Today I found out that Google Docs infects HTML exports with spyware, no scripts, but links in your document are replaced with invisible Google tracking redirects. I was using their software because a friend wanted me to work with him on a Google doc, he is a pretty big fan of their software, but we were both somehow absolutely shocked that they would go that far.
#collaboraoffice is an excellent free alternative to Google's collaborative office technology, it's based on LibreOffice technology, #collabora is the largest contributor to #libreoffice and does a lot of other good for #freesoftware. You can install it super easy if you have a #nextcloud instance, or if you use a nice cloud host, or for no charge if you want to learn some systems administration and use your own hardware.
@Suiseiseki also mentioned Etherpad, check it out: https://etherpad.org/ #etherpad
And @ariadne suggests #onlyoffice @ONLYOFFICE
@unchartedworlds and @cryptpad recommend CryptPad for collaborative document editing
https://cryptpad.org/
Google Docs exports automatically infected with tracking links:
txt - unaffected
html + AFFECTED
odt - unaffected
pdf - unaffected
epub + AFFECTED
rtf - unaffected
docx - unaffected
sample web html <a> tag:
<a class="c4" href="https://www.google.com/url?q=https://wikimediafoundation.org/&sa=D&source=editors&ust=1696089933805520&usg=AOvVaw2ypOvslXzoEGwdryv4bFyJ">https://wikimediafoundation.org/</a>
sample epub xhtml <a> tag:
<a class="c5" href="https://www.google.com/url?q=https://wikimediafoundation.org/&sa=D&source=editors&ust=1696087392161966&usg=AOvVaw1v4xpIFWD9GYkMFifXd1uo">https://wikimediafoundation.org/</a>
For those unfamiliar with html: the href section, everything between href=" and "> is the real link, and the section between > and </a> is the display text
This html feature is useful so that a link can display as something like "Read more", "Profile", "Wiki" etc, but in this case it is misused.
Google tracks people that are not using any of their products by adding hidden tracking links to exports without designer knowledge or end user consent.
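A cleanup pass for the wrapped links shown in the samples above, added here as an example and not part of the original thread. The function names `unwrap` and `clean_export` are this example's own, the wrapper host and path are taken from the sample tags, and the sample markup is constructed with placeholder `ust`/`usg` values.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Host and path of the redirect wrapper, as seen in the sample <a> tags.
REDIRECT_HOSTS = {"www.google.com", "google.com"}
REDIRECT_PATH = "/url"

# Matches href="..." or href='...' in exported HTML or EPUB XHTML.
HREF_RE = re.compile(r'(href\s*=\s*)(["\'])(.*?)\2', re.IGNORECASE | re.DOTALL)

# Constructed sample: one wrapped link (entity-encoded) and one ordinary link.
SAMPLE = (
    '<a class="c4" href="https://www.google.com/url?q=https://wikimediafoundation.org/'
    '&amp;sa=D&amp;source=editors&amp;ust=0&amp;usg=PLACEHOLDER">'
    'https://wikimediafoundation.org/</a>'
    '<a href="https://etherpad.org/">Etherpad</a>'
)


def unwrap(url):
    """Return the real destination if url is a redirect wrapper, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower()
    if host not in REDIRECT_HOSTS or parts.path != REDIRECT_PATH:
        return None
    target = parse_qs(parts.query).get("q", [None])[0]
    # Accept only absolute http(s) destinations; leave anything else alone.
    if target and urlsplit(target).scheme in ("http", "https"):
        return target
    return None


def clean_export(markup):
    """Rewrite wrapped hrefs to their destinations; return (markup, count)."""
    count = 0

    def fix(match):
        nonlocal count
        target = unwrap(html.unescape(match.group(3)))  # href may use &amp;
        if target is None:
            return match.group(0)
        count += 1
        quote = match.group(2)
        return f"{match.group(1)}{quote}{html.escape(target, quote=True)}{quote}"

    return HREF_RE.sub(fix, markup), count
```

For an EPUB, the same function can be applied to each XHTML file inside the archive before repacking it.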
@r3vilo @Joe_0237 I wish that there could be laws that say, "don't do this". Maybe the EU or the Canadian Privacy Commissioner could have a go at them? /c @pluralistic
...and agreed to never trust Google and similar corporates the tiniest bit ever again.
At least I'd recommend this ending to the story.
@nik I absolutely will not trust them at all, I already didn't, but I guess this helps drive in the point that there is nothing they won't do.
@Joe_0237 @ariadne @ONLYOFFICE I second this. I switched recently from LibreOffice (what Collabora is based on) to OnlyOffice, it's a much more drop in replacement for MS and Google products, whether it's self-hosting an online collaborative version or a local offline editor.
@Joe_0237 interesting. Thanks! I wasn't aware of it. (Both Google's tricks and Collabora)
@Joe_0237 https://federated.computer. Collabora included and a bunch of other nice FOSS tools.
@Joe_0237 @unchartedworlds thanks for sharing! CryptPad allows real time collaboration, is end-to-end encrypted, and fully open source!
@Joe_0237 @unchartedworlds @cryptpad
There is an instance at https://cryptpad.cz/ run by the @nolog collective.
@Joe_0237 You know I was just reading up on kubesail as a self-hosting option and it suddenly looks way more tantalizing
Good morning, dear @Doris
I have to forward quite a few things to you and @Steffen, because it is also nice to see that you are doing so many things really well. It's about one of our topics, #freesoftware, #libreoffice #nextcloud, search engines (#suchmaschinen), ...
And I would also like to recommend @Joe_0237 to you. For Sunday (#Sonntag) brunch (#Brunch), instead of flowers (#Blumen), so to speak.
@Joe_0237
@angiebaby
Damn.... that's shady AF. The internet needs more fleshed out NextCloud instances. Mine has a full document collab server.
#DeGoogle
@DavBot @Joe_0237 @angiebaby I would follow but they make it more than complex to install and combine with nextcloud.
@DavBot @Joe_0237 @angiebaby that means I use self hosted nextcloud and libreoffice stays offline.
@generationX @DavBot @angiebaby a built in CODE (collabora online development edition) is actually available from the nextcloud apps panel, just click to install. If it installs but does not work it's probably just SELinux, you will have to change the SELinux context on the binary to allow it to be run. In app installation and a high security MAC environment are not really compatible ideas. A terminal management program that had to be run unconfined or as root would have been a lot smarter.
@Joe_0237
@generationX @angiebaby
I use caprover a docker Gui/PaaS for nextcloud/OpenOffice server, a handful of clicks, paste a couple fields, generate a hash and it was all installed and connected.
@DavBot @Joe_0237 @angiebaby you will need apache entries, letsencrypt settings, work around imagemagick not available in docker image, know how to handle files in docker, know how to update that, connect nextcloud and onlyoffice, create a network in docker, know what a reverse proxy is and all that. Of course a few clicks only...
@DavBot @Joe_0237 @angiebaby I feel very uncomfortable regarding security when I think about all that.
@generationX @DavBot @Joe_0237 @angiebaby Sandstorm.io seems much simpler than that, I hope.
@DavBot @Joe_0237 @angiebaby I will give caprover a try over the weekend. Thank you for the proposal.
@generationX
@Joe_0237 @angiebaby
It's interesting software, docker based application manager, modify supported software or create your own installs for anything docker installs.
Definitely does not replace knowing what needs to be done to make things work, but it can speed up the deployment process, manage Let's Encrypt etc.
Their app repo has quite a lot of software, mastodon matrix nextcloud WordPress, Minecraft etc.
Even Better when Portainer is installed afterwards.
@Joe_0237 Confirmed. I made a simple doc, exported to HTML, and the link was prepended with "https://www.google.com/url?q="
I hate their redirects not so much for privacy reasons, but because they frequently hang (get stuck in the redirect) for me. And because I have limited bandwidth in the boonies.
@fratermus check the end of the link as well, there is a lot more added
@fratermus here is the <a> tag: <a class="c4" href="https://www.google.com/url?q=https://www.wikimedia.org/&sa=D&source=editors&ust=1696003997212491&usg=AOvVaw2DXjy5IJ_7_vcyg0A9P8vC">https://www.wikimedia.org/</a>
the destination is https://www.wikimedia.org/
the infected href (tracking redirect) is: https://www.google.com/url?q=https://www.wikimedia.org/&sa=D&source=editors&ust=1696003997212491&usg=AOvVaw2DXjy5IJ_7_vcyg0A9P8vC
@Joe_0237 This is wild. How do I reproduce?
@dangoodin assuming you are able to create a google doc:
insert a link
file > download > webpage
you get a zip with an html file, you can find the tracking link by viewing the file as text or by opening the document in a browser and hovering over the link.
@Joe_0237
yeah there is probably no bottom to their increasingly disgusting behavior, it is their business model to track us and use that data to sell ads, and also straight up sell that data. we should expect nothing less than 100% un-trustworthy activity.
@Joe_0237 can you send some examples....?
@Joe_0237 Apologies if this is unwanted, but have you tried OnlyOffice DocSpace? It managed to finally replace Google Docs as my go-to collaboration workflow. I’d bounced off their stuff previously, but the ease and completeness really surprised me: https://www.onlyoffice.com/docspace.aspx
@Joe_0237 just read through your posts and I suppose the question is, has your friend tried it haha
@ariadne He definitely has not. I also have not. Thanks for the tip tho, in the past I've used collabora office
Cryptpad might suit some people too!
(hat tip to @xanna who told me about it :-) )
@daviddd Well google is always tracking if you are using their products, how much and how is a well kept secret. It's all proprietary. The new shocking issue is them adding content to web exports to track people who are using sites that do not belong to them and without anyone's knowledge.
If you don't need the collaborative feature, you should install LibreOffice on your computer. Otherwise maybe look at https://www.onlyoffice.com/docspace.aspx
This only affects exports to html and epub
@Joe_0237 also their PDF export fucking sucks. No accessibility hints (which are also necessary for other software to know how to handle pdf text better), just plain "put this glyph on this position" :<
@Joe_0237@fosstodon.org I'm glad i got my friend group to use my cryptpad instance for things we're working on
it's not great but it does work and i didn't have to explain how to use it (which is not a given; its UI just barely qualifies)
@Joe_0237 are you aware that they're parsing information about you out of your emails? When I requested my Google data archive years ago, it contained a list of all the games I bought on Steam with price and date, because the confirmation emails were sent to a gmail address.
I think the lesson here is that you can never be cynical enough about corporations.
@lil5 Interesting find. Perhaps they only officially track the google user who made the doc, so users unwittingly help google collect stats on the author and their site, or only those that are signed in with google are tracked, and almost every person with a computer is usually signed into an account. But even so, this tactic shows that there is no trust, so why shouldn't they track everyone, it's not like they have to share the code they say only tracks legally.
@Joe_0237 @lil5 without a logged in account, the google domain gets the same data any other site would have. If they're not setting a cookie, and the link is taking you where it is intended, I don't see what they're doing wrong.
I'm up for being educated on this topic, as it affects my field of work. Thanks
@adg @lil5 I have not investigated that very deeply, but I don't think that the fact that any company can track makes it moral.
I don't know if they set a cookie or if not if they use a fingerprinter, but beyond any doubt they have your IP address and user agent which unless you are on a VPN or at a coffee shop or share a network with your apartment building is probably enough to identify you.
But ...
@adg @lil5 ... even if they are not tracking the follower of the link, they are surely at least tracking link traffic on someone else's website or ebook, they know the source page because of the referer http header, they know the destination, and they know the document the link belongs to with the ID numbers in the "ust" and "usg" url parameters.
@adg @Joe_0237 @lil5 In this case it's sending the IP address of e.g. an ebook's reader to a third party. That's not something that person expects or agreed with.
Also, breaking the GDPR doesn't require that we have proof, we only need that to convict somebody, and just like most other criminals big data companies will try to hide their crimes.
(And Google got caught violating laws many times before, so I'm definitely not going to trust them...)