WARNING: Sonic's Webmail Spellchecker Uses Google's Service! [RESOLVED]

by ezekielk » Tue Mar 16, 2021 2:07 pm
I just discovered this by happenstance moments ago, when I clicked on the spellcheck icon. A small window popped up claiming it would be run through Google's algorithm, and stored there. Very disappointed. So much for Sonic's advertising how they respect their customers' privacy! All the time I've been using spellcheck automatically, and never did this warning alert me. It's only when I turned off the automatic feature, and used the manual approach, did I learn of this intrusion on my privacy.
by brandonc » Thu Mar 18, 2021 11:45 am
Our Sonic webmail page is completely Sonic made and operated, so there's no data going anywhere except for in house.

Spellcheck is done by your browser, like Google Chrome, Firefox, etc., and stores any data inside your browser. It sounds like you are using Google Chrome and that's why you're seeing the Google options when you are spellchecking words.

You can delete that data from within Chrome's browser settings under "Privacy & Security" if you ever feel the need to, and it is a good idea to periodically clear data/cookies anyways.

I hope this helps!
Brandon C.
Community and Escalations
Sonic
by ezekielk » Thu Mar 18, 2021 12:13 pm
The spellcheck icon is embedded INTO the webmail service itself...so you are incorrect. There is indeed a separate spellcheck feature in my browser, but that's totally different. I have a hunch you DON'T use the webmail service, and are speaking off the top of your hat. Firefox never warns me it's using Google. But when I clicked on Sonic webmail's spellcheck icon, that notice popped up. Unfortunately, I now can't duplicate it.

Here is a forum that shows Google to be the default spell check service for Roundcube webmail, which is what Sonic uses (as well as Squirrel, but I'm nut using that particular GUI interface):

https://www.roundcubeforum.net/index.php?topic=24559.0

Just search "google" and you'll get right to it.

Here's a screenshot of the webmail options, that clearly shows spellcheck as a built in feature of Sonic's Roundcube webmail:


by kyle.depasquale » Thu Mar 18, 2021 2:13 pm
So that link explicitly says that Google no longer offers a public spell-checking service. I don't know which one Sonic is using, but it's likely something they host internally, and is highly unlikely to be Google. It could be using a Google-compatible service though, which is what I'd imagine they're doing.
by brandonc » Thu Mar 18, 2021 2:53 pm
Thank you for pointing that out, the internal webmail spellcheck tool had completely slipped my mind and I assumed you had meant your browser's spellchecker, I apologize for that.

Looking into it further, I was able to recreate that pop-up you were talking about. I will reach out to the team that handles our Webmail service to see if there are any privacy concerns with using that API and see what we can do about changing that soon, if possible.
Brandon C.
Community and Escalations
Sonic
by ezekielk » Thu Mar 18, 2021 3:03 pm
THANK YOU! There are probably other spellcheck modules (is that the right word?) out there, that do not have overreaching tentacles to steal your privacy. I'm sure you'll find one. Maybe Github or some similar site. Meanwhile, although I prefer webmail, I'm gonna install Thunderbird.
by drew.phillips » Thu Mar 18, 2021 4:29 pm
Hi ezekielk,

Thanks for bringing this up. The message about spellcheck using Google is a custom message added by Sonic many years ago which is no longer accurate. At one point, Roundcube did use an (anonymous) Google spell check service but this has since changed.

We are using the default Roundcube settings for spell check which means it goes through a server hosted by Roundcube itself at https://spellcheck.roundcube.net. You can see this in the source code here and described in the configuration here.

Our default setting disables spell check before send, meaning it is only sent to the 3rd party server when the spell check button is clicked, and after agreeing to the prompt you originally pointed out.

Internally we'll have to discuss whether to run an in-house spell check server and stop sending to Roundcube, or disable the feature completely since modern browsers have good spell check capabilities built in now. The data is anonymized in the sense that it is proxied through our server so your IP and browser information is not visible to spellcheck.roundcube.net. Of course the content of the email may de-anonymize you; we can only hope that Roundcube does not store this information and only uses it to run through the spell check engine.

We'll get the message updated to change "Google" to "Roundcube". If the idea of sending any email content to a 3rd party isn't acceptable, avoid using the spell check option and use the browser's built in capabilities. Just to reiterate, by default we do not enable spell check so it would only be sent through that service when you explicitly click the spell check button and agree to the prompt about it being sent to a 3rd party.

I hope this helps. Any additional ideas or feedback are welcome.
Drew Phillips
Programmer / System Operations, Sonic.net
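
An added example, not part of the post above and not Sonic's or Roundcube's code: a small audit that reads a Roundcube `config.inc.php` and reports whether the webmail spell check sends message text off the server, covering the options discussed above (default remote service, in-house engine, feature disabled). The defaults in `DEFAULTS` are assumptions based on the thread, the `internal_hosts` parameter is hypothetical, and the sample configs are constructed.

```python
import re

# Assumed Roundcube defaults for these keys; per the thread, the default engine
# sends text to spellcheck.roundcube.net and check-before-send is off.
DEFAULTS = {"enable_spellcheck": True, "spellcheck_engine": "googie",
            "spellcheck_uri": "", "spellcheck_before_send": False}
LOCAL_ENGINES = {"pspell", "enchant"}  # dictionaries run on the webmail host
ASSIGN = re.compile(r"""^\s*\$config\[['"](\w+)['"]\]\s*=\s*(.+?)\s*;""")

def parse_config(text):
    """Overlay simple `$config['key'] = value;` lines onto the defaults."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m and m.group(1) in DEFAULTS:
            raw = m.group(2)
            if raw.lower() in ("true", "false"):
                settings[m.group(1)] = raw.lower() == "true"
            else:
                settings[m.group(1)] = raw.strip("'\"")
    return settings

def audit(text, internal_hosts=frozenset()):
    """Report whether using spell check sends message text off the server."""
    s = parse_config(text)
    result = {"leaves_server": False, "destination": None,
              "on_every_send": False}
    if not s["enable_spellcheck"]:
        return result
    result["on_every_send"] = s["spellcheck_before_send"]
    if s["spellcheck_engine"] in LOCAL_ENGINES:
        result["destination"] = "local:" + s["spellcheck_engine"]
        return result
    # Simplification: any non-local engine is treated like the default remote one.
    uri = s["spellcheck_uri"] or "spellcheck.roundcube.net"
    host = re.sub(r"^\w+://", "", uri).split("/")[0].split(":")[0]
    result["destination"] = host
    result["leaves_server"] = host not in internal_hosts
    return result

# Constructed sample configs (not Sonic's actual files).
STOCK = "<?php\n$config['product_name'] = 'Webmail';\n"
IN_HOUSE = "<?php\n$config['spellcheck_engine'] = 'pspell';\n"
SELF_HOSTED = "<?php\n$config['spellcheck_uri'] = 'http://127.0.0.1:8080/spell';\n"
DISABLED = "<?php\n$config['enable_spellcheck'] = false;\n"

if __name__ == "__main__":
    for cfg in (STOCK, IN_HOUSE, SELF_HOSTED, DISABLED):
        print(audit(cfg, internal_hosts={"127.0.0.1"}))
```
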
by ezekielk » Thu Mar 18, 2021 6:32 pm
Thank you for your detailed reply. However, I think it behooves Sonic to clearly let all its new users KNOW about this. How many years this has been going on, without any customer's knowledge, is rather alarming. Especially in light of your company's reputation of one that claims to respect customer privacy. And yes, I can use browser spellcheck, or just compose my emails first in a simple text editor that has its own spellcheck...I used to do that all the time.
by ezekielk » Fri Mar 19, 2021 10:50 am
kyle.depasquale wrote:
So that link explicitly says that Google no longer offers a public spell-checking service.


Yet Sonic's Roundcube spellchecker explicitly states it's using Google's spellcheck service. And yesterday I came across an article dated 2017, about how Roundcube can use Google's spellcheck. Now, I can't find the article to show you, and I don't have any more time to waste trying to track it down. Whether Roundcube's alert is true or not, it certainly will upset at least SOME Sonic customers, such as myself. But the good folks at Sonic are now looking into it, so I'm glad I brought this up. I consider the issue resolved, and thanks for your input.
by drew.phillips » Fri Mar 19, 2021 11:16 am
That alert is a custom change added by Sonic many years ago and is not part of Roundcube. When Google retired the spell check API and Roundcube transparently changed things to go through their own spellcheck server, we never updated the message to reflect the change.

Quite a bit of info about Roundcube spellcheck on the net that I found is old and outdated. It was all the way back in 2013 that spell check was switched from Google to Roundcube: https://github.com/roundcube/roundcubem ... 36d28c40b6

For now, we've added another alert dialog in the settings pages that will display a similar prompt if you decide to enable spell check for every message. The alert when manually checking in a message has been updated as well to reflect the change from Google to Roundcube.
Drew Phillips
Programmer / System Operations, Sonic.net