Does Nextcloud Bookmarks compromise your browsing history?

I’ve been using Nextcloud Bookmarks for a while now, and had a thought. You know how Nextcloud will automatically populate the title (and sometimes description) field of a bookmark? This feature is documented in the API too.

I assume that the way this works is that when you submit a bookmark, the Nextcloud server will visit the link and get the title.

Why this is a problem:

Imagine that you are a prolific bookmarker, like I am. Then as you browse the web and bookmark pages, your Nextcloud server will be revisiting all the links that you bookmarked, re-creating your browsing history but on the server side.

Now on your side you might be using a VPN, mixing up your browsing traffic with the traffic of hundreds of other users, making it impossible for surveillance (like ISPs, governments) to figure out which sites were visited by you and which sites were visited by other people using the VPN.

However, if you are hosting Nextcloud on some cloud server, or you just signed up on a website like OwnDrive, then your Nextcloud server might have a unique IP, and based on a couple of factors, ISPs and surveillance tech could figure out that all the websites visited by that IP are from a single person. There is a lot that can be pieced together from one person’s browsing history spanning weeks and months, including your real identity.

Is this a legitimate concern? Or am I perhaps misunderstanding something about the way Nextcloud Bookmarks works?

This is a legitimate concern indeed, which is why the feature is turned off by default.

That’s good to hear! I guess the provider I was using just had it enabled. Which is not as good :confused:

So I tried setting up my own Nextcloud server just now, and when I installed and opened the Bookmarks app, it did show a popup saying “Network access is disabled by default. Go to administrator settings for the bookmarks app to allow fetching previews and favicons”. So it does seem like the server should have no network access. And I can see that my bookmarks have no previews or favicons.

However, they do have titles and descriptions. And when I add a bookmark and inspect the browser requests, I can see a request that sends the URL to the server, and a response that includes the title and description of the website. I’m probably missing something simple here, but how is this working?
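
One way to check from the outside whether the server visits a bookmarked link, as an added example that is not part of the thread and not Nextcloud code: bookmark a unique URL on a web server you control, then classify who requested it in that server's access log. The log lines, IP addresses, path and user agents below are constructed, and the combined log format is an assumption about your web server.

```python
import re
from collections import defaultdict

# Combined Log Format, as written by nginx or Apache on a site you control.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample data: documentation-range IPs, made-up path and user agents.
CANARY_PATH = "/canary/3f9c2a7e51d04b68"  # unguessable, bookmarked exactly once
NEXTCLOUD_IPS = {"203.0.113.10"}          # egress address of the Nextcloud host
OWN_IPS = {"198.51.100.7"}                # your browser's address or VPN exit
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2024:10:00:01 +0000] "GET /canary/3f9c2a7e51d04b68 '
    'HTTP/1.1" 200 512 "-" "Mozilla/5.0 (constructed browser)"',
    '203.0.113.10 - - [12/Mar/2024:10:00:09 +0000] "GET /canary/3f9c2a7e51d04b68 '
    'HTTP/1.1" 200 512 "-" "constructed-server-fetcher/1.0"',
    '192.0.2.44 - - [12/Mar/2024:10:03:00 +0000] "GET /index.html '
    'HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (constructed visitor)"',
]

def who_fetched(log_lines, canary_path, nextcloud_ips, own_ips):
    """Group requests for canary_path by origin: server, browser or other."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["path"].split("?", 1)[0] != canary_path:
            continue  # unparseable line or unrelated request
        if m["ip"] in nextcloud_ips:
            origin = "server"
        elif m["ip"] in own_ips:
            origin = "browser"
        else:
            origin = "other"
        hits[origin].append((m["ts"], m["ip"], m["ua"]))
    return dict(hits)

def verdict(hits):
    """Summarise what the grouped hits say about server-side fetching."""
    if "server" in hits:
        return "server-side fetch observed"
    if hits:
        return "canary fetched, but not from the Nextcloud host"
    return "no fetch observed"

if __name__ == "__main__":
    hits = who_fetched(SAMPLE_LOG, CANARY_PATH, NEXTCLOUD_IPS, OWN_IPS)
    print(hits, verdict(hits), sep="\n")
```

A hit from the Nextcloud host's address shortly after the bookmark is saved means the title and description were fetched server-side; a hit only from your own address means only your browser loaded the page.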