Turn off Google's surveillance on meet.jit.si


Description

Even just the name of a chat room might contain sensitive data.

Google should not be informed about people joining a chat room, since it might be able to identify them (by relating information gained across different Web sites or on their own services) and profile their relationship.

Current behavior

Any visit to https://meet.jit.si/ or any chatroom therein informs Google through Google Analytics.

The Referer HTTP header lets Google relate the different members of a chatroom, and personal data such as the user’s IP and User-Agent let Google actually identify the persons in the chatroom by relating such information with that available on their ubiquitous services.

Expected Behavior

https://meet.jit.si/ doesn’t leak personal info to third parties.

The users accept to trust only meet.jit.si and such trust should be honoured.

Possible Solution

Remove

<script async="" src="//www.google-analytics.com/analytics.js"></script>

from the Web pages served under https://meet.jit.si/

Steps to reproduce

Visit https://meet.jit.si/ or any chatroom therein such as https://meet.jit.si/GoogleIsProfilingYouRightNow

Environment details

A logging proxy might be useful.
As an alternative, the DevTools of the browser might suffice.

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 43
  • Comments: 23 (13 by maintainers)
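
The check described in the issue can also be run offline against saved page source. The following is an added example, not part of the original issue or of Jitsi's code: it lists the third-party hosts a page's markup makes the browser contact and the Referer each request would carry. The sample HTML, the first-party bundle path, and the simplified three-policy referrer model are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit

FETCHING_TAGS = {"script", "img", "iframe"}  # elements whose src is fetched on load

# Constructed sample page: the analytics tag is the one quoted in the issue,
# the first-party bundle path is made up for contrast.
SAMPLE_HTML = """<html><head>
<script src="libs/app.bundle.min.js"></script>
<script async="" src="//www.google-analytics.com/analytics.js"></script>
</head><body></body></html>"""
ROOM_URL = "https://meet.jit.si/GoogleIsProfilingYouRightNow#config.analytics.disabled=true"


class SrcCollector(HTMLParser):
    """Collects absolute URLs of resources the browser fetches while parsing."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.urls = page_url, []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in FETCHING_TAGS and src:
            # urljoin also resolves protocol-relative "//host/path" references
            self.urls.append(urljoin(self.page_url, src))


def referer_for(page_url, target_url, policy):
    """Referer value under a simplified model of three referrer policies."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    if policy == "no-referrer" or (page.scheme == "https" and target.scheme != "https"):
        return None
    full = urldefrag(page_url).url  # fragments are never sent in Referer
    if policy == "no-referrer-when-downgrade":
        return full
    if policy == "strict-origin-when-cross-origin":
        same_origin = (page.scheme, page.netloc) == (target.scheme, target.netloc)
        return full if same_origin else f"{page.scheme}://{page.netloc}/"
    raise ValueError(f"policy not modelled: {policy}")


def third_party_requests(page_url, html, policy):
    """List requests to hosts other than the page's own, with the Referer sent."""
    collector = SrcCollector(page_url)
    collector.feed(html)
    first_party = urlsplit(page_url).hostname
    return [
        {"host": urlsplit(u).hostname, "url": u, "referer": referer_for(page_url, u, policy)}
        for u in collector.urls if urlsplit(u).hostname not in (None, first_party)
    ]
```

Static parsing misses tags that scripts inject at run time, so the logging proxy or DevTools check mentioned in the issue remains the authoritative test. The client IP and User-Agent reach the third party under any referrer policy.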

Top GitHub Comments

32 reactions
saghul commented, Apr 3, 2020

Hey all, sorry it took so long, but it finally happened: meet.jit.si no longer has Google Analytics. Thanks a lot for your feedback.

22 reactions
Shamar commented, Sep 4, 2019

Hi @saghul, nice to meet you and thanks for your kind answer.

At the very best, there is either a PR/marketing issue or a UI/UX error at work, here.

Misleading marketing?

Meet.jit.si markets itself as a “Secure, fully featured, and completely free video conferencing”, all over the world, but

  • it’s not as secure if it informs third parties that could identify you
  • it’s not completely free if people pay with their personal data

For sure, those who use meet.jit.si, necessarily trust you.
But they trust YOU. Neither Google, nor CallStats.
They just trust you.

Misleading UI?

In the home page there is no mention about Google¹ being informed I’m joining a certain chatroom or being able to learn who I’m talking with. Or to learn the name of our chatroom.

> Even just the name of a chat room might contain sensitive data.

> You can pick arbitrary room names. If you don’t want to leak sensitive data you shouldn’t put it out there to begin with, right?

With all respect, this sounds a bit like victim blaming.
Many people trust you, they are connecting to your server through encrypted TLS connections and have no reason to suspect that others will learn the name of their chatroom.

Moreover, most people have no control over their User-Agent and IP, which are personal data according, for example, to the European GDPR. And they are leaking such data to a third party that can use them to identify them by relating such data to that collected from a huge number of other websites and services.

Most users are helpless about such data: they cannot really decide to “put it out there to begin with”.
As you provide a secure service, it’s your responsibility to inform them (and to protect them).

> Users should pick something completely impersonal like a UUID v4 in that case, wouldn’t you agree?

You are talking with a hacker. Sure, I agree.
And I’m actively working to teach Informatics to kids, so that the next generation of people will be able to understand who they could trust and how much.

BUT, today, how many people know what a UUID v4 is?
Google shouldn’t be able to exploit their ignorance, don’t you think?

> block tracking in your browser

Yeah… but unfortunately most people today don’t even understand how Web tracking works. When they visit a Web page they are not aware of protocols, encryption, includes and so on…

And we are talking about a secure application and they trust you to protect their privacy.

> We need to know if your call failed. We need to know if ICE took too long. We’d like to know if nobody is using feature X.

All of this can be done via (opt-in) logging in your own JavaScript code.

> Or how many page reloads have happened recently

Look at the web server’s logs. 😉

> setup your own deployment

Sure! This is one of the reasons why I’m taking the time to compile this bug report.
Because I think Jitsi is a great software and has a great potential.

But this is not the topic here.
You are providing a service, marketing it as a secure service… and leaking users’ personal data.

An actual UI bug?

> use #config.analytics.disabled=true in your URLs, for example: https://meet.jit.si/foo#config.analytics.disabled=true

This is interesting, but as far as I can see, users can’t choose this option from the current UI.
I’m a web developer with 20 years of experience and I had no idea this was possible till now.

Moreover, technically speaking, using a URI fragment interpreted client side isn’t safe for the user. Try it yourself:

  1. Start a new instance of Google Chrome
  2. Paste this address https://meet.jit.si/GoogleIsProfilingYouRightNow#config.analytics.disabled=true into the address bar
  3. Press enter

You will see the page will start loading but the URI fragment will disappear after a few seconds.
What will the user do if the connection hangs? Click the refresh button.
The browser will then load the page without that fragment.
So the user will leak personal data to Google anyway².

I understand

> If you made it this far, ❤️ , I hope you understand.

Yeah, I really understand you and I really appreciate your work.

But the more successful you are, the more Google’s surveillance will be dangerous.
They will know more about your users, more about their relationship.

To fix this is your own responsibility, as developers and as providers of a service used all around the world.


¹ or CallStats, but they are slightly less dangerous than Google these days

² AFAICS, nobody is asking consent about this, so this might even be considered a data breach of which European users should be informed, according to Article 34 of GDPR (but remember, IANAL).

