How could anyone find out which sites you are following using an RSS feed? And I mean in a broad way: can the site track you? Can the ISP? Network managers?

Let’s say you want to follow a bunch of political sites that you don’t want to be easily attached to, is RSS a good way to do it? Are there extra precautions to take?

My first thought would be that it’s the same as using any other browser, so not a great way to be private. Am I wrong?

  • drkt@lemmy.dbzer0.com
    10 days ago

    An RSS feed is literally the same as going to the website. A request is being made to the domain and anyone who can see the data between you and the website can see it. If you think you’re secure going to the website normally, then an RSS feed would be secure, too.

        • Mensh123@lemmy.world
          7 days ago

          What I meant were CDNs such as Google’s providing common resources like fonts or JS libraries.

          • FriendBesto@lemmy.ml
            4 days ago

            Also, by using RSS you skip all visual garbage and more tracking that you might be exposed to.

            PS: I dislike Google Fonts. It is the most insidious way that Google can track people as they are used everywhere and in almost all sites and even by some FOSS applications.

              • FriendBesto@lemmy.ml
                2 days ago

                Oh, I have and have used it. Thank you.

                But as far as the host server that you hit is concerned, whether you block the fonts via uBlock or do not fulfill the server request via Local CDN, they will still use it to profile you, because you tag yourself in the minority of users in the world that do not hit the Google font servers. And Google knows this.
                Since even most adblock users still do not block fonts or other assets like this. Albeit I do, as I use uBlock on Medium mode, including fonts. And I dropped using Local CDN so as to minimise my extension footprint.

                The main gain would be for the site’s aesthetics as you host some assets locally, but from a privacy perspective, you are damned if you do, and damned if you don’t. Albeit you are damned a little bit less if you do. LOL

  • JASN_DE@feddit.org
    10 days ago

    The RSS feed is still fetched from their server. Whoever can watch your internet traffic would still see the connection to the site.

  • catloaf@lemm.ee
    10 days ago

    Privacy is not an aspect of an RSS feed. It’s just a list of items in a standard format. Your reader requests it from the server, the server sends it. That’s it.

  • Feyd@programming.dev
    10 days ago

    “My first thought would be that it’s the same as using any other browser, so not a great way to be private. Am I wrong?”

    It is exactly the same. You can even open the RSS files in your browser directly. They’re just XML files served via http(s).

  • Cadende [they/them]@hexbear.net
    10 days ago

    I wouldn’t go so far as to say it’s literally the same as browsing a website. Your feed reader isn’t a full web browser and as far as I know most don’t execute JavaScript. They will still generally fetch images, and fetching the feed itself is just an http/s request, but it may or may not always be a request to the same web server as the website of whatever publication you’re subscribing to. So IMO you’re already starting from a somewhat better position in terms of data leakage, since the feed isn’t loading analytics software or advertiser JavaScript or any of that stuff which feeds the vast majority of bulk data collection in the private sector.

    One downside might be that if you have your feed reader set up to automatically poll for updates regularly, you may forget and it may do that polling on networks you didn’t intend to (when your VPN is off or you’re on school/work internet).

    If you have a specific threat model, or a couple, that you want to guard against, it’s much easier to come up with solutions that thwart those exact threats than just trying to be “as private as possible” all the time (very difficult, all technical solutions have tradeoffs). You could make the requests through Tor. You could use a proxy to encrypt your traffic up to a server you control before going out to the various sites. You could use a VPN service.

    Those all have different tradeoffs: Tor exit nodes might be widely blocked from fetching content from a lot of sites, and it might be hard to connect to Tor, period, on some locked-down networks. The server host and their ISP can still see some details about your traffic if you run your own proxy or VPN server, but it is another step removed from your local network/ISP and the site both tracking you directly by IP, user-agent, etc. VPN services might be tracking you themselves, might be working with governments, but they, similarly to proxies, interrupt the tracking done by your local network or the websites in question, with the added bonus of blending in with the traffic of other users (but they are often blocked by local network admins, and occasionally by websites as well).

    As an aside, RSS-based podcasts are a place where this tends to get interesting since the field is dominated by big distribution services. Assuming HTTPS is in use, most podcasts you might subscribe to can’t easily be tracked by your ISP or network admins, since they’ll blend in with all the other traffic going to, say, acast, libsyn, iheart, whatever, and HTTPS blocks them from seeing the full URL or data in transit, only the domain name from SNI. They can only tell that you downloaded data from a podcast network, not what podcast it was.
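
Added example, not part of the thread: a Python sketch that audits a feed for the hosts a reader would contact on its own, and whether an on-path observer (ISP, network admin) sees only the hostname or the full URL. The feed, its URLs and the assumption that the reader auto-loads images and enclosures are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a feed served from a different host than the site itself.
FEED_URL = "https://feeds.example.net/politics-blog/rss.xml"
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>Example Blog</title>
<link>https://blog.example.org/</link>
<item>
<title>Post one</title>
<link>https://blog.example.org/posts/1?utm_source=rss</link>
<description>&lt;p&gt;Text&lt;/p&gt;&lt;img src="https://pixel.tracker.example/o.gif?post=1"&gt;&lt;img src="http://img.example.org/a.png"&gt;</description>
<enclosure url="https://cdn.podhost.example/ep1.mp3" type="audio/mpeg" length="1"/>
</item>
</channel></rss>"""

class ImgCollector(HTMLParser):
    """Collects <img src> values from the HTML embedded in an item."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)

def observer_view(feed_url, feed_xml):
    """Map each host fetched without a click to what it reveals on the wire."""
    fetched = [(feed_url, "feed")]
    for item in ET.fromstring(feed_xml).iter("item"):
        enc = item.find("enclosure")
        if enc is not None and enc.get("url"):
            fetched.append((enc.get("url"), "enclosure"))
        imgs = ImgCollector()
        imgs.feed(item.findtext("description") or "")
        fetched.extend((src, "image") for src in imgs.srcs)
    view = {}
    for url, why in fetched:
        parts = urlsplit(url)
        entry = view.setdefault(parts.hostname, {"cleartext": False, "why": set()})
        entry["cleartext"] |= parts.scheme == "http"  # plain HTTP exposes the full URL
        entry["why"].add(why)
    return view

if __name__ == "__main__":
    for host, info in sorted(observer_view(FEED_URL, SAMPLE_FEED).items()):
        seen = "full URL" if info["cleartext"] else "hostname only (SNI/DNS)"
        print(f"{host:24} {sorted(info['why'])} observer sees: {seen}")
```

Item links are left out because the reader only requests them when you open a post; every host that is listed also receives your IP address and user-agent directly.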