Linux Mint Forums

[johndoe]

I keep seeing Linux Mint connect to Google despite my best efforts to get it to do otherwise.

On a fresh install of Linux Mint 13 i386 MATE it will make connections to http://www.l.google.com www-ccld.l.google.com and android-market.l.google.com on 1st login without having launched anything.
After telling mintupdate to test something other than google and disabling the welcome screen, then rebooting, on logon it connects to the first two hosts again plus... youtube-u.l.google.com !!!
These aren't simple pings, there's cookies, there's my side identifying itself as having a useragent of phython and plenty of HTTP data exchanged on both sides but I can't explain what or why this is happening.

I've reproduced this consistently, doing fresh installs again and again, seeing the same results. The box recording all the traffic has two NICS and wireshark is monitoring eth1 which only has the mint PC attached, no traffic from other devices or even the host itself running wireshark appears in the log.

I went onto your IRC channel (nice link from the welcome screen btw), they suggested I run sudo lsof -i , sudo netstat -lptu and sudo netstat -tulpn to establish what is making these connecitons but they're closed before I can get a chance to open the terminal... I've spent far too much time on this already and hope someone else can explain this and tell me how to stop it!

I really like what you guys have done with Gnome 2 and the fantastic mintmenu but having finally taken the time to properly look at the traffic out of all my kit, it was a massive surprise to see Mint being the only source of concern. This is a dealbreaker for a paranoid fool like myself, I don't want to connect to google for any reason... their record on privacy is shocking.

[asdfasdf]

You might want to look in the packets going out to Google and see if the contents yield any clues as to what is going on.

On this Cinnamon box, I just tried logging in (but no reboot) but I didn't see any port 80 traffic resulting.

Also, if you want to block just these connections to the specified hosts, you might try adding them to your /etc/hosts file as:

Code: Select all

127.0.0.1 www.l.google.com
127.0.0.1 www-ccld.l.google.com
127.0.0.1 android-market.l.google.com
127.0.0.1 youtube-u.l.google.com


That only works, of course, if the program is resolving the name rather than using an ip number. If it is using a hard-coded ip number, then you can use iptables to block connections to those hard-coded ip numbers.

[DrHu]

I don't know why it is doing that, but you could pick a different home page, eg duckduckgo.com and possibly edit the search engine parameters for Google or move it down the list of search engines in the preference(s) of your chosen browser..

I use Opera, and it can be blocked..

[johndoe]

I've taken every precaution to ensure I'm not posting false results and now I want an answer from someone involved in this project as to what the hell is going on, if someone knows the correct channel for this I'd like to take this up with them. I'm sure there's many who are using mint assuming that open source = privacy. Mint seem to be up front about their agreements with Yahoo and DuckDuckGo but I've not seen anything about any alliance with Google.

Since my initial post I've replicated this behaviour on another network using 2 virtual machines with an internal virtual network only available to the fresh install of mint and another VM, with two NICs running a fresh install of debian, sharing the internet side using the built in NAT feature and running wireshark to monitor the interface on the internal network only.

You might want to look in the packets going out to Google and see if the contents yield any clues as to what is going on.

That's what I've done, I don't know if you've seen the interface for Wireshark but you can see some of the text translated from hex in the packets. As mentioned, I can see my side identifying a useragent of Python and lots of cookies being set in the HTTP bits. Most of the packets are not plain text so I can't really tell what's going on, I'm not a hacker, just someone concerned enough to do my best to understand what my systems are doing.

On this Cinnamon box, I just tried logging in (but no reboot) but I didn't see any port 80 traffic resulting.

If I only monitored the mint install itself I'd not see it either, the connections are closed before I could even launch a terminal.

Also, if you want to block just these connections to the specified hosts, you might try adding them to your /etc/hosts file as...

The problem with that approach is that the hosts it connects to keep changing... if I blocked the google.com domain (and 1e100.com etc.) I'd effectively not be able to use the web as webmasters love integrating Google's free offerings into their sites even if it compromises the privacy of it's audience. I'll be dammed if my OS becomes part of their aggregated data.

I don't know why it is doing that, but you could pick a different home page, eg duckduckgo.com...

This isn't a browser issue, the connections are established at logon, on the first boot after installation without launching an application.

[asdfasdf]

You might want to look in the packets going out to Google and see if the contents yield any clues as to what is going on.

That's what I've done, I don't know if you've seen the interface for Wireshark but you can see some of the text translated from hex in the packets. As mentioned, I can see my side identifying a useragent of Python and lots of cookies being set in the HTTP bits. Most of the packets are not plain text so I can't really tell what's going on, I'm not a hacker, just someone concerned enough to do my best to understand what my systems are doing.

Yes, I am familiar with the wireshark/tshark/tcpdump/etherape type of libpcap programs.

I would suggest next going to the command line and using "tshark -V", which will let you capture the full packets in a verbose but very easy to read fashion. You might want to start "script" first, so that the output is automatically saved to a file named "typescript".

For instance, if your capturing interface is named "eth0", you could do

Code: Select all

# script
Script started, file is typescript
# tshark -V -i eth0
Capturing on eth0
 [....lotsa data....]
# exit
exit
Script done, file is typescript


Then go through the file "typescript", and look at the exact details of each of the packets.

[johndoe]

Yes, I am familiar with the wireshark/tshark/tcpdump/etherape type of libpcap programs.

I would suggest next going to the command line and using...

Wow, thanks. I should be able to run that tomorrow and post up the results.

In the mean time, if there's someone around here who knows the package/code responsible for this addition to Ubuntu...

[johndoe]

Well, here's a packet that I hope means something to someone... I can't garner the point of it. Is this perhaps a google account tie-in with a bad default setting?

Code: Select all

Hypertext Transfer Protocol
    HTTP/1.0 200 OK\r\n
        [Expert Info (Chat/Sequence): HTTP/1.0 200 OK\r\n]
            [Message: HTTP/1.0 200 OK\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Version: HTTP/1.0
        Response Code: 200
    Set-Cookie: NID=62=N9XGLuyx0gu1xAW-Cx0LoiPP39zYbmII8-rOnO1O2_baL_vNHWBT16EU6z7NTHl8uhaRhcNZDMIfnCbNTSyZHwMiUSz5W32lsPGI7lDfsG7AhzejOGhI2F_e2_iWr8de; expires=Fri, 01-Feb-2013 12:06:49 GMT; path=/; domain=.google.co.uk; HttpOnly\r\n
    Date: Thu, 02 Aug 2012 12:06:49 GMT\r\n
    Expires: -1\r\n
    Cache-Control: private, max-age=0\r\n
    Content-Type: text/html; charset=ISO-8859-1\r\n
    Set-Cookie: PREF=ID=282a9a6b18d01aed:FF=0:TM=1343909209:LM=1343909209:S=zTI-lW-G_e3KFMWT; expires=Sat, 02-Aug-2014 12:06:49 GMT; path=/; domain=.google.co.uk\r\n
    Set-Cookie: NID=62=N9XGLuyx0gu1xAW-Cx0LoiPP39zYbmII8-rOnO1O2_baL_vNHWBT16EU6z7NTHl8uhaRhcNZDMIfnCbNTSyZHwMiUSz5W32lsPGI7lDfsG7AhzejOGhI2F_e2_iWr8de; expires=Fri, 01-Feb-2013 12:06:49 GMT; path=/; domain=.google.co.uk; HttpOnly\r\n
    P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."\r\n
    Server: gws\r\n
    X-XSS-Protection: 1; mode=block\r\n
    X-Frame-Options: SAMEORIGIN\r\n
    \r\n
Line-based text data: text/htmlhttp://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657
    [truncated] <!doctype html><html itemscope="itemscope" itemtype="http://schema.org/WebPage"><head><meta itemprop="image" content="/images/google_favicon_128.png"><title>Google</title><script>window.google={kEI:"WW0aUNrgNqWM0AWE44CwBg",getE
    [truncated] ml:function(){},kHL:"en",time:function(){return(new Date).getTime()},log:function(a,b,c,e){var d=new Image,h=google,i=h.lc,f=h.li,j="";d.onerror=(d.onload=(d.onabort=function(){delete i[f]}));i[f]=d;if(!c&&b.search("&ei=")==-1)
    [truncated] var k=/^http:/i;if(k.test(g)&&google.https()){google.ml(new Error("GLMM"),false,{src:g});delete i[f];return}d.src=g;h.li=f+1},lc:[],li:0,Toolbelt:{},y:{},x:function(a,b){google.y[a.id]=[a,b];return false}};window.google.sn="web
    [truncated] var _gjwl=location;function _gjuc(){var e=_gjwl.href.indexOf("#");if(e>=0){var a=_gjwl.href.substring(e);if(a.indexOf("&q=")>0||a.indexOf("#q=")>=0){a=a.substring(1);if(a.indexOf("#")==-1){for(var c=0;c<a.length;){var d=c;if(a.
    window._gjuc())&&setTimeout(_gjp,500)};\n
    [truncated] window._gjp&&_gjp();(function(){'use strict';var h=null,j=this;var m="undefined"!=typeof navigator&&/Macintosh/.test(navigator.userAgent);var o=/\s*;\s*/,q=function(g){var c=p;if(!c.h.hasOwnProperty(g)){var n;n=function(b){var
    </script> </head><body dir="ltr" bgcolor="#fff"><script>(function(){var src='/images/srpr/nav_logo80.png';var iesg=false;document.body.onload = function(){if (document.images){new Image().src=src;}\n
    if (!iesg){document.f&&document.f.q.focus();document.gbqf&&document.gbqf.q.focus();}\n
    }\n
    [truncated] })();</script><textarea id="csi" style="display:none"></textarea><div id="mngb"><div id=gbar><nobr><b class=gb1>Search</b> <a class=gb1 href="http://www.google.co.uk/imghp?hl=en&tab=wi">Images</a> <a class=gb1 href="http://vide
    [truncated] var c,d,e=false;function f(a){var b={_sn:a?"FAILURE":"FALLBACK",_pu:c,_fu:d},h=google.ml(new Error("pml"),false,b,true);google.log(0,"",h)}function g(){if(!google.pml)f(true)}function i(a){window.setTimeout(function(){var b=doc
    true;f();i(d,g)}}google.dljp=function(a,b){c=a;google.xjsu=a;d=b;if(!google.xjsi)i(c,j)};google.dlj=i;\n
    })();\n
    [truncated] google.y.first=[];if(!google.xjs){google.dstr=[];google.rein=[];window._=window._||{};window._._DumpException=function(e){throw e};if(google.timers&&google.timers.load.t){google.timers.load.t.xjsls=new Date().getTime();}google.
    [truncated] var b,d,e,f;function g(a,c){if(a.removeEventListener){a.removeEventListener("load",c,false);a.removeEventListener("error",c,false)}else{a.detachEvent("onload",c);a.detachEvent("onerror",c)}}function h(a){f=(new Date).getTime();
    [truncated] h,false)}else{k.attachEvent("onload",h);k.attachEvent("onerror",h)}}e=b-d;function l(){if(!google.timers.load.t)return;google.timers.load.t.ol=(new Date).getTime();google.timers.load.t.iml=f;google.kCSI.imc=d;google.kCSI.imn=b;
    l,false);else if(window.attachEvent)window.attachEvent("onload",l);google.timers.load.t.prt=(f=(new Date).getTime());\n
    })();\n
    </script></body></html>

The whole output on first logon after DHCP etc. is here:
http://pastebin.com/V1pEuTzc

Having told mintupdate to use a different host to check it's connection is good and disabled the mintwelcome, here's another example after a reboot...

Code: Select all

Hypertext Transfer Protocol
    HTTP/1.0 200 OK\r\n
        [Expert Info (Chat/Sequence): HTTP/1.0 200 OK\r\n]
            [Message: HTTP/1.0 200 OK\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Version: HTTP/1.0
        Response Code: 200
    Set-Cookie: NID=62=y2uYrRYURCZwo78xdy4BXQ8gyhJJBViVfQbb-NbDQW70yX3lKrmWJ2kn4s_Mf8LUWBE6a1IvDH1VGpoUu5bTKJk-oloAGVDv8FpKq4aQfuy9tgB1vTdre1Zoc5EjfEmJ; expires=Fri, 01-Feb-2013 12:46:01 GMT; path=/; domain=.google.co.uk; HttpOnly\r\n
    Date: Thu, 02 Aug 2012 12:46:01 GMT\r\n
    Expires: -1\r\n
    Cache-Control: private, max-age=0\r\n
    Content-Type: text/html; charset=ISO-8859-1\r\n
    Set-Cookie: PREF=ID=38e62b9a4e1b6094:FF=0:TM=1343911561:LM=1343911561:S=WRhPYFRluSSqXb4k; expires=Sat, 02-Aug-2014 12:46:01 GMT; path=/; domain=.google.co.uk\r\n
    Set-Cookie: NID=62=y2uYrRYURCZwo78xdy4BXQ8gyhJJBViVfQbb-NbDQW70yX3lKrmWJ2kn4s_Mf8LUWBE6a1IvDH1VGpoUu5bTKJk-oloAGVDv8FpKq4aQfuy9tgB1vTdre1Zoc5EjfEmJ; expires=Fri, 01-Feb-2013 12:46:01 GMT; path=/; domain=.google.co.uk; HttpOnly\r\n
    P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."\r\n
    Server: gws\r\n
    X-XSS-Protection: 1; mode=block\r\n
    X-Frame-Options: SAMEORIGIN\r\n
    \r\n
Line-based text data: text/html
    [truncated] <!doctype html><html itemscope="itemscope" itemtype="http://schema.org/WebPage"><head><meta itemprop="image" content="/images/google_favicon_128.png"><title>Google</title><script>window.google={kEI:"iXYaUOepN-iX0QW9sYHoAQ",getE
    [truncated] ml:function(){},kHL:"en",time:function(){return(new Date).getTime()},log:function(a,b,c,e){var d=new Image,h=google,i=h.lc,f=h.li,j="";d.onerror=(d.onload=(d.onabort=function(){delete i[f]}));i[f]=d;if(!c&&b.search("&ei=")==-1)
    [truncated] var k=/^http:/i;if(k.test(g)&&google.https()){google.ml(new Error("GLMM"),false,{src:g});delete i[f];return}d.src=g;h.li=f+1},lc:[],li:0,Toolbelt:{},y:{},x:function(a,b){google.y[a.id]=[a,b];return false}};window.google.sn="web
    [truncated] var _gjwl=location;function _gjuc(){var e=_gjwl.href.indexOf("#");if(e>=0){var a=_gjwl.href.substring(e);if(a.indexOf("&q=")>0||a.indexOf("#q=")>=0){a=a.substring(1);if(a.indexOf("#")==-1){for(var c=0;c<a.length;){var d=c;if(a.
    window._gjuc())&&setTimeout(_gjp,500)};\n
    [truncated] window._gjp&&_gjp();(function(){'use strict';var h=null,j=this;var m="undefined"!=typeof navigator&&/Macintosh/.test(navigator.userAgent);var o=/\s*;\s*/,q=function(g){var c=p;if(!c.h.hasOwnProperty(g)){var n;n=function(b){var
    </script> </head><body dir="ltr" bgcolor="#fff"><script>(function(){var src='/images/srpr/nav_logo80.png';var iesg=false;document.body.onload = function(){if (document.images){new Image().src=src;}\n
    if (!iesg){document.f&&document.f.q.focus();document.gbqf&&document.gbqf.q.focus();}\n
    }\n
    [truncated] })();</script><textarea id="csi" style="display:none"></textarea><div id="mngb"><div id=gbar><nobr><b class=gb1>Search</b> <a class=gb1 href="http://www.google.co.uk/imghp?hl=en&tab=wi">Images</a> <a class=gb1 href="http://vide
    [truncated] var c,d,e=false;function f(a){var b={_sn:a?"FAILURE":"FALLBACK",_pu:c,_fu:d},h=google.ml(new Error("pml"),false,b,true);google.log(0,"",h)}function g(){if(!google.pml)f(true)}function i(a){window.setTimeout(function(){var b=doc
    true;f();i(d,g)}}google.dljp=function(a,b){c=a;google.xjsu=a;d=b;if(!google.xjsi)i(c,j)};google.dlj=i;\n
    })();\n
    [truncated] google.y.first=[];if(!google.xjs){google.dstr=[];google.rein=[];window._=window._||{};window._._DumpException=function(e){throw e};if(google.timers&&google.timers.load.t){google.timers.load.t.xjsls=new Date().getTime();}google.
    [truncated] var b,d,e,f;function g(a,c){if(a.removeEventListener){a.removeEventListener("load",c,false);a.removeEventListener("error",c,false)}else{a.detachEvent("onload",c);a.detachEvent("onerror",c)}}function h(a){f=(new Date).getTime();
    [truncated] h,false)}else{k.attachEvent("onload",h);k.attachEvent("onerror",h)}}e=b-d;function l(){if(!google.timers.load.t)return;google.timers.load.t.ol=(new Date).getTime();google.timers.load.t.iml=f;google.kCSI.imc=d;google.kCSI.imn=b;
    l,false);else if(window.attachEvent)window.attachEvent("onload",l);google.timers.load.t.prt=(f=(new Date).getTime());\n
    })();\n
    </script></body></html>

[johndoe]

Maybe I should have given this issue the subject line "Massive privacy concern in Linux Mint"

Because I'm not seeing much concern for the fact that the OS you're all using is behaving in a way that'd have Microsoft up in front of the EU judges again.

Seeing as Debian and Ubuntu don't decide to start a little conversation with various google hosts on every boot in it's default configuration I can only conclude that this is either part of a feature which has an unnecessary default or we're unknowingly supporting Mint financially by allowing Google to harvest yet more data on us...

I thought Linux was about freedom and choice, please could someone direct me to the bit where I choose not to have my life monitored by Google?

[johndoe]

This is the bit where I bid you all farewell, I'll stop wasting my time... you can all carry on sleepwalking into George Orwell's prophesy without me, I'm going use an OS which doesn't automatically send data to Google on every boot.

If you tolerate this, what's next?

[clem]

OK, first:

- Thanks for giving us your feedback and raising questions about Mint when concerned about its quality. This is always appreciated, we don't always have the resources to respond in a timely manner, but that's how we improve Mint and how we look into things.

Second:

- There's some level of paranoia in this post which, although it's funny, isn't justified. Linux Mint doesn't spy on its user and it certainly doesn't engage in sneakingly giving some of their personal information to Google .

Third:

- I looked into the code for mintUpdate, and it indeed connects to google.com (whether or not you indicate some other domain for the ping test (which is a different connection)), line 1710: url=urlopen("http://google.com"). It's arguable whether or not that connection to google.com should be configurable as well (and if you think it is, then you're welcome to raise an issue on https://github.com/linuxmint/mintupdate) but what's for sure is that it doesn't give any details away. We're basically talking about a python program here which is trying to assess whether or not your computer is connected to the Internet. In order to achieve this, it tries to read the one domain that's the most likely to always be working... google.com. The reason you see google.co.uk is probably because Google does some geoip on your IP address and serves mintupdate with google.co.uk instead of google.com. Once the connection is made, no data is read by mintupdate and certainly no data is sent to Google.

As a reminder, you can contact me at root@linuxmint.com (but please try not to unless it's really urgent/important...) and you can raise issues about the code on github.

Orwell wrote some brilliant books, there's no question. I see you're into Science Fiction, so I'll just quote the Hitchiker's Guide to The Galaxy: "DON'T PANIC!"

Good luck with your next OS if you've left Mint already, or welcome back if you decided to stay.

[johndoe]

Thanks for taking the time to give an informative response.

I can confirm that removing mintupdate stops the behavior reported, is it likely that any problems might occur from using 'sudo apt-get upgrade' as a replacement?
Not being a developer, finding the appropriate file on github wasn't an obvious process, those I thought likely were not the one you refer to so i''ve not seen the code in question.

While this could be amusing for someone with an inherent knowledge of Mint code modifications to Ubuntu, for an outsider looking for some privacy and seeing a lack of response/concern it was not very funny... but I appreciate that I could come across as a bit OTT to people who haven't studied what Google are up to.

Anyway, I welcome your honest response although I don't agree with your claim that no data is sent to Google when these requests are sent; On each boot, you're essentially telling Google "Hello, here's my IP address and the fingerprint of a Linux Mint installation, please add this to your profile on this IP and associated persons, I'll take your cookie", on another boot you could be in a different location but with the same cookie; with Google's multitude of other tracking devices, they have the ability to turn this non-personally identifiable information into something more powerful and I don't want to give them that opportunity.
If you try to stop google tracking in all forms, you face a very difficult challenge in 2012, mintupdate's behavior is just one tiny firework in a field full of land mines but still something to be wary of if you care about privacy.

It would seem a small task for this part of mintupdate to use the user changeable field (it already provides) for all it's web connection checking, or better still, have an option to disable this check for those who can work out if they're connected to the internet or not.

[johndoe]

Did this ever get fixed / addressed?

I stopped using Linux Mint due to the problem, wonder if it's safe to return.

[DennisEHam]

Hello Mr. Doe,

Greetings! I stumbled across your issue and previous post on my Kindle Fire while waiting for my wife to wake up so we could go to her medical appointment. So I do not have answers, but want to follow this issue you raised, and that altho I'm new to Linux would like you to know I support your concerns ~

Post by johndoe on Tue Mar 12, 2013 10:30 am
Did this ever get fixed / addressed?

I stopped using Linux Mint due to the problem, wonder if it's safe to return.
---------------------
I suspect this may relate to a post I made several weeks ago, and only got one reply that I thought was fairly dismissive. viewtopic.php?f=90&t=127671 Subject line of Suspicious source for updating time -Akamai? Security hole? So, there is another application, the clock. The other Linux distros I've tried either set the clock through our computer system time or would allow us to connect to the public network of NNTP servers using the long-established time protocol, etc.

As I don't have much time at the moment, I read several times through Mr. Lefebvre's (clem, the project leader) who responded to you. On the surface, his answer seemed somewhat reasonable, but the more I considered it, then I noticed what I thought was faulty rationale (and I'm tryiing to be non-accusatory here in the spirit of not trying to assume poor intentions).

-- I do not think your concern displays paranoia ...

-- What i found odd after some consideration has to do with Mr. Lefebvre's statement ~

" We're basically talking about a python program here which is trying to assess whether or not your computer is connected to the Internet. In order to achieve this, it tries to read the one domain that's the most likely to always be working... google.com." It seems to me, however, that a simple ping sequence in that Phython program would establish whether your computer was indeed connected to the Internet.

The other aspect relates to what little experience I have in the Android world, just my wife's cellfone and my Kindle Fire. When I go to install an App, I'm pretty sure it tells me whether or not and who it is going to make a network connection with? It would seem prudent then to raise the issue for someone about to try out one of these distributions a statement that discloses something along the line of your subject such as "If you decide to try the CD or USB version of this Linux distribution, please be advised that it will connect to XX Internet servers for the purpose of YYY" And, of course, there would have to be more elaboration on that point.

So, your experience and mine with the built-in clock application is interesting. I've been using Wireshark also on a Win 7 bootup, starting with my wireless or wired connection turned off. Then starting Wireshark and then starting the network connection just to see what happens when my laptop is "idle". It was in that vein that I ran across the Linux 14 Mint MATE clock application going out to Akamai. I suspect you know much more about Akamai than I do. When you posted the Wireshark output, I thought, "wow...this isn't a standard ping response" and that's when I kept reading.

This is also going to be a learning experience for me as Mr. Lefebrve had a link to the Python code. I'm not a programmer but since the code is supposed to be free to look at, it would be interesting to see whether that mention in the Python code is still in the Mint Update program.

Finally, two points ~

1) in my spirit of trying to give the Mint development team the benefit of the doubt, I wonder, Mr. Doe, whether they found it necessary or prudent because of their sponsors to do more than just ping to determine Internet connectivity?

2) As you read my post link above, I share the same issue with you about what is the proper way to elevate these concerns. I thought "...security hole?" in the subject line would being some serious commentators or some members of the development team into the discussion.

Cheers...

PS -- Again, I'm not a programmer but the changelog for this program at https://github.com/linuxmint/mintupdate ... /changelog is a bit cryptic to me due to my lack of experience. But since you raised the issue in the summer of 2012, I don't see a mention in the changelog that seems to relate to the issue you raised.

[michelsberg]

@ johndoe/Dennis:

default-Google'ing is still active in mintUpdate:
https://github.com/linuxmint/mintupdate/blob/master/usr/lib/linuxmint/mintUpdate/mintUpdate.py#L1711

The behaviour is a bit weird:
To determine whether it is online or not, mintUpdate tries to connect to http://google.com, if that fails, it tries to ping the user-defined domain (prefs["ping_domain"]).

I wonder why it relies on google.com, first but I really don't see a Mint-Google-conspiracy here...
The code is pretty simple and straightforward. It is just weird that, while prefs["ping_domain"] is taken into account for the online test, it is only the 2nd choice after a hard-coded connection to Google. Maybe they wanted to be fail-safe in case the user entered an invalid domain name, or a domain with much more downtime than google.com.