Does hovering over a weblink "ping" the website?

If we have pasted a weblink “as Link” and later hover the mouse above it, after a second an infobox appears with some additional data:

Where does the information in this box come from in the exact moment we hover the mouse?

  1. Does it come fresh out of the Internet (always actual)?
  2. Or is it invisibly stored somewhere in Anytype?

If 1. is true:

Then I see it as a risk!
I’ll explain it further after some feedback.

If 2. is true:

How can we edit this information?
I don’t like the idea that there could be information stored somewhere in our Space that we normally do not see and have no control over!

Last question if 2. is true:
If we delete this link, is this additional information also deleted?
Or does it stay “forever”, well hidden from us as then completely invisible ballast in the Space?

.

I have just had a conversation with our appreciated @sturdily about it.
He said, hovering the mouse over a link does not “ping” the website.
But I’m still not convinced. Furthermore, that would mean that Anytype stores this data invisibly and hidden from us, which I also don’t like. :frowning:

  • What is true: point 1. or point 2.?

As far as I can see it:

Every time you hover over a link, Anytype sends an anonymized request to anytype.io/bot, that then fetches the information from the website.
edit: the payload is base64 converted, not encrypted (but it’s a local process, so it just communicates to an anytype process on your computer)
edit2: as this is a local process on our machine, nothing gets sent to anytype - I wasn’t aware of that when I wrote that

This then returns the preview data via an encrypted payload to your client.
edit: it is just base64 converted
edit2: See above, sorry about that

My computer has not requested the information directly from the website.

I checked the logs at the web server I was having a link from and just saw this access log:
[04/Aug/2024:15:56:31 +0200] "GET URL/I/REQUESTED... HTTP/2.0" 200 26456 "-" "Mozilla/5.0 (compatible; AnytypeBot/1.0; +https://anytype.io/bot)"

To answer your question, 1 is partially true (as anonymized) and 2 is not (perhaps it is cached within your session as another hover over the link did not need to fetch it) (correction, it fetches the preview every time).

Thanks btw for making me look into it. This is indeed an interesting question.

And it is pretty cool they implemented it in this way. Bravo to the Anytype team :clap:
edit: I initially thought it was encrypted but realized it is not. There is room for improvement how Anytype handles this.
edit2: as this is a local process on our machine, nothing gets sent to anytype - I wasn’t aware of that when I wrote that

Perhaps a team member could clarify if my assumption is correct or not :wink:
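
What a web server's access log records about such preview fetches, as an added example that is not part of the original posts: it parses log lines and lists requests carrying the AnytypeBot User-Agent quoted above, with the source address the server saw and whether the same address also sent ordinary browser traffic. It assumes the Combined Log Format with a leading client IP (that part is cut off in the line quoted in the post); the IP addresses, paths and browser line are constructed sample data.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Token taken from the User-Agent in the log line quoted in the post above.
PREVIEW_UA = re.compile(r"\bAnytypeBot/[\d.]+")

# Constructed sample log: documentation IPs (RFC 5737) and made-up paths.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Aug/2024:15:55:02 +0200] "GET /shoes HTTP/2.0" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
203.0.113.7 - - [04/Aug/2024:15:56:31 +0200] "GET /article/42 HTTP/2.0" 200 26456 "-" "Mozilla/5.0 (compatible; AnytypeBot/1.0; +https://anytype.io/bot)"
198.51.100.23 - - [04/Aug/2024:16:01:10 +0200] "GET /article/42 HTTP/2.0" 200 26456 "-" "Mozilla/5.0 (compatible; AnytypeBot/1.0; +https://anytype.io/bot)"
this line is malformed and must be skipped
"""

def parse(log_text):
    """Yield one dict per well-formed log line; skip lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def preview_fetches(log_text):
    """Return preview-fetch records and whether the same IP also sent non-preview requests."""
    by_ip = defaultdict(list)
    for rec in parse(log_text):
        by_ip[rec["ip"]].append(rec)
    out = []
    for ip, recs in by_ip.items():
        has_browser = any(not PREVIEW_UA.search(r["ua"]) for r in recs)
        for r in recs:
            if PREVIEW_UA.search(r["ua"]):
                out.append({"ip": ip, "ts": r["ts"], "path": r["path"],
                            "same_ip_browser_traffic": has_browser})
    return out

if __name__ == "__main__":
    for hit in preview_fetches(SAMPLE_LOG):
        print(hit)
```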

(Edit again and again …)

To new users: we have made some wrong conclusions at this point, see the further discussion that’s still running (at the moment 57 posts).
I recommend new readers to skip this post, it makes no sense for me to strike through more and more rows that are no longer true or no longer relevant.
But I want to keep this post without deleting it or striking through more lines, for the mere documentation of how it came to some misunderstandings.

Skip from here on:

Just to be clear here, what I said and showed you the logs, was that when hovering it does a first ping, and then no matter how much hovering I do next, it does not “re-ping”.

Still claim this, revalidated with pihole and opensnitch.

What I did find out now, was that if I close the app and reopen, it does re-ping (which was not tested). Also there seems to be a timeout for the re-ping, meaning that hovering immediately afterwards, does not re-ping.
The quick tests I did at the time, I did not test closing the App and reopening.

Like I wrote above, I did a new test just now with the youtube link.
When I said “I found out now”, it was because I remembered to test with opensnitch, which is great for these kinds of things.

Man, just use vpn. Anytype is not Tor browser and not intended to cover these cases.

Your space can’t leak any information if you open links, nobody can get access to your vault if you open a link.

To be honest, I can’t understand your paranoia here. Anytype is private software that guarantees your privacy but not anonymity. If you want to remain anonymous, please use VPNs and other tools. Your data is encrypted end-to-end, so there is no technical possibility to access your data without your key. So please stop spreading this paranoia. Some people might read this and get freaked out by these thoughts.

We can have different opinions and both be legitimate, you know?

I don’t see this as a major security or privacy breach, but I agree with the premise: Anytype shouldn’t have any knowledge of the content users create. I doubt such a log is kept, but the mere possibility is concerning. Is this your top concern? Perhaps. Is it my top concern? Not even in the top 20.

We don’t have any technical ability to read content inside spaces. Yes, the app pings websites directly from your machine, and sites can record your IP address. I guess there are a few real use cases where people may be concerned about disclosing their IP address; these people usually use tools like VPNs to hide it. We don’t see it as reasonable to provide this kind of service, especially for free.

As a non-technical person, I will abstain in commenting on the alertness over website access. But security is indeed a priority for me.

While VPN indeed helps, VPN is sometimes not as reliable in syncing and local-only… I don’t like how sometimes I have to choose between VPN or reliable sync

  • Like some past or improbable bugs: sync not working with vpn and without vpn
  • Switching VPN connection also sometimes interrupts Anytype connection… I often have to pay attention to confirm P2P connection is indeed working (not effortless); but since this use case involves using other services, I won’t put pressure on Anytype…

How can it be abused, if Anytype has no clue who you are by your passphrase? Unless by magic coincidence, the passphrase is your real name.

And how would that be a security risk? People fling words like Security here and there, but how would it be a risk? How would the vault be exploited?

And how is it a privacy risk if everything is anonymous on Anytype? If there is an Anytype Bot that pings, heck, even more anonymously private.

This was probably a “feature” that sounded cool, to show the preview of the link. It’s getting into extreme FUD territory here.

Any has my e-mail address, full name, home address, and credit card number. Can’t become a member without this.

I’m fine with this, otherwise I would have stayed with the non-member version. I also don’t think this is a security risk, but as far as privacy goes I’d rather not have Any be able to keep a track of all URLs in my vault. Not that I think that it does that, or cares about it, but I like to believe there are better solutions for this.

Anytype bot is a local process. There is no server involved in it.

Thank you for the clarification. Earlier discussion led me to believe the URL is sent to a bot/service running on Anytype servers.

This explains why I could not find it. There never was an outgoing request to begin with.

Thanks!

What does security mean to you? I recommend using a VPN for those who need it. Please read my other comments. The maximum risk is exposing your IP address to websites, which you do anyway when you open them in a browser. If it’s OK, you don’t need a VPN to enjoy state-of-the-art security and autonomy.

@Code-Jack
Did you read Anton’s full answer?

As far as I understand the procedure to retrieve infos about a website is that Anytype sends the request to the local bot and this local bot then makes a normal https request to get some information about the website. This is like normal browsing in the web with any browser… Let us first really understand how this works before we make any assumptions about potential security issues. Especially not in the “style” you are doing it. If you ask me it’s absolutely hysterical.

There are no security issues if the request is over https. Both the request and the response are encrypted. This is my understanding, but I am not a security expert.

Yes, I did read his answer and understood the thing with the bot and that it is local - cleared. Then I answered this:
“it retrieves OG tags directly from the website” - that was my initial fear in my first post!

  • That means the problem is NOT out of the world, no matter that the bot is not on a web server but local.
    The bot connects to the (dangerous) website.
    Not only connects to it (with a simple ping) but also transfers data.

I give you a further explanation why it is dangerous:
Let’s assume I send you a long text, ready to paste or import it into Anytype.
You like it, because you love reading long texts in Anytype because of the dark mode and so on.
My text contains also some links.
You read the text, you hover over the links …

Maybe secret agent Smith recognizes in that moment that you (YOU!) now have connected to that forbidden website …

Or:
You have your browser open, logged in on eBay for looking for some new shoes.
One of the links in my text I’ve sent you leads also to eBay, but to a vibrator for lonely women.
You hover over it and eBay recognizes that. The IP address is the same, it must be you!
eBay thinks from now on:
“OK, our customer siousu is interested in sex toys! I should make him a lot of suggestions in that direction from today on!”
One day later, your woman uses your PC and looks on eBay. She will rub her eyes because she will see a lot of suggested articles for lonely persons …
She will think you have searched for such stuff and gets angry with you!
You have no clue what has happened … :-/

I could bring more examples for other cases.
Some would bring me in danger (not you) if you hover over a link in the text that I’ve sent you.
Maybe I must hide for some reason. I was a bit stupid and have sent you a link that contains session data that are connected to my person.
You hover over the link, the police or agent Smith now storms your house and interrogates you, because they know now that we are somehow connected to each other.

Some guys in Arabic countries have already paid with their life for such errors.
The Amis or Israelis have sent a drone to some people to kill them, no matter how much “collateral damage” it causes.

These are of course extreme examples, but in some regions of the world a real danger.
A lot simpler dangers are more likely for most of us, but we can’t know. Everything can change rapidly.
See the war between Russia and Ukraine.
Two normal countries before, together with over 150 million people that lived a normal life.
Then came that war and lots on both sides suddenly have had good reasons for hiding.

Email and messengers are dangerous, everyone knows that.
But ANYTYPE is sooo secure!!!
It is “locally first”, and “P2P” and full of “encryption” …!
“Let’s use Anytype for staying in contact to communicate!”