An RSS feed is literally the same as going to the website. A request is being made to the domain and anyone who can see the data between you and the website can see it. If you think you're secure going to the website normally, then an RSS feed would be secure, too.
There's a difference: Websites have JS and requests to CDNs. RSS feeds don't.
Why do you think an RSS feed can't sit on a CDN?
What I meant were CDNs such as Google's providing common resources like fonts or JS libraries.
The RSS feed is still fetched from their server. Whoever can watch your internet traffic would still see the connection to the site.
So if you put your RSS feed application behind a vpn it would be more private?
Then, only the vpn provider would see the very same traffic, the ISP would see without vpn.
The ISP would just see your connection to the vpn provider.
The sites themselves would just see the vpn ip.
So it's not the question about whether anyone sees the traffic, but who.
Only Tor would hide this traffic in a sense.
Private to whom? You've just moved the observer from your ISP to your VPN provider and whomever is upstream from them.
What if I only add the feed via floppy
How did you get the feed in the first place?
Burner terminal from 1990
They could observe a connection to the server, big difference. If the site is on a WordPress domain, that IP might lead to a load balancer that manages hundreds of sites.
Of course the reverse is also true, so for example Facebook, if you hit one of their IPs, then it's obvious what you're accessing
The answer is absolutely yes
Keep in mind that RSS is just some XML sent over an HTTPS connection. For anyone outside, it will look like gibberish, they can say you are requesting and getting some things from that particular site but not what it is.
Privacy is not an aspect of an RSS feed. It's just a list of items in a standard format. Your reader requests it from the server, the server sends it. That's it.
Your client downloads an XML file and parses it and then maybe downloads some images. There.
If the client itself doesn't track you, it's as private as online gets.
The comments thus far are a little oversimplified... Yes, the feed is just an XML document, same as the HTML page, but there are several relevant differences. Yes, in theory, one could use server logs to determine which IP addresses make which requests for what documents, but in practice... Making things run and spying on people tend to be two different departments. With HTML, unless you block all javascript and have no images load, tracking javascript and tracking pixels will be invoked by your browser and those DO go to the tracking you department. If you hit a webpage it is FAR more likely that data goes somewhere for you to be spied on than just downloading an RSS feed (although individual items in the RSS feed may well have tracking pixels).
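An added example, not part of the original thread: a small Python audit that lists which hosts a feed reader would contact when it renders item bodies, flagging 1x1 images as likely tracking pixels. The feed, host names and the `audit_feed` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

CONTENT_NS = "{http://purl.org/rss/1.0/modules/content/}encoded"
# Constructed sample feed (hypothetical hosts), not taken from any real site.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel><title>Example</title><link>https://blog.example/</link>
<item><title>Post one</title>
<description>&lt;p&gt;Hello&lt;/p&gt;&lt;img src="https://blog.example/a.png" width="600" height="400"&gt;</description>
<content:encoded><![CDATA[<p>Body</p><img src="https://stats.tracker.example/p.gif?u=123" width="1" height="1">]]></content:encoded>
<enclosure url="https://cdn.podhost.example/ep1.mp3" type="audio/mpeg" length="1"/>
</item></channel></rss>"""


class SrcCollector(HTMLParser):
    """Collects (url, is_pixel) for every tag carrying a src attribute."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if a.get("src"):
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            self.found.append((a["src"], tag == "img" and tiny))


def audit_feed(xml_text, feed_host):
    """Return sorted (host, kind) pairs a reader would contact beyond the feed fetch."""
    # ElementTree is fine for this constructed input; use a hardened parser for untrusted feeds.
    root = ET.fromstring(xml_text)
    hits = set()
    for item in root.iter("item"):
        for el in item:
            if el.tag in ("description", CONTENT_NS) and el.text:
                collector = SrcCollector()
                collector.feed(el.text)
                for url, pixel in collector.found:
                    # Assumption: relative URLs resolve against the feed's own host.
                    host = urlparse(url).hostname or feed_host
                    kind = "pixel" if pixel else ("first-party" if host == feed_host else "third-party")
                    hits.add((host, kind))
            elif el.tag == "enclosure" and el.get("url"):
                hits.add((urlparse(el.get("url")).hostname or feed_host, "enclosure"))
    return sorted(hits)

if __name__ == "__main__":
    for host, kind in audit_feed(SAMPLE_FEED, "blog.example"):
        print(f"{kind:12} {host}")
```

Readers that can be set to not load remote images avoid the `pixel` and `third-party` requests entirely; enclosures are only fetched when the episode is downloaded.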
Depends on your threat model. If you use secure DNS and https for the RSS feed, then these people would know your IP and the IP you're connecting to:
- the DNS provider
- the RSS server
- your ISP/ VPN server
Your ISP or VPN will know you've made a TCP connection to that server at a specified port, but that's it. It's trivial for them to reverse lookup the IP back into a name.
Only the RSS server will know the specific URL you're visiting though.
> Only the RSS server will know the specific URL you're visiting though.
and the site itself!
They are one and the same.
jeez I wasn't reading very carefully. I read that as "Only the RSS reader"
My first thought would be that it’s the same as using any other browser, so not a great way to be private. Am I wrong?
It is exactly the same. You can even open the RSS files in your browser directly. They're just XML files served via http(s)
I wouldn't go so far as to say it's literally the same as browsing a website. Your feed reader isn't a full web browser and as far as I know most don't execute javascript. They will still generally fetch images, and fetching the feed itself is just an http/s request, but it may or may not always be a request to the same web server as the website of whatever publication you're subscribing to. So IMO you're already starting from a somewhat better position in terms of data leakage, since the feed isn't loading analytics software or advertiser javascript or any of that stuff which feeds the vast majority of bulk data collection in the private sector.
One downside might be that if you have your feed reader set up to automatically poll for updates regularly, you may forget and it may do that polling on networks you didn't intend to (when your VPN is off or you're on school/work internet).
If you have a specific threat model, or a couple, that you want to guard against, it's much easier to come up with solutions that thwart those exact threats, than just trying to be "as private as possible" all the time (very difficult, all technical solutions have tradeoffs). You could make the requests through tor. You could use a proxy to encrypt your traffic up to a server you control before going out to the various sites. You could use a VPN service.
Those all have different tradeoffs: tor exit nodes might be widely blocked from fetching content from a lot of sites, and it might be hard to connect to tor period on some locked-down networks, the server host and their ISP can still see some details about your traffic if you run your own proxy or VPN server, but it is another step removed from your local network/isp and the site both tracking you directly by IP, user-agent, etc. VPN services might be tracking you themselves, might be working with governments, but they, similarly to proxies, interrupt the tracking done by your local network or the websites in question, with the added bonus of blending in with the traffic of other users (but they are often blocked by local network admins, and occasionally by websites as well)
As an aside, RSS-based podcasts are a place where this tends to get interesting since the field is dominated by big distribution services. Assuming HTTPS is in use, most podcasts you might subscribe to can't easily be tracked by your ISP or network admins, since they'll blend in with all the other traffic going to say, acast, libsyn, iheart, whatever, and HTTPS blocks them from seeing the full URL or data in transit, only the domain name from SNI. They can only tell that you downloaded data from a podcast network, not what podcast it was
Gonna give you a tip.
Assume that 99% of anything you access online is visible to your ISP (and therefore your government and police) and the hoster of the service.