Jump to content

Privacy reassurances?


Recommended Posts

Hi all!

 

I'd like thoughtful help to consider privacy with Alfred.

 

Access

When we give permissions, whatever we give the app access to — where might that info be sent, and how is that transparent? Ideally, I'd love to know for certain that my local data is sent nowhere.

 

Safeguarding

On a similar note, what would be a wise safeguard for my private data? Creating a separate user, which Alfred does not have access to? Some other approach?

 

Thanks!

Alfred seems awesome, and  I appreciate the help!

Link to comment
2 hours ago, MasterWayne said:

where might that info be sent

 

It isn't sent anywhere. Alfred needs permission to access things in order to show them to you.

 

Alfred is extremely respectful of its users' privacy. It doesn't even use Google Analytics, Crashlytics or the like, in contrast to many of the applications on Apple's App Stores.

 

2 hours ago, MasterWayne said:

Ideally, I'd love to know for certain that my local data is sent nowhere.

 

Then you will need to install an MitM proxy server so you can inspect exactly what your applications are sending and where. If that's too complicated for you, then you can install Little Snitch, which will at least tell you where your applications are trying to connect to, and allow you to block them.

 

As far as workflows go, almost all of them are written in scripting languages, so you have a copy of the source code right there. For all the others, the source code is typically on GitHub or a similar site. If you don't trust the version the author compiled, you can download the code and compile your own version.

 

2 hours ago, MasterWayne said:

On a similar note, what would be a wise safeguard for my private data?

 

Don't install software you don't trust. If you're really paranoid, then keep your sensitive data in encrypted disk images and only mount them when you need to access the data. Quit any programs you don't trust (which you shouldn't have installed anyway) before mounting them.

Link to comment

Do keep in mind that if you install something to inspect your traffic (LuLu is a free and open-source alternative to the aforementioned Little Snitch), you may see Alfred accessing your network when in reality it’s a Workflow from inside Alfred doing the connection.


Thankfully, by design Alfred’s Workflows need to be called explicitly, so when you see a warning you should know what Workflow triggered it.


As for inspecting a Workflow’s code, if you don’t have enough programming experience you can substitute that for trusting authors. For example, if you frequent these forums and over time recognise certain developers as trustworthy, it’s likely that whatever new thing they release will be trustworthy as well.

Link to comment

Thank you for these tremendously helpful responses!

 

Here are some further points from Alfred support, that may be helpful for anyone else wondering about this stuff:

 

Quote


Your Alfred preferences are stored on your Mac, or on the sync service of your choice if you choose to enable this. He doesn't connect back to our server aside from checking for software updates periodically, and when you activate your Powerpack license.

We don't track your usage, and no data is sent back to us about the files on your Mac. Alfred uses the Spotlight metadata, which is available to all apps on your Mac, in order to return search results locally.

Depending on which workflows you choose to use, some may need to connect to APIs (e.g. Google Suggest needs to connect to Google in order to provide you with in-line results), so it's worth establishing whether you're happy with specific workflows before using them.
If you uncheck the "Automatically check for updates" box in the Update tab of Alfred's Preferences, then this will turn off the only connection Alfred makes.

 

Great tips!

Link to comment
1 hour ago, MasterWayne said:

it's worth establishing whether you're happy with specific workflows before using them.

 

I have Little Snitch installed, and I've never seen a workflow try to connect to anything that wasn't either the services it integrates with (if applicable) or GitHub (or the like) to check for a newer version of the workflow.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...