
Software contains nonconsensual spyware that exfiltrates the user's activity #495

Open
sneak opened this issue Sep 29, 2024 · 3 comments

sneak commented Sep 29, 2024

Expected Behavior

The bridge gets me my mail.

Current Behavior

The bridge gets me my mail, and also reports on my activity without my consent to a third party.

Possible Solution

Disable the spyware unless the user opts in to such surveillance and tracking.

Steps to Reproduce

Run the bridge and check mail.

Version Information

Current: da76784

Context (Environment)

```text
>>> telemetry

choose whether usage diagnostics are collected or not

Commands:
  disable      Usage diagnostics collection will be disabled
  enable       Usage diagnostics collection will be enabled


>>> telemetry disable
Usage diagnostics collection is enabled right now.
Do you want to disable usage diagnostics collection? yes/**no**: ^C

>>>
```

Detailed Description

See above. Furthermore, a dark pattern is present that exists to confuse the user into accidentally leaving it on. After entering an explicit command "telemetry disable", it then prompts for confirmation with confusing wording "do you want to disable yes/no", with the default option being "no", so if the user hits enter they will not disable (a double negative) and countermand their explicit instruction to "telemetry disable".

The default out of the box should be SURVEILLANCE OFF. If the user wants to transmit their data, ask them, and allow them to opt in. If the user enters the "telemetry disable" command, don't prompt them any further, and certainly don't make the default answer to that prompt to "ignore the user's command and keep sending telemetry".

Possible Implementation

Just remove all of the surveillance features from the app. They have no place in a client for end to end encrypted communications.
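The confirmation default described in this report, modelled as an added Go example (constructed here, not the bridge's own code; the `Settings` type, `parseYesNo` and the `Disable*` functions are assumptions). It shows why a bare Enter after an explicit `telemetry disable` leaves collection on, and the shape of a flow that honours the command instead:

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// Constructed model of the "telemetry" command, not the bridge's own code.
type Settings struct{ TelemetryEnabled bool }

// NewSettings applies the reporter's suggested out-of-the-box state:
// diagnostics stay off until the user opts in.
func NewSettings() *Settings { return &Settings{TelemetryEnabled: false} }

// parseYesNo interprets a typed answer; an empty answer (bare Enter) takes
// the default. ok is false for input that is neither yes nor no.
func parseYesNo(answer string, defaultYes bool) (yes, ok bool) {
	switch strings.ToLower(strings.TrimSpace(answer)) {
	case "":
		return defaultYes, true
	case "y", "yes":
		return true, true
	case "n", "no":
		return false, true
	}
	return false, false
}

// DisableAsReported reproduces the flow in the issue: after an explicit
// "telemetry disable", a confirmation prompt defaults to "no", so a bare
// Enter leaves collection enabled. Returns the resulting state.
func DisableAsReported(s *Settings, in io.Reader) bool {
	fmt.Print("Do you want to disable usage diagnostics collection? yes/no [no]: ")
	line, _ := bufio.NewReader(in).ReadString('\n')
	if yes, ok := parseYesNo(line, false); ok && yes {
		s.TelemetryEnabled = false
	}
	return s.TelemetryEnabled
}

// DisableHardened treats the explicit command as the decision and never
// re-prompts, so no default answer can countermand it.
func DisableHardened(s *Settings) bool {
	s.TelemetryEnabled = false
	return s.TelemetryEnabled
}

func main() {
	s := &Settings{TelemetryEnabled: true}
	fmt.Println("\nreported flow, bare Enter, still enabled:", DisableAsReported(s, strings.NewReader("\n")))
	fmt.Println("hardened flow, still enabled:", DisableHardened(s))
}
```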


Cherkah commented Oct 13, 2024

Please can you confirm (or reject) this "problem"? And if so, fix it!! As a Proton license user on Linux I am expecting a strong & safe app running on all my devices ...


BarbossHack commented Oct 13, 2024

5 things:

1. You can opt out before login.

2. Here is what is collected (proton-bridge/internal/telemetry/heartbeat.go):

   - SetRollout: (?)
   - SetNbAccount: knows the number of connected accounts to Proton Bridge
   - SetAutoUpdate: knows if the "auto update" setting is set
   - SetAutoStart: knows if the "auto start" setting is set
   - SetBeta: knows if you are using a "beta" version
   - SetDoh: knows if the "DoH" (DNS over HTTPS) setting is set
   - SetSplitMode: (?)
   - SetShowAllMail: knows if the setting to show the "AllMail" folder is set
   - SetIMAPConnectionMode: knows if you are using SSL or StartTLS for IMAP
   - SetSMTPConnectionMode: knows if you are using SSL or StartTLS for SMTP
   - SetIMAPPort: knows if you are using a custom IMAP port
   - SetSMTPPort: knows if you are using a custom SMTP port
   - SetCacheLocation: knows if you are using a custom cache location
   - SetKeyChainPref: knows if you are using a custom keychain (?)
   - SetPrevVersion: knows what your Bridge version is

So, it does not collect any "privacy" data about your mails or your activity or anything else, only configuration settings...

3. You should read the privacy policy before using a service. In Proton Mail's case, it's explained here (https://proton.me/legal/privacy):

[screenshot]

4. It's also opt-out in Proton Mail web (it's not only proton-bridge):

[screenshot]

5. I agree that it could be opt-in


Cherkah commented Oct 14, 2024

@BarbossHack ok thanks for the clarifications.
