New version of Joplin contacting Google servers on startup

This could perhaps be the case but as tessus mentioned above, he doesn't use the spell checking feature. I have been a Joplin user for several years now and I have never used it either (as it appears not to even work on Linux) until I stumbled upon this issue.

Characterizing users with basic privacy concern as "ardent privacy enthusiasts" may be a bit hyperbolic.

After all, a lot of early users found out about Joplin from that original hacker news discussion. I suspect that many other users learn about Joplin from the highly regarded privacy tools and privacy guides communities or the dozens of articles on the web describing privacy respecting alternative apps.

The 'casual' you mention will typically be using whatever note taking application comes with Windows or may even search for an alternative and typically end up with the highly advertised Evernote or Google Keep.

A Joplin user has to go out of their way to learn about open source, community alternatives like Joplin and privacy is one of the key features that Joplin brings to the community.

Those other note taking applications have privacy policies that allow those corporations to use their data in ways that disempower the user. Joplin on the other hand is a tool of user empowerment in that it gives the user autonomy over their data. Personally I don't want Google to be notified every time I write a note.

As the web and technology become more and more centralized, there is a real need for privacy respecting applications in the world. Joplin is a beautiful example of this and I think that is important.

2 Likes

Works for me on Manjaro.

Early users maybe but I personally came to this and I know more than a few others who come to Joplin primarily as a "free Evernote alternative" for which it often appears in searches. Funny you should mention Keep and Evernote because they were literally my path to Joplin (Keep originally then Evernote because I needed more functionality then Joplin because of the new account restrictions).

Linux users are by far the most likely to be looking specifically for fully privacy respecting free and open source software as a matter of principle (vs free as in cost). Check out the download stats, Linux makes up a much smaller proportion of the userbase (incidentally look at that nice round number on the total).

Version   Date                  Windows  macOS  Linux  Total
v2.6.10   2021-12-19T11:31:16Z  1,946    868    186    3,000

Edit: better stats here, the ones I posted I think are unfair because of the updating prompt differences:

Name                      Value
Total Windows downloads   1,987,429
Total macOS downloads     783,232
Total Linux downloads     636,942
Windows %                 58%
macOS %                   23%
Linux %                   19%

I'm not saying privacy isn't important but my use of "ardent" here I think is justified as most really aren't too bothered unless actual data is being sent to those third party services. It isn't meant as a slur to suggest it isn't a worthwhile goal but realistically some concessions need to be made in the form of usability for the average person. If people are that concerned about calls like this to get dictionary data then these typically are the same users that will know how to sandbox an application or prevent it making any calls through their firewall.
If there is a valid alternative to getting the dictionary data updated from an online service then great but as @tessus mentioned earlier, who is actually hosting this with the same distribution resources as google?

To be clear this is mostly devil's advocate as I stated, the change in functionality wouldn't affect me in the slightest as a user who knows where the options are if I want to toggle them, this is thinking about "out of the box" usability for new and less tech-savvy users - Joplin is too big now to only consider the FOSS community.

3 Likes

Based on the changelog, spell checking has existed in Joplin long before this issue arose. How did it work in the previous 50 versions?

Ardent implies a strong passion. I disagree that only the FOSS community or the Linux community care about privacy. I would imagine that the "average user", if properly informed and presented with the choice, would prefer that third party Google servers are not recording every time they open their note taking application. The main issue here is that this data leak, as Dino mentioned, is "unsolicited" and without the user's knowledge. In fact there is already a strong user expectation of privacy as stated in the privacy policy:

Joplin values your privacy by giving you complete control over your information and digital footprint.

Joplin applications do not send any data to any service without your authorisation.

In this case, actual data is being sent to Google servers: every time Joplin is opened, Google gets pinged with that API call. Exactly what is being sent is unclear. I would imagine that Google could get data such as the IP address of the client making the request, a timestamp, perhaps an API key identifying Electron or Joplin, version information or other client configuration data? If the data is sent on port 443 it may be encrypted and difficult to know exactly what is being sent.

Some of this data (such as IP address) may be personally identifiable and that has privacy implications.

While some users may not care if third party databases such as Google record every time their note taking application is opened, I would imagine that many users, regardless of their platform, if properly notified of the issue and given the choice would prefer to at least be given the choice to share this data, especially considering there is (currently) no way to deactivate it.

Anyway, the intent of this thread is to identify the issue and come up with potential solutions. At a bare minimum the privacy policy would need to be updated to bring Joplin back in compliance with the privacy policy.

Hopefully there is another solution that could tie the spell checking feature together with the data requests via the spellcheck: false call.

Ideally the user, regardless of their platform or personal feelings towards privacy, would be empowered to make their own informed choice, which is in the spirit of Joplin's privacy policy.

Interesting, when I enable those settings, and go back to a note and type

ajsdfljaslkfjlkasjflkkajsdfksajfoajsd

nothing happens. I would expect a red line to appear; however, I have never seen this feature. I tested it with my main profile and a new default one.

Is this actually what should happen?

Also, why are there two different places to activate this feature? Do they do different things?

On my dev VM I am using Fedora 35. Spellcheck works.

When I turn off both (in options and uncheck the one in the menu item), there are no connection attempts to redirector.gvt1.com.

As soon as I click on Use spell checker, Joplin tries to connect to redirector.gvt1.com.

Thus trying any changes to the code makes no sense.

1 Like

Honestly don't know, it would be worth empirically proving with older versions to see when it changed.

I never said only, but the Linux and FOSS community is far more focused on it; your average user doesn't run tools looking for unsolicited network requests from applications.

I agree that the situation isn't ideal but it isn't like the request is totally unsolicited, it is performing a valid function in the application. If there was a valid provider that isn't as objectively evil as Google who can provide the service then I personally would be happy to use it.

Maybe the wording could be changed (although not sure to what) but I feel it is pretty clear it is talking about application data and not environmental.

This was agreed to back at the start of the thread.

If you launch Joplin using the --profile flag, what are the defaults? Is the Use spell checker checked and the Tools->Options-General->Use... unchecked?

When I do that this is what I see and I immediately get a redirector.gvt1.com request as soon as I open Joplin.

If I use the --profile switch, does this assume a new profile with all the default settings or are there setting stored somewhere else?

Spellchecker is on by default as far as I know. Which means, when you create a new profile, of course it will connect to the Google servers.

Switch them off. Close Joplin. Not the window. The application. Ctrl+Q. Start it again.
Et voilà, no connection attempt.

1 Like

Also I've found the part in Electron where this is defined in case anybody is interested.

Well personally I feel that changing the wording to accommodate this leak would be regressive. The part of the policy that states:

giving you complete control over your information and digital footprint.

To me this is worded really well and I would hate to see it diminished. This is exactly what environmental means to me. All of those background data requests create a digital footprint. It isn't just the application data, which is more user facing, but the 'behind the scenes' "infrastructure data" leaking outside of the user's awareness that contributes to that footprint. Once the data is outside of the user's control, what a third party such as Google does with that data is unknowable.

This is likely correct and perhaps the reason is not that they are uninterested in privacy but rather they lack the knowledge to run those tools or the understanding to realize the implications. That is why this discussion is important for those of us that do, so we can ensure that apps like Joplin continue to act as a way to empower users regardless of their technical background.

In this specific case, the OpenSnitch firewall is a copy of the Little Snitch firewall, which is a macOS-only application. So the tools that can detect this leak originated from users on the macOS platform, not Linux.

Here is exactly what I did:

  1. Launch Joplin with this command:
    $.joplin/Joplin.AppImage --profile ~/temp

  2. Observe that a new profile is created and 'Spell check is on' and 'Enable spell checking in Markdown editor' is off
    Result: 6 requests to redirector.gvt1.com

  3. Switch off spell checker (Tools->Spell checker->Use spell checker) as per your screenshot.

  4. Ctrl+Q to exit Joplin

  5. Open Joplin again
    Result: Immediately 6 requests to redirector.gvt1.com

  6. Verify that 'Use spell checker' is unchecked.

So I am seeing different behavior than you. I get pings to redirector.gvt1.com every time, regardless of the setting.

I am on Joplin v2.6.1.0 updated with the update script yesterday.
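To make the before/after comparison in the steps above repeatable, here is an added example (not Joplin's or Electron's code) that attributes a process's outbound connections to hostnames using the DNS answers seen earlier in the same capture, so a connection to a bare IP that a packet capture never resolved to a name still counts against redirector.gvt1.com. The record format and both captures are constructed for this example; the counts of 6 and 0 mirror the results reported in the thread rather than a real capture.

```python
# Added example for this thread (not Joplin's or Electron's code). Record
# format is constructed: "DNS <name> A <ip>" or "CONNECT <process> <ip>:<port>".
from collections import Counter
import re

# Constructed capture: Joplin start with "Use spell checker" enabled.
SESSION_SPELLCHECK_ON = """\
10:01:02 DNS redirector.gvt1.com A 203.0.113.10
10:01:02 DNS redirector.gvt1.com A 203.0.113.11
10:01:02 DNS api.github.com A 203.0.113.50
10:01:03 CONNECT joplin 203.0.113.50:443
10:01:03 CONNECT joplin 203.0.113.10:443
10:01:03 CONNECT joplin 203.0.113.11:443
10:01:04 CONNECT joplin 203.0.113.10:443
10:01:04 CONNECT joplin 203.0.113.10:443
10:01:05 CONNECT joplin 203.0.113.11:443
10:01:05 CONNECT joplin 203.0.113.10:443
10:01:06 CONNECT firefox 198.51.100.7:443
"""

# Constructed capture: same machine after unchecking the option and Ctrl+Q.
SESSION_SPELLCHECK_OFF = """\
10:05:02 DNS api.github.com A 203.0.113.50
10:05:03 CONNECT joplin 203.0.113.50:443
10:05:04 CONNECT joplin 203.0.113.50:443
"""

DNS_RE = re.compile(r"^\S+ DNS (\S+) A (\S+)$")
CONN_RE = re.compile(r"^\S+ CONNECT (\S+) (\S+):(\d+)$")


def connections_by_host(log, process="joplin"):
    """Count `process` connections per hostname; IPs with no DNS answer
    in the capture are reported as raw IPs rather than being dropped."""
    ip_to_name = {}
    counts = Counter()
    for line in log.splitlines():
        dns = DNS_RE.match(line)
        if dns:                      # remember which name resolved to this IP
            ip_to_name[dns.group(2)] = dns.group(1)
            continue
        conn = CONN_RE.match(line)
        if conn and conn.group(1) == process:
            counts[ip_to_name.get(conn.group(2), conn.group(2))] += 1
    return counts


def spellcheck_delta(before, after, host="redirector.gvt1.com"):
    """(connections to `host` with the checker on, with it off)."""
    return connections_by_host(before)[host], connections_by_host(after)[host]
```

Feed it one capture taken before the toggle and one taken after the Ctrl+Q restart; a non-zero second value is the "request regardless of the setting" behaviour reported above and would be the evidence to attach to a bug report.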

I don't mean change it to be more permissive, I mean change it to be more explicit about the data that is sent.

The policy isn't diminished by this "leak", as @tessus has said, the request is not made if the feature is disabled - in line with the other items in the privacy policy. If it is making a request outside of this then it is a bug and needs to be properly identified as such (with evidence) and fixed.

Just to be clear, I'm not arguing against the fact that sending this information is undesirable but it does serve a function.

To me the approach is fairly clear:

  • We should not cause a regression in the new user experience by removing spell checking as a default feature
  • We should not overcomplicate the application's settings by providing something like an option defaulted to null to manually specify a dictionary provider - this again would be a regression in new user experience.
  • We should update the privacy policy (if only in the short term) to account for this request as agreed here
  • We should create a GH issue to see if the request can be disabled as agreed here (or by extension if a replacement for the feature can be made by perhaps using a different provider, library or valid workaround that does not diminish the new user experience)

However such decisions are not mine to make so I'll happily make way for people with more experience with the project and voices of reason. This is just my personal take on it.

The fact is that many simply don't care. Facebook, Google and TikTok are perfect examples of services being provided and used even if people know that their data will be misused.
Privacy and elimination of reliance on these is an admirable goal and one I personally need to work on, but the fact is that for many it is an acceptable cost for the service - many people are still more than happy to accept that "free" comes at a cost, not a monetary one but a cost regardless.

1 Like

I seriously don't know what else I can do. If I turn off the spellchecker, I don't see any requests even on Linux.

Yes this is curious and more along the lines of what I would expect.

I can't reproduce your results. We are on different distros, you tested on 'Fedora 35'. I am on Ubuntu 20.04 LTS (focal fossa).

Since Joplin is an AppImage, shouldn't all of the libraries and dependencies be rolled up in the bundle so that OS doesn't matter, I thought that was the purpose of AppImages?

How about when you turn on the spell checker and type

ajndkfsajsdlfkjasdlfnlasnf

do you get a red line under the word in Joplin because I don't get that either. Perhaps the two issues are related.

I'll be checking on my own Linux machine, which is closer in line with yours (Linux Mint 20.2), when I have a chance, I just don't physically have access to it at the moment.

Thanks I would be interested to see if you can reproduce the results.

It would be interesting to hear from a Windows user as well.

I'm on a Windows laptop but I can't see those requests being made - I can see requests to api.github on Wireshark and requests to my Nextcloud but nothing else - hence my request for a more foolproof Windows method in case I'm missing something or if there is an IP not being resolved to a name.

I don't have any data to back this up but my instinct is that the Venn diagram overlap of users with both the TikTok and Joplin apps installed on their device is probably pretty small. Those uncaring users are more likely to be putting their credit card information into Google Keep.

Joplin seems to me to be an app that appeals to users who care about their data.

Try that app recommended above in the superuser article I linked. I think it is free and works as an application firewall: http://www.netlimiter.com/

You should be able to see all the requests right away under Joplin in the app.