Honestly don't know, it would be worth empirically proving with older versions to see when it changed
I never said only but the linux and foss community is far more focused on it, your average user doesn't run tools looking for unsolicited network requests from applications
I agree that the situation isn't ideal but it isn't like the request is totally unsolicited, it is performing a valid function in the application. If there was a valid provider that isn't as objectively evil as google who can provide the service then I personally would be happy to use it.
Maybe the wording could be changed (although not sure to what) but I feel it is pretty clear it is talking about application data and not environmental
This was agreed to back at the start of the thread
If you launch Joplin using the --profile flag, what are the defaults? Is the Use spell checker checked and the Tools->Options-General->Use... unchecked?
When I do that this is what I see and I immediately get a redirector.gvt1.com request as soon as I open Joplin.
If I use the --profile switch, does this assume a new profile with all the default settings or are there setting stored somewhere else?
Well personally I feel that changing the working to accommodate this leak would be regressive. The part of the policy that states:
giving you complete control over your information and digital footprint.
To me this is worded really well and I would hate to see it diminished. This is exactly what environmental means to me. All of those background data requests create a digital footprint. It isn't just the application data which is more user facing but the 'behind the scenes' "infrastructure data" that is leaking outside of the users awareness that contribute to that footprint. Once the data is outside of the users control, what a third party such as Google does with that data is unknowable.
This is likely correct and perhaps the reason is not that they are uninterested in privacy but rather they lack the knowledge to run those tools or the understanding to realize the implications. That is why this discussions is important for those of us that do so we can ensure the apps like Joplin continue to act a a way to empower users regardless of their technical background.
In this specific case, the open snitch firewall is a copy of the little snitch firewall which a macOS only application. So the tools that can detect this leak originated from users on the macOS platform not Linux.
Launch Joplin with this command: $.joplin/Joplin.AppImage --profile ~/temp
Observe that a new profile is created and 'Spell check is on' and 'Enable spell checking in Markdown editor' is off
Result: 6 requests to redirector.gvt1.com
Switch off spell checker (Tools->Spell checker->Use spell checker) as per your screenshot.
Ctrl+Q to exit Joplin
Open Joplin again
Result: Immediately 6 requests to redirector.gvt1.com
Verify that that 'Use spell checker' is unchecked.
So I am seeing different behavior than you. I get pings to redirector.gvt1.com every time, regardless of the setting.
I am on Joplin v2.6.1.0 updated with the update script yesterday.
I don't mean change it to be more permissive, I mean change it to be more explicit about the data that is sent.
The policy isn't diminished by this "leak", as @tessus has said, the request is not made if the feature is disabled - in line with the other items in the privacy policy. If it is making a request outside of this then it is a bug and needs to be properly identified as such (with evidence) and fixed.
Just to be clear, I'm not arguing against the fact that sending this information is undesirable but it does serve a function.
To me the approach is fairly clear:
We should not cause a regression in the new user experience by removing spell checking as a default feature
We should not overcomplicate the applications settings by providing something like option defaulted to null to manually specify a dictionary provider - this again would be a regression in new user experience.
We should update the privacy policy (if only in the short term) to account for this request as agreed here
We should create a GH issue to see if the request can be disabled as agreed here(or by extension if a replacement for the feature can be made by perhaps using a different provider, library or valid workaround that does not diminish the new user experience)
However such decisions are not mine to make so I'll hapilly make way for people with more experience with the project and voices of reason. This is just my personal take on it.
The fact is that many simply don't care. Facebook, google and tik tok are perfect examples of services being provided and used even if people know that their data will be misused.
Privacy and elmination of reliance of these is an admirable goal and one I personally need to work on but the fact is that for many it is an acceptable cost for the service - many people are still more than happy to accept that "free" comes at a cost, not a monetary one but a cost regardless.
Yes this is curious and more along the lines of what I would expect.
I can't reproduce your results. We are on different distros, you tested on 'Fedora 35'. I am on Ubuntu 20.04 LTS (focal fossa)
Since Joplin is an AppImage, shouldn't all of the libraries and dependencies be rolled up in the bundle so that OS doesn't matter, I thought that was the purpose of AppImages?
How about when you turn on the spell checker and type
ajndkfsajsdlfkjasdlfnlasnf
do you get a red line under the word in Joplin because I don't get that either. Perhaps the two issues are related.
I'll be checking on my own linux machine which is closer in line with yours (Linux mint 20.2) when I have a chance, I just don't physically have access to it at the moment.
I'm on a windows laptop but I can't see those requests being made - I can see requests to api.github on wireshark and requests to my nextcloud but nothing else - hence my request for a more foolproof Windows method in case I'm missing something or if there is an IP not being resolved to a name.
I don't have any data to back this up but my instinct is that the venn diagram overlap of users with both the tik tok and Joplin apps installed on their device is probably pretty small. Those uncaring users are more likely to be putting their credit card information into Google Keep.
Joplin seems to me to be to be an app that appeals to users who care about their data.
Try that app recommended above in the superuser article I linked. I think it is free and works as an application firewall, I think it is free: http://www.netlimiter.com/
You should be able to see all the requests right away under Joplin in the app.
I tried it and got pretty much the same results as wireshark - just this time it let me filter by application. No requests to that name but I'll try a bit more scientifically tomorrow at some point unless somebody gets there first.
I think you might be underestimating just how much of an enticement "free" is - Joplin is heavily featured as an Evernote and Onenote alternative - I know two people in real life who use Joplin along with heavy usage of facebook, instragram etc. (and no I didn't recommend it to them) and they got it because it was a free alternative - no real interest in privacy or foss, just convenience.
I'd love to believe that people cared more but pessimism is in my genes, you are either always right or pleasantly surprised.
Yes thanks for confirming. That explains why the spell checker doesn't work and likely explains the issue.
I upgraded to this new version of Joplin, and I never allowed it to contact http://redirector.gvt1.com and download the dictionary.
The problem is that because the spell checking it turned on by default, even when the user turns the spell checker off after first use, Joplin doesn't obey this setting when no spell checking dictionary exists. In this case, Joplin always tries to contact Google on startup and download a dictionary every time regardless of the setting.
Unfortunately, the end result is that with more recent versions, it isn't possible to use Joplin on this platform without pinging Google.
So perhaps a line of logic can be added to the code to take care of this edge case:
On startup, if the "Use spell checker" is unchecked, then set spellcheck: false in the Electron api call.
This way, the users who want spellchecking to be on by default can still have that, and those users who are more privacy aware are given the opportunity to deactivate the feature without contacting Google.
After reading this thread, I would like to thank the developers of Joplin (as in, the devs that actually write the code that the rest of us enjoy) for their patience. Thanks so much, Joplin is a wonderful product!
