Skype is following your links – that’s proprietary for you

Yesterday it was reported that Skype, owned by Microsoft these days, seems to automatically follow each exchanged https link. Besides the fact that this is a huge security and personal rights problem on its own, it again shows how important it is not to trust a proprietary system.

The problem, skin deep

Heise reported yesterday that Skype follows https links which have been exchanged in chats on a regular basis. First and foremost, this is a privacy issue: it looks like Skype, and thus Microsoft, scans your chat history and acts based on these findings on a regular basis. That cannot be explained by “security measures” or anything like it and is not acceptable. My personal data are mine, and Microsoft should not have anything to do with them as long as there is no need!

Second, there is the security problem: imagine you are exchanging private links, or even links containing passwords and usernames for direct access (you shouldn’t, but sometimes you have to). Microsoft does follow these links – and therefore gains full access to all data hidden there. If these are sensitive data (private or business), you have no idea what Microsoft is going to do with them.

Third, there is the disturbing part: Microsoft only follows the https links, only the encrypted URLs. If this action were a security measure, they would surely follow the http links as well. So there must be another explanation – but which one? It is disturbing to know that Microsoft has a motivation to regularly follow links to specifically secured content.
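One way to check on your own web server whether links shared in a chat are being fetched by someone other than the chat participants is to share single-use "canary" URLs and watch the access log for them. The following is an added example, not part of the original post: the `/c/` path, the tokens, the IP addresses and the log lines are constructed for illustration, and the log is assumed to be in the common Apache/nginx combined format.

```python
import re
import secrets

# Apache/nginx "combined" log line: client IP, timestamp, method, path.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} ')

def make_canaries(host, chat):
    """One unguessable URL per scheme; each is pasted into one chat and published nowhere else."""
    canaries = {}
    for scheme in ("http", "https"):
        token = secrets.token_urlsafe(16)
        canaries[token] = {"chat": chat, "scheme": scheme,
                           "url": f"{scheme}://{host}/c/{token}"}
    return canaries

def third_party_hits(log_lines, canaries, participant_ips):
    """Return requests for a canary path that came from neither chat participant."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/c/"):
            continue
        token = m["path"][len("/c/"):].split("?", 1)[0]
        info = canaries.get(token)
        if info is None or m["ip"] in participant_ips:
            continue
        # "scheme" is the scheme of the link as it was shared in the chat.
        hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                     "scheme": info["scheme"], "chat": info["chat"]})
    return hits

# Constructed sample data (documentation IP ranges, made-up tokens).
SAMPLE_CANARIES = {
    "tok-plain-0001": {"chat": "chat-a", "scheme": "http", "url": "http://www.example.net/c/tok-plain-0001"},
    "tok-tls-0002": {"chat": "chat-a", "scheme": "https", "url": "https://www.example.net/c/tok-tls-0002"},
}
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:02:11 +0000] "GET /c/tok-plain-0001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:02:30 +0000] "GET /c/tok-tls-0002 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [01/Jan/2024:14:37:40 +0000] "HEAD /c/tok-tls-0002 HTTP/1.1" 200 - "-" "-"',
]

if __name__ == "__main__":
    for hit in third_party_hits(SAMPLE_LOG, SAMPLE_CANARIES, {"198.51.100.7"}):
        print(hit)
```

Because each token is tied to the scheme it was shared with, the result also shows whether only the https variant was fetched by a third party.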

The problem, profound

While this news is shocking, the root problem is not Skype or the behavior of Microsoft – I am pretty sure that their Licence Agreement will cover such actions. And it is most likely that others like WhatsApp, Facebook Chat or whatnot behave in similar ways. So the actual problem is handing over all your data to a company into which you have no insight. You have no idea what they are doing, you have no control over it, and you cannot even be sure that nothing bad is done with it. Also, most vendors try to lock you in with their service, so that switching away from them is painful due to the workflows, tools and social networks you already use.

The solution

From my point of view, my personal perfect solution is hosting such sensitive services on my own. However, that cannot be a solution for everyone, and I for myself cannot provide for example the SLAs others need.

Thus I guess the best solution is to be conscious about what you do – and what the consequences are. Try to avoid proprietary solutions where possible. For chats, for example, try to use open protocols like XMPP. Google Talk is a good example here: company based, but still using open protocols, and they even push the development forward (Jingle, …). Or, if you upload files to web services, make sure you have a local backup. Also, try not to upload sensitive data – if you have to, encrypt it beforehand. And if you use social networks, try not to depend on one of them too much; use cross posts for various services at the same time if possible.

And, last but not least: ask your service providers to establish transparency and rules for a responsible and acceptable usage of your data. After all, they depend on the users’ trust, and if enough users are requesting such changes, they will have to follow.

Howto: Installing Owncloud News, a self hosted RSS reader

Owncloud News, an RSS news reader for the self-hosted cloud service Owncloud, is available in an Alpha version. That comes right at the time Google Reader is bound to see its end soon.

I must admit that I do not understand why Google decided to shut down the Google Reader service. Social media with their unstructured news areas are nice, but no match for a well structured news feed full of read and unread news. But there are replacements, and one pretty wise choice would be to not depend on yet another web service, but to host it yourself.

In comes Owncloud: it can already host your addresses, calendars, files and music and can be integrated with your desktop as well. Now an RSS reader app, Owncloud News, has been released as an Alpha version, and indeed already looks promising.

The installation is pretty smooth as well. The requirement is a running Owncloud 5 version, so 4.5 won’t do. The installation itself basically consists of two steps: installing and activating the so-called App Framework, which is supposed to be the foundation for other Owncloud apps in the future, and afterwards installing the news app itself:

# cd /var/www
# git clone https://github.com/owncloud/appframework.git
Cloning into 'appframework'...
[...]
# git clone https://github.com/owncloud/news.git
Cloning into 'news'...
[...]

I chose /var/www here because it is recommended in the manual and because there the appropriate user has the necessary access rights. But it could be any dir, since you only link the plugins anyway:

# ln -s /var/www/appframework /var/www/owncloud/apps
# ln -s /var/www/news /var/www/owncloud/apps

Speaking about rights, make sure the web server can write cache files:

# sudo chown -R www-data:www-data /var/www/news/cache

Afterwards, log in to your Owncloud and activate the plugins: first the framework, followed by the actual application. Add feeds, play around, and as you will see, it works pretty nicely.

What is still missing right now is an Android news reader which could sync with the server. When that is available as well, Owncloud News might become *the* Google Reader descendant.

Google & ActiveSync, Microsoft & CalDav: Pure irony

Today Microsoft announced plans to implement CalDav and CardDav support in Windows Phone. That will enable users to still sync with Google services once these shut down their ActiveSync support in summer. That is highly ironic and almost ridiculous, since Google itself does not support CalDav and CardDav in Android.

It all started with Google’s Winter cleaning: Google announced a couple of weeks ago that their services will soon no longer offer an ActiveSync interface. That means: all client devices accessing Google’s services via ActiveSync need to switch to some other way of syncing. Btw., read carefully: this has nothing to do with Android. Not at all! Also, iPhones don’t have to bother because they can simply switch to CalDav and CardDav, which are natively supported in iOS. However, it does affect users of Microsoft’s Windows Phone. They only had ActiveSync as an option.

Now Microsoft has announced they are going to implement CardDav and CalDav support in their Windows Phone, so that users can happily sync their Windows Phones with Google services.

And here comes the irony: Google itself supports neither CalDav nor CardDav on the client side. Google’s Android operating system does not offer it, not at all! Google only supports its own, proprietary sync method used in the Google apps, and has support for ActiveSync, albeit pretty limited support.

So, to summarize: Google forces others to use open standards which they do not support themselves.

While it is good that Microsoft is forced to implement open standards, Google’s behavior nevertheless looks ridiculous, and that is just sad. I wish Google would have the guts to just add CardDav and CalDav support and have a party with the people fighting for open standards. I mean, how bad would it look if a Microsoft operating system supported open standards better than a Google operating system?

Howto: Syncing multiple calendars between Android and Zarafa

Syncing multiple calendars between Zarafa (or any other groupware) and Android over ActiveSync is not possible due to a limitation in Android. However, Zarafa can export calendars via CalDav, and there is an Android app which adds CalDav calendars to the native calendar system.

Background: ActiveSync and CalDav

ActiveSync is the Microsoft way of syncing data, and is well established in the business ecosystems and thus also in groupware sync solutions like z-push. However, sharing multiple calendars via ActiveSync is not possible with Android without any special hacks. Additionally, ActiveSync is patented and copyrighted, and as a result a fee is paid to Microsoft for each device which is able to sync via ActiveSync.

CalDav on the other hand is an open standard for syncing data, available to everyone for free. Unfortunately, it is not natively supported by Android although many groupware solutions provide support for it. But there are 3rd party apps to add CalDav support to Android.

Zarafa

Zarafa support for CalDav is quickly added by installing the zarafa-ical package. Here, for example, is the package description on a CentOS/Fedora system:

$ rpm -qi zarafa-ical
[...]
The zarafa-ical package includes the Zarafa iCal/CalDAV gateway service
to enable users to access their calendar using iCalendar (RFC 2445/5545)
or CalDAV (RFC 4791) compliant clients. The iCal/CalDAV gateway service
can be configured to listen for HTTP and HTTPS requests.

The configuration is done in /etc/zarafa/ical.cfg. The only really interesting part is whether you want to enable iCal over TLS or not. After everything is set up, try to reach the calendars of your system via web browser; the address should look similar to https://www.example.net:8443/caldav/testuser/Calendar. Afterwards, create some more calendars to verify later on that everything worked.

Many other groupware solutions offer CalDav support as well, and the setup should be similar. The beauty of CalDav is that it does not contain any special magic.
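The browser check described above can also be scripted as a CalDAV PROPFIND request that lists every calendar the gateway exposes and refuses to send credentials over plain http. This is an added example, not part of the original post or of Zarafa: the calendar home path /caldav/testuser/, the calendar names and the sample response are assumptions constructed for illustration.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

NS = {"d": "DAV:", "c": "urn:ietf:params:xml:ns:caldav"}
PROPFIND_BODY = (b'<?xml version="1.0" encoding="utf-8"?><d:propfind xmlns:d="DAV:">'
                 b'<d:prop><d:resourcetype/><d:displayname/></d:prop></d:propfind>')

def fetch_calendar_home(url, user, password):
    """PROPFIND with Depth: 1 on the user's calendar home; https only, so credentials stay inside TLS."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send Basic credentials over a non-TLS URL")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=PROPFIND_BODY, method="PROPFIND", headers={
        "Depth": "1", "Content-Type": "application/xml; charset=utf-8",
        "Authorization": f"Basic {token}"})
    # The default SSL context verifies the server certificate and host name.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()

def list_calendars(multistatus_xml):
    """Return {href: displayname} for every collection typed as a CalDAV calendar."""
    calendars = {}
    root = ET.fromstring(multistatus_xml)
    for resp in root.findall("d:response", NS):
        if resp.find("d:propstat/d:prop/d:resourcetype/c:calendar", NS) is None:
            continue  # plain collection (e.g. the home folder itself), not a calendar
        href = resp.findtext("d:href", default="", namespaces=NS)
        name = resp.findtext("d:propstat/d:prop/d:displayname", default="", namespaces=NS)
        calendars[href] = name
    return calendars

# Constructed 207 Multi-Status body, shaped as RFC 4791 describes.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<d:multistatus xmlns:d="DAV:" xmlns:c="urn:ietf:params:xml:ns:caldav">
 <d:response><d:href>/caldav/testuser/</d:href><d:propstat><d:prop>
  <d:resourcetype><d:collection/></d:resourcetype><d:displayname>testuser</d:displayname>
 </d:prop></d:propstat></d:response>
 <d:response><d:href>/caldav/testuser/Calendar/</d:href><d:propstat><d:prop>
  <d:resourcetype><d:collection/><c:calendar/></d:resourcetype><d:displayname>Calendar</d:displayname>
 </d:prop></d:propstat></d:response>
 <d:response><d:href>/caldav/testuser/Team/</d:href><d:propstat><d:prop>
  <d:resourcetype><d:collection/><c:calendar/></d:resourcetype><d:displayname>Team</d:displayname>
 </d:prop></d:propstat></d:response>
</d:multistatus>"""

if __name__ == "__main__":
    print(list_calendars(SAMPLE_RESPONSE))
```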

Android

Once Zarafa is set up, you can configure the Android client. As mentioned before, Android does not provide native CalDav support, thus a 3rd party app is required. I have had quite good experiences with the app CalDav sync beta. While the app does cost 2,55 €, the author does promise to open source the app once it has matured enough.

After the app is installed, you just enter the user credentials and server URL and are ready to go.

The synced calendars show up in the Android calendar overview natively, and can be re-used in any calendar app out there which accesses the default Android calendar store.

That’s it, you can now sync all calendars you want, even various task lists, to your Android mobile phone. It works pretty well for my own Zarafa setup, but we’ve also tested it at credativ with a dedicated calendar server in a production environment.

Conclusion

As a result, the sync between multiple calendars in Zarafa and Android now works flawlessly. An additional bonus is that you are free to choose the colors of the calendars, in contrast to the ActiveSync implementation where you are stuck with a random color. :)

Besides, CalDav is also implemented in groupware fat clients like Thunderbird, KDE’s Kmail and Gnome’s Evolution, and you can now access all data via the same interface.

Why Android cannot sync multiple calendars via ActiveSync

If you use ActiveSync on your Android device you are not able to sync more than one calendar. The reason is the missing support in the ActiveSync implementation of Android.

Using multiple calendars on Android is not a problem at all – as long as you use Google Calendars. However, in business environments – or if you want to keep your data private – it might happen that you want to use your own calendar server. In such cases the sync is most often done via ActiveSync – and there multiple calendars cannot be synced, see for example Google code issue #36797. Of course, there are also other protocols like CalDav, but unfortunately Android does not support these natively.

There are a lot of discussions out there about why this does not work, and the situation is not simplified by the fact that there are various ActiveSync implementations on the server side and even on the mobile side (Samsung ActiveSync vs Google ActiveSync, etc.). But for plain Android, the situation is clear: the code lacks the ability.

The Exchange ActiveSync protocol specifies types of folders – like one type for the default mailbox, one for user created mail folders, etc. And while Android does know the type “12, User-created Mail folder”, it does not know the type “13, User-created Calendar folder”. It does not know “14, User-created Contacts folder” either, by the way. It’s simply not implemented in the class “FolderSyncParser”. Just check the list in lines 60-75, and compare it to the type numbers given above.

Thus you are not able to natively sync multiple calendars with plain Android and ActiveSync. If you really need it, you have to use one of the many, many hacks: export to Google calendars, create one user for each calendar on the server side, etc. – or use another protocol like CalDav which is not natively supported in Android but can be added by 3rd party tools.

I do hope that Google implements multi calendar sync via ActiveSync (or CalDav, speaking about) at some point in the future. I find the feature of multiple calendars extremely helpful in the daily office routine. But then again, there would be one reason less to use Google calendars on Android phones, so it might be that this is a political decision.
