[tor-talk] trackers in OONI Probe Mobile App / was: NEW RiseupVPN test in OONI Probe Mobile App

[Maria Xynou]

Hi Christian,

Thanks so much for sharing this detailed feedback and for helping us to
improve the OONI Probe apps.

We previously received legal consultation to ensure our apps and data
policies are GDPR compliant, but more eyes are always better!

Apart from GDPR compliance, we generally aim to adhere to best practices
when it comes to data collection, as we genuinely care about user
privacy and safety.

I have replied below:

On 10/02/21 11:56, Christian Pietsch wrote:
> Dear Maria,
>
> On Mon, Feb 08, 2021 at 11:15:43AM +0100, Maria Xynou wrote:
>> Importantly: You can opt-out of Countly and Firebase data collection by
>> disabling this in the Settings of your OONI Probe app.
> I'm afraid by the time users have found this opt-out, the app has
> already transmitted data to Google and Countly. This violates the
> GDPR. The GDPR also demands opt-ins for this kind of surveillance.

OONI Probe users opt-in to the collection of app usage metrics and crash
reports in 2 cases:

1. During the initial onboarding process (where the user is informed of
the collection of app usage metrics and crash reports, and they can opt
in to this)

2. When we added app usage collection, a modal appeared for OONI Probe
users, asking them if they want to opt-in to this (this modal also
appeared for users updating from older versions)

If users have opted-in and they change their mind, they can always go
back and opt-out through the settings of the app.

That said, your feedback made us realize that we should probably make
the opt-in process more clear in the onboarding, which is why we worked
yesterday on making relevant OONI Probe mobile and desktop app releases.

In the latest release:
   
* When you tap on "Change default settings" in the onboarding, you are
taken directly to settings where you can opt in to app usage metrics and
crash reports collection (it's disabled by default).

* We have removed Google Firebase Analytics entirely (it was previously
used as a dependency to make the use of Crashlytics better).

* We have removed Countly crash reports collection from F-Droid (this
was self-hosted).

>
>> We recently enabled Firebase because we were investigating several app
>> crashes that were not being displayed properly by Countly.
> This is not correct. According to the Ex0dus database, the OONI Probe
> app has included Google Firebase Analytics for many versions:
> https://reports.exodus-privacy.eu.org/en/reports/search/org.openobservatory.ooniprobe/
> The tracker you recently added is called Google CrashLytics:
> https://reports.exodus-privacy.eu.org/en/reports/163803/

What I meant is that we recently re-enabled Firebase Crashlytics, because:
   
* We realized that Countly doesn't do crash reporting well and we were
unable to investigate crashes.

* We weren't able to collect crash reports in countries where we're
blocked (when we were using the Countly self-hosted platform for crash
reports). While we agree that it's not optimal to use Google services
from a privacy perspective, Google services are less likely to get
blocked (due to the collateral damage that would cause).

Google Firebase Analytics was used alongside Google Firebase Crashlytics
because that is the recommended way to use Crashlytics (see:
https://firebase.google.com/docs/crashlytics/get-started?platform=android
&
https://firebase.googleblog.com/2020/09/crashlytics-analytics-together.html).


Yesterday we reviewed this more carefully, and concluded that since
Firebase Crashlytics seem to work well without Firebase Analytics, we
removed Firebase Analytics entirely from the latest OONI Probe mobile
release (2.9.3).

That said, we would prefer to use an alternative (non-Google) analytics
platform for crash reports, which is why we are temporarily using Sentry
(https://sentry.io/) for collecting crash reports on mobile too. We're
in the process of evaluating whether Sentry could serve as a replacement
for Firebase Crashlytics, and we're also evaluating other open source,
self-hosted options too (such as Acra recommended by Nathan).

It's worth noting that through the use of Countly (which is open source
and self-hosted), Firebase Crashlytics, and Sentry, we do *not* collect
any information that would enable us to identify users.

If you opt in to the collection of app usage metrics (which is not sent
to Google, as we host this), we will collect aggregate app usage data
(such as how many users tap on specific buttons), as this information
can help us better understand user needs and improve the app. We do not
collect the IP address of the user.

If you opt in to sharing crash reports with us, we will collect
sanitized technical data which will help us understand why the OONI
Probe app has crashed. We do not collect the IP address or a unique
identifier of the user (though Google may collect this, which is why we
would ideally like to replace Firebase Crashlytics).

All of this being said... the biggest risk to OONI Probe users is
probably not the aggregate/sanitized collection of app usage and crash
reports, but running OONI Probe itself: an investigatory tool
specifically designed to expose internet censorship.

For example, if a user runs OONI Probe in Iran, the biggest risk is
probably the fact that their ISP can likely see that they're running
OONI Probe, testing lots of censored/banned sites, and uploading test
results to servers hosted outside of Iran.

We inform users about this risk during the onboarding, where we present
users with a quiz that they have to answer correctly (demonstrating
their understanding of potential risks), as a prerequisite to using the
app and as part of practically acquiring their consent. We also link to
relevant documentation (written based on extensive legal consultation)
in the apps and on our website, and we discuss these risks during
workshops/meetings/presentations and other community interactions.


>  
>> We are not sure if we are going to keep Firebase in the long-run, but
>> it's difficult to investigate app crashes without proper reports.
>>
>> Do you have any suggestions for better tools to collect app crashes on
>> Android?
> Are you looking for a replacement for Google CrashLytics or Google
> Firebase Analytics or both? I can ask around on Twitter and in the
> Fediverse if you need advice.

Thanks, that would be very helpful!

We have already removed Google Firebase Analytics (this was included as
it was the recommended integration for Firebase Crashlytics), and so
we're mainly evaluating to replace Google Firebase Crashlytics with an
open source and privacy-preserving alternative.

>
>> You can learn more about OONI data practices through our Data Policy:
>> https://ooni.org/about/data-policy
> This document does not mention Google or Countly. This is another
> reason why your app violates the GDPR. In case do did not know, the
> GDPR is applicable law for anyone targeting EU users.

To be completely honest, I had no idea that specifying the analytics
platforms was a GDPR requirement (this was not communicated to us when
we received legal consultation, nor do I recall seeing this in the data
policies of other organizations in our field).

The only reason why we didn't name the specific analytics platforms in
our Data Policy was because we were trying out different solutions, and
we weren't sure what we would keep. This is why we, instead, pointed to
https://github.com/ooni/sysadmin, which includes details about our
specific setup.

To ensure full transparency and clarity, I have updated OONI's Data
Policy to include details about every analytics tool we use in the OONI
Probe mobile app, OONI Probe desktop app, and ooni.org.

You can view the updated version of the OONI Data Policy here:
https://ooni.org/about/data-policy

Overall, we're mainly using open source, self-hosted analytics tools
that users can opt in to, and we don't collect IP addresses. We're
looking into potentially replacing Firebase Crashlytics with something
open source and privacy-preserving, and we're going to request further
legal consultation with regards to GDPR compliance.

If you (or lawyers in your team) have any further feedback, we would
greatly appreciate it! Feel free to follow up with us off-list.

Thanks so much for your time, and thanks for helping us to improve OONI
Probe and our Data Policy.

Cheers,

Maria.


>
> Cheers,
> C:


-- 
Maria Xynou
Research & Partnerships Director
Open Observatory of Network Interference (OONI)
https://ooni.org/
PGP Key Fingerprint: 2DC8 AFB6 CA11 B552 1081 FBDE 2131 B3BE 70CA 417E