Closed Crystal-RainSlide closed 4 years ago
We've discussed this matter in some detail on another project and the conclusion was it remains blocked @funilrys
Hi @Crystal-RainSlide and thanks for pointing out.
But because of some experiment in data collecting between Cliqz and Firefox, this is not going to be removed/whitelisted.
Thanks for your comprehension.
thanks 4 informing this~
> But because of some experiment in data collecting between Cliqz and Firefox, this is not going to be removed/whitelisted.
AFAIU this experiment is long over. Reconsider?
A 2 cent
As @funilrys referenced:
For documentation: https://www.ghacks.net/2017/10/06/mozilla-to-launch-firefox-cliqz-experiment-with-data-collecting/
That FF and Cliqz can even consider doing this leads to mistrust, which should lead to denial of the possibility of ever being whitelisted; but doing so also leads to a lack of browser updates, and that means a more insecure internet :unamused:
Lately I can announce how bad FF has been at securing your data traffic here: they are letting ISPs intercept httpS traffic
A short dig for confirming
Hi,
My name is Konark and I work with Cliqz.
We would like to understand what are the exact concerns w.r.t privacy, so that we can address them.
From the discussion so far, it seems that cliqz.com is labelled as guilty based on a press release of a communications department, rather than a proper investigation by checking the documentation, source code or the actual data being sent. Besides the misinterpretation of the press release that seems to have got us on this list, did the list maintainers actually consider that Cliqz went through a strict auditing process of privacy and security? From our experience, Mozilla does not partner without due diligence.
Just to reiterate: We collect data but we never send private data points or data points that can enable us to link messages coming from the same user. We have talked about this extensively in the past and also in the recent advent series where we talk about Tech @ Cliqz.
We run both internal and external audits on the practice and the data being collected every year. We are very happy to address constructive feedback and concerns, especially on the technical front.
If there are any issues / bugs on the way data is being collected we encourage responsible disclosures to Cliqz and we are more than happy to fix them.
We are the first interested in not collecting any private data. If we had that intention, we would just be a collect-all-you-can service. It seems that being honest, responsible and transparent is actually detrimental, sad. A lot of work to protect the privacy of the users, to be accused [falsely] of violating it, double sad.
References:
Why we collect data: https://www.0x65.dev/blog/2019-12-02/is-data-collection-evil.html https://www.0x65.dev/blog/2019-12-06/building-a-search-engine-from-scratch.html
Data collected with samples:
At the time of press release: https://gist.github.com/solso/423a1104a9e3c1e3b8d7c9ca14e885e5
Recent version: https://www.0x65.dev/blog/2019-12-03/human-web-collecting-data-in-a-socially-responsible-manner.html
Network level anonymity: https://www.0x65.dev/blog/2019-12-04/human-web-proxy-network-hpn.html
GitHub: Cliqz features, shared across products including Cliqz browsers for Windows, Mac, Android and iOS - cliqz-oss/browser-core
As a personal opinion (not representing this repo or any other), solely in reply to @konark-cliqz's comments.
> We collect data
That is and will lead to abuse, it is privacy violating. Browsing is a business between the one who browses and the destination only.
All kinds of interception, data collection, fingerprinting etc. are a complete violation of the trust a user should be given by the httpS protocol.
Any kind of data sharing, like cliqz fingerprinting, is a clear violation of this trust.
Disregarding what you claim to do to NOT disclose any data, you are collecting fingerprinting data and you analyze it. You can very, very easily turn this into personally identifying data.
Collecting data against a user's consent and opt-in, your software is spyware and not to be trusted.
In appendix to this:
Your webfront is clearly misleading marketing, as it does not clearly tell that you do collect fingerprinting data that can, and later will, be used for personally identifying usage. You are selling your software as safe: "No more data theft!", "Personal data protection", "Privacy by Design"
The data collecting is clearly the opposite of this.
I like your thoughts about building this concept, but you ruin it yourself, as your actions and doings are walking in each direction.
About the rest of your comments: Google, Microsoft etc talk.... pure empty buzz words, are you in the marketing department? just curious.
Those are my personal thoughts,
Out of curiosity, @spirillen, have you read the articles posted above in @konark-cliqz's answer? For me it looks like no, because they have answers to your comment regarding data collection. Taking 3 words out of context is not a correct argument IMO
> Lately I can announce how bad FF have been in securing your data traffic here, they letting ISP's intercepting httpS traffic
Either you are linking to the wrong thing or you are blatantly misunderstanding how DNS works. This issue is not about Firefox. If you want to get your DNS responses from your ISP, there's nothing Firefox can do for you. The ISP has to abide local law - if you disagree with the law you need to go to a court. If you want to get DNS responses from some place else than your ISP, you need to change your configuration. But you'll have to bear the legal risk.
In this (!) case DNS happens elsewhere, not within Firefox.
Hi @alexandra-trisch :smiley: Yes, I have read his full reply. The very reason I explicitly chose the three words is because they are, in my personal optic, the keywords between trust and distrust.
I was actually on the run to update my reply by the following:
As those who read my arguments and comments would know, I advocate strongly for democracy and the right of users to decide for themselves what information they would like to give away. I do not see the reason for any difference between the right to freedom in real life and on the internet. True democracy is based on what information a citizen chooses to share; this also applies in courts, you have the right to be quiet. Surveillance of a citizen can only happen if a court finds it beyond doubt that a given citizen is doing something criminal or intends to do so in the very near future, and can only be done by law enforcement. Such a court order shall be based on solid proof.
After the above point of view
> These include independent search engine, browser and privacy technologies as well as new techniques for responsible advertising and statistical data collection for the benefit of all users.
source: https://cliqz.com/en/about
When has it ever been in a user's best interest to have their interactions monitored and collected?
How well did this go in 1933 to 1945 in Germany and 1945 to ~1988/9 in the European Eastern Bloc like DDR (East Germany), Czechoslovakia (now the Czech Republic and Slovakia), Poland, Hungary, Romania etc? I can also think of a city/country like Tokyo?
Later we see the same protest on the internet, by which mypdns.org, cliqz.com etc. saw the first daylight; torproject.net also has its biggest and most popular hours these days, as people are starting to riot against data collection and mass surveillance.
LOL @mozfreddyb I use quad9 in this case :stuck_out_tongue: By hell no my ISP's DNS, that one is blocked in the firewall.
```
cat /etc/unbound/conf.d/forward.conf
#forward-zone:
#    name: "."
#    forward-addr: 95.216.209.53
#    forward-addr: 116.203.32.67
#    forward-addr: 2a01:4f8:1c0c:5f61::53
#    forward-addr: 2a01:4f9:c010:410e::53
#forward-zone:
#    name: "."
#    forward-addr: 192.168.1.53
#    forward-addr: 192.168.1.5
#    forward-addr: 192.168.1.53@5302
forward-zone:
    name: "."
    forward-addr: 9.9.9.9@853
    forward-addr: 2620:fe::9@853
    forward-addr: 2620:fe::fe@853
    forward-addr: 149.112.112.112@853
    forward-tls-upstream: yes
```
> The ISP has to abide local law

There are no laws whatsoever, quite the opposite, as posted in the link you saw. As a side note, I can tell that this is the only "judgement" call that violates the fundamental right in https://www.ft.dk/da/folkestyret/grundloven-og-folkestyret/grundloven-med-forklaringer (sorry, but I actually think this is only in Danish), but that's another story, for another place.
@spirillen
> Lately I can announce how bad FF have been in securing your data traffic here, they letting ISP's intercepting httpS traffic

I don't understand how this has anything to do with Firefox. An ISP can always see the domain for https (but not the full URL), unless you use something like a VPN. Even if you were using Firefox's own VPN, the website or their CDN (probably Cloudflare) can redirect you if it wants to.
I'm not writing in the name of Mitchell @mitchellkrogza,
I'm indeed a collaborator of this project, but the decisions I take here are always with the consent of @mitchellkrogza. And if he is not available (happens a lot in a year), he deserves the right to reverse my changes when he comes back. Unfortunately, it's the wrong time of the year, so my decision may be reversed next year.
> Mozilla does not partner without due diligence.

I know that, but at the time, the decision to make your add-on activated by default (even for 1% of German users) was a bad idea. I know it's over now but I hope you learned from it.
It was the beginning of the mistrust we had toward Cliqz. Activating an addon which collects data by default is already an attack against privacy. I know the "how could we then get data to work with then?" argument, but there could be another way. We are people in tech, but for the targeted subjects, who are not necessarily tech-friendly, it was a true privacy, freedom and trust attack.
> We run both internal and external audits on the practice and the data being collected every year. We are very happy to address constructive feedback and concerns, especially on the technical front.
Your audits should be easier to find. It was hard to find an audit certificate, but I trust the TÜV Saarland certification. So you got one point. I do understand that people don't necessarily get the point behind the TÜV, but they don't provide a certificate out of nothing. And I get it.
@konark-cliqz and others, do you think it will one day be possible to get a public copy of the audits? That would be a good step toward transparency.
I took the time to read the blog article and I think it's a good point into transparency. I really hope that we will not discover in the future that they are "blank" articles/blog posts.
I'm choosing, today, to add cliqz.com (ONLY) to the whitelist list.
I do this because:
But:
It's yours now Mitch @mitchellkrogza!
I'm good with this. Thank you @funilrys for handling this in my absence. 2019 has been a burden for me.
Hi, my name is Josep M. Pujol (I work at Cliqz, like @konark-cliqz).
Thanks a lot for your quick response on the issue.
I would like to stress that the decision to put Cliqz to your blocklist or not is totally up to you. We have no right or no intention to contest your decision, or the fact that other subdomains of Cliqz are still on the blocklist. That said, however, we do believe we have the right to contest the reasoning behind it.
Allow me to quote you,
> It was the beginning of the mistrust we had toward Cliqz. Activating an addon which collects data by default, is already an attack against privacy.
You are free to distrust anyone. But the second part of your statement is flawed.
Collecting data is not always an attack on privacy. It depends on what data is being collected and how. Neither Mozilla nor Cliqz collected any private data that would for instance allow tracking of users, or building something similar to a user profile. Before doing the experiment both parties worked very hard auditing the methodology of data collection (HumanWeb) to make sure it was safe with regards to privacy. The experiment was not sketchy either, there was on-boarding and an opt-out option. As a matter of fact, we were so transparent that in a contorted way it punished us. You might not have liked the experiment; many people are against extending the functionalities of a browser, or against any data at all. That's legitimate. But you cannot accuse us of violating privacy without offering some sort of proof that privacy was compromised.
The press release from Mozilla stated that in the experiment URLs would be collected. This is factually correct. But what is not correct is to assume that this is a privacy violation without checking on documentation, code or data. Biases and dogmatism are to blame here.
This URL https://github.com/mitchellkrogza/Badd-Boyz-Hosts/issues/34, collected without any information about the user who visited the page, and without any way to know which other URLs have been visited by the same user, does not put the user's privacy at risk. However, if instead of this, we were collecting something like,
[0d944e, https://github.com/mitchellkrogza/Badd-Boyz-Hosts/issues/34]
where the first part is a user-id, then the story changes, we would be able to get all other URLs visited by the same person, and eventually, one of the URLs would give away the identity of the user.
The latter approach is, sadly, the standard on data collection. And yes, collecting data that way, no matter how pseudonymous the user-id, has dramatic side-effects. But it is NOT what we or Mozilla did. People are very quick to assume the worst, but it seems that no one is actually willing to double check, which is also very sad.
Data collected by Cliqz through the HumanWeb, before, during or after Firefox, is unlinkable, meaning we cannot associate multiple records from the same user. It would not be technically possible for us to do something like Google did on tracking down some arsonists at the request of the law. Even if government had full access to the data, such a use-case would not be possible, because we committed ourselves to collecting the data needed to build services such as search in a responsible manner. There was a comment before talking about democracy, blah, blah. We are in line with that, because we are old enough to know history. Instead of complaining about how bad the world is, we are actually working to change it by building alternative services that use data, but not at the expense of privacy.
But please, allow me to continue my rant... if you have read about Cliqz, you know that we have a tracking protection. We do block domains. But we always can point out why, otherwise, we would be working solely on gut feeling. Whenever someone complains (which happens often), we can point out which endpoints collect data (that's the first part of the process), but also, we can point out which data-elements can be used to fingerprint the user and build sessions. We have no way to know the true intentions of that data-collection, we would not dare to judge intentions. The only thing we can do is to judge that the data, in the way it is being sent, has the potential to put the user's privacy at risk.
I would expect you guys to do the same, perhaps you cannot do it to the extent we do, as our process is 100% algorithmic. But some sort of double-checking should be part of the process. Instead, from the case of Cliqz, your decisions appear to be ad hoc and very arbitrary. Not even coherent. Allow me to be a pain in the ass here. If we were added to the block-list because of the 'bad-boys' experiment, why were Firefox and Mozilla not also added? You did not block the data-collection endpoints, you block the top-level domain. Why are Facebook or Google not in the block-lists? When they act as 3rd party they are tracking (can be proved). I do know the reasons why they are not, if they were on a blocklist with blocking at the DNS level everything would break. You are making a wise trade-off here. However, a tin-foiled privacy advocate could use that to tarnish your reputation, right? Right. That's actually what you have been doing with Cliqz.
Since 2014, Cliqz has created (in the area of privacy)
Needless to say, that all our client-based code is open-source, data can always be inspected, etc.
Not a bad track-record given our limited resources.
If you think now that we are 'champions of privacy' being attacked by misconceptions and unfounded opinions. Yes, that is the case. As a matter of fact, we are constantly under suspicion because we do not buy into the argument that data!=privacy. Data is needed, otherwise you cannot build competitive products. Because it is needed it needs to be collected while respecting privacy. It is difficult to do, more inconvenient, the "quality" and quantity of the data is less, and of course, data collected cannot be reused outside the use-case for which it was collected.
Please, before sentencing a company and tarnishing its reputation, do a proper analysis, or at least reach the people so that they can defend themselves. This way of acting is extremely arrogant and what is worse, it actually does a disservice to privacy as you [unwillingly] push any company that wants to collect data properly to do poorly; since 'the guardians of truth' are going to accuse us no matter what, better commit the crime.
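The linkage argument in the comment above (a bare URL versus a `[user-id, URL]` pair), worked through on constructed data. This is an added example, not part of the thread and not Cliqz or HumanWeb code; the function names, the sample visits and the `jane.doe` marker are assumptions.

```python
from collections import defaultdict

ISSUE_URL = "https://github.com/mitchellkrogza/Badd-Boyz-Hosts/issues/34"

# Constructed sample visits: (user-id, URL). Only ISSUE_URL and the id
# "0d944e" come from the comment; every other value is made up.
VISITS = [
    ("0d944e", ISSUE_URL),
    ("0d944e", "https://example.org/account/jane.doe/settings"),
    ("0d944e", "https://example.net/clinic/appointments"),
    ("7b21c0", ISSUE_URL),
    ("7b21c0", "https://example.com/news/today"),
    ("f3a9d2", "https://example.com/news/today"),
]


def collect_with_id(visits):
    """Records as [user-id, URL] pairs: the id is a join key across records."""
    return [{"uid": uid, "url": url} for uid, url in visits]


def collect_url_only(visits):
    """Records that carry the URL and nothing else.

    Sorting discards arrival order. Assumption: no other shared field
    (IP address, timestamp, install id) travels with the record.
    """
    return [{"url": url} for url in sorted(url for _, url in visits)]


def link_records(records, key="uid"):
    """Group records that share a join key; keyless records stay alone."""
    groups = defaultdict(list)
    for index, record in enumerate(records):
        groups[record.get(key, ("unlinked", index))].append(record["url"])
    return list(groups.values())


def exposed_urls(records, marker):
    """URLs attributable to a person once one URL in their group names them."""
    exposed = set()
    for urls in link_records(records):
        if any(marker in url for url in urls):
            exposed.update(url for url in urls if marker not in url)
    return exposed


def largest_profile(records):
    """Size of the longest browsing history that can be reassembled."""
    return max(len(urls) for urls in link_records(records))


if __name__ == "__main__":
    for name, collect in (("with id", collect_with_id),
                          ("url only", collect_url_only)):
        records = collect(VISITS)
        print(name, largest_profile(records),
              sorted(exposed_urls(records, "jane.doe")))
```

When auditing a telemetry payload against this model, any field that repeats across a client's records plays the role of `uid` here, whatever it is called.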
We can now finally remove cliqz from our records; they should no longer be violating our privacy
https://www.mypdns.org/T691#12184
But it is funny how active the data-collecting domains still are:
```
drill @192.168.1.53 -p 5302 analytics.cliqz.com
;; ANSWER SECTION:
analytics.cliqz.com. 300 IN CNAME company-website-analytics-elb-1486958402.eu-central-1.elb.amazonaws.com.
company-website-analytics-elb-1486958402.eu-central-1.elb.amazonaws.com. 60 IN A 35.156.24.234
company-website-analytics-elb-1486958402.eu-central-1.elb.amazonaws.com. 60 IN A 52.58.44.107
anolysis-gid.cliqz.com. 300 IN CNAME gid-server-848292861.us-east-1.elb.amazonaws.com.
anolysis-telemetry.cliqz.com. 264 IN CNAME telemetrywithoutidserver-765249956.us-east-1.elb.amazonaws.com.
api.cliqz.com. 300 IN CNAME api-eu-central-1.cliqz.com.
api-eu-central-1.cliqz.com. 300 IN CNAME prod-api-cliqz-stub-791705786.eu-central-1.elb.amazonaws.com.
drill @192.168.1.53 -p 5302 anolysis.privacy.cliqz.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 43521
;; flags: qr rd ra ; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; anolysis.privacy.cliqz.com. IN A
;; ANSWER SECTION:
anolysis.privacy.cliqz.com. 60 IN A 143.204.243.55
anolysis.privacy.cliqz.com. 60 IN A 143.204.243.117
anolysis.privacy.cliqz.com. 60 IN A 143.204.243.90
anolysis.privacy.cliqz.com. 60 IN A 143.204.243.127
antiphishing.cliqz.com. 60 IN CNAME d1lx1e3uveyei7.cloudfront.net.
d1lx1e3uveyei7.cloudfront.net. 60 IN A 143.204.243.122
d1lx1e3uveyei7.cloudfront.net. 60 IN A 143.204.243.105
d1lx1e3uveyei7.cloudfront.net. 60 IN A 143.204.243.27
d1lx1e3uveyei7.cloudfront.net. 60 IN A 143.204.243.67
```
etc etc....
It's amazing that you keep insisting on the false claims that cliqz was tracking people. If you ever bothered to read the code or documentation it's self-evident (links on the thread above). But no, you prefer to stick to your biases and prejudices, instead of actually checking.
This kind of behavior is one of the many reasons that have made Cliqz go belly up. Instead of supporting alternatives you punish them without factual evidence, just because you do not like the name or the owners. Terrible. GAFAM and satellites like DDG, Startpage, etc., which are privacy whitewashing their products, thank you for the effort. Bravo.
Cliqz's leaving was really sad news.
While there are Chromium and Firefox, most browser companies around the world are modifying Chromium instead of Firefox for their respective sake. For modified Firefox, one less is a huge loss.
Needless to talk about Chromium's non-controllable-ness for users. In Chromium's code base, there are code generators generating code generators, same-looking buttons with totally different attributes and styles. I think it is also essentially non-controllable for most developers, or anyone who is not capable of being familiar with C++, Web and software engineering. This way, I even doubt what kinds of privacy browser can be made from Chromium. For Firefox, most of the code is just exceptionally clear, I can understand most of the Web API implementation with only a little C++ knowledge. Hope this trend will continue after Rust came in.
But after all, let's get back to the topic:
`||duckduckgo.com/t/`
`||startpage.*/do/avt?$image`
and as far as I know, there is not a single entry for Cliqz all the way along, from past to now, even in Fanboy's Enhanced Tracking List: https://github.com/ryanbr/fanboy-adblock/search?q=Cliqz Hosts are often more arbitrary as they can't block things exactly, but in blocklists, things are just clear.
I'd also like to show you my use case, where blocking almost everything data-collecting is needed, even if it makes websites unusable; only the case where the whole website is blocked is to be avoided:
I would mess up with websites randomly for some on-site tests or development, and may create lots of invalid access data to them. To reduce the invalid data, I would block all XHR and fetch except essential ones, but this is just not enough, as most data collecting technologies, whether "good" or "bad", are still using script or image as an intermediary. Then, with a merged hosts & blocklist and several rules for Piwik, I can run my tests without polluting some of the data, sometimes all of them, and without writing any more block rules.
Thus, I'm still accepting the arbitrariness, the stubbornness and sometimes even the unreasonableness and false positives of some blocklists and hosts. After all, there are strict lists and loose lists. To allow more use cases of the lists to be satisfied, I think we should focus on discussing, defining, and declaring the strictness and rules of lists, maybe also teaching the list users how to debug the list & re-allow entries. Almost all lists by mitchellkrogza are strict, and by default don't allow any means of avoidable data collection; in this manner, I think seeking the removal is feasible, but not worthwhile to insist on, and indeed not worthwhile to condemn. Most blocklists, also UserStyles, also UserScripts, are just personal projects, without an influence matching any product by any diligent company. Finally, they will just stop updating one day, and most of those who are lucky enough to know the projects would only reach them a few years after the termination. With some more time, nobody will know about the abandoned projects, while your work has been archived into the Arctic Code Vault, documented into Wikipedia and saved into the Internet Archive.
but... does this browser upload data to cliqz.com? (I think it will do this only when that is enabled in settings.)