Yale Privacy Lab is a user on mastodon.social.

@privacylab Aren’t you afraid of binary blobs and dependency on Google Play Services in Wire? Wire is not on F-Droid for a reason.

@kmicu we specifically recommend installing the APK from the Wire website for this reason. It has no dependency on GCM, unlike Signal (which is also why we recommend Noise as a Signal alternative).

@kmicu we will verify with the development team; there was a patch to remove the non-free dependencies a while ago, but it would be good to make sure it's in that website build. We install the APK on systems that don't have GCM or MicroG installed regularly, but it may be that some things are broken that aren't obvious. Stay tuned.

@kmicu that all said, we work with many people who don't have free platforms (almost all of them). We recommend Copperhead OS where we can (though it supports only Nexus and Pixel phones) and LineageOS, but have a hard time convincing anyone to use Replicant on the models it currently supports, especially if it requires a USB dongle for wifi.

@kmicu so, it's a tough problem. We try to encourage methods with least friction and fewest compromises, which Wire definitely is. We also want to respect privacy during the process of connecting users (we have strong reservations about sharing phone #'s between contacts, let alone signing up with one, which we also don't recommend in Wire).

@kmicu Wire is encouraging for a number of reasons but, most importantly, they've been open and honest with the FOSS community and true to their word (such as their recent release of backend server code and the security audit info)

@privacylab I understand the tradeoffs of maximizing privacy and making it accessible for *everyone* ― it is a daunting task. 😾

An APK with bundled binary blobs from Uncle Google is no option for *me* github.com/wireapp/wire-androi

I hope that Briar or Wire solve the remaining issues and show up on F-Droid soon. It is a useful litmus test to know if an app can be built independently from the source w/o any binary blobs, especially from big corpo earning on surveillance.

Yale Privacy Lab @privacylab

@kmicu just verified with Siim Teller, the head of marketing and community at Wire (who we'll also be chatting with for our 9/16 Software Freedom Day event). No GCM in the website APK, nothing stopping an F-Droid repo but time, resources, labor. mastodon.social/media/nn7PUHjr


@kmicu it appears there are a number of bug reports/issues on github that need to be updated with this info, and the visibility of the bug bounty raised or a new bounty

@privacylab @kmicu But in the AndroidManifest.xml we can find
<uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/> mastodon.social/media/M-0yyD_E

@kmicu @privacylab
I have two questions for Wire:
1 - Why is location access required?
2 - Why is tracking data sent to Virginia (USA) by using Localytics?

@U039b @kmicu the first question we've asked before, see attached for the Wire response. Why Localytics, we'll find out. Few things to get to the bottom of.

mastodon.social/media/2CVChXAC

@privacylab @kmicu @U039b By the way, we have a privacy whitepaper that handles a lot of these details, it's linked from wire.com/privacy and very open to feedback on how to improve it.

@U039b @privacylab @kmicu Location - I believe YPL already forwarded my reply. Localytics - we use them for anonymized app usage tracking to better understand what works, what doesn't, feature popularity etc.

@teller
Do you know that usage tracking is sent to Virginia (USA)?
@kmicu @privacylab

@U039b @privacylab @kmicu Yes. You can opt out of it (a good % of our users do that).

@teller
Ok. Is it the "send anonymous statistics" checkbox?
@kmicu @privacylab

@teller
Ok. I think that it could be a good idea to specify the destination of those statistics in the "privacy" page 😉
@kmicu @privacylab

@teller
And what about the "libspotify" embedded in the Wire app?
@kmicu @privacylab

@U039b @privacylab @kmicu Saw YPL's feedback on it and team will check out license issue next week. As to why it's in the app - convenience feature when sharing music (we have similar feature for SoundCloud, Youtube, Vimeo).

@U039b @kmicu @teller yes, thanks everyone :) shout out to @teller for fielding all these questions *and* participating in our upcoming event on Saturday.

@U039b @kmicu that's definitely true, just used aapt to verify that the APK from the wire.com site has that line in the manifest :(

@privacylab @kmicu
<uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>

is still in the AndroidManifest.xml of the APK from the Wire website. Here is the sha256sum of the APK.

47b6d7a0215117597ea70e31ea50e9e98bd6b5cf194cc6c59428ae16e6a08671

@U039b @kmicu right, just verified this ourselves using aapt. replying to multiple threads but may have gotten lost.
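As an added example (not code from this thread, from Wire, or from Yale Privacy Lab), a small Python script that audits the output of `aapt dump permissions <apk>` for the GCM/C2DM permission discussed above and the location permissions asked about earlier, plus a helper that compares an APK's SHA-256 with a published sha256sum. The aapt output embedded below is a constructed sample with a made-up package name, not the real Wire manifest.

```python
import hashlib
import re

# Constructed sample of `aapt dump permissions <apk>` output, in the line format
# aapt uses (a package line, then one uses-permission line per declared
# permission). Package name and permission set are made up for this example.
SAMPLE_AAPT_OUTPUT = """package: com.example.messenger
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='com.google.android.c2dm.permission.RECEIVE'
uses-permission: name='com.example.messenger.permission.C2D_MESSAGE'
"""

# The permission a GCM/C2DM push receiver needs (the line found in the Wire APK).
GOOGLE_PUSH_PERMISSIONS = {"com.google.android.c2dm.permission.RECEIVE"}
# Location permissions, raised in the thread as a privacy question.
LOCATION_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

_PERM_RE = re.compile(r"^uses-permission: name='([^']+)'", re.MULTILINE)


def parse_permissions(aapt_output: str) -> list[str]:
    """Return the permission names declared in an `aapt dump permissions` dump."""
    return _PERM_RE.findall(aapt_output)


def audit_permissions(perms: list[str]) -> dict[str, list[str]]:
    """Group the declared permissions into the findings a reviewer cares about:
    the GCM receive permission, the app-specific <package>.permission.C2D_MESSAGE
    that the GCM client library also declares, and location access."""
    return {
        "google_push": [p for p in perms if p in GOOGLE_PUSH_PERMISSIONS],
        "c2d_message": [p for p in perms if p.endswith(".permission.C2D_MESSAGE")],
        "location": [p for p in perms if p in LOCATION_PERMISSIONS],
    }


def sha256_matches(apk_bytes: bytes, expected_hex: str) -> bool:
    """Compare the APK's SHA-256 with a published digest (case-insensitive)."""
    return hashlib.sha256(apk_bytes).hexdigest() == expected_hex.strip().lower()


if __name__ == "__main__":
    findings = audit_permissions(parse_permissions(SAMPLE_AAPT_OUTPUT))
    for category, names in findings.items():
        print(f"{category}: {names or 'none'}")
```

On a real APK, feed the script the text of `aapt dump permissions app.apk` and the bytes of the file whose sha256sum was published.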

@kmicu @U039b libspotify is also in the manifest for that APK, which is definitely not necessary for the app to function (though obviously would kill the spotify features, which isn't a problem). More importantly, it would seem the license terms here wouldn't allow it to be distributed under GPLv2 or 3: developer.spotify.com/technolo

glad to be looking at this now. if still interested, please help me collect info in this pad: pad.riseup.net/p/wire-app-issu

@privacylab I prefer to trust the source code. Where is a source code for the standalone APK? Code in Wire’s Github repo *bundles* Google’s binary blobs. Am I missing something? Please, do not confuse *using GCM* with *bundling GCM*. Wire can work on a phone without a GCM/GooglePS, but it can still bundle Google binary blobs. For example that’s the case with Signal:

github.com/wireapp/wire-androi vs
github.com/WhisperSystems/Sign vs
github.com/copperhead/Noise/bl vs
github.com/LibreSignal/LibreSi

@kmicu we'll get to the bottom of this, but know the difference (paid very close attention to the loong Signal / LibreSignal / Noise debates). It is a surprise to us that the APK uses GCM, but it's worth doing some testing to see if those services are running etc. Like you said, the source is most important here.

@kmicu checked with Wire, all versions for Android check for GCM, fall back on websockets if not installed. will verify this and look at the issues. want to help? go here: pad.riseup.net/p/wire-app-issu