From the 22nd to 26th of March, members of the KDE Privacy team met up in Leipzig, Germany, for our Spring 2019 sprint.
During the sprint, we floated a lot of different ideas that sparked plenty of discussions. The notion of privacy encompasses a wide range of topics, technologies and methods, so it is often difficult to decide what to focus on. However, all the aspects we worked on are important. We ended up tackling a variety of issues, and we are confident that our contributions will improve data protection for all users of KDE software.
Both Sandro Knauß and Volker Krause regularly work on KDE's Kontact suite (email, calendar, contacts, etc.), but this time they took on network-related issues. One of the problems is that there are still too many
To make it easier for all KDE developers, Sandro and Volker wrote an ECM-injected global unit test. The test gets added to every application and prints out warnings about
Things are further complicated by
When the script ran, many of the links it found were updates of user-facing links that a normal, capable browser would "fix" on the fly. However, it also found privacy leaks, as some links were routed through URL shorteners and pastebin services, as well as to default download locations.
Another thing we identified is that, unfortunately, the KDE mirror network is still using
Meanwhile, Ivan Čukić and David Edmundson worked on improving Plasma Vault, KDE's solution for encrypting folders. The aim was to fix the issues that arise when other KDE software components interact with vaults. They made several major improvements:
David and Ivan also spent some time on KWallet, KDE's password manager. In a breakout session, David investigated how to handle KWallet sandboxing, and Ivan explored the possibility of doing elliptic-curve encrypted inter-process communication, which could be useful for handling passwords with KWallet.
Florian Müller looked into using the Tor Browser as the default browser in Plasma. He found that it is mostly blocked, as Tor Browser is started with
The integration of Tor goes way beyond just using the browser, though. In fact, the team wants all applications to be able to use Tor. To see if this was possible, we picked some applications and worked on configuring their proxy settings. During the testing, we used a
On Monday morning, Jos van den Oever presented a proof-of-concept privacy proxy. The proxy is run by the user, and it intercepts all web traffic, storing it in a local archive. This proxy makes it possible to revisit parts of the Web even without an Internet connection. Additionally, the proxy can block unwanted content by defining filters.
The presentation was followed by a discussion on how to use such a proxy in KDE software in a user-friendly manner. Jos himself has been using his own proxy privately for a few years, but the code needs to be cleaned up and updated to the current version of Rust libraries before it can be released.
Then again, working for the future is what the Privacy team does most of the time. Gradually, most or all of these features (and quite a few more) will make their way into Plasma Desktop and Plasma Mobile, making your desktop and mobile devices a safe environment against data leaks and snooping without sacrificing functionality.