Sending data to 3rd party (regarding Gerrit #1875)

In Gerrit change #1875, @PulkoMandy asks:

I’m questioning if it’s ok to connect to 3rd party service (Mozilla) and send them the list of nearby Wifi networks at first boot without asking the user, however. What do you think?

The answer is a big no, it is not ok.

I would propose that Haiku implements a policy that any communication to a 3rd party is not allowed unless it is explicitly configured and enabled by the user. No exceptions.

7 Likes

Physically plugging in a network cable or connecting to a WiFi network is considered “configured and enabled by the user”.

I agree the user should want it and opt-in.
Even GNOME first config asks it.

Configured and enabled, sure, but only the networking, NOT sending data about my or the neighbours’ SSID.

Sending SSID information to a 3rd party is not included in DHCP configuration and is therefore not ok. Sending DNS requests to the configured DNS servers is ok.

So DHCP is okay, but NTP is not? What about DNS or leap seconds file?

Personally I don’t like this change to be enabled per default. But more so because one would send data that accurately conveys a location, which seems a bit more bad than contacting servers.

NTP is ok if it is configured and enabled by the user. If it is enabled via DHCP, then that is considered configured and enabled by the user. If not, it should be turned off by default.

DNS is usually handled the same way as NTP. If it is configured via DHCP, then that is considered as configured and enabled by the user. If not, the user has to manually enter the DNS servers.

I have no knowledge about leap seconds files.

Playing devil’s advocate for the moment, are public wifi network names considered private? Wifi networks generally extend beyond buildings. We also throw away the result once the language is detected. We are detecting location from Mozilla, but not contributing any data since we don’t know your location via any alternate methods.

I completely understand the privacy concerns… but this is also a handy feature for users globally.

Would it be better or worse to try and determine location from your public IP address instead?

We actually do give them new data I think,
If we send the list of detected BSSIDs they can add new BSSIDs to the locality map to know they are in a similar location.

I think the more pressing issue is that we send data to Mozilla that can be used to detect a position, and they send an assumed position back. Thus they know the position of that user now.

I think for language defaults alone the public IP would probably be enough in most circumstances. Is it possible to include the db for this in the system? Or is it possible to include the wifi map? I don’t know how big those are, maybe a reduced one could be added as well, that would avoid the contacting Mozilla problem. Just throwing some potential options out there.

Good point!

This was a trap I set, and you fell into it :grin:
You’re exposing your IP as a network running Haiku in this model as well.

We likely need to officially draw the line somewhere, but it’s going to be a very vague line :frowning:

Not sure what you mean, we can just query the gateway for the public IP (as long as we are stuck on IPv4…), which would be in line with using DHCP for autoconfig.
It’s unlikely that the computer itself would get the public IP nowadays, but rather a router or so. I guess you could argue that Haiku shall not use the network at all during install, but that maybe seems a little harsh.

As an additional point: How are we even going to ask anyone about the locality of wifi networks before the user has had a chance to select one… IIRC Deskbar isn’t running on first boot, thus no network config, thus no wifi SSID joined. Seems like this code would only work when having an ethernet cable plugged in with a wifi capable device in any case?

I am a little confused here - why is this required at all? As I understand, in order to automatically set a language during install depending on the user’s position? Why would this be necessary? The user can just select the language they want themselves (unless I am misunderstanding something).

3 Likes

This is regarding detecting Wifi Networks based on location - not automatically setting a language. Language selection won’t change.

Edit: Whoops. Looks like I’m just as confused!

It is not required, it is just a way to automatically select a probably correct language (and then let the user change it if they want to).

Which protocol would you use for that? Also, how do you know there is a single gateway between you and the internet? I don’t think there is any standard way to get the public IP this way, you need the collaboration of an external server which can tell you which IP it sees your data coming from.

Note that Mozilla Location Services already uses the IP address in addition to Wifi networks.

Yes, they get a list of wifi networks near you, and your public IP address. And they know you are running Haiku because of the API key used to query their server. That’s all the info they get. There isn’t really a way to map this to a specific user.

So, essentially, all they know is “someone in this neighborhood is running Haiku”. And they probably don’t keep that data in such a detailed way, either, what would they do with it?

Other things to note:

  • You can opt out by renaming your Wifi network: MLS - Opt-Out which I hope you already did if you are worried about these things since it’s used by other similar services run by more evil companies
  • Also see the privacy policy: MLS - Privacy Notice (note that in our case there is no bluetooth or cell towers info sent)

Also, this will only work if:

  • You run FirstBootPrompt (boot Haiku for the first time)
  • Your network is up
  • Your wifi is enabled

When you run FirstBootPrompt, the only way you can have the network up is a wired network. There is no chance that you have already configured a Wifi access point at this stage. Overall it seems a bit unlikely that this would work all the time, and possibly we could add other detection methods such as asking USB keyboards if they can provide their language (but I think only Apple ones do…), get info from UEFI if possible, and other things like that.

1 Like
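To make the data flow described in the post above concrete, here is an added example (not code from the Gerrit change, from Haiku, or from Mozilla) of how a consent-gated lookup could be built: nothing is assembled unless the user has opted in, access points whose SSID ends in the `_nomap` opt-out suffix that MLS documents are dropped client-side, and only BSSIDs and signal levels go into the payload, never SSIDs. The request field names follow the MLS geolocate format as I recall it, the minimum-access-point threshold is an assumption, and the scan results are constructed sample data.

```python
"""Consent-gated, opt-out-aware builder for a Wi-Fi geolocation query.

Added illustration for the discussion above; not Haiku's FirstBootPrompt code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# SSID suffix that Mozilla Location Services (and other providers) treat as
# "do not map this network". Filtering it client-side means an opted-out
# neighbour's BSSID never leaves the machine, whatever the server would do.
NOMAP_SUFFIX = "_nomap"

# Assumed threshold: a single access point is too little to locate anyone and
# leaks one BSSID for no benefit, so refuse to build such a request.
MIN_ACCESS_POINTS = 2

# Endpoint as MLS documented it at the time; the API key identifies the
# product (here: Haiku), not the user.
MLS_GEOLOCATE_URL = "https://location.services.mozilla.com/v1/geolocate?key={api_key}"


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str        # MAC address of the access point, e.g. "aa:bb:cc:dd:ee:01"
    signal_dbm: int   # received signal strength in dBm


def opted_out(ap: AccessPoint) -> bool:
    """True when the network owner asked not to be mapped."""
    return ap.ssid.endswith(NOMAP_SUFFIX)


def build_geolocate_request(scan: List[AccessPoint], consent_given: bool,
                            api_key: str) -> Optional[Dict]:
    """Return {"url": ..., "body": ...} or None when nothing may be sent.

    None is the only possible result without explicit consent: the decision
    is taken before any network-derived data is touched.
    """
    if not consent_given:
        return None

    # Data minimisation: drop opted-out networks and never include the SSID.
    access_points = [
        {"macAddress": ap.bssid, "signalStrength": ap.signal_dbm}
        for ap in scan if not opted_out(ap)
    ]
    if len(access_points) < MIN_ACCESS_POINTS:
        return None

    return {
        "url": MLS_GEOLOCATE_URL.format(api_key=api_key),
        "body": {"wifiAccessPoints": access_points},
    }


def example_scan() -> List[AccessPoint]:
    """Constructed scan results: one network has opted out via _nomap."""
    return [
        AccessPoint("HomeNet", "aa:bb:cc:dd:ee:01", -50),
        AccessPoint("Neighbour_nomap", "aa:bb:cc:dd:ee:02", -70),
        AccessPoint("Cafe", "aa:bb:cc:dd:ee:03", -80),
    ]


if __name__ == "__main__":
    # Without consent: nothing is built, regardless of how good the scan is.
    print(build_geolocate_request(example_scan(), consent_given=False,
                                  api_key="EXAMPLE_KEY"))
    # With consent: two BSSIDs, no SSIDs, opted-out network removed.
    print(build_geolocate_request(example_scan(), consent_given=True,
                                  api_key="EXAMPLE_KEY"))
```

What the server still learns even from this minimal request is exactly what the post lists: the remaining BSSIDs, the source IP of the connection, and the product behind the API key. The consent flag is the only thing that prevents that, which is why it is checked first.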

I was really shocked when I stumbled over this topic yesterday. Many valid points are already said, but I have to give it a big fat dislike, too. While Mozilla is publicly known to be the hero that protects us from data-kraken Chrome, their Firefox isn’t much more privacy-friendly in its default configuration. Also Mozilla is a US company which uses servers from Amazon and Google. It’s not okay to embed their tracking services (and that’s exactly what online geolocation for no reason and without consent is) into the operating system.
Besides that, I also see a very limited use case for that. It won’t work without internet, so you must either have an Ethernet cable additionally to Wifi (which is needed to make it work) or configure your Wifi in English before getting the correct language. At the latter point, just setting your language yourself is easier, I think.
Another point to think about: You may not always speak the language of the country you’re currently in. Think of vacation. If I were in China for example, I wouldn’t even understand enough to change my language back to English.
In my opinion it would be best to completely drop the geolocation nonsense and present a language selection dialog at the first boot. This way you protect privacy and the user has a better control over their settings. Alternatively you could make it opt-in, but reading the privacy notice and accepting it may take more time than just simply selecting a language by hand…

7 Likes

Any kind of geolocation should only be performed with user consent. Period.

Automatically getting the location is a useful tool with many great use cases. But just querying the location without consent is never ok.

5 Likes

Sending any data should require explicit user permission. Nothing should be sent until user permission is granted.

9 Likes

It seems the general sentiment here is that use of third party services should not be done unless the user has specifically consented. I certainly agree, and have placed a “-2” vote on the change accordingly.

4 Likes

It was meant to be just “try it and see if it works”. If you have the right setup, it selects a language in the list. If you don’t, it defaults to English.

We never planned to remove the selection dialog. Just select something by default in it as a best guess, and you can still change it as easily as you already can now.

(just to make this clear and show that I have thought about the user experience aspects when designing this. The other points are perfectly valid, and in fact I am both the person who implemented this change, and the one that brought up the fact that it was not a good idea in the code review)

I will see about other ways to guess the language that don’t involve network connections.

5 Likes