Community-edition: Amend privacy policy to inform users about tracking.

Created on 13 Jun 2018 · 4 Comments · Source: ramboxapp/community-edition

Expected behavior

After reading the Privacy statement in README.md I was under the impression that rambox would not track my behavior. Looking through the sources I was saddened to see rambox accurately tracks my exact usage of the application.

Actual behavior

The user is being tracked outside of the defined scope.

ENVIRONMENT

Violating both European law and US. Not sure about other countries' legal systems.

Of course rambox is not required to hire a DPO to comply with GDPR. And there is no expectation that your data portability systems are of the same scope as bigger companies. However, you should clearly inform users exactly what data is being gathered.

Also make sure that your Google Analytics is configured to mask the last bit of the IP address. This helps anonymize the gathered statistics while still revealing the demographic of your users.
https://support.google.com/analytics/answer/2763052?hl=en

All 4 comments

Looking through the sources I was saddened to see rambox accurately tracks my exact usage of the application

For those of us that don't understand electron, could you advise what is being tracked please?

Quick search through the source reveals the following URLs:

$ rg 'track(Event|Page)' rambox/
app/Application.js
31:     ga_storage._trackPageview('/index.html', 'main');
32:     ga_storage._trackEvent('Versions', require('electron').remote.app.getVersion());

app/ux/Auth0.js
61:             ga_storage._trackEvent('Users', 'loggedIn');

app/ux/WebView.js
236:        ga_storage._trackEvent('Services', 'load', me.type, 1, true);

app/view/main/MainController.js
27:     ga_storage._trackPageview('/index.html', 'main');
294:        if ( !called ) ga_storage._trackEvent('Usability', 'dontDisturb', ( btn.pressed ? 'on' : 'off' ));
373:            ga_storage._trackEvent('Usability', 'locked');
480:            ga_storage._trackEvent('Users', 'loggedOut');

Especially https://github.com/saenzramiro/rambox/blob/master/app/ux/WebView.js#L236 is worrisome if IPs aren't masked. This allows rambox to see exactly when you're using a service.


Actually after going through the sources I noticed that rambox has the most terrible security configuration you can get in an Electron app..
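
An added example (not Rambox's code and not part of the original thread): a small Node.js script that turns search output like the one quoted above into an inventory of what each tracking call sends, separating fixed literals from arguments whose value is only decided at run time, which is the list a privacy statement would have to disclose. The function names are hypothetical, and `SAMPLE` is a subset of the lines quoted in the comment above.

```javascript
// Added example, not Rambox code. SAMPLE is a subset of the rg output quoted above.
const SAMPLE = `app/Application.js
32:     ga_storage._trackEvent('Versions', require('electron').remote.app.getVersion());
app/ux/WebView.js
236:        ga_storage._trackEvent('Services', 'load', me.type, 1, true);
app/view/main/MainController.js
294:        if ( !called ) ga_storage._trackEvent('Usability', 'dontDisturb', ( btn.pressed ? 'on' : 'off' ));
373:            ga_storage._trackEvent('Usability', 'locked');`;

// Split the argument text of a call at top-level commas, honouring quotes and nesting.
function splitArgs(code, start) {
  const args = [];
  let depth = 0, quote = null, cur = '';
  for (let i = start; i < code.length; i++) {
    const ch = code[i];
    if (quote) {
      cur += ch;
      if (ch === '\\' && i + 1 < code.length) cur += code[++i];
      else if (ch === quote) quote = null;
    } else if (ch === "'" || ch === '"' || ch === '`') {
      quote = ch; cur += ch;
    } else if ('([{'.includes(ch)) {
      depth++; cur += ch;
    } else if (')]}'.includes(ch)) {
      if (depth === 0) { if (cur.trim()) args.push(cur.trim()); return args; }
      depth--; cur += ch;
    } else if (ch === ',' && depth === 0) {
      args.push(cur.trim()); cur = '';
    } else cur += ch;
  }
  return null; // closing parenthesis not on this line: call spans several lines
}

// A literal argument is fixed in the source; anything else is decided at run time.
const LITERAL = /^(?:'[^']*'|"[^"]*"|\d+(?:\.\d+)?|true|false)$/;

function inventoryTrackingCalls(rgOutput) {
  const found = []; let file = null;
  for (const raw of rgOutput.split('\n')) {
    const m = /^(\d+):(.*)$/.exec(raw);
    if (!m) { if (raw.trim()) file = raw.trim(); continue; } // file heading line
    const call = /ga_storage\._track(Event|Pageview)\(/.exec(m[2]);
    const args = call && splitArgs(m[2], call.index + call[0].length);
    if (!args) continue;
    found.push({ file, line: Number(m[1]), method: call[1], args,
                 dynamic: args.filter(a => !LITERAL.test(a)) });
  }
  return found;
}
console.table(inventoryTrackingCalls(SAMPLE).map(c => ({ ...c, args: c.args.join(', '), dynamic: c.dynamic.join(', ') })));
```

Entries with a non-empty `dynamic` column, such as `me.type` at `app/ux/WebView.js` line 236, are the ones whose transmitted value cannot be read off the source and needs to be described explicitly.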

This was solved in #1772 and will be available in v0.5.18.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
