New version of Joplin contacting Google servers on startup

On macOS there is a popular application-level firewall called Little Snitch (https://www.obdev.at/products/littlesnitch/index.html)

Linux has a similar but less capable project called OpenSnitch (https://github.com/evilsocket/opensnitch), a GNU/Linux interactive application firewall inspired by Little Snitch.

The genius of these firewalls is that they group traffic by the application generating it, so you can see each request in real time. This makes it very easy to see what traffic is leaving your system and what is generating it. Wireshark is very powerful but looks at packets at a lower level, making it more difficult to see where the traffic is coming from.

I am not sure if there is an equivalent for Windows; however, one user recommends NetLimiter: http://www.netlimiter.com/

From the screenshot it looks similar, perhaps give it a try.


Do you have the automatic update checking on?

Is this a Joplin setting you are referring to? I have been looking for this setting (Tools->Options) and I don't see it, perhaps it is a Windows setting?

Yes, on Linux the option was removed (and was non-functional anyway) because the recommended method is the update script.

My automatic update checking setting is off.
The most embarrassing thing with this kind of outgoing connection is on mobile; it's harder to have any control over a mobile device, from any brand.

I just started Joplin 2.6.1.0 on Linux with a new profile so no plugins and all the settings are default.

Joplin is actually a lot more chatty than I thought. It is contacting the following domains:

I also noticed something about the spell checking, there appears to be two places to enable it:

  1. Tools->Options->General->Enable spell checking in Markdown editor.
    This is off by default

  2. Tools->Spellchecker->Use spell checker.
    This is on by default and set to English

Joplin contacts redirector.gvt1.com regardless of how these two settings are toggled. So perhaps a solution would be to tie the Google server calls to these settings and to have them turned off by default. This gives the user the ability to opt-in.

Also, at least on Linux, the spell checking in 2.6.1.0 doesn't appear to work. If I turn these settings on, they do not do anything.

I suspect the github, ghproxy, jsdelivr and fastgit are all related to the plugins functionality. There was a commit to add GH mirrors for countries that had it blocked thus breaking the plugin search and I assume the plain GH request is the standard one.


cdn.staticaly.com too

Link to the relevant place in the code: joplin/RepositoryApi.ts at 56cac1f7290ce1e888bbd5ba76ada335df4f2406 · laurent22/joplin · GitHub


It was functional. It told you when a new version was available. Nobody forced a user to click on the download button, when they wanted to use the script instead.


You are right, I was incorrectly remembering it: the option was simply disabled on Linux entirely, which is my only experience of it. I don't think I used the application on Linux at a time when the feature was available, and the comment was unrelated to the recent PR discussion.

Thanks, I used your idea to search for the Joplin code that calls the Electron spell check API from the Electron documentation (linked above). I found this:

```typescript
const unsafeOptions: Record<string, any> = {
	// ...
	spellcheck: true,
	// ...
};
```

and this:

```typescript
const windowOptions: any = {
	// ...
	spellcheck: true,
	// ...
},
```

Can one of these be set to spellcheck: false until the user turns the spell checking feature on? Perhaps one of the coders could comment if this would stop Joplin from contacting Google on every startup until the user opts-in?

I can try later tonight. My Linux dev VM might need a nodejs update to use yarn via corepack.

It should, unless Electron does something very weird.

An argument I would make against this (as devil's advocate, if nothing else) would be that the majority of Joplin users are likely to be far more "casual" than an ardent privacy enthusiast, and would be far more likely to want and expect the application to have a basic feature such as spellchecking in a note-taking application turned on as a default option. We see more than enough evidence of people asking questions about basic application functionality without having actually looked through the application settings, the most high-profile case recently being a Linux YouTuber who failed to recognise that Joplin could sync to anything other than paid cloud services.


Excellent

If you do try it on your Linux VM, can you also try to turn on the spell checking and see if it works? This could be a separate issue, but it isn't working on my installation.

This could perhaps be the case, but as tessus mentioned above, he doesn't use the spell checking feature. I have been a Joplin user for several years now and I had never used it either (as it appears not to even work on Linux) until I stumbled upon this issue.

Characterizing users with basic privacy concern as "ardent privacy enthusiasts" may be a bit hyperbolic.

After all, a lot of early users found out about Joplin from that original hacker news discussion. I suspect that many other users learn about Joplin from the highly regarded privacy tools and privacy guides communities or the dozens of articles on the web describing privacy respecting alternative apps.

The 'casual' you mention will typically be using whatever note taking application comes with Windows or may even search for an alternative and typically end up with the highly advertised Evernote or Google Keep.

A Joplin user has to go out of their way to learn about open source, community alternatives like Joplin and privacy is one of the key features that Joplin brings to the community.

Those other note-taking applications have privacy policies that allow those corporations to use their data in ways that disempower the user. Joplin, on the other hand, is a tool of user empowerment in that it gives the user autonomy over their data. Personally I don't want Google to be notified every time I write a note.

As the web and technology becomes more and more centralized, there is a real need for privacy respecting applications in the world. Joplin is a beautiful example of this and I think that is important.


Works for me on Manjaro.

Early users, maybe, but I personally came to this, and I know more than a few others who came to Joplin, primarily as a "free Evernote alternative", for which it often appears in searches. Funny you should mention Keep and Evernote, because they were literally my path to Joplin (Keep originally, then Evernote because I needed more functionality, then Joplin because of the new account restrictions).

Linux users are by far the most likely to be looking specifically for fully privacy-respecting free and open source software as a matter of principle (vs. free as in cost). Check out the download stats; Linux makes up a much smaller proportion of the userbase (incidentally, look at that nice round number on the total).

| Version | Date | Windows | macOS | Linux | Total |
| --- | --- | --- | --- | --- | --- |
| v2.6.10 | 2021-12-19T11:31:16Z | 1,946 | 868 | 186 | 3,000 |

Edit: better stats here, the ones I posted I think are unfair because of the updating prompt differences:

| Name | Value |
| --- | --- |
| Total Windows downloads | 1,987,429 |
| Total macOS downloads | 783,232 |
| Total Linux downloads | 636,942 |
| Windows % | 58% |
| macOS % | 23% |
| Linux % | 19% |

I'm not saying privacy isn't important, but my use of "ardent" here I think is justified, as most really aren't too bothered unless actual data is being sent to those third-party services. It isn't meant as a slur to suggest it isn't a worthwhile goal, but realistically some concessions need to be made in the form of usability for the average person. If people are that concerned about calls like this to get dictionary data, then these are typically the same users who will know how to sandbox an application or prevent it from making any calls through their firewall.
If there is a valid alternative to getting the dictionary data updated from an online service then great, but as @tessus mentioned earlier, who is actually hosting this with the same distribution resources as Google?

To be clear this is mostly devil's advocate as I stated, the change in functionality wouldn't affect me in the slightest as a user who knows where the options are if I want to toggle them, this is thinking about "out of the box" usability for new and less tech-savvy users - Joplin is too big now to only consider the FOSS community.


Based on the changelog, spell checking has existed in Joplin long before this issue arose. How did it work in the previous 50 versions?

Ardent implies a strong passion. I disagree that only the FOSS community or the Linux community care about privacy. I would imagine that the "average user", if properly informed and presented with the choice, would prefer that third-party Google servers are not recording every time they open their note-taking application. The main issue here is that this data leak, as Dino mentioned, is "unsolicited" and without the user's knowledge. In fact there is already a strong user expectation of privacy, as stated in the privacy policy:

Joplin values your privacy by giving you complete control over your information and digital footprint.

Joplin applications do not send any data to any service without your authorisation.

In this case, actual data is being sent to Google servers: every time Joplin is opened, Google gets pinged with that API call. Exactly what is being sent is unclear. I would imagine that Google could get data such as the IP address of the client making the request, a time stamp, perhaps an API key identifying Electron or Joplin, version information or other client configuration data. If the data is sent on port 443 it may be encrypted and difficult to know exactly what is being sent.

Some of this data (such as IP address) may be personally identifiable and that has privacy implications.

While some users may not care if third-party databases such as Google's record every time their note-taking application is opened, I would imagine that many users, regardless of their platform, if properly notified of the issue and given the choice, would prefer to at least be given the choice to share this data, especially considering there is (currently) no way to deactivate it.

Anyway, the intent of this thread is to identify the issue and come up with potential solutions. At a bare minimum the privacy policy would need to be updated to bring Joplin back into compliance with it.

Hopefully there is another solution that could tie the spell checking feature together with the data requests via the spellcheck: false call.

Ideally the user, regardless of their platform or personal feelings towards privacy, would be empowered to make their own informed choice which is in the spirit of Joplin privacy policy.

Interesting, when I enable those settings, and go back to a note and type

ajsdfljaslkfjlkasjflkkajsdfksajfoajsd

nothing happens. I would expect a red line to appear; however, I have never seen this feature. I tested it with my main profile and a new default one.

Is this actually what should happen?

Also, why are there two different places to activate this feature? Do they do different things?

On my dev VM I am using Fedora 35. Spellcheck works.

When I turn off both (in options and uncheck the one in the menu item), there are no connection attempts to redirector.gvt1.com.

As soon as I click on Use spell checker, Joplin tries to connect to redirector.gvt1.com.

Thus trying any changes to the code makes no sense.
