Mapbox sends too much data to their servers

#1

I upgraded DC to 0.301.1 and at first app start, it tried to connect over an encrypted channel to some amazon servers. After exploring a little I found a new feature “On demand location streaming” that was turned off. When I turned it on, the phone started making more connections to unauthorized locations. I’m guessing that the new feature is using some 3rd party services. Ok, I turned it off, but DC is still attempting to establish connections to unknown IPs, which raises a question - is it a bug or the end of privacy?

Why is DC trying to establish connections to unauthorized IPs even when the feature above is disabled?

1 Like
#2

when the experimental location-streaming is turned on, there is an option to display a map. the tiles of the map are downloaded from a server; we use Mapbox for this that seems to host tiles on amazon then.

the location stream itself is not sent through mapbox, this information is sent through mail.

#3

hopefully in the future there will be a way to download the maps once and then use them offline??? I really don’t like the word “amazon” :wink:

#4

But as I said, this “experimental location-streaming” was turned off when I started DC after the upgrade, but DC tried to establish a connection anyway. After I played a little with this new feature, I turned it off for sure, but DC is still attempting to contact Amazon servers, not too often, but it does, and that makes me feel like a rat in someone’s research laboratories.

Is it possible with the new feature to stream simply longitude/latitude numbers without mapping, so anyone can copy/paste them to a preferred “Maps” application to get the location mapped in the way one wants?

#5

yip, offscreen maps would be awesome, however, not sure if there is a library that can be used easily. doing things completely from scratch is a lot of work, however, we’ll see.

for now, we’re happy to have at least some map.

wrt the connection to some cloud servers: they definitely do not come from “our” source, however, might be mapbox. mapbox is also open source - maybe someone can investigate here a bit further, what we can do to prevent this, when it appears, maybe file an issue on mapbox and/or deltachat and so on. @AlexJ are you up for that?

1 Like
#6

Would it be possible to show (optionally) the location in a third party app (e.g. OsmAnd)?

And for online maps also use OSM (maybe also optionally) to silence scruples?

See also my post:

Not sure if this can help.

2 Likes
#7

The mapbox site says offline maps are possible, however…

The privacy statement on the mapbox site explicitly talks about api requests being collected, thus offline maps may not make any difference if the log of where, when and how the api is used and not-used on a device is periodically reported for third party evaluation. That there are connections even if the deltachat code is disabled doesn’t sound good.

The number of data collection APIs seems high, maybe there is one with a good offline usage privacy statement.
https://wiki.openstreetmap.org/wiki/Frameworks#Displaying_interactive_maps

2 Likes
#8

i’ve tried to target this issue by https://github.com/deltachat/deltachat-android/pull/886 and changed the title to match the issue.

we’ll see if that works, @AlexJ i’ve uploaded an apk with the changes at https://share.riseup.net/#TbsPaPSA7ZGTJGfzBJiGKg - would be great if you can test this.
EDIT: also 0.303.0 is on the way that includes the pr

wrt OsmAND: even if we could figure out how to show data there, i think this would make things way too complicated for the user.

3 Likes
#9

Probably you’re right.
Using third party apps is always a bad idea.

And also OsmAND wouldn’t work with iOS.

#10

I have looked around this issue a bit, because the mapbox collection of api data that is shared to unknown other parties sounded somehow troublesome to me.

If deltachat is used in an organisation regulated by the GDPR, i.e. a sports club, the new position tracking option using the mapbox service may require re-evaluation and possibly adding statements in a data protection notice. Can somebody confirm or dismiss this?

Then there is the privacy statement from openstreetmap that seems more cautious. It points out that third party scripts and services like mapbox are not covered, and that some special “layers” (mapstyles I think) on the openstreetmap site itself are provided by third party services.
https://wiki.osmfoundation.org/wiki/Privacy_Policy#Data_we_receive_automatically

After looking a little at above list of interactive map libs, at least the projects libosmscout (multi-platform, navigation) and mapsforge (has pre-compiled map tile repositories available, and a separate mapbox iOS based fork
https://github.com/medvedNick/Mapsforge_iOS) seem to work with independent offline maps.

3 Likes
#11

SatStat uses mapsforge, and has a decent offline navigation

#12

Ok, but offline mapping or navigation that uses the mapbox SDK API (on the device), would still be covered by the mapbox privacy statements. And we have seen that the mapbox code connects to servers independently from its usage already.

1 Like
#13

Have a look, for the website some of the “internal analytics service providers” are mentioned.

“include AdR * ll, Cust * mer.i * , Faceb ** k, G ** gle Analytics, Link * dIn, and Market* .”

#14

I think this is important, and more so since Delta Chat is focused on privacy

2 Likes
#15

I don’t see it. When I use offline navigation, I don’t even turn on the mobile data. Due to my data plan, I got firewall-blocked most of my apps, and SatStat’s navigation works just fine (maybe you mean another mapbox app).
I think that the only connections needed are when downloading the maps, and that can be done through the browser.
However, this can be a little awkward for the user too.

#16

the current code (0.303.0) tries to disable this behavior, see https://github.com/deltachat/deltachat-android/pull/886/files#diff-495df73668f71d427fa787801c284675R68

assuming mapbox respects this setting, the only data sent are the requested tiles then.

wrt the mentioned analytics, one should be very careful not to mix the website-cookie-whatever-policy with the data collected during map-tile-download.

however, it is great that all of you have a close eye on this.

#17

Thanks a lot!

Second day the firewall is keeping silent…

#18

No, my firewall catches connections per application, it wasn’t the browser or something else, and “location streaming” was disabled by default on upgrade, but DC tried to establish a connection to amazon.
I think it is fixed in 0.303, thanks again to Björn!

I have an idea regarding this, to simplify the devs’ life and make the “location” feature more robust:

  • Acquire the current location from GPS and insert in a message only latitude/longitude in parsable brackets, like [geo:[40° 26′ 46″ N 79° 58′ 56″ W]], and highlight it as a link, so if one needs to map it, a click/tap shows a list of installed apps that support maps. Any of them knows how to map such data.

This way it would be up to the user what app to use for mapping coordinates, and it keeps DC out of 3rd party libs and offline maps.

2 Likes
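
The bracketed coordinate tag proposed in post #18, sketched as an added example (not part of the thread and not Delta Chat code): it parses the tag out of a message and emits a standard `geo:` URI (RFC 5870) that installed map apps can open. The tag syntax is taken from the post; the function names and the six-decimal output are assumptions.

```python
import re

# One degrees/minutes/seconds coordinate as written in the post,
# e.g. 40° 26′ 46″ N (prime and double-prime characters as on the page).
_DMS = r"(\d{1,3})°\s*(\d{1,2})′\s*(\d{1,2}(?:\.\d+)?)″\s*([NSEW])"
_TAG = re.compile(r"\[geo:\[\s*" + _DMS + r"\s+" + _DMS + r"\s*\]\]")


def _to_decimal(deg, minutes, seconds, hemi, limit):
    """Convert one DMS coordinate to signed decimal degrees, with range checks."""
    minutes, seconds = int(minutes), float(seconds)
    if minutes >= 60 or seconds >= 60:
        raise ValueError("minutes/seconds out of range")
    value = int(deg) + minutes / 60 + seconds / 3600
    if value > limit:
        raise ValueError("coordinate out of range")
    return -value if hemi in "SW" else value


def geo_uris(message):
    """Return a geo: URI for every well-formed coordinate tag in a message."""
    uris = []
    for match in _TAG.finditer(message):
        d1, m1, s1, h1, d2, m2, s2, h2 = match.groups()
        if h1 not in "NS" or h2 not in "EW":
            continue  # latitude first, longitude second
        try:
            lat = _to_decimal(d1, m1, s1, h1, 90)
            lon = _to_decimal(d2, m2, s2, h2, 180)
        except ValueError:
            continue  # message text is untrusted: drop malformed tags, never guess
        uris.append(f"geo:{lat:.6f},{lon:.6f}")
    return uris


if __name__ == "__main__":
    # Constructed sample message using the coordinates from the post.
    print(geo_uris("I am at [geo:[40° 26′ 46″ N 79° 58′ 56″ W]] right now"))
```

With this approach the chat app never fetches tiles itself; the only party that sees the coordinates besides the recipient is whichever map app the user picks.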
#19

that would do it, it’s the way OsmAnd share locations

#20

OK, but if I understood you correctly you disabled the mapping feature completely.

I think, concerning the current map feature

  • Online tiles are usually requested by positions plus zoom factor.
  • The track record for disabling telemetry beyond explicit map fetching has more than one known bug still open https://github.com/mapbox/mapbox-gl-native/issues/13304
  • And the worst, those maps can’t be used without having to agree to mapbox api data collection policy for third parties.
  • Even if offline map activity logs are not sent when offline, agreement to do this later when online is required.

So the question remains whether tying in this service provider fits for deltachat’s stated “privacy focus”.

Delta Chat is like Telegram or Whatsapp but without the tracking or central control. Check out our GDPR compliancy statement.

2 Likes
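
To make concrete the point in post #20 that online tiles are requested by position plus zoom factor, here is an added example (not from the thread, not Mapbox or Delta Chat code) that computes what a tile server can infer from a single request. It assumes the standard XYZ / Web Mercator tile scheme documented by OpenStreetMap; the function names are hypothetical and the sample point is the coordinate quoted in post #18.

```python
import math

EARTH_RADIUS_KM = 6371.0  # mean radius, good enough for an estimate


def tile_for(lat, lon, zoom):
    """Tile (x, y) that covers a WGS84 point in the XYZ / Web Mercator scheme."""
    n = 2 ** zoom
    x = int((lon + 180.0) / 360.0 * n)
    y = int((1.0 - math.asinh(math.tan(math.radians(lat))) / math.pi) / 2.0 * n)
    # Clamp so lon == 180 or latitudes near the poles stay inside the grid.
    return min(max(x, 0), n - 1), min(max(y, 0), n - 1)


def tile_bounds(x, y, zoom):
    """(south, west, north, east) in degrees: the area one tile request reveals."""
    n = 2 ** zoom

    def lat_of(row):
        return math.degrees(math.atan(math.sinh(math.pi * (1.0 - 2.0 * row / n))))

    return lat_of(y + 1), x / n * 360.0 - 180.0, lat_of(y), (x + 1) / n * 360.0 - 180.0


def tile_size_km(x, y, zoom):
    """Approximate ground width and height of a tile in kilometres."""
    south, west, north, east = tile_bounds(x, y, zoom)
    mid = math.radians((south + north) / 2.0)
    width = math.radians(east - west) * EARTH_RADIUS_KM * math.cos(mid)
    height = math.radians(north - south) * EARTH_RADIUS_KM
    return width, height


def exposure(lat, lon, zooms=(6, 10, 14, 17)):
    """Per zoom level: the z/x/y path a client would request and the area it pins down."""
    rows = []
    for z in zooms:
        x, y = tile_for(lat, lon, z)
        w, h = tile_size_km(x, y, z)
        rows.append({"path": f"{z}/{x}/{y}", "width_km": w, "height_km": h})
    return rows


if __name__ == "__main__":
    # Constructed sample: the coordinates quoted earlier in this thread.
    for row in exposure(40.446111, -79.982222):
        print(f"{row['path']:>16}  ~{row['width_km']:.2f} x {row['height_km']:.2f} km")
```

Each extra zoom level halves the tile edge, so a map zoomed in on a shared position narrows the requester's area of interest to a few hundred metres even when no telemetry is sent.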