[kmail2] [Bug 359964] New: "Kmailleaks", or what to improve to make Kmail more privacy friendly.

eemantsal via KDE Bugzilla bugzilla_noreply at kde.org
Tue Mar 1 18:39:25 GMT 2016


https://bugs.kde.org/show_bug.cgi?id=359964

            Bug ID: 359964
           Summary: "Kmailleaks", or what to improve to make Kmail more
                    privacy friendly.
           Product: kmail2
           Version: 5.1
          Platform: Gentoo Packages
                OS: Linux
            Status: UNCONFIRMED
          Severity: wishlist
          Priority: NOR
         Component: general
          Assignee: kdepim-bugs at kde.org
          Reporter: infmtk at openaliasbox.org

As I commented here: https://forum.kde.org/viewtopic.php?f=215&t=130580 Kmail
reveals a lot of personal information that I don't believe is really necessary
to take out of the user computer and launch it to the Internet for ever. This
is what Kmail seems to send -from a mail in my sent mail folder in Kmail 2, the
addresses and IDs have been modified for privacy reasons-:

From: My Name <myemailuser at mymailprovider.com>
To: addressee at othermailprovider.com
Subject: Whatever
Date: Tue, 41 Jul 7093  45:07:87 +0900
Message-ID: <206255.h4EBR3PX5 at mylinuxuser-nameofmyPC>
X-KMail-Identity: 1308832047
X-KMail-Dictionary: es_ES
User-Agent: KMail/ (Linux/4.4.0-gentoo; KDE/5.19.0; x86_64; ; )
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="UTF-8"

I know that some headers are necessary for a correct functioning of mail
protocols, deliveries, and such. But let me ask if the following information is
really necessary:
- Message-ID: <206255.h4EBR3PX5 at mylinuxuser-nameofmyPC>
This ID is unique for each message, and as you see, includes my user name and
the name of my machine. I've seen that sending from the webmail page, this same
server adds a Message-ID field too, but it just reads
«6dce92d4g2f5378b431e6gc3db at mymailprovider.com», surely the ID is unique too,
but at least there's no info about my mail account's name, and the machine ID
is just my provider's domain. Don't know how difficult it may be to decipher the
alphanumeric ID, but it seems rather more discreet than "blabbermouth" Kmail. If
this ID is really indispensable, couldn't Kmail just use the mail server's
domain, just like the webmail apps do, or even an undefined one like
«@localhost», or whatever that keeps users' data safe?

- X-KMail-Identity: 1308832047
When I just began to pay attention to what Kmail was doing with my personal
data I wasn't sure if those numbers were unique or perhaps were just a code for
Kmail or something like that, something more generic. No, it isn't, it is another
unique identifier for each message; as opposed to Message-ID it doesn't leak
the user's nor machine's name though, but being an exclusive Kmail identifier I
wonder if it's necessary at all. None of my mail providers' web apps have such
a thing, the only ID they have is Message-ID.

- X-KMail-Dictionary: es_ES
I simply cannot believe that mail providers need to know what's my mother
language, and its regional variation. This ID doesn't have anything to do with
character set, it just tells what dictionary I have set for orthographic check,
right? Again no privacy respectful webmail app leaks it.

- User-Agent: KMail/ (Linux/4.4.0-gentoo; KDE/5.19.0; x86_64; ; )
This is the cherry on top of the cake... Operating system, distribution,
desktop environment, version of DE, and CPU's architecture. Why not send
also the last time I had sex? xD
Ok, jokes apart, I think that's a festival of the "cybergossip". GMX doesn't
send a user agent, neither does Gmail -their web apps, not a mail client-, so it
seems clear that such info isn't necessary at all.


So, we have 4 different sources of personal data that are leaked by Kmail and
that help advertisers and governments a lot to make a very detailed
fingerprint of the users. I don't know almost anything about mail protocols, but
3 of them seem not to be necessary at all for a correct functioning. Am I wrong,
or could Kmail's privacy guarantees improve a lot? Please, look what GMX web
app sends:

MIME-Version: 1.0
Message-ID: 
From: 
To: 
Subject:
Content-Type: text/html; charset=UTF-8
Date:
Importance: normal
Sensitivity: Normal
X-Priority: 3
X-Provags-ID:

One, only one, Message-ID, out of the 4 identifiers Kmail sends -X-Provags-ID
belongs to the spam filters, I think-. Seems that Kmail could function
perfectly being at least as discreet, no?
I'm not sure about the Content-Type: text/plain; charset="UTF-8" thing, even if
this is leaking the descriptor of my character set, maybe it is necessary to
avoid weird characters in the messages, am I right?

Reproducible: Always

Steps to Reproduce:
1. Compose a message
2. Send it
3.

Actual Results:  
A lot of unnecessary fingerprinting data are leaked.

Expected Results:  
Only reveal data indispensable for email communication to work without issues,
and not let other data go out of our computers.

-- 
You are receiving this mail because:
You are the assignee for the bug.
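
An added example, not part of the original report and not KMail code: a Python audit of an outgoing message for the four headers the report lists, with a scrub step that drops the client-specific ones and rebuilds the Message-ID under the mail provider's domain. The sample message is constructed from the headers quoted in the report; the function names and the "no dot after @" host-name heuristic are assumptions of this example.

```python
import re
import uuid
from email import message_from_string

# Headers the report flags as not needed for delivery.
DROP = ("User-Agent", "X-KMail-Identity", "X-KMail-Dictionary")

# Constructed sample: the report's headers with "@" restored and a valid Date.
SAMPLE = """\
From: My Name <myemailuser@mymailprovider.com>
To: addressee@othermailprovider.com
Subject: Whatever
Date: Tue, 01 Mar 2016 18:39:25 +0000
Message-ID: <206255.h4EBR3PX5@mylinuxuser-nameofmyPC>
X-KMail-Identity: 1308832047
X-KMail-Dictionary: es_ES
User-Agent: KMail/ (Linux/4.4.0-gentoo; KDE/5.19.0; x86_64; ; )
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"

body
"""

def load_sample():
    return message_from_string(SAMPLE)

def audit(msg):
    """Return (header, reason) findings for one parsed message."""
    found = [(h, "client-specific, not needed for delivery")
             for h in DROP if h in msg]
    m = re.search(r"@([^>\s]+)>", msg.get("Message-ID", ""))
    # Assumed heuristic: no dot after "@" means a bare local host name.
    if m and "." not in m.group(1):
        found.append(("Message-ID", "local host name: " + m.group(1)))
    return found

def scrub(msg, domain):
    """Drop flagged headers; rebuild a leaking Message-ID under `domain`."""
    leaky_id = any(h == "Message-ID" for h, _ in audit(msg))
    for h in DROP:
        del msg[h]  # no error if the header is absent
    if leaky_id:
        del msg["Message-ID"]
        msg["Message-ID"] = "<%s@%s>" % (uuid.uuid4().hex, domain)
    return msg

if __name__ == "__main__":
    for header, reason in audit(load_sample()):
        print(header, "->", reason)
```
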

