Escaping from Geolocation awareness in Linux

Discussion in 'all things UNIX' started by amarildojr, Jan 10, 2016.

  1. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,963
    Location:
    Brasil
    Recently I got hit in the nuts with a terrible surprise: I was probably being tracked while using Linux. "But how could that be?", I asked myself. The answer? Turns out Free Software also has it's hands tied to the "world-wide trends", and this means you're probably being tracked right now without permission. And don't kid yourself, I'm not talking about web-browser stuff, I'm talking about system-wide stuff. Got KDE or GNOME installed? You're probably being tracked. Got MATE installed, you're also probably being tracked. You use Midori? Guess what, you're also probably being tracked. You use SDDM as a login manager? Probably racked again. And there is a whole bunch of programs out there that, for some reason, use tracking, programs that you would never think they'd do something like this, probably because you think "I'm on Linux so I'm safe". Yeah right.

    So, as always, let's get to business.

    Sadly, this tutorial will only cover Arch Linux since it's the distribution I use. However, I remember that it's pretty easy to do the same things on Debian-family distros, just search for "Debian ignore packages", using DuckDuckGo of course.

    To begin with, you must first ask yourself what kind of paranoia level you're at. Some people will simply remove the following packages. Others, like myself, will Zero-Fill their drive and start all over (it's a loss of trust thing).

    If you're a non-paranoid person, just remove the following packages:

    Code:
    sudo pacman -Rs geoclue geoclue2 webkitgtk webkitgtk2 webkit2gtk yelp zeitgeist qt5-location
    Note: It's VERY likely that a ton of currently installed packages will depend on the above. If that's the case, you can simply remove the packages without removing the dependent packages:

    Code:
    sudo pacman -Rdd geoclue geoclue2 yelp zeitgeist
    You can also tell pacman to ignore those packages automatically. Just edit "/etc/pacman.conf", uncomment the "# IgnorePkg =" line, and paste the programs that you don't want to install again, ever.

    Mine looks like this:
    Code:
    IgnorePkg   = geoclue geoclue2 webkitgtk webkitgtk2 webkit2gtk yelp zeitgeist icedtea-web java-commons-daemon java-commons-net1 java-environment-common java-gnumail java-runtime-common jdk7-openjdk jdk8-openjdk jre7-openjdk-headless jre8-openjdk-headless openjdk7-src openjdk8-src rhino libreoffice-extension-writer2latex mathjax netbeans nodejs java-commons-io qt5-location
    To the real paranoid people.

    If you're like me, it's possible that you already lost a few nights of sleep just by thinking of the possibilites of having such packages installed. You compeltely lost trust on these packages and don't even want them installed on your system, but removing them isn't enough (because you're paranoid). So, assuming you already burned your house down and bought everything new, you want to:

    • Tell pacman to ignore those packages;
    • Install packages that don't track you;
    I used to love KDE and MATE, but I won't use them anymore. Both have dependencies that depend on geoclue and company, so you either don't mind installing them and then removing them, or you don't install these packages at all. But there's a light at the end of the tunnel: XFCE, with a few MATE themes. To install them (right after installing Arch's base system), just do:

    Code:
    sudo pacman -S netsurf mate-icon-theme mate-themes mate-icon-theme-faenza caja mozo alacarte slim xfce4 xfce4-goodies ttf-dejavu
    None of these depend on webkit(s) or any package dependent on geoclue(2), so you're fine.
    (Also, read on how to use SLIM as your login manager).

    Noticed the Netsurf download? Yup, forget about pretty much all web-browsers out there. Probably the only GUI browser that doesn't track you, and that is present on Arch's repo, is Netsurf. You can use Netsuf to download and install a privacy-friendly version of Firefox, Iceweasel. It's all set and done to work with Arch. To download and install it:

    Code:
    wget https://repo.parabola.nu/libre/os/x86_64/iceweasel-1:43.0.2.deb1-1-x86_64.pkg.tar.xz
    Code:
    sudo pacman -U iceweasel-1:43.0.2.deb1-1-x86_64.pkg.tar.xz
    You might also want to install two very good packages from parabola's Repo, "your-freedom" and "your-privacy". Just remember that your-freedom will remove any non-Free package you have (which is also a Plus).

    From now on, you're on your own. But don't worry, you should have your pacman.conf set up to ignore all these tracking packages, so anytime you might install something that depend on them, you'll get a pretty WARNING.

    That's basically it for this tutorial. Stay safe, stay away from the cameras!
     
    Last edited: Jan 10, 2016
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,025
    Freaky stuff, indeed :eek:

    However, if you compartmentalize properly, tracking doesn't matter. At least, as long as the host isn't reporting activities of VMs. If that risk is unacceptable, use hardware isolation for your gateways and workspaces. And if super paranoid, use optoisolators to enforce network restrictions.
     
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    @amarildojr

    I'm curious what this tracking activity looks like on a firewall and/or proxy, and how extensive and pervasive it is? And where exactly it's relaying data?

    Edit:

    http://www.freedesktop.org/wiki/Software/GeoClue/

    ^^^ I don't appreciate that protecting the user is merely the secondary goal there. However, in the absence of identifiable, recorded network activity, I'm also not convinced said library is being used the way you say it is.

    tl;dr Can you please provide examples of this tracking activity?
     
    Last edited: Jan 10, 2016
  4. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,963
    Location:
    Brasil
    I'll never provide such info because I don't want to deal with these packages anymore :) Sorry. I'm sure someone else will look deeply into this, though!
     
  5. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    1,056
    Location:
    the Netherlands
    Pardon my ignorance, as I am not yet a Linux user, but is there no simple UI setting to disable location sensing, as there is in Windows?
    Not even in KDE? If not, that's very much astonishing.
     
  6. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,963
    Location:
    Brasil
    Hm, I could have checked that. But I don't think there is such option. Geoclue will provide location to any application that requests it, so I don't think you can disable that. It will be interesting to see if there actually is such option, and if it actually does what it promisses.
     
  7. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Please provide details or you are just spreading FUD.

    Can you explain the nature of this tracking ?
    Does how does Geoclue gather your location info (does it connect externally to a 3rd party) ?
    Which applications are accessing this tracking data and what are they doing with it ?
    Is the tracking information being transmitted anywhere outside your system ?
     
  8. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,963
    Location:
    Brasil
    The tracking nature depends on the program that makes the request. Sometimes it uses GPS, other times it uses the nearest tower to see where you're at They say it's "to make programs better", but to me it doesn't matter, I don't want to have a system program that allows this, not even on a smartphone (if I ever buy one). And even though the project page says "only with user permission", I don't want to take this chance. I'm paranoid, blame it all one me.
     
  9. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    No evidence or examples. This is pure FUD.
     
  10. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,963
    Location:
    Brasil
    In parts, yes.

    I can't stop thinking about "what if's", specially given Linux recent history. One might have thought a distro would never spy on it's users, but in 2012 Ubuntu did it. After that, any remotely suspicious activity (or even a name) is ground for investigation.

    At the end of yesterday, my questions were:
    • Why would geoclue be a dependency of so many programs if most don't ask for location sharing?
    • Reading this example of how a C program can locate the user using geoclue, I did find how the demo program respects the user choice. That's cool. But I won't read the source code of all programs I use to see if they also respect user decision, specially since I'm not a programmer and can't trust myself on this job;
    • On Ubuntu, a user reported his machine was pinging servers via geoclue-ubuntu-geoip, even though he had set his clock to manual (geoclue is a dependency of the clock so that it can sync with the atomic clock). How can I guarantee this won't happen on my system, even though it's not comming from Ubuntu? Removing the package or the ones that depend on it. Simple as that.
    So after all, this thread is more of a "be in command of your machine" thread. It's not like users were never violated while using Linux. And I don't mind if people disagree, after all we all have our perspective on things ;) Some don't care, some do. This thread is targeted at those that do care about these programs. For these, there's also this reading, which is quite informative, specially if the user is running Ubuntu.
     
    Last edited: Jan 10, 2016
  11. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    624
    Location:
    United States
    Privacy protection will end up being big business down the road. It already is to some degree with VPNs taking off.
     
  12. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,963
    Location:
    Brasil
    I don't see this market taking off. I mean, how many people do you know that actually care about privacy and give up convenience? I bet 90% of people here either use Google, Android, Windows, or browsers like Chrome, Chromium, regular Firefox, etc.

    But it will be a very expensive business :p Not many people care. And it will be very hard to compete with the giants. Microsoft alone has bought almost 200 companies.
     
  13. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    I tend to agree with Mirimir that the best way to deal with this is to use a compartmentalized computer or VM on a VPN and, essentially, spoof your location so geolocation won't matter, regardless of the platform. I've found that the combination of a VPN and smartdns works really well for this. There are usually several ways to determine geolocation and this combination gets different results from each one so you become a magician that can be in several places at once but none are where you really are.
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,025
    Right. Also, there is no single "you". There are multiple personas. Each persona only does stuff that's safe to have linked. As in linked to a particular VPN service, online accounts, GnuPG key, set of correspondents, and so on. Each persona uses its own VM(s), its own set of VPN services, its own Whonix instance, and so on.
     
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    720
    mirimir, just out of curiosity: Are you using or have you tried Qubes OS? I haven't so far but from what I've read it should be ideal for your needs.
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,025
    Yes, thanks, I have tried Qubes. A couple years ago. The focus seemed heavy on security and light on anonymity. And devs seemed unfriendly to outsiders. So I've stuck with VirtualBox in Linux.
     
  17. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    720
    Thanks, I see. It seems, though, that a lot has changed since then. E.g., there is now a Whonix template available.
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,025
    True. Maybe it's time to look again. Thanks :)
     
  19. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,963
    Location:
    Brasil
    After talking to a Parabola developer, he agreed to add geoclue and geoclue2 to the package your-privacy, which already conflicts with packages that support services from Google, Ubuntu One, Twitter, Dropbox, Yahoo, and etc. However, there's a thing to consider: The GNU pholosophy only controls the program's freedoms, so users who chose to install your-privacy will face a conflict with GPL-and-compatible packages such as MATE, Midori, etc, because they depend on WebkitGTK (also GPL-and-compatible), which has geoclue/geoclue2 as a dependency (both are GPL compatible too). So I alerted him to the possibility of rebuilding webkitgtk, webkit2gtk, and webkitgtk2, without geoclue as a dependency.
     
  20. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    That is the real problem, geolocation is deeply embedded in almost all OSes these days. It is really pervasive and I was inspired by reading all of this to do some geolocation spoofing tests. I came upon a really bad leak doing this test: http://www.browserleaks.com/geo. I found it getting way too close to my real location from a VPN nested inside a VPN that was using smart dns. I should have gotten a location on another continent and instead was getting my home location. It turned out, the Google api was getting this information from my router's SSID and Mac address. Google has a database of router locations and I'm not sure how mine got there. More than likely through my ISP since it is the one that directly connects to their network. I usually have the Wifi turned off but was doing some testing that required my real IP and had it on. Once it was off, I got the VPN location without smartdns and an error with a VPN and smart dns combined.

    http://www.zdnet.com/article/how-to-keep-your-wi-fi-location-out-of-google/

    The problem with just turning off the wifi on my own router is that all my neighbors have routers and any of their wifi signals could potentially give out my real location even with a VPN active. The solution is to use a VM with a virtual network adapter so the OS has no access to the wifi hardware. Both Windows and Linux betrayed my location in a real machine with access and control of the wifi adapter but not in a VM. Ironically, the only OS that blocked it was Windows 10 because I had disabled location in group policy and the browser couldn't use it. At the browser level, this won't work with javascript disabled and most browsers will bring up a consent dialog before it does the location. Blocking maps.google.com in a host file will also disable it.

    In regards to Qubes, I currently have Qubes 3.1 rc1 installed and it comes with Whonix, Fedora and Debian core VMs. Whonix works quite nicely and I can have it running TOR while using a couple of other VMs each on its own VPN connection. I find it a bit much to use as my main OS but it certainly is teaching me a lot. I can actually do a lot of what it does using Virtualbox if I set up both Virtualbox and the host system properly. No, I don't get security nearly to the level of Qubes but I can get things pretty tight and I can have more fun with a more flexible VM setup than what Qubes allows.
     
  21. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    I'm using Lubuntu 14.04 LTS. It doesn't come with geoclue installed.

    All the same, I ran apt-cache rdepends geoclue:
    Code:
    $ apt-cache rdepends geoclue
    geoclue
    Reverse Depends:
      empathy
      python-geoclue
      geoclue-yahoo
      geoclue-skyhook
      geoclue-plazes
      geoclue-nominatim
      geoclue-manual
      geoclue-localnet
      geoclue-hostip
      geoclue-gypsy
      geoclue-gsmloc
      geoclue-gpsd
      geoclue-geonames
      geoclue-2.0
      geoclue-2.0
      emerillon
      libgeoclue0
      geoclue-ubuntu-geoip
      geoclue-examples
      geoclue-examples
      empathy
    And, from the output of apt-cache show geoclue:
    Code:
    Task: ubuntu-desktop, ubuntu-usb, edubuntu-desktop, edubuntu-usb, ubuntu-gnome-desktop
    I'm guessing that, in addition to Lubuntu, Xubuntu and Kubuntu also don't include geoclue.
     
  22. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,963
    Location:
    Brasil
    @vasa1 Could you actually try to remove the package? Many people say it's a dependency of the Clock, which is actually "geoclue-ubuntu-geoip".
     
  23. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Code:
    08:26 PM ~ $ apt-cache policy geoclue-ubuntu-geoip
    geoclue-ubuntu-geoip:
      Installed: (none)
      Candidate: 1.0.2+14.04.20131125-0ubuntu2
      Version table:
      1.0.2+14.04.20131125-0ubuntu2 0
      500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
    08:27 PM ~ $ sudo apt-get purge geoclue-ubuntu-geoip
    [sudo] password for vasa1:
    Reading package lists... Done
    Building dependency tree   
    Reading state information... Done
    Package 'geoclue-ubuntu-geoip' is not installed, so not removed
    0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
    08:27 PM ~ $
     
  24. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,963
    Location:
    Brasil
    Very interesting! :D Lubuntu seems like a well-built distro. I'm curious to see what UbuntuMATE/Kubuntu/Xubuntu has to offer in this regard.
     
  25. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    I'm using Ubuntu 14.04 LTS and it failed the browser geolocation test with the Google maps api even without geoclue. That says something about spoofing geolocation being a better approach than trying to tear it out of an OS. I think that all the api has to do is get information from OS about what the wifi adapter is seeing. It doesn't have to be connected to the router it is getting the geolocation from.
     
Loading...