Open sdsantos opened 4 years ago
fetch calls are not evil in general. There are also many fetch calls to gaia hubs.
fetch with method PUT, POST or TRACE should trigger a 3rd party server CBE defect.
fetch with method PUT, POST or TRACE should trigger a 3rd party server CBE defect.
Storing a file to Gaia would then be evil. So we need more granularity.
Limiting requests to same domain might be a good start.
It seems you are misunderstanding the internet with the old programs on a floppy disk. Security and privacy are critical things, but they need to be there while we are using the internet, and not by going back in time and making apps that are not connected to anything. Limiting the basic needs of the internet to have something secure does not seem a fine solution.
If you want to make an independent node for each user with no need for any connection to any resource, you will need colossal storage and network usage for each user, and their map info will not be updated and live. Even in that case, there will be the first resource you need to get the data from for the first time. Isolating an app is not preventing evil; it is isolation in a world of connections, and it is simply not going to happen as it will not be "internet" anymore. It is like preventing someone from eating to avoid food poisoning.
The rational way that came to mind is to get resources without sending private info, and of course, it has considerable room to improve, but proposing to disconnect from the world out there does not seem practical. Also, for the calls you are talking about, it is transparent what data are transferred and whether they put users' privacy at risk or not.
I misunderstood the reach of this version of the extension. It still doesn't block 3rd party requests, only 3rd party assets. But according to the FAQ, it seems future versions will: https://github.com/newinternetlabs/new-internet-extension/blob/master/docs/cant-be-evil-faq.md
@Walterion1 there might be different ideas of what Can't be evil is. But, at the very least, it's commonly agreed that, if you want to send any of my info to a 3rd party, at least ask for my consent first.
It is not just a matter of ideas; it should include the practical way of working our way to a safer internet, not making a closed intranet. @sdsantos Also, we made sure that on the welcoming process we gave people enough info, but I am sure we can improve everything, and I always appreciate wise suggestions on channels that we can work on, just like our talks before about your apps. I am on Slack and Discord too.
Also, we made sure that on the welcoming process we gave people enough info
lol. We don't save your data, but I do pass it along to others, therefore I'm "privacy-focused". And we told users in this tiny tiny font with a link they'll never click.
@dantrevino I think you should stop making fun of others when you do not have a proper reason. You are doing this on every platform and every time you get a chance, and it seems like harassment instead of an act of CantBeEvil as you always insist. I may repeat myself that we are not sending private info, we just query the map of the EARTH around the location. It is like getting the weather of your city and you say "It is evil! It wants to know my city!?", and it does not even know who you are. It is not linked to your identity in a way that someone can log where you are. Please be reasonable when you want to "help", and if you have a better idea, share it or be my guest and give it a try instead of this behavior.
The purpose of the Can't be evil concept is not about whether it is evil, but if it Can't be evil. Since you are leaking identifiable information to 3rd parties (IP address is enough), there's even less assurance of it.
NIL is aware of it, and mentions further protections in future versions: https://github.com/newinternetlabs/new-internet-extension/blob/master/docs/cant-be-evil-faq.md
Nobody is saying that building Can't be evil apps is easy, or that we have all the tools to build certain Can't be evil apps right now. But I believe the end goal is clear. There's no need to make scaremongering arguments like we're going back to the stone age because of this.
It seems the extension is ignoring requests made with fetch. Here's an example: https://arcanemaps.com
The inspector is showing network calls to analytics.arcane.ac, api.mapbox.com, and events.mapbox.com, but the extension is purple saying it's preventing evil.
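The granularity debated in this thread (same-domain requests, writes to a user's own storage hub, and PUT/POST/TRACE sent to other servers) can be expressed as a small request classifier. This is an added example, not code from the thread or from the extension; the `gaia.example` hub, the request paths and the methods in `SAMPLE` are constructed, since the page does not say which methods the observed calls used, and the check compares full origins, which is stricter than "same domain".

```javascript
// Added illustration, not the extension's code. SAMPLE is constructed.
const WRITE_METHODS = new Set(["PUT", "POST", "TRACE"]);

// Classify one request relative to the page that issued it.
// storageHosts: hosts the user chose for their own storage (e.g. a Gaia hub).
function classifyRequest(pageUrl, requestUrl, method = "GET", storageHosts = []) {
  const page = new URL(pageUrl);
  const target = new URL(requestUrl, page); // also resolves relative URLs
  if (target.origin === page.origin) return "same-origin";
  if (storageHosts.includes(target.hostname)) return "user-storage";
  // A read still exposes the client IP to the other server, so it is
  // reported too, just under a separate verdict from a write.
  return WRITE_METHODS.has(method.toUpperCase())
    ? "third-party-write"
    : "third-party-read";
}

// Classify a batch of requests and list the distinct third-party hosts.
function audit(pageUrl, requests, storageHosts) {
  const findings = requests.map((r) => ({
    ...r,
    verdict: classifyRequest(pageUrl, r.url, r.method, storageHosts),
  }));
  const thirdPartyHosts = [...new Set(
    findings
      .filter((f) => f.verdict.startsWith("third-party"))
      .map((f) => new URL(f.url, pageUrl).hostname)
  )];
  return { findings, thirdPartyHosts };
}

// Constructed sample: hosts from the report above, methods assumed.
const SAMPLE = [
  { url: "/app/config.json", method: "GET" },
  { url: "https://gaia.example/store/file.json", method: "PUT" },
  { url: "https://api.mapbox.com/", method: "GET" },
  { url: "https://events.mapbox.com/", method: "POST" },
  { url: "https://analytics.arcane.ac/", method: "POST" },
];
const report = audit("https://arcanemaps.com/", SAMPLE, ["gaia.example"]);
console.log(report.findings.map((f) => `${f.method} ${f.url} -> ${f.verdict}`));
```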