BOINC client and violation of user privacy

boinc.privacy

Joined: 12 Dec 12
Posts: 4
Message 46736 - Posted: 12 Dec 2012, 16:34:16 UTC

Hello,

I want to discuss violation of user privacy in the BOINC client. Some information that is gathered by the BOINC client and is sent to remote BOINC servers can be confidential, and this information is not needed for the BOINC client, BOINC servers and BOINC-based projects. In short, this information is: user name obtained from the system, computer domain name, IP address, spec of hardware, OS name and version. This information can be sent if a user wants, but there should be a configurable way to specify this information manually to respect user privacy.

Having checked BOINC client source code, I've found two places where confidential information is gathered:

1. clientgui/ProjectProcessingPage.cpp has calls to wxGetUserName() and wxGetUserId(); on Unix-like systems this information corresponds to pw_gecos and pw_name from struct passwd{}. If these functions are called when boincmgr is connected to some remote boinc_client, then this is logically wrong, since the remote boinc_client can have no relation to the local user who runs boincmgr.

2. client/hostinfo_*.cpp have get_host_info() functions that gather confidential information from the local system, and this information is sent to remote servers. This information is: computer domain name, IP address, detailed spec of hardware, detailed information about the OS, timezone, maybe something more.

Probably there are other places where the BOINC client gathers confidential information and sends it to remote servers.

I propose:

1. Remove wxGetUserName() and wxGetUserId() calls from clientgui/ProjectProcessingPage.cpp. Instead always ask a user to enter a user name.

2. Add new boolean option <user_privacy>, that allows a user to select privacy mode and specify all or almost all information obtained by the get_host_info() function. I would make privacy mode enabled by default. If a user does not want, then he or she always can unset <user_privacy> and get_host_info() will gather information. As I understand this information is saved in client_state.xml and can be parsed on boinc_client's startup (actually boinc_client parses this information, but then overwrites it by get_host_info()).

3. Update boincmgr and allow a user to modify user privacy related settings via GUI.

If user privacy mode is enabled by default, then default values for class HOST_INFO can be something like: localhost, 127.0.0.1, generic CPU, generic OS, etc.

Similar questions about computer domain name and IP address information hiding were raised before.

What do you think about the BOINC client and user privacy, about unconditional sending of confidential information to remote BOINC servers and about the proposed changes to the BOINC client? Maybe there are other ideas?
ID: 46736 · Report as offensive
Jord
Volunteer tester
Help desk expert
Joined: 29 Aug 05
Posts: 15506
Netherlands
Message 46738 - Posted: 12 Dec 2012, 17:32:46 UTC - in response to Message 46736.  

> If user privacy mode is enabled by default, then default values for class HOST_INFO can be something like: localhost, 127.0.0.1, generic CPU, generic OS, etc.

And then the user's BOINC will get no work from any project, as none can determine what operating system and hardware the user possesses, so no appropriate science applications and work can be sent to it.

> 1. Remove wxGetUserName() and wxGetUserId() calls from clientgui/ProjectProcessingPage.cpp. Instead always ask a user to enter a user name.

After which there will be people requesting that there be an automated thing for this, that remembers their choice.

Besides, all that BOINC Manager does is retain that information on the local computer. BM is a GUI that allows you to give commands to the client. It does not send any information out on the internet, you can check that. BM does not communicate with any project's servers, that's the client.

> 2. Add new boolean option <user_privacy>

There is already a client configuration option for that. It's called <suppress_net_info>0|1</suppress_net_info>
If enabled, don't send this host's IP address and domain name to servers. Otherwise, this information is sent to, and stored on, servers. It is visible to you (but not other users) via the web.
ID: 46738 · Report as offensive
SekeRob2

Joined: 6 Jul 10
Posts: 585
Italy
Message 46740 - Posted: 12 Dec 2012, 17:41:34 UTC - in response to Message 46736.  

You, boinc_privacy, can add <suppress_net_info>1</suppress_net_info> to the cc_config.xml. Been using this for years and it stops sending such things as the local host IP. Downside is, if you reinstall BOINC and have multiple devices, the project can't make out which device, so creates a new one... but then there's device merge on most all projects [not on WCG].

Else, connecting to a project is one of mutual trust. You decide which to trust and attach to [not one in outer Siberia, which does not even specify what the heck they're wanting you to process for free, nor has endorsement by acceptance on the BOINC project selection list]. Then when you install BOINC as service, it won't use the user account info, rather the anonymous boinc_master:

7 12/12/2012 2:41:17 PM Running under account boinc_master

The BOINC data goes to the general C:\ProgramData\BOINC, not a user account [think if installed as user, the data still goes to C:\ProgramData\BOINC by default].

No need for user information to transfer. Of course you use a dump-able email account to register and not one that is also used for contact with your bank... i.e. you can take steps to elevate your level of privacy and anonymity.

ID: 46740 · Report as offensive
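The cc_config.xml change described in the two replies above, as an added example that is not part of the thread and not BOINC's own code: it sets <suppress_net_info> while keeping existing options, then models which host fields the thread says are still reported afterwards. The host_info tag names and every sample value are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Fields the thread says <suppress_net_info> withholds from project servers.
NET_FIELDS = {"domain_name", "ip_addr"}

# Constructed sample input; the real files live in the BOINC data directory.
SAMPLE_HOST_INFO = """<host_info>
  <timezone>3600</timezone>
  <domain_name>ws7.example.org</domain_name>
  <ip_addr>192.0.2.15</ip_addr>
  <p_vendor>GenuineIntel</p_vendor>
  <p_model>Example CPU 3.00GHz</p_model>
  <os_name>Linux</os_name>
  <os_version>3.2.0</os_version>
</host_info>"""
SAMPLE_CC_CONFIG = """<cc_config>
  <options>
    <alt_platform>i686-pc-linux-gnu</alt_platform>
  </options>
</cc_config>"""


def enable_suppress_net_info(cc_config_xml=None):
    """Return cc_config.xml text with suppress_net_info set to 1, keeping other options."""
    root = ET.fromstring(cc_config_xml) if cc_config_xml else ET.Element("cc_config")
    options = root.find("options")
    if options is None:
        options = ET.SubElement(root, "options")
    node = options.find("suppress_net_info")
    if node is None:
        node = ET.SubElement(options, "suppress_net_info")
    node.text = "1"
    return ET.tostring(root, encoding="unicode")


def is_suppressed(cc_config_xml=None):
    """True only if the option is present and set to 1 (absent file or tag means off)."""
    if not cc_config_xml:
        return False
    node = ET.fromstring(cc_config_xml).find("./options/suppress_net_info")
    return node is not None and (node.text or "").strip() == "1"


def fields_still_reported(host_info_xml, cc_config_xml=None):
    """Model of the thread's description: host_info tags left after suppression."""
    hide = NET_FIELDS if is_suppressed(cc_config_xml) else set()
    return [c.tag for c in ET.fromstring(host_info_xml) if c.tag not in hide]


if __name__ == "__main__":
    hardened = enable_suppress_net_info(SAMPLE_CC_CONFIG)
    print(hardened)
    print("before:", fields_still_reported(SAMPLE_HOST_INFO, SAMPLE_CC_CONFIG))
    print("after: ", fields_still_reported(SAMPLE_HOST_INFO, hardened))
```

With the option set, the OS, CPU and timezone fields remain in the model's output, which matches the thread's point that projects still need them to pick applications.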
boinc.privacy

Joined: 12 Dec 12
Posts: 4
Message 46802 - Posted: 14 Dec 2012, 13:46:29 UTC - in response to Message 46738.  

> > If user privacy mode is enabled by default, then default values for class HOST_INFO can be something like: localhost, 127.0.0.1, generic CPU, generic OS, etc.
>
> And then the user's BOINC will get no work from any project, as none can determine what operating system and hardware the user possesses, so no appropriate science applications and work can be sent to it.

Having checked source code, now I see that this information is used by BOINC server. It is unclear why information about OS name and its version is needed to be sent if one specified --with-boinc-alt-platform and specified OS does not match installed OS (when ABI compatibility mode is used on a local system).

> > 1. Remove wxGetUserName() and wxGetUserId() calls from clientgui/ProjectProcessingPage.cpp. Instead always ask a user to enter a user name.
>
> After which there will be people requesting that there be an automated thing for this, that remembers their choice.
>
> Besides, all that BOINC Manager does is retain that information on the local computer. BM is a GUI that allows you to give commands to the client. It does not send any information out on the internet, you can check that. BM does not communicate with any project's servers, that's the client.

I found only this place in the BOINC client source code that gets pw_gecos on Unix-like systems (sometimes the real user name), and this data is sent to the remote server (this was verified). Of course BOINC manager communicates with the boinc_client; wxGetUserName() is called by boincmgr and this function is called on a local system, so obtained information about the local user can be sent to a remote boinc_client (cannot verify it right now, because BOINC on my system refuses to work with proxy for some reason, so I just followed source code to understand the logic).

Here I cannot agree that sending local user account information to remote server is a correct idea. Even if somebody wants to have such automated user name generation, then this information should be shown in boincmgr, I do not remember whether it shows used user name for a project (again cannot check because of problems with proxy).

> > 2. Add new boolean option <user_privacy>
>
> There is already a client configuration option for that. It's called <suppress_net_info>0|1</suppress_net_info>
> If enabled, don't send this host's IP address and domain name to servers. Otherwise, this information is sent to, and stored on, servers. It is visible to you (but not other users) via the web.

I did not know about this option, thank you for this information.
ID: 46802 · Report as offensive
boinc.privacy

Joined: 12 Dec 12
Posts: 4
Message 46804 - Posted: 14 Dec 2012, 13:55:39 UTC - in response to Message 46740.  

> You, boinc_privacy, can add <suppress_net_info>1</suppress_net_info> to the cc_config.xml. Been using this for years and it stops sending such things as the local host IP. Downside is, if you reinstall BOINC and have multiple devices, the project can't make out which device, so creates a new one... but then there's device merge on most all projects [not on WCG].

I did not know about this option, thank you for the information.

> Else, connecting to a project is one of mutual trust. You decide which to trust and attach to [not one in outer Siberia, which does not even specify what the heck they're wanting you to process for free, nor has endorsement by acceptance on the BOINC project selection list]. Then when you install BOINC as service, it won't use the user account info, rather the anonymous boinc_master:
>
> 7 12/12/2012 2:41:17 PM Running under account boinc_master
>
> The BOINC data goes to the general C:\ProgramData\BOINC, not a user account [think if installed as user, the data still goes to C:\ProgramData\BOINC by default].

I use Unix-like systems, have no idea how the BOINC client works under Windows.

> No need for user information to transfer. Of course you use a dump-able email account to register and not one that is also used for contact with your bank... i.e. you can take steps to elevate your level of privacy and anonymity

I gave an example with wxGetUserName() called by boincmgr; under Unix-like systems it gets and then sends (this was verified with a real BOINC server) data about the local user who runs boincmgr to the remote server. Do not remember whether boincmgr gave any information related to the gathered local user account that it was going to use during attaching/joining to a project.
ID: 46804 · Report as offensive
Jord
Volunteer tester
Help desk expert
Joined: 29 Aug 05
Posts: 15506
Netherlands
Message 46806 - Posted: 14 Dec 2012, 16:52:15 UTC - in response to Message 46802.  
Last modified: 14 Dec 2012, 16:54:28 UTC

> It is unclear why information about OS name and its version is needed to be sent

Because not all projects support Windows, or Linux, or OS X.
Because not all projects support all versions of Windows (being 3.0, 3.1, 95, 98, ME, 98 SE, 2000, XP, Vista, 7 and 8)
Because not all projects support older Linux versions, or older OS X versions.
Because although the CPU may be a 64bit CPU, it doesn't necessarily run a 64bit OS, so to prevent that we're sending a 64bit application to a 32bit only OS...

> if one specified --with-boinc-alt-platform and specified OS does not match installed OS (when ABI compatibility mode is used on a local system).

Any use of the client configuration file needs a user that knows what he's doing, knows the ins- and outs of BOINC a bit, is more than Joe Standard.

There is no --alt_platform command line switch for the client, you can only use cc_config.xml to determine another platform using the <alt_platform>platform_name</alt_platform> tags.

You only use --with-boinc-alt-platform=NAME when you compile a client under Linux, which should use an alternate OS platform name than the default one given. From [trac]wiki:BuildSystem[/trac]:
Use this option to build an client that supports an alternate platform name. For example, on a x86_64 linux system that supports both 64 bit and 32 bit executables, you might specify --with-boinc-platform=x86_64-pc-linux-gnu and --with-boinc-alt-platform=i686-pc-linux-gnu.

> Here I cannot agree that sending local user account information to remote server is a correct idea.

As far as I know, BM doesn't send any information, not even to a remote server. When you use BM to connect to a remote computer, it sends a question for the password --as stored in the gui_rpc_auth.cfg file in the BOINC Data directory on the remote computer. It reads the local remote_hosts.cfg file to see which IP addresses or computer names (e.g. on the LAN) it should go to to see if there's a client there that will react, through RPC.

Then when you are prompted for the password, it'll be for computer Such_and_So or IP address xx.xx.xx.xx plus the password. BOINC Manager does not do anything with any user name it fetches from the computer.

The only user name that it shows in the Projects tab is the user name you used to make an account with on the project server. By default BOINC will use the OS account name you use to run BOINC with for this account. Unless you change that, of course. So if you run your OS under the name Bill, your account at e.g. Seti will be Bill, and that will be the name showing in BOINC Manager. And then only in the Projects tab, under the Account column.
ID: 46806 · Report as offensive
boinc.privacy

Joined: 12 Dec 12
Posts: 4
Message 46815 - Posted: 15 Dec 2012, 15:23:01 UTC - in response to Message 46806.  

> > It is unclear why information about OS name and its version is needed to be sent
>
> Because not all projects support Windows, or Linux, or OS X.
> Because not all projects support all versions of Windows (being 3.0, 3.1, 95, 98, ME, 98 SE, 2000, XP, Vista, 7 and 8)
> Because not all projects support older Linux versions, or older OS X versions.
> Because although the CPU may be a 64bit CPU, it doesn't necessarily run a 64bit OS, so to prevent that we're sending a 64bit application to a 32bit only OS...
>
> > if one specified --with-boinc-alt-platform and specified OS does not match installed OS (when ABI compatibility mode is used on a local system).
>
> Any use of the client configuration file needs a user that knows what he's doing, knows the ins- and outs of BOINC a bit, is more than Joe Standard.
>
> There is no --alt_platform command line switch for the client, you can only use cc_config.xml to determine another platform using the <alt_platform>platform_name</alt_platform> tags.
>
> You only use --with-boinc-alt-platform=NAME when you compile a client under Linux, which should use an alternate OS platform name than the default one given. From [trac]wiki:BuildSystem[/trac]:
> Use this option to build an client that supports an alternate platform name. For example, on a x86_64 linux system that supports both 64 bit and 32 bit executables, you might specify --with-boinc-platform=x86_64-pc-linux-gnu and --with-boinc-alt-platform=i686-pc-linux-gnu.

I used to build the BOINC client and its GUI manager from source code on Unix-like systems and I do not use Linux. Since most projects support only the Linux variant of the executable file for Unix-like systems, it is necessary to specify --with-boinc-alt-platform=something-linux-gnu, then enable ABI compatibility mode in the local kernel, and it will be possible to run Linux applications received from some BOINC server on a non-Linux Unix-like system. Of course ABI compatibility with Linux applications on the local system is required. So the local OS name and the OS name specified in the --with-boinc-alt-platform configure command option can be different, and they are different on my systems; the type of CPU is also different, but again it is given in this configure option. That's why it is really unclear why the real OS name and real CPU type are sent, if these settings are already redefined in the configure option. Well, CPU supported features like SSE are not defined in the alt-platform, but they can be taken from the real CPU.

I did not use <alt_platform>, because I build BOINC client from source code, so I give --with-boinc-alt-platform for the configure script.

> > Here I cannot agree that sending local user account information to remote server is a correct idea.
>
> As far as I know, BM doesn't send any information, not even to a remote server. When you use BM to connect to a remote computer, it sends a question for the password --as stored in the gui_rpc_auth.cfg file in the BOINC Data directory on the remote computer. It reads the local remote_hosts.cfg file to see which IP addresses or computer names (e.g. on the LAN) it should go to to see if there's a client there that will react, through RPC.
>
> Then when you are prompted for the password, it'll be for computer Such_and_So or IP address xx.xx.xx.xx plus the password. BOINC Manager does not do anything with any user name it fetches from the computer.

I used such configuration for remote BOINC clients management.

> The only user name that it shows in the Projects tab is the user name you used to make an account with on the project server. By default BOINC will use the OS account name you use to run BOINC with for this account. Unless you change that, of course. So if you run your OS under the name Bill, your account at e.g. Seti will be Bill, and that will be the name showing in BOINC Manager. And then only in the Projects tab, under the Account column.

Yes, I was talking about this. Not only account name can be sent, I saw that information stored in GECOS (pw_gecos from struct passwd{}) was sent to remote BOINC server. I checked BOINC client source code and found that place that fetched potentially confidential information from local system user database. Would not I see this in real situation, I would ask such questions in this message board.

Thanks everyone for replies and suggestions. Since I build the BOINC client from source code, I can modify it. The topic can be closed.
ID: 46815 · Report as offensive


Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.