Now, this can either be hidden like the "big players" do, collecting big data in the application itself and selling that, in the open like we do by having a display ad on the website/portal, be funded by donations that have consequences (and with that I mean e.g. the practice of big corporations "buying influence" in Open Source with large donations), or be funded completely by donations or other voluntary contributions without attached consequences. We are working on the latter option, but until we have enough donations we will have to pay for some things with ads because that is simply how a "free software economy" works.

Blocking privacy-enhancing addons

Pale Moon blocks privacy enhancing addons like noscript, citing this rationale for blocking such an imporant addon: "NoScript is known to cause severe issues with a large (and growing) number of websites. Unless finely tuned for every website visited, NoScript will cause display issues and functional issues. "[1] So, it looks like Pale Moon's developers are actively working against the intrests of its privacy-concerned users, and would rather allow websites to execute malicious ECMAScript programs on unsuspecting user's machines, than to be blamed for a broken website. To disable this blocklist, set extensions.blocklist.enabled to false in about:config.

First off, we do not hard-block NoScript (and this has been discussed at length on the forum already), we do not prevent other blocking extensions either, and we are certainly not "actively working against the interests of our privacy-concerned users" just because we are soft-blocking a known-problematic extension that will cause issues even including browser crashes. So this is yet another claim that is false, where the author is taking an exception and presenting it as the rule just to try and press the point and support the extremely negative bias in the article.

Auto-updates

Pale Moon will automatically update itself, addons and search engines, as well as its blocklist.xml file with the addons it considers "malicious". Some of these can be turned off from the GUI, and some only from about:config.

So, automatically updating lists of malicious extensions (no quotes around malicious) and other extensions and plugins with known stability and/or security issues, pro-actively keeping users protected also between browser releases, is making the browser "spyware"?

Search Suggestions

The default search engine is the privacy-respecting DuckDuckGo, however search suggestions are enabled by default, which could send a request for every letter you've typed, all while you think it stays in-browser until you press Enter. Can be turned off by right-clicking the search bar.

Search suggestions from a privacy-respecting search engine are considered bad. Please explain this one to me. If you agree with the search engine selection for being privacy-respecting, why would you strike down against search suggestions from that very same engine? You either trust the provider or you don't - that's not context-dependent.

Geolocation

Pale Moon connects to Mozilla's geolocation services.

... completely false. It does not. It uses ip-api.com and has so for many years, with a simple get request containing only public information (your public IP address as part of the standard HTTP packet) and only requesting the minimum response needed for geolocation. On top, websites can never request this without explicit user consent.

OCSP querying

Will automatically check every site's SSL certificate to see if it is valid, which necessitates sending it to a third party. Can be turned off from the GUI.

Once again false! Checking the validity in most cases does not necessitate sending anything to a third party.
OCSP querying is almost always done by checking a stapled OCSP response, which does not contact OCSP servers directly and therefore does not send anything to a third party. Even if it does, what is sent to an OCSP server is only public certificate data to check if a certificate has been revoked or not. This is a normal, essential part of checking the authentication and security of connections to secure servers.

So, all in all there are a lot of things in the article that are plainly wrong, and other parts of the article are taking a very, very biased and peculiar stance towards what is just normal practice.

P.S.: Want the ads to go away? Become a patron! If we reach the necessary monthly goal, they will be removed.

[Kerebron]

So, all in all there are a lot of things in the article that are plainly wrong, and other parts of the article are taking a very, very biased and peculiar stance towards what is just normal practice.

Weird and annoying. But, looking at their site, they are still living in the '90s.

Want the ads to go away? Become a patron! If we reach the necessary monthly goal, they will be removed.

I'm getting 404 here.

[Moonchild]

I'm getting 404 here.

WTF?

great. Breaking signup links without telling me, thanks patreon

[Moonchild]

the widget link is still given even though it 404s. I guess I'll just link to my Patreon page instead


https://www.patreon.com/MoonchildProductions

[Tomaso]

I couldn't help but notice that Ungoogled-Chromium gets the "Not Spyware" label @ spyware.neocities.org, with the following statement:

It was tested with MITMproxy and makes no unsolicited requests, and is therefore not spyware.

Well, I recently downloaded and tried the Ungoogled build from chromium.woolyss.com..
No matter how I configured it, I couldn't prevent it from making connection attempts to both CloudFlare and MCAST, on every single occasion, when launching it!

In comparison, when I've configured Pale Moon to my liking, it doesn't connect to anything at startup!

[vannilla]

Even though I knew about this article, I didn't really bother with it.
Though after your post, I became a little curious and went to check the guide to make Pale Moon not a spyware (https://spyware.neocities.org/guides/palemoon.html)
Basically, it's about not using start.me as home page, which isn't a browser-specific thing. If GNU Emacs were to use start.me as home page too, would that make GNU Emacs spyware? (yes, it does have a webkit-based browser inside)
The other reccomendations are in a table, but...
It suggests to disable the add-on blocklist, which makes no sense since it's there to avoid malicious extensions (some of which are real spyware) from being installed.
Then it suggests to disable OCSP. Except that OCSP is useful in checking the validity of a certificate, meaning that it can protect you from malicious entities that might spy on you for real. The reason it's considered "spyware" seems to be the fact that to check for validation you have to tell the server which site you want to check the certificate for. But then shouldn't we also stop using DNS? Doesn't that also sends informations about which site you want to visit? Or am I missing something?
And then there's the geolocation but I don't have anything to say here.

[Moonchild]

If GNU Emacs were to use start.me as home page too, would that make GNU Emacs spyware

Yes, it would according to their criteria.

But then shouldn't we also stop using DNS? Doesn't that also sends informations about which site you want to visit?

Absolutely. A DNS server will get a record of every website and host you look up.

[gepus]

The methodology is unfortunately questionable at best and stupid at worst, leading to flawed conclusions.
The same service can be considered useful by an user and intrusive or even spyware by another user.
Therefore one must configure the browser first at his like before connecting to the Internet and doing a test.
Another crass flaw of the testing methodology:
Some browsers let you turn off privacy hostile settings in the internal prefs at least whereas other browsers leave you without any chance.
This wasn't taken into consideration by the author of the tests whom I wouldn't even qualify as an advanced user.
As an example - no Chromium fork (including one of their Top Tier = Ungoogled Chromium, IceCat is o.k) offers the option to disable hyperlink auditing.
Not to mention that a client without its own network settings (apparently yet another invention of Google) is a bad joke...

[RavAshi]

This should be stickied.

[John connor]

Is https://neocities.org/ like Geocities from the early 90's? FFS, you'd think they at least buy a domain from some company like Namecheap and host a web page with WordPress at least. You just can't get anymore lame than that. And I didn't know anyone used their site for real "malware/spyware" information. I never even heard of the site till now. Prior to this it was pretty much mostly AV Comparatives. And I'm pretty damn sure everyone and their mom has been to AV Comparatives.

Anyway, cheap ass site, really has no bearing especially given the fact they won't let you, the developer set the record straight.

As to the home page. People use that?! I just use a blank page and have been doing that since Firefox. I ran a network sniffer like Wireshark and never saw anything emanate from my idle browser. All I see are router and Windows communications. Granted while I surf perhaps there's other traffic, but I have add-ons to help with the privacy realm of things. I used to use NoScript and swore by it. It really was a gate before your anti-virus. But now a days with web pages being so script heavy it has become a real PITA so I got rid of it and opted for Sandboxie for the whole browser. Better than nothing, and then I have the PM version of uBlock Origin so that helps with malware domains and malware-laced Ads.

Question: Why isn't http://ip-api.com/ using HTTPS?

This should be stickied.

I agree and it was the first thing I thought of. Right under "rumor control."

[Moonchild]

Split off the ip-api discussion to its own thread. I'll sticky this but please make sure to remain on-topic about the article.

[spyware_watchdog]

Hi everyone, I am the person who maintains the website https://spyware.neocities.org/. I thought I could make a post explaining the situation with the article.

I didn't reply to moonchild because in his email he told me that "a reply is not necessary", which gave me the impression, that he didn't want me to respond to him. I wrote a guide on how to set up the browser so it doesn't have the issues discussed in the article, and I decided to keep the article as it was because ultimately nothing had changed about the homepage, software, etc. It was run through MITMproxy which showed that it was making those connections, but now that the situation with the homepage has changed, there was a good reason to take another look at it, so I did re-write the article, to reflect the changes. Also the section about noscript, it was unfair, so that's changed as well, so it doesn't sound so negative. The inaccuracies are only things that changed about the homepage.

Any internet request, that isn't approved and known by the user, is a form of spyware, because it can reveal information about them without them knowing. This includes any kind of auto-update feature that is turned on without explaining itself to the user, or any other feature that sends internet requests without explaining the situation to the user. Consider showing people something like the file attached... although I think that UI is misleading because the boxes are checked by default.

[Moonchild]

Any internet request, that isn't approved and known by the user, is a form of spyware, because it can reveal information about them without them knowing. This includes any kind of auto-update feature that is turned on without explaining itself to the user, or any other feature that sends internet requests without explaining the situation to the user.

This is total bullshit. By that reasoning, any web browser is spyware because no browser will provide an explanation of every request or type of request that is being sent out as part of normal use and operation.
In addition, the Pale moon website has clear pages explaining the privacy considerations involved. But even aside from that, potential disclosure of information when accessing public Internet spaces through a client does not, in any way, equal the software being spyware.

Spyware is very clearly defined as software that is designed to explicitly collect and transmit private data to its author(s) with malicious intent. Accidental or procedural disclosure through normal use and normal practice does NOT make something spyware.

[New Tobin Paradigm]

By running client software who's primary if not sole purpose is to connect to the internet you are obviously consenting to connecting to the internet with all the legitimate and reasonable purposes therein. If you have questions then refer to relevant documentation or seek out the developer of the software and in this case, audit the open source code.

OR you can always create a defaming website from the 90s and spread fear and lies to other people while pretending you know what you are talking about. Up to you

[spyware_watchdog]

This is total bullshit. By that reasoning, any web browser is spyware because no browser will provide an explanation of every request or type of request that is being sent out as part of normal use and operation.

Spyware that a user can download, is different from spyware that is directly built into the browser- in that case it couldn't be blamed on the developer of the browser. It's still spyware, but it's someone elses fault. It's the same reason that being able to download some kind of spyware program for Linux wouldn't make Linux itself spyware.

In addition, the Pale moon website has clear pages explaining the privacy considerations involved. But even aside from that, potential disclosure of information when accessing public Internet spaces through a client does not, in any way, equal the software being spyware.

This is the bare minimum. It's not placed in a prominent place on the site and if I want to install PM I don't see a single mention of it in the install process. Even Internet Explorer does this. At least, you should link it, better, make people read it, and ideally, let people turn off those features in the installer. VLC does this. It's just six features, so that's only six more checkboxes on your installer.

Spyware is very clearly defined as software that is designed to explicitly collect and transmit private data to its author(s) with malicious intent. Accidental or procedural disclosure through normal use and normal practice does NOT make something spyware.

When normal use involves disclosing user information to the author, it is spyware. Just because other software engages in bad practices too, isn't an excuse.

[Isengrim]

When normal use involves disclosing user information to the author, it is spyware. Just because other software engages in bad practices too, isn't an excuse.

No, your definition is not correct. Spyware is intentionally malicious. Browsers sending user agent information to servers (as an example) isn't inherently malicious. UA information can be used maliciously by webmasters to deny access or track users. It can also be used beneficially to tailor a page to a user's browser and its feature set, to make sure that as many user agents as possible are properly supported. This has been a standard browser feature going back to Mosaic.

By your definition, the internet and all underlying networking architecture is spyware because it requires the transmission of certain information that could potentially be used to track users, but is also required for networks to function. Maybe you could argue that case, and maybe people will agree that it sucks, but I don't think many people would agree with it as being spyware.

[mintoyatsu]

I recommend a firewall if you are concerned about applications making connections on startup.

[spyware_watchdog]

No, your definition is not correct. Spyware is intentionally malicious. Browsers sending user agent information to servers (as an example) isn't inherently malicious. UA information can be used maliciously by webmasters to deny access or track users. It can also be used beneficially to tailor a page to a user's browser and its feature set, to make sure that as many user agents as possible are properly supported. This has been a standard browser feature going back to Mosaic.

Spyware isn't spyware because of the intents of the developer. It's spyware because of the actions of the developer. Maybe some developers feel like what they do doesn't infringe on the privacy of their users, but that doesn't change the facts about what is happening.

[New Tobin Paradigm]

You my friend, simply put, are fake news.

[athenian200]

I think it's really a shame that you had to give up your ad revenue on the start page in order to get these people to not list your browser as spyware. I really don't see how Chrome, or Firefox, or any other browser wouldn't be considered spyware by the definition he's giving. Those browsers do things that are a lot less privacy and security friendly. Then again, I've seen people use warped definitions of "security" such that they say it's not safe to avoid relying on Google's services to protect you online by sending them all your info.

Anyway, while the ultimate goal of the software should be to be funded by patrons, I feel like it's better to take advantage of the ad revenue for as long as you can do so without the advertisers demanding to have some influence over your product. That is to say, I don't think there's any shame in taking all the money you can get early on and investing it into the browser, so that when the time comes that the advertisers want a say in the browser's direction, you have a bigger reputation and a bit of a financial cushion to fall back on.

Having to give up more of that revenue now means less money to develop and promote the browser, which means fewer opportunities for new users who could become new patrons. This article may well prove to have inflicted serious damage on Pale Moon's long-term future prospects given what you were forced to do as a form of damage control.