Escaping from Geolocation awareness in Linux

Discussion in 'all things UNIX' started by Amanda, Jan 10, 2016.

  1. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    The dude above, who mentioned "FUD"... why does he show up in threads like this, just to pooh-pooh demanding "proof". Smells like a plant.
    Baits you into providing "proof", and when you do -- by posting a solid example of the problem at hand, citing a reproducible example of privacy-unfriendly behavior -- the plant resorts to chiding you (me)(search my prior posts. privacy. akonadi.) for being a tinfoil hattie. Yah.
    Beyond just geolocation, an increasing number of apps are being preinstalled and/or packaged with default prefs which cause them to perform silent callouts.

    Two years back (or so), I posted a rant here at wilders citing the behavior of KDE's oddly-named music player, as configured and preinstalled in kubuntu. Live session, first run, when I double-click an ogg file to determine whether sound is working... I sure as hell don't appreciate finding the default handler launching and, in addition to initiating playback, automatically scanning my drives to create a manifest of playable files found AND calling out to last.fm and other (multiple) "partner" websites (to *cough* find missing cover art, and *cough* help find other music you might like).

    In a separate discussion that I started, to post my enthusiasm for LPFW (Leopard Flower personal firewall), same "plant" chimed in to pooh-pooh and tell me "linux isn't windows" (duh! thanks) and "so there isn't a need for an outbound, per-application, firewall app".
     
  2. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,380
    Location:
    West Yorkshire, UK
    The original post made the claim that geoclue could track without permission.
    Geoclue can be disabled using dconf settings and in Gnome Control Panel (possibly others).
    This is not a reasonable privacy discussion, where is the discussion that verifies and provides evidence that Geoclue does not respect privacy and therefore the need to remove/not install/use alternatives to Geoclue to protect privacy and where is the discussion as to why (is it a feature or bug, can it be fixed, is there a bug report)?
     
  3. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,051
    When you make an allegation of any form then it requires proof otherwise it is either slander or libel which in the case of some of the posts here then libel comes to mind.
    I think it's perfectly feasible to require a certain amount of evidence to back up a claim of "spying" or user tracking.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    So hey, I appreciate the value of geolocation awareness. Many users, maybe even virtually all users, want help finding nearby coffee, sexual partners, or whatever. Or just whether it's going to rain soon. But some of us would rather avoid geolocation. Indeed, we don't even want to be running the packages that enable it. And so it's disturbing to find how entangled it's become. How hard it is to remove without breaking stuff.
     
  5. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,373
    Wouldn't something like Linux From Scratch be a good starting point for people with privacy issues?
    http://www.linuxfromscratch.org/lfs/
     
  6. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    Exactly :)

    This is interesting. I guess the webkit dependency chain on geoclue is an Arch thing. That's one of the reasons I'm moving away from it.

    Geoclue's page at freedesktop.org shows an example of how a C program can get user data. It seems, at least to me, that geoclue itself doesn't know if the user actually allowed location sharing, and relies on (other) programs' request to see if the user allowed sharing or not. From that example, it seems that programs can fake user permissions so that it could get user location. But my programming skills are very limited, I could very well be wrong.

    If I'm right, it's like I've stated before: I don't want to look on the source code of all the programs I use to see if they respect my privacy. It's much simpler to just remove all programs that allow location sharing. I don't want them on my system, it should be pretty simple to understand.

    Some people care, some don't. And as I've said before:


    ------------------------------------------------------------------


    Exactly. I wonder why so many programs require it when the vast majority will NEVER use it. Why is geoclue a dependency of webkit at all? Why force this kind of program on everybody? It seems much more logical to make geoclue a dependency only of the programs who will actually use it.
     
  7. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,244
    Location:
    Southern Rocky Mountains USA
    My definition of reasonable includes completely disabling tracking mechanisms whether they are actively being used or not. That eliminates the question of permission and trust and puts the control over them where they belong, in the hands of the end user.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,994
    And that's exactly what you have in various control panels of various distros. Simple.
    Mrk
     
  9. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,244
    Location:
    Southern Rocky Mountains USA
    True, and mostly they can be trusted but it is still nice to know you can take the radical step of completely removing it. I recently did an "apt-get remove geoclue" in Ubuntu and was pleasantly surprised to see that it not only didn't break anything, I also got back around 600mbs of disk space after doing the recommended "apt-get autoremove" afterwards. That works out nicely in this case because this Ubuntu 14.04 install is primarily used to run Virtualbox VMs and I am bit by bit trimming out anything that isn't useful for that purpose.

    I appreciate @amarildojr's hyper paranoid approach even if it is a bit much for some. He brings up real issues that I, being the relative Linux newbie that I am, never would think of. One man's fud is another man's fodder.
     
  10. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
  11. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    It seems the issue has a much deeper bottom than what I originally thought. Here on Debian, there are a lot of packages that could use Google services, Twitter services, etc. Removing some of these will cause some DE's to be removed. I'm still figuring out how to remove these dependencies from some of the DE's (namely KDE and Cinnamon) without breaking them.

    See this file: http://pastebin.com/raw/jCdDFCLV

    I recommend to wget this file while installing Debian, right before "Select and Install Software", and then "cp heSYD7XW /etc/apt/preferences". This way they won't get installed at all. I don't know yet if this will cause errors or not.

    Remember to remove those packages after setting up your apt preferences file.

    So, there are two situations I'm facing:

    1) Arch will only have one of the "no-prism" conflicting packages if I install it with KDE, XFCE, and MATE. However, it will still have geoclue, geoclue2, zeitgeist, and libzeitgeist as dependencies. I could compile webkitgtk and some KDE stuff without them as dependencies, but it would take a long time to do so. I'm not in the mood for that. I could also build a dummy package for geoclue and Co, but if problems arise it could be difficult to debug.
    2) Installing Debian without the packages from the file above is pretty easy (section "No GeoLocation"). However, it still comes with tons of privacy-invading packages. I'll do a test install tomorrow with this file to see if it works. If it does, then I'm moving to Debian.

    If it doesn't work, I'll look into OpenBSD as an alternative to Linux. It's been at least 6 months since I last used it, but IIRC I can select package by package, only what I want to install. I only need my radeon firmware there, and selecting only the packages I want.

    Gosh, I can install KDE3 on OpenBSD :-*:-*:-*:-*:-*:-*
     
    Last edited: Jan 27, 2016
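
Added example, not part of the post above and not a copy of the linked pastebin file: one way an `/etc/apt/preferences` block list can be generated and then audited. The package list and the function names `make_pins` and `unpinned` are assumptions made for illustration; the stanza format follows apt_preferences(5), where a negative priority prevents installation.

```shell
#!/bin/sh
# Hypothetical block list built from names mentioned in the thread.
BLOCKED="geoclue geoclue-2.0 libgeoclue0 zeitgeist"

# Emit one apt_preferences(5) stanza per package. A negative
# Pin-Priority prevents any version of the package from being installed.
make_pins() {
  for pkg in $1; do
    printf 'Package: %s\nPin: release *\nPin-Priority: -1\n\n' "$pkg"
  done
}

# Read a preferences file on stdin and print every package from "$1"
# that is not named in a stanza with a negative Pin-Priority.
# Limitation: glob or /regex/ entries in "Package:" are not expanded.
unpinned() {
  awk -v want="$1" '
    BEGIN { RS = ""; FS = "\n"; n = split(want, w, " ") }
    {
      pkgs = ""; prio = 0
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^Package:/) {
          pkgs = $i; sub(/^Package:[ \t]*/, "", pkgs)
        }
        if ($i ~ /^Pin-Priority:/) {
          p = $i; sub(/^Pin-Priority:[ \t]*/, "", p); prio = p + 0
        }
      }
      if (prio < 0) {
        m = split(pkgs, a, " ")
        for (j = 1; j <= m; j++) pinned[a[j]] = 1
      }
    }
    END { for (k = 1; k <= n; k++) if (!(w[k] in pinned)) print w[k] }'
}

# Show the generated stanzas when the script is run directly.
make_pins "$BLOCKED"
```

A pin only stops future installation; packages that are already present stay until they are removed, which is why the post says to remove them after the file is in place.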
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, that's cool for you. But you do lose many packages by doing that.
     
  14. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Couldn't you just deny any activity of those packages via firewall?

    E.g. completely block zeitgeist, webkit2gtk, etc. but still have it installed.
     
  15. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,373
    Now that systemd seems to be on its way to being used by most distros, won't things potentially become even more difficult? I'm asking because, from my limited understanding, systemd ties many things together.
     
  16. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    Yes, systemd is a one-man band. I don't blame them, they do a ton of good stuff and may actually help a lot on saving the Linux desktop market (them and VALVe). I just hope they don't become the evil thing many people are afraid of. I mean, they do have a lot of power in their hands, and since it's not likely that we'd see a malicious commit in time, it's possible that they could wreck all modern Linux systems and thus destroy Linux's reputation almost completely.

    However, I don't think systemd is a problem for the BSD guys. OpenBSD has around 80 developers at any given time, and they do a good job porting and maintaining old and new packages and separating them from systemd. KDE 3.5 is by far my favorite KDE, and it works great there.

    The only reason I don't use OpenBSD is because their Kernel drivers (radeon and amdgpu) lag a little behind the drivers present on Linux, so much that I can't even move a window without lagging. I do hope they're at a better situation now, and I'll try OpenBSD 5.8 somewhere between today and tomorrow.
     
  17. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    And I am still here wondering why you/we just won't disable any network activity for those packages? ;P
     
  18. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    Because some of us are paranoid? :( And we don't want these packages, like at all. No Google service, no geolocation service, nothing. It's better to not have a nuclear weapon than to try to disable its main component.
     
  19. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    I am totally agreeing with you. But the troubles of removing them and the packages that depend on it are too much for me.

    I will just completely block their network activity. Any other packages I should add?
     
  20. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,373
    IIRC, the BSD guys want(ed) to steer clear of systemd.
     
  21. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,244
    Location:
    Southern Rocky Mountains USA
    I haven't found any so far. Ubuntu 14.04 doesn't seem to have any packages dependent on geoclue in a default installation and I haven't added anything that does. I have a much fuller Mint VM on this system that would have anything lacking in the host.
     
  22. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,373
    How do you figure that out? I'm on Lubuntu 14.04 and when I ran a simulation using
    Code:
    apt-get remove -s geoclue*
    it threatened to burn down the house.

    I really don't understand the output of that simulation. On the one hand, there's nothing "geoclue"-related to remove!
    Code:
    NOTE: This is only a simulation!
      apt-get needs root privileges for real execution.
      Keep also in mind that locking is deactivated,
      so don't depend on the relevance to the real current situation!
    Reading package lists... Done
    Building dependency tree  
    Reading state information... Done
    Note, selecting 'geoclue-2.0' for regex 'geoclue*'
    Note, selecting 'libgeoclue0' for regex 'geoclue*'
    Note, selecting 'geoclue-localnet' for regex 'geoclue*'
    Note, selecting 'geoclue-plazes' for regex 'geoclue*'
    Note, selecting 'geoclue-ubuntu-geoip' for regex 'geoclue*'
    Note, selecting 'geoclue-gpsd' for regex 'geoclue*'
    Note, selecting 'python-geoclue' for regex 'geoclue*'
    Note, selecting 'geoclue-examples' for regex 'geoclue*'
    Note, selecting 'geoclue' for regex 'geoclue*'
    Note, selecting 'libgeoclue-dev' for regex 'geoclue*'
    Note, selecting 'geoclue-gypsy' for regex 'geoclue*'
    Note, selecting 'geoclue-hostip' for regex 'geoclue*'
    Note, selecting 'geoclue-geonames' for regex 'geoclue*'
    Note, selecting 'geoclue-gsmloc' for regex 'geoclue*'
    Note, selecting 'geoclue-provider' for regex 'geoclue*'
    Note, selecting 'geoclue-nominatim' for regex 'geoclue*'
    Note, selecting 'geoclue-skyhook' for regex 'geoclue*'
    Note, selecting 'geoclue-yahoo' for regex 'geoclue*'
    Note, selecting 'geoclue-manual' for regex 'geoclue*'
    Package 'geoclue' is not installed, so not removed
    Package 'geoclue-examples' is not installed, so not removed
    Package 'geoclue-ubuntu-geoip' is not installed, so not removed
    Package 'libgeoclue-dev' is not installed, so not removed
    Package 'geoclue-2.0' is not installed, so not removed
    Package 'geoclue-geonames' is not installed, so not removed
    Package 'geoclue-gpsd' is not installed, so not removed
    Package 'geoclue-gsmloc' is not installed, so not removed
    Package 'geoclue-gypsy' is not installed, so not removed
    Package 'geoclue-hostip' is not installed, so not removed
    Package 'geoclue-localnet' is not installed, so not removed
    Package 'geoclue-manual' is not installed, so not removed
    Package 'geoclue-nominatim' is not installed, so not removed
    Package 'geoclue-plazes' is not installed, so not removed
    Package 'geoclue-skyhook' is not installed, so not removed
    Package 'geoclue-yahoo' is not installed, so not removed
    Package 'python-geoclue' is not installed, so not removed
    The following extra packages will be installed:
    ...
    
    Then it goes ahead and suggests a list of 113 packages that will be installed:
    Code:
    The following extra packages will be installed:
      docbook-xml docbook-xsl gstreamer0.10-pulseaudio gstreamer1.0-plugins-good
      gstreamer1.0-x icoutils kate-data katepart kde-baseapps-bin
      kde-baseapps-data kde-runtime kde-runtime-data kdelibs-bin kdelibs5-data
      kdelibs5-plugins kdoctools kubuntu-debug-installer libattica0.4
      libbaloocore4 libbaloofiles4 libbalooxapian4 libcanberra-pulse
      libclucene-core1 libdbusmenu-qt2 libdlrestrictions1 libepub0 libexiv2-12
      libfftw3-single3 libkactivities-bin libkactivities-models1 libkactivities6
      libkatepartinterfaces4 libkcmutils4 libkde3support4 libkdeclarative5
      libkdecore5 libkdesu5 libkdeui5 libkdewebkit5 libkdnssd4 libkemoticons4
      libkfile4 libkhtml5 libkidletime4 libkio5 libkjsapi4 libkjsembed4
      libkmediaplayer4 libknewstuff3-4 libknotifyconfig4 libkntlm4 libkparts4
      libkpty4 libkrosscore4 libktexteditor4 libkubuntu0 libkxmlrpcclient4
      libnepomuk4 libnepomukcleaner4 libnepomukcore4abi1 libnepomukquery4a
      libnepomukutils4 libntrack-qt4-1 libntrack0 libphonon4 libplasma3
      libpolkit-qt-1-1 libpoppler-qt4-4 libpulsedsp libqapt2 libqapt2-runtime
      libqca2 libqjson0 libqmobipocket1 libqt4-dbus libqt4-designer libqt4-opengl
      libqt4-qt3support libqt4-svg libqtwebkit4 libsolid4 libsoprano4
      libstreamanalyzer0 libstreams0 libthreadweaver4 libvirtodbc0 libxml2-utils
      libzip2 nepomuk-core-data nepomuk-core-runtime ntrack-module-libnl-0
      odbcinst odbcinst1debian2 oxygen-icon-theme phonon phonon-backend-gstreamer
      phonon-backend-gstreamer-common phonon-backend-gstreamer1.0
      plasma-scriptengine-javascript pulseaudio pulseaudio-module-x11
      pulseaudio-utils qapt-batch qdbus qtchooser rtkit sgml-data
      shared-desktop-ontologies soprano-daemon ttf-dejavu-core virtuoso-minimal
      virtuoso-opensource-6.1-bin virtuoso-opensource-6.1-common
    Suggested packages:
    ...
    
    And then it lists 8 packages it will remove:
    Code:
    Remv apturl [0.5.2ubuntu4]
    Remv update-notifier [0.154.1ubuntu1] [update-manager:amd64 ]
    Remv update-manager [1:0.196.14] [ubuntu-release-upgrader-gtk:amd64 ]
    Remv ubuntu-release-upgrader-gtk [1:0.220.8]
    Remv gir1.2-webkit-3.0 [2.4.8-1ubuntu1~ubuntu14.04.1]
    
    All very confusing.
     
    Last edited: Jan 28, 2016
  23. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,244
    Location:
    Southern Rocky Mountains USA
    Way too weird. I just did "sudo apt-get remove geoclue" and it was quickly removed and I got a prompt at the end suggesting the autoremove. It was quick and painless and everything worked afterwards. Apart from what came with Ubuntu, all I've added has been an assortment of browsers, wireshark, and Virtualbox. No simulations. I use imaging and restoring my Ubuntu partition on an SSD takes less than a minute.
     
  24. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,244
    Location:
    Southern Rocky Mountains USA
    Further update. I tried it on another Ubuntu 14.04 install and there is a big difference between what "apt-get remove geoclue" and "apt-get remove geoclue*" does. The list of packages is much more narrow without the wildcard and nothing gets broken. Adding the wildcard gave me the first part of what you got but it didn't want to install anything and gave me a warning about webkit dependencies. I did it without the wildcard and had the same results as the first time after running the simulation.
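
Added example, not part of any post in the thread: a small parser for the simulation output posted above, which also shows why the wildcard form behaves so differently from the plain name. The "for regex" lines show apt-get applying `geoclue*` as an unanchored regular expression, so it selects every name containing "geoclu"; the function names below are this example's own.

```shell
#!/bin/sh
# Excerpt of the simulation output posted in the thread (shortened; lines verbatim).
SIM_OUTPUT="Note, selecting 'geoclue-2.0' for regex 'geoclue*'
Note, selecting 'libgeoclue0' for regex 'geoclue*'
Note, selecting 'python-geoclue' for regex 'geoclue*'
Note, selecting 'geoclue' for regex 'geoclue*'
Note, selecting 'libgeoclue-dev' for regex 'geoclue*'
Note, selecting 'geoclue-provider' for regex 'geoclue*'
Package 'geoclue' is not installed, so not removed
Package 'libgeoclue-dev' is not installed, so not removed
Package 'geoclue-2.0' is not installed, so not removed
Package 'python-geoclue' is not installed, so not removed"

# Names apt-get matched with the pattern, one per line.
selected() {
  sed -n "s/^ *Note, selecting '\([^']*\)' for regex .*/\1/p" | LC_ALL=C sort -u
}

# Names apt-get reported as absent from the system.
not_installed() {
  sed -n "s/^ *Package '\([^']*\)' is not installed, so not removed.*/\1/p" |
    LC_ALL=C sort -u
}

# Selected names that were never reported as "not installed": the ones
# the simulated removal can actually act on.
acted_on() {
  input=$(cat)
  sel=$(printf '%s\n' "$input" | selected)
  absent=$(printf '%s\n' "$input" | not_installed)
  printf '%s\n' "$sel" | grep -vxF -e "$absent" || :
}

# Filter names on stdin with a regex, matched anywhere in the name
# unless the pattern is anchored.
match_regex() { grep -E -- "$1"; }

echo "acted on:"
printf '%s\n' "$SIM_OUTPUT" | acted_on
echo "matched by ^geoclue (anchored):"
printf '%s\n' "$SIM_OUTPUT" | selected | match_regex '^geoclue'
```

On a live system the same functions can read the output of `apt-get remove -s 'geoclue*'` from a pipe instead of the embedded excerpt.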
     
  25. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    Well, splitting hairs, in debian only the "webkit*gtk" libraries depend on geoclue.
    The qtwebkit* libraries do not. Chromium browser does not.
    I checked debian jessie repository & found the following depend on geoclue or geoclue2 or libgeoclue0:
    "emerillon", "libwebkit*gtk", "gnome-maps", "gnome-clocks", "epiphany-browser", "empathy", "redshift"

    empathy: GNOME multi-protocol chat and call client

    redshift desc: adjusts the color temperature of your screen

    emerillon desc: map viewer for the GNOME desktop

    I've heard of redshift previously. The others I've never touched.
    Okay, so that redshift can adjust colors based on time of day... instead of referencing the system time,
    it would lookup my IP and guess time of day based on geolocation o_O
    As a design decision, that falls somewhere between lame... and asinine.
    To be clear, debian redshift package doesn't just "recommend" geoclue. Redshift DEPENDS on geoclue.

    emerillon -- a map viewer that's designed such that it can't/won't show me a map
    unless I paint an "I AM _here_" bullseye on my forehead?
    No point in filing a bug ticket to complain. Gnome developers are convinced their ***** don't stink.
     