1j01 / jspaint

🎨 Classic MS Paint, REVIVED + ✨Extras
https://jspaint.app/about
MIT License
7.22k stars 562 forks

Privacy issues! #188

Closed q10123p closed 3 years ago

q10123p commented 4 years ago

Why is the app sending the user's draw history to the app developer?! Why is the app sending what I draw to the app developer?!

q10123p commented 4 years ago

1j01, instead of adding a question label, just answer it! Why is your app (jspaint.app) sending what users paint to you?!

Zekfad commented 4 years ago

As far as I remember, it uses Firebase to store your history; it's used to restore your progress and organize online collaboration sessions.

q10123p commented 4 years ago

So, this app has no privacy at all.

Zekfad commented 4 years ago

@q10123p, I just checked the default session, and it actually has no request which sends any of your drawings to the dev. When you open a new session it starts in local mode, and nothing that could somehow compromise you goes beyond your browser. It stores data in local storage:

Spoiler ![image](https://user-images.githubusercontent.com/8970959/87810891-61211980-c866-11ea-8841-b4401e06ecb6.png)

Only in a public session is there a WebSocket connection to Firebase:

Spoiler ![image](https://user-images.githubusercontent.com/8970959/87811279-148a0e00-c867-11ea-8723-2272876e56a7.png)

Also, there's a disclaimer that all multi-user sessions are public. Your issue seems unreasonable, or you got scammed by an app clone(?)

@1j01, there's only one thing I noticed: on every draw, the app re-requests the tool icon:

Spoiler ![image](https://user-images.githubusercontent.com/8970959/87811584-8f532900-c867-11ea-9798-64083238c5d2.png)

I guess I'll open a new issue about that, if there are none yet?

1j01 commented 4 years ago

https://jspaint.app doesn't send any information to a server (or "to the app developer") by default.

There are a few features which do talk to a server:

- If the URL starts with https://jspaint.app/#local:, it's a local session, private to you. You can view all local sessions with File > Manage Storage.
- If the URL starts with https://jspaint.app/#session:, it's a multi-user session. Multi-user sessions are currently entirely public. (That is, there's no support for private online collaborative sessions yet.)
- If the URL doesn't start with https://jspaint.app/, it's an unofficial instance, and may have invasive advertisements and trackers.

If you got linked to the app via a multi-user session URL, this may be confusing, and I'm sure I could do something better to handle that case, like explaining in the disclaimer dialog how to switch to a private local session.
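
The URL rules listed in the comment above, written as a check that can be run on a shared link before opening it. This is an added example, not part of the thread or the jspaint code base; the function name, return labels and sample URLs are assumptions made for illustration. It compares the parsed origin and fragment instead of a raw string prefix, and checks the fragment regardless of path or query, which is stricter than the literal prefix rule.

```javascript
// Added example (not jspaint code): classify a JS Paint link by the rules in
// the comment above. Function name and return labels are hypothetical.
const OFFICIAL_ORIGIN = "https://jspaint.app";

function classifyJsPaintUrl(input) {
  let url;
  try {
    url = new URL(input); // WHATWG parser: lowercases scheme/host, drops default port
  } catch {
    return "invalid";
  }
  // Compare the parsed origin so lookalike hosts (jspaint.app.paint.example)
  // and userinfo tricks (jspaint.app@paint.example) are not treated as official.
  // Plain http:// also fails here, matching the "starts with https://" rule.
  if (url.origin !== OFFICIAL_ORIGIN) return "unofficial-instance";

  const fragment = url.hash.slice(1); // strip the leading "#"
  // Check the public case first: a multi-user session is visible to anyone.
  if (fragment.startsWith("session:")) return "multi-user-public";
  if (fragment.startsWith("local:")) return "local-private";
  // No session fragment: per the thread, a new session starts in local mode.
  return "official-default";
}

// Constructed sample links (session names and the .example hosts are made up).
const samples = [
  "https://jspaint.app/#local:abc123",
  "https://jspaint.app/#session:team-sketch",
  "HTTPS://JSPAINT.APP:443/#session:team-sketch",
  "https://jspaint.app/",
  "http://jspaint.app/#local:abc123",
  "https://jspaint.app.paint.example/#local:abc123",
  "https://jspaint.app@paint.example/#local:abc123",
  "not a url",
];

for (const s of samples) {
  console.log(classifyJsPaintUrl(s).padEnd(20), s);
}
```
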

1j01 commented 4 years ago

> I guess I'll open a new issue about that, if there are none yet?

@Zekfad Please do. These icon requests are for the Document History view (Extras > History), but it shouldn't be making requests on every brush stroke!

q10123p commented 4 years ago

Thank you all.

1j01 commented 3 years ago

Closing in favor of: