F-Droid Appstore criticizes application for using "non-free network service"

23 respuestas [Último envío]
quantumgravity
Desconectado/a
se unió: 04/22/2013

Lately, i installed the f-droid appstore on my tablet.
When I was searching for a free messaging client, I encountered "Telegram" which is obviously just that.
Anyway, in the description of the program there is a big red mark, reading:
"This application advertises non-free network services"
and below, one can read:
"Anti-feature: Non-free network, since the servers run proprietary software".

I'm here to ask for your opinion if I'm getting something wrong, because from what i understand so far, this statement is just - excuse my vocab here - *horrible* bullshit!

1. Why should I care if THEY use proprietary software on their servers - how should I make sure that they are really using free software anyway, even if they claimed it?
2. If you put it that way, you had to label every mail client the same way, because it "advertises" the use of a normal mail account, hence you're sending mails to a server with (very likely) proprietary software on it.
3. What's with the term 'non-free network'? There is nothing like a non-free network, since you can't apply the four freedoms to it. How should you copy a network or make your own version of it??

So it would be nice if you gave your opinion on this.
At the moment, I don't see any reason not to use Telegram and about the expressions i'm already convinced that they are just nonsense.

t3g
t3g
Desconectado/a
se unió: 05/15/2011

I agree. Many of these servers are probably running a flavor of GNU/Linux or BSD and free software applications like Apache, MySQL, nginx, PHP, or Python to serve the data. As long as the output data that the server returns is in an open format (like JSON or XML) then its not a big deal.

On top of that, if the software on their server is built by them and for them for a custom purpose, then they have no obligation to share. If they do distribute their custom software, then that's another story.

davidnotcoulthard (no verificado)
davidnotcoulthard

1) I don't know non-free network either....
2) They use non-free software on their servers, it's not really a deal breaker (otherwise it....wouldn't appear in F-droid), but I don't mind a big warning sign. F-droid feels that it's worth noting, and they've got the right to.

What they rather shouldn't do (which they don't) is unaccedentally excluding Telegram from their repos on the basis of that, in my opinion.

So all is well, apart from the definiton of non-free network part.

Magic Banana

I am a member!

I am a translator!

Desconectado/a
se unió: 07/24/2010

I agree. Free software is about controlling your own computers. Not the computers you are connecting to but do not not possess!

Alexander Stephen Thomas Ross
Desconectado/a
se unió: 09/17/2012

I think your missing the point. if it's non-free then it won't be
free/released for you to run it on your own computer. it's a note that
it is "cloud" - you not doing your own computing and so beware.

to try to see more where my thinking comes from, read the cloud related
writings on fsf website.

Magic Banana

I am a member!

I am a translator!

Desconectado/a
se unió: 07/24/2010

A messaging application is not SaaSS.

andrew
Desconectado/a
se unió: 04/19/2012

I don't think "non-free" network service makes much sense. Perhaps
warning the user about SaaSS (service as a software substitute) and the
risks (lack of control, privacy) would be more clear and informative.

Andrew

quantumgravity
Desconectado/a
se unió: 04/22/2013

I agree that a warning about SaaSS should be included if it's present (actually I think such applications shouldn't be included in f-droid in the first place).
However, a messaging software is not what you call SaaSS, since you can't do the job with your own computer.
It's just the same thing like using this forum:
I use a free software program (my browser) in order to send and receive text to a server. What kind of software on the server is running doesn't matter, since I gave somebody else control over my data anyway.

Though I agree that hosting your own jabber server is a better option.

jxself
Desconectado/a
se unió: 09/13/2010

It should be possible to deploy your own Telegram server and have the app on your phone communicate with that instead. Just like I could set up my own server running XMPP or use someone else's. But it currently isn't possible to do that for Telegram, because they don't share the code that they wrote to make the backend, only the thing that runs on the phone i.e. they don't share their "secret sauce." Perhaps some people don't care about that matter and want to use third party services instead of being self-hosted (as it seems some in this thread.) There's a whole topic that could discussed there. Either way, some are interested in this topic and so this is all that the F-Droid people are pointing out for those that are, nothing more and nothing less. It is information that you will be dependent on the Telegram people for all of your Telegram needs, so use it as you wish.

davidnotcoulthard (no verificado)
davidnotcoulthard

Come on guys! It's just a slightly bold red warning! A non-issue in my book.

F-Droid writes the warning but still puts it in their server and does nothing else - and I don't think they need to change that.

quantumgravity
Desconectado/a
se unió: 04/22/2013

I agree that it would be even better to host the server software myself.
However, I conclude that telegram
1. isn't SaaSS
2. doesn't require non-free software to be executed on my computer
3. offers end-to-end encryption

so from a privacy and freedom point of view, I don't see any problem here. Since the client is free software, I trust the community to make sure the encryption is really safe.

Besides, what I've seen so far from telegram is excellent. It's basically a free version of whatsapp, which is awesome.

jxself
Desconectado/a
se unió: 09/13/2010

"...from a privacy ... point of view, I don't see any problem here"

(Note that I removed the software freedom point.)

You should but, of course, privacy is outside the realm of free software right? I mean, there is an intersection but they're more or less different issues.

quantumgravity
Desconectado/a
se unió: 04/22/2013

Explain why the use of Telegram is any different from using a forum on the internet when it comes to privacy. So far, I've just heard some populist statements about the topic but nobody seems to think about the logical implications that arise if we consider a system like telegram not private enough.

jxself
Desconectado/a
se unió: 09/13/2010

"nobody seems to think about the logical implications that arise if we consider a system like telegram not private enough."

Of course people have.

All of the usual issues with centralized services come up. It's the whole "man in the middle" thing. The Telegram people know who has who added to their contacts, how often the communicate, what is said (at least when using ordinary chats. They claim that they can't when Secret Chats are used but, since the backend source code is not available this cannot be independently confirmed or denied that end-to-end encryption is actually used and that they have no way to read them.) But even if they could, metadata is still metadata and valuable in and of itself. All of the issues with it being a centralized service alleviated by making it free software so that people can run their own instance privately and keep that data to themselves. And if you want more information on why decentralizing things is important, Eben Moglen gave a great talk on that very issue: http://www.softwarefreedom.org/news/2010/feb/08/audio-and-video-eben-moglens-talk-freedom-cloud-no/

I also have a blog which mentioned avoiding centralized services in part of it: http://jxself.org/avoiding-surveillance.shtml

These are all issues to do with privacy, though, not software freedom. Of course, people are free to do whatever they want. The whole point I'm trying to make is that there are issues to consider here, when some in this thread were totally dismissing the matter of where the backend lived, who ran it, etc. as being totally unimportant and irrelevant things ("Why should I care" etc.)

quantumgravity
Desconectado/a
se unió: 04/22/2013

"They claim that they can't when Secret Chats are used but, since the backend source code is not available this cannot be independently confirmed or denied that end-to-end encryption is actually used and that they have no way to read them."

That's just wrong. The data gets encrypted by the free client program so the encryption mechanism is completely transparent.
You can read the code to verify that there is no "additional information" which gets transmitted to the server and allows it to decrypt the message.

"I also have a blog which mentioned avoiding centralized services"

I agree that centrilized services *are* a problem, but I'm more concerned about the big companies like google or apple.
Using telegram with encryption is a far inferiour problem than using gmail or youtube.

danieru
Desconectado/a
se unió: 01/06/2013

>Using telegram with encryption is a far inferiour problem than using gmail or youtube.

Then you recognize the use of Telegram as a problem? Then even if it's the lesser evil you should avoid it, because at the end of the day you still have a problem.

jxself
Desconectado/a
se unió: 09/13/2010

"a far inferiour problem"

There is actually no difference: it has the design of a data collection silo which, as mentioned in the blog post, is one of the two things that made mass surveillance possible.

"Using third party services that sell them out" doesn't just refer to cases where the service provider is doing that but is generic enough to refer to any time where that happens.

With the current design they're just one letter away from the top five intelligence agencies having full access to their system. The data of fifty million people and an additional one million each week present a pretty attractive target so who knows - maybe they've already received that letter. That's the problem: Under current laws companies are forbidden from saying that they've received one and thousands are issued each year. A notable company is fighting that but that's really fighting the symptom and not the problem. The real problem is using centralized services. Actually, the real problem is the spying which people need to fight with their legislature to address, but a second prong of attack can be applied by not using such things in the first place.

quantumgravity
Desconectado/a
se unió: 04/22/2013

"There is actually no difference: it has the design of a data collection silo which, as mentioned in the blog post, is one of the two things that made mass surveillance possible."

Well, there is one big difference: Leaving *diffusive* information is no problem at all (even rms acknowledges this btw).
You're doing it in real life all the time.
It's no problem that I buy grocieries at the same conveniance store every day and the shop owner already knows my face. I'm getting in trouble if that's the same guy owning the surveillance cameras on the street, at the train station etc... the trouble gets even bigger if he does the same thing for everybody, which isn't possible in real life as much as in our digital world.

Now the question is: how do I choose my threshold for diffusive information? In which case it is diffusive enough?
Please realize that if you consider telegram not to fit your criteria then you shouldn't use this forum neither.
I can't see any difference between those two situations.
Why don't you demand that the forum should be hostet in a decentralized way, scattered over the servers of many trisquel users?
That's the whole point of my argumentation: you reject one service but you obviously don't realize that other things you do on a daily basis are basically the same thing.

The owner of telegram servers can track my meta data on conversations with a few people.
If i use google services, google knows 1) what I'm searching on the internet 2) my email conversations 3) what videos I watch 4) maybe even what products I buy etc.

Now, you're obviously concerned of server owners (more precisely: companies) being forced to release the data by law. That's the case when the state grabs the data of telegram, grabs the data of my search engine etc. and combines them to a huge dossier.
What basically happened was: they collected diffusive information and put them together, something you might be able to fight with even deeper decentralization.
But again, using a websearch (even duckduckgo), a normal email provider and (i want to stress that once more) this forum are on the same level as using telegram.
They all fit the criteria I personally set up for decentralization, but not yours.
I think you have the right goal but i find it unreasonable that you condemn telegram and not, let's say, duckduckgo and internet forums.

riftyful
Desconectado/a
se unió: 09/02/2014

"I can't see any difference between those two situations."

I'd like to point out that they do not share the exact same problem. Telegram is a messaging service you can use to talk to people. Therefore, your messages are private and meant for only one person (or a specific group of people). This is a forum where your posts are public and everyone can see them. As far as posting threads and replies goes, there is no privacy need to begin with.

"I think you have the right goal but i find it unreasonable that you condemn telegram and not, let's say, duckduckgo and internet forums."

Now, I am not a programmer and I'm not sure to what degree can you verify DucDuckGo's trustworthiness, but I agree that it is not the ideal solution. I like DuckDuckGo because it's (mostly) free and cares about privacy (I did not verify that, but I believe it).
Of course, it would be best if we all could use something like YaCy, but both DuckDuckGo and Telegram are at least a better option than their ignorant and restrictive counterparts. But yes, it would still be better if everything was 100% libre, and in the best case, decentralized.

quantumgravity
Desconectado/a
se unió: 04/22/2013

"Therefore, your messages are private and meant for only one person (or a specific group of people). This is a forum where your posts are public and everyone can see them. As far as posting threads and replies goes, there is no privacy need to begin with."

Since telegram uses encryption, this argument is obsolete. Just like this forum, it get's recorded who I am and to whom I'm talking.
I don't want this information to be stored neither in telegram nor in a public forum like this.

//edit:
And I want to add that duckduckgo is actually worse than telegram: they know who i am and what i was searching for while telegram only knows the first one.
Why not use those services with tor and get rid of the problem that way?

jxself
Desconectado/a
se unió: 09/13/2010

"Leaving *diffusive* information is no problem at all"

You clearly haven't listened to Eben Moglen's speech I linked to. Please do so. He discussed that very issue, referring to it as the "...data dandruff of life which people don't think of as special in any way but which aggregates to things that people would be very creeped out to think could exist." (Or something along those lines.)

"Why don't you demand that the forum should be hostet in a decentralized way, scattered over the servers of many trisquel users? That's the whole point of my argumentation: you reject one service but you obviously don't realize that other things you do on a daily basis are basically the same thing."

Because I've been talking of Telegram. Please don't be confused though that my discussions of one thing don't mean I don't expect the same in other areas.

"The owner of telegram servers can track my meta data on conversations with a few people.
If i use google services, google knows 1) what I'm searching on the internet 2) my email conversations 3) what videos I watch 4) maybe even what products I buy etc."

Yes, and this is problematic too. Please spend some time to listen to that talk.

SuperTramp83

I am a translator!

Desconectado/a
se unió: 10/31/2014

"And I want to add that duckduckgo is actually worse"

use ixquick!

duckduckgo - uses amazon servers. servers are located in the usa (united swines of avarice), so..

ixquick - has servers both in the usa and europe (netherlands) but you can choose to use only the european ones.(default if you are in eu). And above all ixquick's been certified by Europrise, the European Privacy Seal (an independent organization) while duckduckgo to my knowledge only promises not to log your info - well I don't trust promises.. nor do i respect someone who makes business with amazon.

onpon4
Desconectado/a
se unió: 05/30/2012

It's not very wise to entrust your privacy to any third party. Ixquick says it doesn't track you, and it's likely that they're telling the truth, but you don't really know that. Use Tor, or otherwise access these services in a way that doesn't reveal your identity (e.g. public library). That's the only way to be confident that you aren't being spied on.

SuperTramp83

I am a translator!

Desconectado/a
se unió: 10/31/2014

that is right onpon. and i'm not saying that I completely trust ixquick. I'm just saying that my common sense makes me think that ixquick is better then the ugly duck privacy wise..
That being said I completely agree with you - if I have to do something really important or something that i don't want anybody to know - I boot Tails and I do my stuff!