Is Miro compromising your privacy?
In contrast to most consumer options for watching video either on DVRs or with a computer Miro does not entail an invasive procedure that for instance is at the heart of services like Tivo. Sure, on the one hand their suggestions what you'd also like are probably a great benefit for most of their users but an anecdote from 2004 shows that they might know a little bit too much. It was the Superbowl and a Tivo spokesperson said that Janet Jackson's wardrobe malfunction was the most replayed scene on the record. A bit invasive, eh? Granted, they said they only monitored 20,000 units but they obviously didn't need a Nielsen box for it.
Miro is nowhere near what services like Tivo can do but just as it is important to be aware of how much personal information you accidentally divulge by accepting cookies or through referrer URLs it is important to look at Miro for these deficiencies since some parts e.g. the program viewer is based on core Firefox technology and indeed does keep a record of cookies. Under Linux the cookies file is easily found in ~/.miro/mozilla/cookies.txt and when I opened the file I found three unique domain names:
- miroguide.com
- channelguide.participatoryculture.org (seems to no longer get assigned)
- google.com
The first two are what I would have expected but the latter one is the problem. Google is notorious for its data collection efforts and cookies are no exception - this one expires January 17th 2038. When I deleted it I was unable to get another cookie from them so I'm not sure where in the program guide it came from.
The question then is, how can one control the cookies. It's not as easy as it looks. I first tried to set specific hosts to be excluded from getting a cookie by creating hostperm.1 with a line like
"host cookie 2 exampledomain.com"
but that did not seem to be parsed by the integrated browser. Next I tried to set global rules through the Firefox pref.js settings file and it took me a while to figure out that this file is created on startup from mozsetup.py but once that was known it was a simple matter to append
user_pref("network.cookie.cookieBehavior",2); #disable all cookiesafter the vendor comment and though this did work in practice I won't be using it. The Miro people can thus know every time I start their application (when connected) and on what buttons in that programming guide I'm clicking. Giving them this much information is justified to me since they make such a nice product but obviously each user will have to weigh the importance for him or herself.
When I have some more time I'll try to get hostperm.1 working so I can have the ability to exactly specify what I want to allow and what not. Mozsetup.py on the other hand is the way to go to set certain Firefox settings and the mozillaZine has a great compilation of them. Here is a short list of paranoid options to turn off cache, Java, referrers, etc, sure to break your browsing experience. Hint: That means don't use them if you're not a Firefox guru!
network.http.sendRefererHeader,0 security.enable_java,false security.xpconnect.plugin.unrestricted,false dom.disable_image_src_set,true network.http.use-cache,false network.prefetch-next,false
One final note, this in no way helps when you are trying to keep someone from finding out what you have subscribed to, say for example on an unsecured coffee shop wifi. When Miro starts up all feeds are checked and it would be trivial to get a complete list of all the channels you subscribe to simply by monitoring your http queries.
