Week's featured app leak: StarDict, a versatile and efficient dictionary tool

Found in Debian 13: a feature that sends the user's selected text directly to China as plaintext

Weekly app highlight: StarDict, a versatile dictionary and encyclopedia app

In the world of open-source applications, StarDict has recently come under fire for its data handling practices. The app, a GTK tool that looks up text and displays the definition in a tooltip, has been found to send user selections, potentially including sensitive information, to servers in China and Taiwan.

The unsolicited network transfer of user selections is an exceptional case and should not be viewed as common practice in Chinese apps broadly. The behaviour was identified as a security issue, reported and patched, and the plugins responsible for network communication were removed after public scrutiny, indicating that such behaviour is considered undesirable or problematic rather than standard.

It's important to note that StarDict's default behaviour of sending user clipboard selections over the network is not a widespread or accepted norm specific to Chinese apps. While some software implements "always-online" features or "phones home" to connect with servers for updates or additional data, this practice is not fundamental or common across all Chinese apps or software in general.

The Debian package for StarDict includes the online-dictionaries plug-in as one of its dependencies. However, for those who find this behaviour unacceptable, removing StarDict from the system may be a suitable solution.

Interestingly, StarDict has been around for decades and has its own Wikipedia entry, documenting development going back to 2003. Despite its long history, the controversy surrounding its data sharing practices has led to increased scrutiny and discussions about user privacy.

Meanwhile, in the realm of operating systems, Apple macOS has a similar function built in, called Look up, which doesn't need the internet to work because it has a built-in Dictionary app. On the other hand, Canonical is reviving TPM encryption for Ubuntu 25.10, aiming to enhance security and privacy for its users.

As for other developments, Firefox 136 has new features that fans have wanted, and Wayland's default policy isolates applications, preventing StarDict from seeing user selections on Wayland-based systems.

We would like to acknowledge Reg reader Sam L. for bringing this issue to our attention. Vincent Lefèvre from INRIA raised an alarm about StarDict sending the user's X11 selection to network servers, and he has filed bug #1110370 regarding the feature. Debian developer Maytham Alsudany responded that this isn't a bug, but a feature that can be disabled.

As the debate around user privacy and data security continues, it's crucial for developers to prioritise transparency and user consent when it comes to data handling practices. The StarDict controversy serves as a reminder of the importance of these principles in the digital age.

  1. The StarDict software's practice of sending user selections, potentially including sensitive information, to servers in China and Taiwan raises concerns about privacy, especially given that such behaviour is not the norm in most Chinese apps or software.
  2. In an effort to enhance security and privacy, Canonical is reviving TPM encryption for Ubuntu 25.10, demonstrating a focus on AI-driven cybersecurity and technology that prioritises user data protection.
  3. As the debate around user privacy and data security continues, it's essential for developers to prioritise transparency and user consent, ensuring that issues like the one found in StarDict are addressed and resolved promptly to maintain trust and adhere to ethical standards in the digital world.
