
Surely there's things that can be better with webapp model, but .exe or .msi are so drastically worse on the spyware front that it's not even close.


How do you figure? Before everyone went web crazy and started bundling always-on network traffic into their calculator application, programs were a thing you could download and install and use without a network connection at all forever.


Every single HTTP request done by you is tracked down on the server, every single one!


I think that’s a result of being connected to the web not a native application vs web app thing. Nothing is stopping a native app from sending telemetry to a server for every action you take.


If you can't self-host a web-based application you have no capability of ever using it without third-party tracking

It's at least possible (albeit potentially difficult) for a native application, should it have such tracking, to have that tracking removed. Software "crackers" have shown, time and again, that so long as the code is present on a machine it can be made to run in whatever manner is desired.


Yeah, except Web apps use telemetry in every single request, to profit for marketing dashboards.

Spend some time learning about marketing solutions.

So native apps may use, Web uses it all the time.


Native apps have access to all your local data, unlike web apps. Web apps can't gather telemetry on things they can't access.


On Web apps your data lives on someone else's computer, including basic stuff like credit card information.

Every horizontal line on the network tab in developer tools is yet another piece of telemetry information.

Native apps have access to whatever user they run under.

Again whatever native apps can do, web apps do all the time.


> Again whatever native apps can do, web apps do all the time.

This isn't true. Yes, web apps have tons of telemetry, and every web request is logged server-side. But native apps do MORE:

- Native apps can look at what processes you're running. Web apps can't.

- Native apps can look at what software is installed. Web apps can't.

- Native apps can accurately determine exactly what operating system and browser you're using, while web apps either have to rely on a User-agent (which is trivially spoofed), or perform fingerprinting in order to come up with a guess.

- Native apps can see exactly what hardware you have. Web apps can't.

- Native apps have read/write access to every file on your system, subject to user-level permissions. Web apps require explicit selection from the user for file access. A native app can easily send your /etc/passwd file to a remote server, and can enumerate the local users.

--

Look, nobody is disputing that web apps have tons of telemetry, yet you keep responding as if that's what people are arguing with you about. What we're disputing is the exact statement I quoted. You implied that the telemetry of a native app is a subset or equal to the telemetry of a web app, and that's just plain false. It's very much the other way around. The telemetry of a web app is far less than a native app.


> - Native apps can accurately determine exactly what operating system and browser you're using, while web apps either have to rely on a User-agent (which is trivially spoofed), or perform fingerprinting in order to come up with a guess

A native app may know which browsers I have installed, but how would it know which of the umpteen ones I have I actually regularly use (if I don't do so while running the app)? The Web app, OTOH, is running in that browser, so yeah, of course it has a better chance of knowing that.


True, but to be fair, most users (Windows users, at least) don't have more than 2 browsers installed (Edge and either Firefox or Chrome, and it's likely a safe bet that if FF or Chrome are installed, that's their preferred browser). *nix users likely only have 1.

Your "umpteen" browsers is very much an edge case.


A native app running under your account can do anything you can do, so it can determine which browser you use by any number of methods, for example by checking the timestamps on the files in your various browser profiles (and of course read your browser history etc.).


Yeah, sure. So that brings us to the next question: Why would it want to?


Here's an example: Discord app reads all the processes running on the machine. Discord webapp can't. Telemetry is probably the same.

Another example: Microsoft Word can include a bug that makes opening a doc file run whatever command, including wiping the system. Google Docs can't do it.

It's much simpler to see telemetry in a web app - just open the Network tab. The fact that it's harder to do with a desktop app does not at all mean it isn't there. Give Wireshark a spin.


Google docs can read all your data that happens to be stored on their server.

You don't get it, yes desktop apps can do telemetry, and many do.

Web applications not only have all your data, every page interaction is fed into marketing engines regardless of your opinion on that.


But web applications don't have all my data. I gave you an example just above - Discord web app can't see what other programs I have running. Discord Desktop can. Google docs can read all my data on Google Docs (shocking), but Microsoft Word could be stealing my cookies from my browser and accessing my Google Docs, my iCloud and anything else too.

You keep making these bombastic statements with no data behind. Not all web applications store every page interaction into a marketing engine. For example, I have a web application - as you navigate no additional network requests are sent (it's an SPA!), and anyway I don't really have access to the server logs because they're hosted by some Netlify-like service. See? Web application without your data that doesn't feed your interactions into a marketing engine.

Some web apps track, some desktop apps track. But clearly and without any doubt an executable running in your operating system can potentially do much more than a web app you open with your up-to-date browser. An executable can even... open a web app!


They have all the data they can extract from each HTTP request, plus 100% of all data stored on their end.

Discord web app has a track record from everyone you ever spoke with, where you were when each sentence was written, who the people you talk to were.

All Web apps track, there are no exceptions, unless you are talking about some hobby stuff written by yourself.


Plenty of native apps phone home (and won't work if they can't)


100% of Web apps never turn off the phone.


This is not true. LibreOffice is being ported to the web, for example

https://wiki.documentfoundation.org/Development/WASM


So now they can track down every user that uses the Web version.


They are porting the codebase to WebAssembly, not developing a Google Docs type SaaS product.

It shouldn't be difficult to see that GIMP and LibreOffice can run on this runtime with similar privacy.

We typically download native executables over HTTP. Then check for application updates over HTTP.

Privacy respecting WASM apps can do the same.

This is the new Java, not the new SaaS.


You repeated this like 10+ times already in this thread, but never explained why it's so evil. You just assume everybody is on the same page that tracking (logging actually) is bad, but it's far from obvious.

The fact that I can see access log in my web server is just a helpful tool for me as a developer to improve my services. I think the majority of sites use this in good faith and keep products healthy.

If your threat model involves secret services tracking your activity down based on downloading favicon.ico, then you might have more serious problems than architectural choices of the web platform.


Because 10+ times people keep not getting that while native apps can track you, all Web apps do track you and feed every single action into marketing engines, even if they don't publicly acknowledge doing so.

And they own your data as well.


It's "all" that people are objecting to.

At my day job, we make a web application for health records that can be deployed inside an air-gapped intranet. Surely you don't think that's feeding a marketing engine?


How can I, as a patient, be sure you haven't built one, and aren't crawling my health records?


That's a different question. All over this thread, you're repeatedly saying that 100% of web apps are feeding marketing machines. I have a counter-example.

It's a separate question of how a patient can be sure of that fact. There's actually not a really reliable way a patient could even become aware of the existence of this product, since they would never see it or be informed of it. Patients are not users of this product. Users could ask their IT department for a log of outgoing internet-bound requests from the servers. Or ask whether those servers even have the capability of contacting arbitrary third parties.


Sorry, but until you present conclusive proof that you don't, we better assume that you do. Unfair? Sure, possibly... But that's just the risk you took in choosing to use the same technology as all the personal info thieves.

I mean, one could also be running around in a supermarket in a balaclava without intending to rob the cashier -- but would you assume someone you saw doing that wasn't going to do exactly that?


You can look at the network tab of your browser's dev tools. You can see everything being exfiltrated that way.

In fact, that's pretty similar to the technique that you'd use to check on a local app too, except it's built into the browser.

I'm not particularly interested in convincing anyone that some app is or isn't leaking their data. If you don't want to use web stuff, don't use it. But I do take issue with assertions that 100% of all web apps must be doing that kind of stuff. It's obviously not true. You can develop your own web app from scratch that doesn't do it, which is sufficient to form a counter-example.
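
Added example, not part of the original thread: one way to turn the Network-tab check described in the comment above into a repeatable audit is to export the session as a HAR file and summarise the requests that left the site's own origin. The function names, the sample hosts and the "first party = site host and its subdomains" rule are assumptions made for this sketch.

```javascript
// Summarise third-party traffic recorded in a HAR export (HAR 1.2 layout:
// log.entries[].request.{url, bodySize}). Runs under Node; URL is a global.
// Assumption: first party is the site host plus its subdomains (no public-suffix list).
function isFirstParty(host, siteHost) {
  return host === siteHost || host.endsWith("." + siteHost);
}

function thirdPartyReport(har, siteHost) {
  const byHost = new Map();
  for (const entry of har.log.entries) {
    const req = entry.request;
    const url = new URL(req.url);
    if (isFirstParty(url.hostname, siteHost)) continue;
    const row = byHost.get(url.hostname) ||
      { host: url.hostname, requests: 0, bytesSent: 0, queryKeys: new Set() };
    row.requests += 1;
    // HAR uses bodySize = -1 for "unknown"; count that as 0 rather than subtracting.
    row.bytesSent += Math.max(req.bodySize || 0, 0);
    // Query parameter names hint at what is being reported (ids, event names).
    for (const key of url.searchParams.keys()) row.queryKeys.add(key);
    byHost.set(url.hostname, row);
  }
  return [...byHost.values()]
    .map(r => ({ ...r, queryKeys: [...r.queryKeys].sort() }))
    .sort((a, b) => b.requests - a.requests || a.host.localeCompare(b.host));
}

// Constructed sample capture; all hosts are placeholders.
const sampleHar = { log: { entries: [
  { request: { method: "GET", url: "https://app.example.test/index.html", bodySize: 0 } },
  { request: { method: "GET", url: "https://static.app.example.test/app.js", bodySize: 0 } },
  { request: { method: "POST", url: "https://metrics.example.net/collect?uid=42&event=click", bodySize: 180 } },
  { request: { method: "POST", url: "https://metrics.example.net/collect?uid=42&event=scroll", bodySize: -1 } },
  { request: { method: "GET", url: "https://cdn.example.org/font.woff2", bodySize: 0 } },
] } };

console.log(thirdPartyReport(sampleHar, "app.example.test"));
```

A HAR file only covers what the browser sent; anything the server forwards to other parties afterwards is not visible in it.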


Sure I can. And you can. But to 99% of users, you're talking Greek -- ancient, not modern. And hey, BTW: Can we always? Where's the "Dev tools" menu on my phone browser?

And one counter-example does not a summer make. As long as 99% (typical Internet statistic, i.e. pulled from my nether regions) of web apps harvest your data for sale, that last percent won't get the benefit of the doubt: it's far too difficult and uncertain to find out which percent that would be.



