GNOME Bugzilla – Bug 734048
gnome-weather leaks information of your saved locations in cleartext when not using the app
Last modified: 2014-09-17 15:50:57 UTC
gnome-weather leaks information of your saved locations in cleartext when not using the app. It leaks the nearest weather station to NOAA (in cleartext) and the GPS coordinates to yr.no. If you have location information, it might also leak your current location. This is sensitive, private and uniquely identifying information. This kind of data should not be transferred in cleartext, but more importantly I don't expect this data to leak when I'm not actively using the app.
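One way to check a machine for the behaviour reported above, as an added example that is not part of the original report or of gnome-weather: it scans an outbound request log for cleartext requests that carry coordinates or a station code. The log format, hostnames, parameter names and values are constructed assumptions, not the real NOAA or yr.no request formats.

```javascript
// Constructed sample: "<epoch> <app-state> <url>" per outbound request.
// Hostnames, paths, parameter names and values are placeholders (assumptions),
// not the real NOAA or yr.no request formats.
const SAMPLE_LOG = [
  "1406900000 background http://forecast.example/locationforecast?lat=10.0000&lon=20.0000",
  "1406900000 background http://metar.example/metar?station=ZZZZ",
  "1406900060 foreground http://forecast.example/locationforecast?lat=30.0000&lon=40.0000",
  "1406900120 background https://forecast.example/locationforecast?lat=10.0000&lon=20.0000",
  "1406900180 background http://forecast.example/status",
  "not a log line",
];

const LOCATION_PARAMS = ["lat", "lon", "station"];

// Parse one log line; returns null for anything that does not match the format.
function parseLine(line) {
  const m = /^(\d+) (background|foreground) (\S+)$/.exec(line);
  if (!m) return null;
  try {
    return { time: Number(m[1]), state: m[2], url: new URL(m[3]) };
  } catch (e) {
    return null; // unparseable URL
  }
}

// One finding per request that sends location data over plain HTTP.
function findLeaks(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req || req.url.protocol !== "http:") continue;
    const leaked = LOCATION_PARAMS.filter((p) => req.url.searchParams.has(p));
    if (leaked.length === 0) continue;
    // Requests made while the app is not in use are the case the report objects to most.
    const severity = req.state === "background" ? "high" : "medium";
    findings.push({ host: req.url.hostname, leaked, severity });
  }
  return findings;
}

// Distinct stored locations exposed in cleartext while the app was not in use.
function backgroundLocations(lines) {
  const seen = new Set();
  for (const req of lines.map(parseLine)) {
    if (!req || req.url.protocol !== "http:" || req.state !== "background") continue;
    const q = req.url.searchParams;
    if (q.has("lat") && q.has("lon")) seen.add(`${q.get("lat")},${q.get("lon")}`);
    if (q.has("station")) seen.add(`station:${q.get("station")}`);
  }
  return [...seen].sort();
}
```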
If the app is not running, we don't do any geolocation (at least in master). If the app is running and automatic location is disabled, we won't send the coordinates of the current location (at least, this will be the case when the new design lands). Finally, if you are really concerned, you can disable geolocation globally. I'm afraid neither yr.no nor NOAA use TLS, if that's your problem, so I don't know how to solve this...
GNOME would need to set up a TLS proxy or something, I guess. Sending the locations you care about (the combination thereof could be uniquely identifying) over cleartext is really bad. Can gnome-weather avoid doing this until we have a TLS proxy?
(When I say avoid doing that, I mean avoid doing it when the app is not running)
Again, there is no geolocation running if you don't run the app. We do pull the weather forecast for stored locations in background, but you can disable that from the Search panel. If you want a TLS proxy (something I don't think is strictly necessary, given that you can just configure a couple of cities around the world and make the data worthless), you'll need to convince the Infrastructure team to provide one.
> Again, there is no geolocation running if you don't run the app.
> We do pull the weather forecast for stored locations in background, but you can
> disable that from the Search panel.
That is very unclear from a UX perspective. A user who has the search provider enabled will not expect Weather to leak private information while not using the app.
> given that you can just configure a couple of cities around the world and make the data worthless
It's not a solution. The data will still identify you.
> you'll need to convince the Infrastructure team to provide one.
Working on it.
(In reply to comment #5)
> > Again, there is no geolocation running if you don't run the app.
> > We do pull the weather forecast for stored locations in background, but you can
> > disable that from the Search panel.
>
> That is very unclear from a UX perspective. A user who has the search provider
> enabled will not expect Weather to leak private information while not using the
> app.
A user who has the weather search provider enabled will expect Weather to periodically check the weather for a set of configured locations. There is no way around that...
No, that is wrong.
1) Weather is configured to do this by default without telling the user
2) Users are not familiar with the implementation details of the search provider
They can look at the shell indicator: if there is no geoclue icon there is no geolocation going on and they are safe. The fact that forecast is retrieved from the internet is an implementation detail of course, but it's one that is very reasonable to assume: I don't think anyone would believe gnome-weather makes data out of thin air. We need to retrieve that from somewhere, in order to show it to the user, it's the whole point of the application. Besides, TLS proxies and anonymizers exist already and can be configured system-wide for extra safety, without involving GNOME Infra.
The user is not safe even if you don't have geolocation. Right now in the GUADEC wifi I can sniff the traffic and see everyone's home/work coordinates. Combined with some more data mining techniques I could attach this information to individuals. This is no good.
> I don't think anyone would believe gnome-weather makes data out of thin air.
Of course not, but gnome-weather is INSTALLED BY DEFAULT and the search provider is ENABLED BY DEFAULT. I never consented to gnome-weather leaking my home location over the internet WHEN I'M NOT ACTIVELY USING IT.
> Besides, TLS proxies and anonymizers exist already and can be configured system-wide for extra safety,
The idea is to make gnome safer by default.
Ok, let's turn this bug into an actionable plan
1) We will use TLS whenever available. Currently this is never, but if GNOME (or some other trusted agent) will provide a TLS proxy we will happily use it.
2) We will disable the Weather search provider by default. This is a little convoluted because it needs changes in the search infrastructure in the shell, but it's all fixable for 3.14.
Is that enough for you?
Created attachment 282249
Disable the search provider by default
The weather search provider has privacy implications because it broadcasts the current and stored locations over unsafe channels, so don't enable it by default.
Comment on attachment 282249
Disable the search provider by default
This was committed a while ago, is there anything else we can do here?
Hey, I don't think we can do anything more for 3.14. Our only two other options are to try to contact the API providers asking them for TLS or to have gnome host a TLS proxy for this API. Both of these are unlikely to happen. So I think this bug can either be closed or kept open to track the effort of trying to contact NOAA and yr.no asking for TLS or implementing a GNOME hosted TLS proxy.
I created bug 736814 to use a gnome proxy, once available; so this bug can now be closed.