Gnu Icecat Desktop

It’s not just about ADS, there is more.

Libre Malware Problem:

A fairly recent way of disguising malware is to distribute it as Free Software and/or privacy oriented. Maybe the source code does not contain spyware and trackware, but the compiled version does. Icecat is regularly tested for unwanted connections coming from upstream Firefox source code. The source code of Firefox is just huge to say the least and it cannot be check by hand. So, I recently came up with a couple of ways for doing this, the best so far is using network namespaces and wireshark. You can read more on this topic here: https://blog.icecatbrowser.org/blog/20231221/application-network-auditing/

The Phone-Home problem:

A fresh installed Firefox, as soon as it is started, connects by default to several services owned by Mozilla (Telemetry) with so called “pings”, in the background and without asking for user permission*, signaling Mozilla and all the parties involved in the connection, that the user just open the browser. This antisocial and debatable behavior is consolidated among all major browsers developers and software vendors in general.[1]

Icecat mitigates this by:
– Removing Telemetry at compile time.
– Disabling checks for updates (you have to check for updates yourself).
– Disabling DRM

Differently from the many Firefox Forks out there, Icecat is the only one that doesn’t send out any data, unless the user decides.

The ‘Third Parties’ problem

When we open a web url, our browser will download a web page (html) and all the referenced javascript, images, css etc.
The problem is that many of these are often downloaded from third parties servers, who in turn, can log our visit, see our ip address, fingerprint our browser, and even worse, try execute some dangerous javascript. The majority of the browsers will happily execute any javascripts for the sake of the web, otherwise some website might not look as expected or might not have certain functionalities.
Some of these resources are included in a webpage with the only purpose of logging and tracking the user activity.
Think of Google Analytics: it’s almost everywhere and while the one website owners, can use analytics to get some stats about the website visitors, Google, on the other hand, can see the activity of all the users across many websites (the majority use Google Analytics) and build complete user profiles in an illegal and unethical way: without user consent, without letting the users know and with no chance of opting-out.

This also tells us why Google Analytics is GRATIS… Or is it?.

Icecat tries to mitigate this with the following settings:
– Isolate requests to First Party domains
– Do not load custom fonts
– Spoof Referers
– Resist Fingerprinting
– Prevent HTML5 Canvas data as default
– Prevent execution of Javascripts without a proper License (LibreJS)
– Prevent the execution of potentially dangerous javascript

The Big Picture (spoiler: it’s bad)

In normal circumstances and using the default settings of most of the modern browsers, our connections go through network devices (routers) that belong to unknown third parties, our browser needs to use services like DNS, so, for these reasons, our activity leaves traces behind. These traces are meticulously collected on different levels by different actors and built up over time (think years of tracking). This data is collected from several sources: for example, from Mastercard (all your purchases, yes, they do sell your data [2]), Facebook (Location, friends, gender, age, relationship graph [3]) , Whatsapp (same as facebook, plus address book), your mobile phone ISP (real approximate location 24h/D), some other data brokers and put everything together.
At this point we have a glimpse into the big picture and can confidently say that there is someone out there who knows me, my habits, my taste in music, my political views, my loving preferences, my readings and my purchases very well; probably better than I do.
Unfortunately this has horrible and damaging consequences on a collective level, where anyone sufficiently financed can buy and abuse these information in a number of different ways and we are not going to list them because, for how good the list could be, it would always be only a part of what actually happens out there, out of sight.

By using Icecat, I hope, we can change this consolidated behavior by making the data unavailable for collection, at least from the desktop browser; resulting in companies pivoting their research and funds towards something more elevated, like actually improve their products.

_{[1]

https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/collection/index.html}
_{[2]

https://pirg.org/edfund/resources/how-mastercard-sells-data/}
_{[3]

https://www.nytimes.com/2018/04/11/technology/facebook-privacy-hearings.html}